Show simple item record

dc.contributor.supervisorReich, Christoph
dc.contributor.authorGantikow, Holger
dc.contributor.otherFaculty of Science and Engineeringen_US
dc.date.accessioned2024-10-10T11:43:24Z
dc.date.issued2024
dc.identifier10536439en_US
dc.identifier.urihttps://pearl.plymouth.ac.uk/handle/10026.1/22602
dc.description.abstract

This PhD thesis addresses the evolving landscape of High Performance Computing (HPC) by focusing on the critical challenge of securing the use of container virtualisation within HPC environments. The traditional approach to security for HPC operators is being challenged by a growing number of cyber security threats such as hacks and resource misuse. In addition, the risk of insider attacks is increasing, overall requiring a re-evaluation of security strategies, which in many cases are still based on a high level of trust in users.

This is further aggravated by the increasing demand to open up HPC environments to novel users and their diverse workloads. These generally differ from the existing users of an environment in that they come from a different domain and require a different application stack, that is often user-specific and conflicting with the existing software stack deployed in the HPC environment. This complexity and the high level of effort required to support such diversity means that in such a scenario the deployment of applications can often no longer be carried out in the traditional way by the administrators of the environment. In order to address this challenging situation, support for User-Defined Software Stacks (UDSS) is required to meet the demand for a growing range of user-specific applications and provide support for configurations conflicting the rest of the environment. Supporting the deployment and use of UDSS by users from different domains, however, has serious implications for the security of such an environment. This thus requires different approaches than if applications are made available in a curated manner by the administrators of the environment, as a different level of trust can be applied here. Container technology has emerged as a viable solution to support UDSS, offering the flexibility to support custom and sometimes conflicting software stacks - but it also introduces a new potential for security risks.

The central research question of this thesis is how the use of UDSS in an HPC environment can be made more secure. The individual research objectives encompass understanding current HPC environments, analysing container security measures, and proposing a secure container-based HPC architecture. This architecture takes into account the requirements and risks associated with UDSS to both empower users with support for UDSS while ensuring secure container execution. As part of this, a multi-stage image analysis process is introduced to identify potentially malicious user-provided applications prior to deployment. The outcome of this analysis also serves as a basis for advanced security measures further securing containerised workloads during execution. These are implemented as rule-based security monitoring and neural network-based anomaly detection. Additionally, a concept for extended isolation is outlined, emphasising additional protection from both other shared environment users and especially operators.

The experiments conducted as part of this research show that a) the general use of containerised applications is associated with a low performance overhead, which is outweighed by the advantages of containers, b) a rule-based monitoring approach, which offers the advantage that the rules can be easily analysed, modified and adapted to specific threats, can be applied at all levels related to containerised workload execution. Related performance overhead can be reduced through appropriate filtering, c) a neural network-based approach, based on an image-specific behavioural model and evaluated with two distinct approaches, shows that system call distribution and parameters using file system paths are in general suited for detecting malicious behaviour during workload execution.

With these contributions, the work advances the understanding of how to implement secure container use in HPC, fostering a potential for more flexible, yet secure compute environments.

en_US
dc.language.isoen
dc.publisherUniversity of Plymouth
dc.subjectContainersen_US
dc.subjectSecurityen_US
dc.subjectRule-based Security Monitoringen_US
dc.subjectNeural Network-based Anomaly Detectionen_US
dc.subjectMachine Learningen_US
dc.subjectHigh Performance Computing (HPC)en_US
dc.subjectUser-Defined Software Stacks (UDSS)en_US
dc.subjectDockeren_US
dc.subjectPodmanen_US
dc.subjectWorkload Isolationen_US
dc.subject.classificationPhDen_US
dc.titleSecure Container-based High Performance Computing Architectureen_US
dc.typeThesis
plymouth.versionpublishableen_US
dc.identifier.doihttp://dx.doi.org/10.24382/5235
dc.rights.embargodate2025-10-10T11:43:24Z
dc.rights.embargoperiod12 monthsen_US
dc.type.qualificationDoctorateen_US
rioxxterms.versionNA
plymouth.orcid_id0000-0003-4648-4381en_US


Files in this item

Thumbnail
Thumbnail

This item appears in the following Collection(s)

Show simple item record


All items in PEARL are protected by copyright law.
Author manuscripts deposited to comply with open access mandates are made available in accordance with publisher policies. Please cite only the published version using the details provided on the item record or document. In the absence of an open licence (e.g. Creative Commons), permissions for further reuse of content should be sought from the publisher or author.
Theme by 
Atmire NV