Deduplicating container provenance with graph grammars

TaPP'17: Proceedings of the 9th USENIX Conference on Theory and Practice of Provenance (2017)

Abstract
Container-based virtualization is enabling unprecedented portability and deployment of code, facilitated by online registries like Docker Store and cluster management tools like Docker Swarm. However, present-day audit mechanisms were not designed for this emerging paradigm, especially in large-scale clusters of container deployments where the sheer scale of storing and processing audit logs makes system monitoring prohibitively costly. In this poster, we consider a unique adaptation of Regular Grammar principles that enables us to define a provenance model for a container's expected behavior, and subsequently prune all but the unique/anomalous behaviors of a particular container instance. We consider the performance of such an approach, as well as real-world attack scenarios in which this approach enables cluster-wide monitoring of containers.