{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T07:03:43Z","timestamp":1780988623810,"version":"3.54.1"},"reference-count":35,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"2","license":[{"start":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T00:00:00Z","timestamp":1775001600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/501100018531","name":"Major Science and Technology Projects in Yunnan Province","doi-asserted-by":"crossref","award":["202202AD080013"],"award-info":[{"award-number":["202202AD080013"]}],"id":[{"id":"10.13039\/501100018531","id-type":"DOI","asserted-by":"crossref"}]},{"name":"National Key Research and Development Project of China","award":["2019YFB2102303"],"award-info":[{"award-number":["2019YFB2102303"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61971014"],"award-info":[{"award-number":["61971014"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Key Research and Development Program of China","award":["2024YFB3108200"],"award-info":[{"award-number":["2024YFB3108200"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Cloud Comput."],"published-print":{"date-parts":[[2026,4]]},"DOI":"10.1109\/tcc.2026.3677796","type":"journal-article","created":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T19:51:05Z","timestamp":1774554665000},"page":"967-984","source":"Crossref","is-referenced-by-count":0,"title":["Hela: A System Call Restriction Framework for Protecting the Entire Containers Lifecycle"],"prefix":"10.1109","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-7592-2288","authenticated-orcid":false,"given":"Shaohu","family":"Li","sequence":"first","affiliation":[{"name":"Faculty of Information Technology, Beijing University of Technology, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-5995-8027","authenticated-orcid":false,"given":"Jin","family":"Zhou","sequence":"additional","affiliation":[{"name":"Faculty of Information Technology, Beijing University of Technology, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xinxin","family":"Li","sequence":"additional","affiliation":[{"name":"Faculty of Information Technology, Beijing University of Technology, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4384-5786","authenticated-orcid":false,"given":"Weizhi","family":"Meng","sequence":"additional","affiliation":[{"name":"School of Computing and Communications, Lancaster University, Lancaster, U.K."}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3188-3531","authenticated-orcid":false,"given":"Bei","family":"Gong","sequence":"additional","affiliation":[{"name":"Beijing Key Laboratory of Trusted Computing, Faculty of Information Technology, Beijing University of Technology, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jun","family":"Hu","sequence":"additional","affiliation":[{"name":"Beijing Key Laboratory of Trusted Computing, Faculty of Information Technology, Beijing University of Technology, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/jproc.2024.3353855"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/wconf58270.2023.10235199"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3268124"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD60044.2023.00043"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/tsc.2022.3173791"},{"key":"ref6","first-page":"1749","article-title":"Temporal system call specialization for attack surface reduction","volume-title":"Proc. 29th USENIX Secur. Symp."},{"key":"ref7","first-page":"459","article-title":"Sysfilter: Automated system call filtering for commodity software","volume-title":"Proc. 23rd Int. Symp. Res. Attacks, Intrusions Defenses","author":"DeMarinis"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623207"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623137"},{"key":"ref10","first-page":"443","article-title":"Confine: Automated system call policy generation for container attack surface reduction","volume-title":"Proc. 23rd Int. Symp. Res. Attacks, Intrusions Defenses","author":"Ghavamnia"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/3555776.3577593"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3582835"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_11"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3680366"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.3390\/electronics13234773"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2022.04.016"},{"key":"ref17","article-title":"Docker: Accelerated container application development","year":"2024"},{"key":"ref18","article-title":"runC: The container runtime","year":"2025"},{"key":"ref19","first-page":"259","article-title":"The BSD packet filter: A new architecture for user-level packet capture","volume-title":"Proc. USENIX Winter","author":"McCanne"},{"key":"ref20","article-title":"What is eBPF? an introduction and deep dive into the eBPF technology","year":"2024"},{"key":"ref21","article-title":"Programmable system call security with eBPF","author":"Jia","year":"2023"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2022.3194266"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-19-6414-5_12"},{"key":"ref24","first-page":"683","article-title":"BlackBox: A container security monitor for protecting containers on untrusted operating systems","volume-title":"Proc. 16th USENIX Symp. Operating Syst. Des. Implementation","author":"Hof"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/cloud49709.2020.00089"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/3474123.3486762"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484564"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3582016.3582066"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559366"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378470"},{"key":"ref31","article-title":"Kernel Probes (Kprobes) \u2014 The Linux Kernel documentation","year":"2024"},{"key":"ref32","article-title":"Uprobe-tracer: Uprobe-based event tracing \u2014 the linux kernel documentation","year":"2024"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3428203"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/DSN-W52860.2021.00029"},{"key":"ref38","article-title":"Defeating eBPF uprobe monitoring","author":"Gl\u00e9naz","year":"2024"}],"container-title":["IEEE Transactions on Cloud Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6245519\/11554470\/11456734.pdf?arnumber=11456734","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T06:18:55Z","timestamp":1780985935000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11456734\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4]]},"references-count":35,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.1109\/tcc.2026.3677796","relation":{},"ISSN":["2168-7161","2372-0018"],"issn-type":[{"value":"2168-7161","type":"electronic"},{"value":"2372-0018","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,4]]}}}