{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T16:19:51Z","timestamp":1774973991897,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":39,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,4,14]],"date-time":"2022-04-14T00:00:00Z","timestamp":1649894400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Natural Sciences and Engineering Research Council of Canada and Ericsson Canada"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,4,14]]},"DOI":"10.1145\/3508398.3511515","type":"proceedings-article","created":{"date-parts":[[2022,4,16]],"date-time":"2022-04-16T04:13:31Z","timestamp":1650082411000},"page":"155-166","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":15,"title":["ProSPEC: Proactive Security Policy Enforcement for Containers"],"prefix":"10.1145","author":[{"given":"Hugo","family":"Kermabon-Bobinnec","sequence":"first","affiliation":[{"name":"Concordia University, Montreal, PQ, Canada"}]},{"given":"Mahmood","family":"Gholipourchoubeh","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, PQ, Canada"}]},{"given":"Sima","family":"Bagheri","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, PQ, Canada"}]},{"given":"Suryadipta","family":"Majumdar","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, PQ, Canada"}]},{"given":"Yosr","family":"Jarraya","sequence":"additional","affiliation":[{"name":"Ericsson Security Research, Montreal, PQ, Canada"}]},{"given":"Makan","family":"Pourzandi","sequence":"additional","affiliation":[{"name":"Ericsson Security Research, Montreal, PQ, 
Canada"}]},{"given":"Lingyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Concordia University, Montreal, PQ, Canada"}]}],"member":"320","published-online":{"date-parts":[[2022,4,15]]},"reference":[{"key":"e_1_3_2_2_1_1","volume-title":"OpenStack Congress. https:\/\/wiki.openstack.org\/wiki\/Congress\/ Retrieved","year":"2021","unstructured":"2015. OpenStack Congress. https:\/\/wiki.openstack.org\/wiki\/Congress\/ Retrieved July 09, 2021 from 2015. OpenStack Congress. https:\/\/wiki.openstack.org\/wiki\/Congress\/ Retrieved July 09, 2021 from"},{"key":"e_1_3_2_2_2_1","volume-title":"https:\/\/falco.org\/ Retrieved","year":"2021","unstructured":"2018. Falco. https:\/\/falco.org\/ Retrieved June 15, 2021 from 2018. Falco. https:\/\/falco.org\/ Retrieved June 15, 2021 from"},{"key":"e_1_3_2_2_3_1","volume-title":"https:\/\/sysdig.com\/ Retrieved","year":"2021","unstructured":"2018. Sysdig. https:\/\/sysdig.com\/ Retrieved June 15, 2021 from 2018. Sysdig. https:\/\/sysdig.com\/ Retrieved June 15, 2021 from"},{"key":"e_1_3_2_2_4_1","volume-title":"Benchmark results of Kubernetes CNI over 10Gbit\/s network. https:\/\/itnext.io\/benchmark-results-of-kubernetes-network-plugins-cni-over-10gbit-s-network-updated-august-2020--6e1b757b9e49 Retrieved","year":"2021","unstructured":"2019. Benchmark results of Kubernetes CNI over 10Gbit\/s network. https:\/\/itnext.io\/benchmark-results-of-kubernetes-network-plugins-cni-over-10gbit-s-network-updated-august-2020--6e1b757b9e49 Retrieved July , 2021 from 2019. Benchmark results of Kubernetes CNI over 10Gbit\/s network. https:\/\/itnext.io\/benchmark-results-of-kubernetes-network-plugins-cni-over-10gbit-s-network-updated-august-2020--6e1b757b9e49 Retrieved July, 2021 from"},{"key":"e_1_3_2_2_5_1","volume-title":"Open Policy Agent\/Gatekeeper. https:\/\/open-policy-agent.github.io\/gatekeeper\/ Retrieved","year":"2021","unstructured":"2019. Open Policy Agent\/Gatekeeper. 
https:\/\/open-policy-agent.github.io\/gatekeeper\/ Retrieved July , 2021 from 2019. Open Policy Agent\/Gatekeeper. https:\/\/open-policy-agent.github.io\/gatekeeper\/ Retrieved July, 2021 from"},{"key":"e_1_3_2_2_7_1","volume-title":"Calico: Open source networking solution for Kubernetes. https:\/\/docs.projectcalico.org\/ Retrieved","year":"2021","unstructured":"2020. Calico: Open source networking solution for Kubernetes. https:\/\/docs.projectcalico.org\/ Retrieved August 09, 2021 from 2020. Calico: Open source networking solution for Kubernetes. https:\/\/docs.projectcalico.org\/ Retrieved August 09, 2021 from"},{"key":"e_1_3_2_2_8_1","volume-title":"Cloud Native Computing Foundation 2020 Survey Report. www.cncf.io\/wp-content\/uploads\/2020\/11\/CNCF_Survey_Report_2020.pdf Retrieved","year":"2021","unstructured":"2020. Cloud Native Computing Foundation 2020 Survey Report. www.cncf.io\/wp-content\/uploads\/2020\/11\/CNCF_Survey_Report_2020.pdf Retrieved September , 2021 from 2020. Cloud Native Computing Foundation 2020 Survey Report. www.cncf.io\/wp-content\/uploads\/2020\/11\/CNCF_Survey_Report_2020.pdf Retrieved September, 2021 from"},{"key":"e_1_3_2_2_9_1","volume-title":"CVE-2020--8554: Man in the middle in Kubernetes. https:\/\/blog.champtar.fr\/K8S_MITM_LoadBalancer_ExternalIPs\/ Retrieved","year":"2021","unstructured":"2020. CVE-2020--8554: Man in the middle in Kubernetes. https:\/\/blog.champtar.fr\/K8S_MITM_LoadBalancer_ExternalIPs\/ Retrieved July 10, 2021 from 2020. CVE-2020--8554: Man in the middle in Kubernetes. https:\/\/blog.champtar.fr\/K8S_MITM_LoadBalancer_ExternalIPs\/ Retrieved July 10, 2021 from"},{"key":"e_1_3_2_2_10_1","volume-title":"Torin Sandall","year":"2021","unstructured":"2020. Torin Sandall , OPA : Top 5 Kubernetes Admission Control Policies. https:\/\/thenewstack.io\/open-policy-agent-the-top-5-kubernetes-admission-control-policies\/ Retrieved July 20, 2021 from 2020. 
Torin Sandall, OPA: Top 5 Kubernetes Admission Control Policies. https:\/\/thenewstack.io\/open-policy-agent-the-top-5-kubernetes-admission-control-policies\/ Retrieved July 20, 2021 from"},{"key":"e_1_3_2_2_11_1","volume-title":"Azurescape' Kubernetes Attack Allows Cross-Container Cloud Compromise. https:\/\/threatpost.com\/azurescape-kubernetes-attack-container-cloud-compromise\/169319\/ Retrieved","year":"2021","unstructured":"2021. ' Azurescape' Kubernetes Attack Allows Cross-Container Cloud Compromise. https:\/\/threatpost.com\/azurescape-kubernetes-attack-container-cloud-compromise\/169319\/ Retrieved October , 2021 from 2021. 'Azurescape' Kubernetes Attack Allows Cross-Container Cloud Compromise. https:\/\/threatpost.com\/azurescape-kubernetes-attack-container-cloud-compromise\/169319\/ Retrieved October, 2021 from"},{"key":"e_1_3_2_2_12_1","volume-title":"https:\/\/kubernetes.io\/docs\/setup\/production-environment\/container-runtimes\/#cgroup-drivers Retrieved","author":"Runtimes Container","year":"2021","unstructured":"2021. Container Runtimes . https:\/\/kubernetes.io\/docs\/setup\/production-environment\/container-runtimes\/#cgroup-drivers Retrieved June , 2021 from 2021. Container Runtimes. https:\/\/kubernetes.io\/docs\/setup\/production-environment\/container-runtimes\/#cgroup-drivers Retrieved June, 2021 from"},{"key":"e_1_3_2_2_13_1","volume-title":"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021--43979 Retrieved","year":"2022","unstructured":"2021. CVE-2021--43979. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021--43979 Retrieved January , 2022 from 2021. CVE-2021--43979. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021--43979 Retrieved January, 2022 from"},{"key":"e_1_3_2_2_14_1","volume-title":"Docker authorization with OPA. www.openpolicyagent.org\/docs\/latest\/docker-authorization\/ Retrieved","year":"2021","unstructured":"2021. Docker authorization with OPA. 
www.openpolicyagent.org\/docs\/latest\/docker-authorization\/ Retrieved August 19, 2021 from 2021. Docker authorization with OPA. www.openpolicyagent.org\/docs\/latest\/docker-authorization\/ Retrieved August 19, 2021 from"},{"key":"e_1_3_2_2_15_1","volume-title":"https:\/\/docs.docker.com\/engine\/swarm\/ Retrieved","author":"Swarm Docker","year":"2021","unstructured":"2021. Docker Swarm . https:\/\/docs.docker.com\/engine\/swarm\/ Retrieved September 15, 2021 from 2021. Docker Swarm. https:\/\/docs.docker.com\/engine\/swarm\/ Retrieved September 15, 2021 from"},{"key":"e_1_3_2_2_16_1","volume-title":"Dynamic Admission Control. https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/extensible-admission-controllers\/ Retrieved","year":"2021","unstructured":"2021. Dynamic Admission Control. https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/extensible-admission-controllers\/ Retrieved September 30, 2021 from 2021. Dynamic Admission Control. https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/extensible-admission-controllers\/ Retrieved September 30, 2021 from"},{"key":"e_1_3_2_2_17_1","volume-title":"Installing kubeadm. https:\/\/kubernetes.io\/docs\/setup\/production-environment\/tools\/kubeadm\/install-kubeadm\/ Retrieved","year":"2021","unstructured":"2021. Installing kubeadm. https:\/\/kubernetes.io\/docs\/setup\/production-environment\/tools\/kubeadm\/install-kubeadm\/ Retrieved June , 2021 from 2021. Installing kubeadm. https:\/\/kubernetes.io\/docs\/setup\/production-environment\/tools\/kubeadm\/install-kubeadm\/ Retrieved June, 2021 from"},{"key":"e_1_3_2_2_18_1","volume-title":"https:\/\/kubernetes.io Retrieved","year":"2021","unstructured":"2021 a. Kubernetes. https:\/\/kubernetes.io Retrieved September 15, 2021 from 2021 a. Kubernetes. https:\/\/kubernetes.io Retrieved September 15, 2021 from"},{"key":"e_1_3_2_2_19_1","volume-title":"Kubernetes API Reference. 
https:\/\/v1--18.docs.kubernetes.io\/docs\/reference\/ Retrieved","year":"2021","unstructured":"2021 b. Kubernetes API Reference. https:\/\/v1--18.docs.kubernetes.io\/docs\/reference\/ Retrieved September 20, 2021 from 2021 b. Kubernetes API Reference. https:\/\/v1--18.docs.kubernetes.io\/docs\/reference\/ Retrieved September 20, 2021 from"},{"key":"e_1_3_2_2_20_1","volume-title":"Kubernetes Audit Logs. https:\/\/kubernetes.io\/docs\/tasks\/debug-application-cluster\/audit\/ Retrieved","year":"2021","unstructured":"2021 c. Kubernetes Audit Logs. https:\/\/kubernetes.io\/docs\/tasks\/debug-application-cluster\/audit\/ Retrieved September 09, 2021 from 2021 c. Kubernetes Audit Logs. https:\/\/kubernetes.io\/docs\/tasks\/debug-application-cluster\/audit\/ Retrieved September 09, 2021 from"},{"key":"e_1_3_2_2_21_1","volume-title":"www.elastic.co\/logstash\/ Retrieved","author":"Logstash","year":"2021","unstructured":"2021. Logstash CVE-2020--8554. www.elastic.co\/logstash\/ Retrieved June 13, 2021 from 2021. Logstash CVE-2020--8554. www.elastic.co\/logstash\/ Retrieved June 13, 2021 from"},{"key":"e_1_3_2_2_22_1","volume-title":"https:\/\/docs.openshift.com\/ Retrieved","year":"2021","unstructured":"2021. OpenShift. https:\/\/docs.openshift.com\/ Retrieved September 15, 2021 from 2021. OpenShift. https:\/\/docs.openshift.com\/ Retrieved September 15, 2021 from"},{"key":"e_1_3_2_2_23_1","volume-title":"Security Audit of Docker Container Images in Cloud Architecture","author":"Shameem Ahamed Waheeda Syed","unstructured":"Waheeda Syed Shameem Ahamed , Pavol Zavarsky , and Bobby Swar . 2021. Security Audit of Docker Container Images in Cloud Architecture . In ICSCCC. IEEE. Waheeda Syed Shameem Ahamed, Pavol Zavarsky, and Bobby Swar. 2021. Security Audit of Docker Container Images in Cloud Architecture. In ICSCCC. IEEE."},{"key":"e_1_3_2_2_24_1","unstructured":"Ankur Ankan and Abinash Panda. 2015. pgmpy: Probabilistic graphical models using python. In SCIPY. Citeseer.  
Ankur Ankan and Abinash Panda. 2015. pgmpy: Probabilistic graphical models using python. In SCIPY. Citeseer."},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"crossref","unstructured":"S\u00f6ren Bleikertz Carsten Vogel Thomas Gro\u00df and Sebastian M\u00f6dersheim. 2015. Proactive security analysis of changes in virtualized infrastructures. In ACSAC .  S\u00f6ren Bleikertz Carsten Vogel Thomas Gro\u00df and Sebastian M\u00f6dersheim. 2015. Proactive security analysis of changes in virtualized infrastructures. In ACSAC .","DOI":"10.1145\/2818000.2818034"},{"key":"e_1_3_2_2_27_1","volume-title":"Introduction to algorithms","author":"Cormen Thomas H","unstructured":"Thomas H Cormen , Charles E Leiserson , Ronald L Rivest , and Clifford Stein . 2009. Introduction to algorithms . MIT press . 594--602 pages. Thomas H Cormen, Charles E Leiserson, Ronald L Rivest, and Clifford Stein. 2009. Introduction to algorithms .MIT press. 594--602 pages."},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.02.026"},{"key":"e_1_3_2_2_29_1","volume-title":"Flask web development: developing web applications with python .\" O'Reilly Media","author":"Grinberg Miguel","unstructured":"Miguel Grinberg . 2018. Flask web development: developing web applications with python .\" O'Reilly Media , Inc .\". Miguel Grinberg. 2018. Flask web development: developing web applications with python .\" O'Reilly Media, Inc.\"."},{"key":"e_1_3_2_2_30_1","unstructured":"Richard D Hipp. 2020. SQLite . https:\/\/www.sqlite.org\/index.html  Richard D Hipp. 2020. SQLite . https:\/\/www.sqlite.org\/index.html"},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"crossref","unstructured":"Min Li Wanyu Zang Kun Bai Meng Yu and Peng Liu. 2013. MyCloud: supporting user-configured privacy protection in cloud computing. In ACSAC .  Min Li Wanyu Zang Kun Bai Meng Yu and Peng Liu. 2013. MyCloud: supporting user-configured privacy protection in cloud computing. 
In ACSAC .","DOI":"10.1145\/2523649.2523680"},{"key":"e_1_3_2_2_32_1","unstructured":"Wu Luo Qingni Shen Yutang Xia and Zhonghai Wu. 2019. Container-IMA: a privacy-preserving integrity measurement architecture for containers. In RAID .  Wu Luo Qingni Shen Yutang Xia and Zhonghai Wu. 2019. Container-IMA: a privacy-preserving integrity measurement architecture for containers. In RAID ."},{"key":"e_1_3_2_2_33_1","volume-title":"Proactive verification of security compliance for clouds through pre-computation: Application to OpenStack","author":"Majumdar Suryadipta","unstructured":"Suryadipta Majumdar , Yosr Jarraya , Taous Madi , Amir Alimohammadifar , Makan Pourzandi , Lingyu Wang , and Mourad Debbabi . 2016. Proactive verification of security compliance for clouds through pre-computation: Application to OpenStack . In ESORICS. Springer . Suryadipta Majumdar, Yosr Jarraya, Taous Madi, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, and Mourad Debbabi. 2016. Proactive verification of security compliance for clouds through pre-computation: Application to OpenStack. In ESORICS. Springer."},{"key":"e_1_3_2_2_34_1","volume-title":"LeaPS: Learning-based proactive security auditing for clouds","author":"Majumdar Suryadipta","unstructured":"Suryadipta Majumdar , Yosr Jarraya , Momen Oqaily , Amir Alimohammadifar , Makan Pourzandi , Lingyu Wang , and Mourad Debbabi . 2017. LeaPS: Learning-based proactive security auditing for clouds . In ESORICS. Springer . Suryadipta Majumdar, Yosr Jarraya, Momen Oqaily, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, and Mourad Debbabi. 2017. LeaPS: Learning-based proactive security auditing for clouds. In ESORICS. 
Springer."},{"key":"e_1_3_2_2_35_1","volume-title":"Proactivizer: Transforming existing verification tools into efficient solutions for runtime security enforcement","author":"Majumdar Suryadipta","year":"2019","unstructured":"Suryadipta Majumdar , Azadeh Tabiban , Meisam Mohammady , Alaa Oqaily , Yosr Jarraya , Makan Pourzandi , Lingyu Wang , and Mourad Debbabi . 2019 . Proactivizer: Transforming existing verification tools into efficient solutions for runtime security enforcement . In ESORICS. Springer . Suryadipta Majumdar, Azadeh Tabiban, Meisam Mohammady, Alaa Oqaily, Yosr Jarraya, Makan Pourzandi, Lingyu Wang, and Mourad Debbabi. 2019. Proactivizer: Transforming existing verification tools into efficient solutions for runtime security enforcement. In ESORICS. Springer."},{"key":"e_1_3_2_2_36_1","volume-title":"mbox","author":"Neapolitan Richard E","year":"2004","unstructured":"Richard E Neapolitan mbox . 2004 . Learning bayesian networks . Vol. 38 . Pearson Prentice Hall Upper Saddle River , NJ. 550 pages. Richard E Neapolitan et almbox. 2004. Learning bayesian networks . Vol. 38. Pearson Prentice Hall Upper Saddle River, NJ. 550 pages."},{"key":"e_1_3_2_2_37_1","volume-title":"Farzana Ahamed Bhuiyan, and Akond Rahman","author":"Shamim Shazibul Islam","year":"2020","unstructured":"d Shazibul Islam Shamim , Farzana Ahamed Bhuiyan, and Akond Rahman . 2020 . XI Commandments of Kubernetes Security: A Systematization of Knowledge Related to Kubernetes Security Practices. In SecDev. IEEE. d Shazibul Islam Shamim, Farzana Ahamed Bhuiyan, and Akond Rahman. 2020. XI Commandments of Kubernetes Security: A Systematization of Knowledge Related to Kubernetes Security Practices. In SecDev. IEEE."},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1002\/eng2.12080"},{"key":"e_1_3_2_2_39_1","volume-title":"The max-min hill-climbing Bayesian network structure learning algorithm. 
Machine learning","author":"Tsamardinos Ioannis","year":"2006","unstructured":"Ioannis Tsamardinos , Laura E Brown , and Constantin F Aliferis . 2006. The max-min hill-climbing Bayesian network structure learning algorithm. Machine learning , Vol. 65 , 1 ( 2006 ), 31--78. Ioannis Tsamardinos, Laura E Brown, and Constantin F Aliferis. 2006. The max-min hill-climbing Bayesian network structure learning algorithm. Machine learning , Vol. 65, 1 (2006), 31--78."},{"key":"e_1_3_2_2_40_1","unstructured":"Wes McKinney. 2010. Data Structures for Statistical Computing in Python. In SCIPY St\u00e9fan van der Walt and Jarrod Millman (Eds.).  Wes McKinney. 2010. Data Structures for Statistical Computing in Python. In SCIPY St\u00e9fan van der Walt and Jarrod Millman (Eds.)."},{"key":"e_1_3_2_2_41_1","volume-title":"Arun Balaji Buduru, and Vinjith Nagaraja","author":"Yau Stephen S","year":"2015","unstructured":"Stephen S Yau , Arun Balaji Buduru, and Vinjith Nagaraja . 2015 . Protecting critical cloud infrastructures with predictive capability. In CLOUD. IEEE. Stephen S Yau, Arun Balaji Buduru, and Vinjith Nagaraja. 2015. Protecting critical cloud infrastructures with predictive capability. In CLOUD. 
IEEE."}],"event":{"name":"CODASPY '22: Twelfth ACM Conference on Data and Application Security and Privacy","location":"Baltimore MD USA","acronym":"CODASPY '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3508398.3511515","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3508398.3511515","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:39Z","timestamp":1750188639000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3508398.3511515"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,14]]},"references-count":39,"alternative-id":["10.1145\/3508398.3511515","10.1145\/3508398"],"URL":"https:\/\/doi.org\/10.1145\/3508398.3511515","relation":{},"subject":[],"published":{"date-parts":[[2022,4,14]]},"assertion":[{"value":"2022-04-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}