{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T06:08:41Z","timestamp":1769926121838,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":68,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,16]],"date-time":"2023-10-16T00:00:00Z","timestamp":1697414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,16]]},"DOI":"10.1145\/3607199.3607205","type":"proceedings-article","created":{"date-parts":[[2023,10,3]],"date-time":"2023-10-03T22:30:51Z","timestamp":1696372251000},"page":"381-396","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["Container Orchestration Honeypot: Observing Attacks in the Wild"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2723-0370","authenticated-orcid":false,"given":"Noah","family":"Spahn","sequence":"first","affiliation":[{"name":"University of California, Santa Barbara, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-7995-6210","authenticated-orcid":false,"given":"Nils","family":"Hanke","sequence":"additional","affiliation":[{"name":"Ruhr University Bochum, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2783-1264","authenticated-orcid":false,"given":"Thorsten","family":"Holz","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5140-3414","authenticated-orcid":false,"given":"Christopher","family":"Kruegel","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3422-5369","authenticated-orcid":false,"given":"Giovanni","family":"Vigna","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2023,10,16]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"360CERT. 2022. PBot Mining Botnet Is Exploiting New Vulnerabilities. https:\/\/www.anquanke.com\/post\/id\/275297"},{"key":"e_1_3_2_1_2_1","unstructured":"Airflow. 2020. CVE-2020-11978. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11978"},{"key":"e_1_3_2_1_3_1","unstructured":"Airflow. 2022. CVE-2022-24288. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-24288"},{"key":"e_1_3_2_1_4_1","unstructured":"Inc. Amazon Web\u00a0Services. 2023. Security in Amazon EKS - Amazon EKS. https:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/security.html"},{"key":"e_1_3_2_1_5_1","unstructured":"Argoproj. 2023. argoproj\/argo-workflows. https:\/\/github.com\/argoproj\/argo-workflows\/blob\/master\/USERS.md original-date: 2017-08-21T18:50:44Z."},{"key":"e_1_3_2_1_6_1","unstructured":"Ian Carroll. 2021. Exploiting outdated Apache Airflow instances in bug bounties. https:\/\/ian.sh\/airflow"},{"key":"e_1_3_2_1_7_1","unstructured":"Tyler Charboneau. 2022. Key Insights from Stack Overflow\u2019s 2022 Developer Survey | Docker. https:\/\/www.docker.com\/blog\/key-insights-from-stack-overflows-2022-developer-survey\/ Running Time: 9622 Section: Community."},{"key":"e_1_3_2_1_8_1","unstructured":"Jay Chen. 2020. Attacker\u2019s Tactics and Techniques in Unsecured Docker Daemons Revealed. https:\/\/unit42.paloaltonetworks.com\/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed\/"},{"key":"e_1_3_2_1_9_1","unstructured":"NSA CISA. 2022. NSA CISA release Kubernetes Hardening Guidance. https:\/\/www.nsa.gov\/Press-Room\/News-Highlights\/Article\/Article\/2716980\/"},{"key":"e_1_3_2_1_10_1","unstructured":"CloudSploit. 2019. A Technical Analysis of the Capital One Hack. https:\/\/blog.cloudsploit.com\/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea"},{"key":"e_1_3_2_1_11_1","unstructured":"CloudStrike. 2023. 2023 Global Threat Report | CrowdStrike. https:\/\/www.crowdstrike.com\/global-threat-report\/"},{"key":"e_1_3_2_1_12_1","unstructured":"containerd. 2023. containerd. https:\/\/containerd.io\/"},{"key":"e_1_3_2_1_13_1","unstructured":"Docker. 2021. What is a Container? | Docker. https:\/\/www.docker.com\/resources\/what-container\/"},{"key":"e_1_3_2_1_14_1","volume-title":"Docker: Accelerated, Containerized Application Development. https:\/\/www.docker.com\/","year":"2022","unstructured":"Docker. 2022. Docker: Accelerated, Containerized Application Development. https:\/\/www.docker.com\/"},{"key":"e_1_3_2_1_15_1","unstructured":"Docker. 2023. Dockerfile reference. https:\/\/docs.docker.com\/engine\/reference\/builder\/"},{"key":"e_1_3_2_1_16_1","unstructured":"Docker. 2023. iptables and Docker. https:\/\/docs.docker.com\/network\/iptables\/"},{"key":"e_1_3_2_1_17_1","unstructured":"Docker. 2023. Run the Docker daemon as a non-root user (Rootless mode). https:\/\/docs.docker.com\/engine\/security\/rootless\/#known-limitations"},{"key":"e_1_3_2_1_18_1","unstructured":"Falco. 2023. Falco. https:\/\/falco.org\/"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545973"},{"key":"e_1_3_2_1_20_1","volume-title":"Backup Publisher: RFC Editor","author":"Foudil E.","year":"2022","unstructured":"E. Foudil and Y. Shafranovich. 2022. A File Format to Aid in Security Vulnerability Disclosure. RFC 9116. RFC Editor. Backup Publisher: RFC Editor ISSN: 2070-1721 Published: Internet Requests for Comments."},{"key":"e_1_3_2_1_21_1","unstructured":"Google. 2023. Google Kubernetes Engine (GKE). https:\/\/cloud.google.com\/kubernetes-engine"},{"key":"e_1_3_2_1_22_1","volume-title":"MASSCAN: Mass IP port scanner. https:\/\/github.com\/robertdavidgraham\/masscan original-date: 2013-07-28T05:35:33Z.","author":"Graham Robert\u00a0David","year":"2023","unstructured":"Robert\u00a0David Graham. 2023. MASSCAN: Mass IP port scanner. https:\/\/github.com\/robertdavidgraham\/masscan original-date: 2013-07-28T05:35:33Z."},{"key":"e_1_3_2_1_23_1","volume-title":"designing a honeypot using microservices-based architecture. Ph.\u00a0D. Dissertation","author":"Gupta C.","unstructured":"C. Gupta. 2021. HoneyKube : designing a honeypot using microservices-based architecture. Ph.\u00a0D. Dissertation. University of Twente. http:\/\/essay.utwente.nl\/88323\/"},{"key":"e_1_3_2_1_24_1","unstructured":"HackerOne. 2023. HackerOne | #1 Trusted Security Platform and Hacker Program. https:\/\/www.hackerone.com\/"},{"key":"e_1_3_2_1_25_1","unstructured":"Red Hat. 2022. What is container orchestration?https:\/\/www.redhat.com\/en\/topics\/containers\/what-is-container-orchestration"},{"key":"e_1_3_2_1_26_1","unstructured":"Kaizhe Huang. 2020. Learn the Attack Patterns of Kinsing with Sysdig. https:\/\/sysdig.com\/blog\/zoom-into-kinsing-kdevtmpfsi\/"},{"key":"e_1_3_2_1_27_1","unstructured":"initstring. 2023. Linux Privilege Escalation via LXD. https:\/\/github.com\/initstring\/lxd_root original-date: 2019-05-21T06:13:46Z."},{"key":"e_1_3_2_1_28_1","unstructured":"Intezer. 2022. TeamTNT Cryptomining Explosion. https:\/\/www.intezer.com\/blog\/malware-analysis\/teamtnt-cryptomining-explosion\/"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev45635.2020.00025"},{"key":"e_1_3_2_1_30_1","volume-title":"2021 IFIP\/IEEE International Symposium on Integrated Network Management (IM). IEEE","author":"Kato Seiya","year":"2021","unstructured":"Seiya Kato, Rui Tanabe, Katsunari Yoshioka, and Tsutomu Matsumoto. 2021. Adaptive Observation of Emerging Cyber Attacks targeting Various IoT Devices. In 2021 IFIP\/IEEE International Symposium on Integrated Network Management (IM). IEEE, Bordeaux, France, 143\u2013151."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.3390\/s21072433"},{"key":"e_1_3_2_1_32_1","unstructured":"Roi Kol. 2020. Deep Analysis of TeamTNT Techniques Using Container Images to Attack. https:\/\/blog.aquasec.com\/container-security-tnt-container-attack"},{"key":"e_1_3_2_1_33_1","volume-title":"Dockershim: The Historical Context. https:\/\/kubernetes.io\/blog\/2022\/05\/03\/dockershim-historical-context\/ Section: blog.","year":"2022","unstructured":"Kubernetes. 2022. Dockershim: The Historical Context. https:\/\/kubernetes.io\/blog\/2022\/05\/03\/dockershim-historical-context\/ Section: blog."},{"key":"e_1_3_2_1_34_1","volume-title":"Updated: Dockershim Removal FAQ. https:\/\/kubernetes.io\/blog\/2022\/02\/17\/dockershim-faq\/ Section: blog.","year":"2022","unstructured":"Kubernetes. 2022. Updated: Dockershim Removal FAQ. https:\/\/kubernetes.io\/blog\/2022\/02\/17\/dockershim-faq\/ Section: blog."},{"key":"e_1_3_2_1_35_1","unstructured":"Kubernetes. 2023. DaemonSet. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/daemonset\/ Section: docs."},{"key":"e_1_3_2_1_36_1","unstructured":"Kubernetes. 2023. Good practices for Kubernetes Secrets. https:\/\/kubernetes.io\/docs\/concepts\/security\/secrets-good-practices\/ Section: docs."},{"key":"e_1_3_2_1_37_1","unstructured":"Kubernetes. 2023. Pods. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/"},{"key":"e_1_3_2_1_38_1","unstructured":"Kubernetes. 2023. Production-Grade Container Orchestration. https:\/\/kubernetes.io\/"},{"key":"e_1_3_2_1_39_1","unstructured":"Kubernetes. 2023. Secrets. https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/ Section: docs."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833803"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2023.109596"},{"key":"e_1_3_2_1_42_1","volume-title":"Hacking Kubernetes: threat-driven analysis and defense. O\u2019Reilly Media","author":"Martin Andrew","unstructured":"Andrew Martin and Michael Hausenblas. 2022. Hacking Kubernetes: threat-driven analysis and defense. O\u2019Reilly Media, Sebastopol, CA. OCLC: on1248897043."},{"key":"e_1_3_2_1_43_1","unstructured":"Rory McCune. 2020. Exploring Rootless Docker. https:\/\/raesene.github.io\/blog\/2020\/12\/19\/rootless_docker\/"},{"key":"e_1_3_2_1_44_1","unstructured":"Rory McCune. 2022. Kubernetes RBAC: How to Avoid Privilege Escalation via Certificate Signing. https:\/\/blog.aquasec.com\/kubernetes-rbac-privilige-escalation"},{"key":"e_1_3_2_1_45_1","unstructured":"Victor\u00a0Ramos Mello. 2023. Diamorphine. https:\/\/github.com\/m0nad\/Diamorphine original-date: 2013-11-06T22:38:47Z."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2021.3094726"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103119"},{"key":"e_1_3_2_1_48_1","unstructured":"Moby. 2023. The Moby Project. https:\/\/github.com\/moby\/moby original-date: 2013-01-18T18:10:57Z."},{"key":"e_1_3_2_1_49_1","unstructured":"Monero. 2023. The Monero Project. https:\/\/www.getmonero.org\/\/index.html"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(21)00145-8"},{"key":"e_1_3_2_1_51_1","unstructured":"NetreseC. 2023. PolarProxy TLS proxy. https:\/\/www.netresec.com\/?page=PolarProxy"},{"key":"e_1_3_2_1_52_1","unstructured":"NHAS. 2023. Reverse SSH. https:\/\/github.com\/NHAS\/reverse_ssh original-date: 2021-02-11T05:15:56Z."},{"key":"e_1_3_2_1_53_1","volume-title":"SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft. https:\/\/sysdig.com\/blog\/cloud-breach-terraform-data-theft\/","author":"Pellitteri Alberto","year":"2023","unstructured":"Alberto Pellitteri. 2023. SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft. https:\/\/sysdig.com\/blog\/cloud-breach-terraform-data-theft\/"},{"key":"e_1_3_2_1_54_1","unstructured":"Podman. 2023. Podman. https:\/\/podman.io\/"},{"key":"e_1_3_2_1_55_1","unstructured":"Carlos Polop. 2023. PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation. https:\/\/github.com\/carlospolop\/PEASS-ng original-date: 2019-01-13T19:58:24Z."},{"key":"e_1_3_2_1_56_1","unstructured":"projectdiscovery. 2023. nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.https:\/\/github.com\/projectdiscovery\/nuclei"},{"key":"e_1_3_2_1_57_1","volume-title":"Virtual Honeypots: From Botnet Tracking to Intrusion Detection","author":"Provos Niels","year":"2008","unstructured":"Niels Provos and Thorsten Holz. 2008. Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley Professional PTG, Boston, Massachusetts 02116."},{"key":"e_1_3_2_1_58_1","volume-title":"Updated: New Evidence Emerges to Suggest WatchDog Was Behind Crypto Campaign. https:\/\/unit42.paloaltonetworks.com\/teamtnt-cryptojacking-watchdog-operations\/","author":"Quist Nathaniel","year":"2021","unstructured":"Nathaniel Quist. 2021. Updated: New Evidence Emerges to Suggest WatchDog Was Behind Crypto Campaign. https:\/\/unit42.paloaltonetworks.com\/teamtnt-cryptojacking-watchdog-operations\/"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3579639"},{"key":"e_1_3_2_1_60_1","unstructured":"Nicole\u00a0Fishbein Robinson Ryan. 2021. Misconfigured Airflows Leak Thousands of Credentials from Popular Services. https:\/\/www.intezer.com\/blog\/cloud-security\/misconfigured-airflows-leak-credentials\/"},{"key":"e_1_3_2_1_61_1","unstructured":"rootlesscontainers. 2020. Docker\/Moby | Rootless Containers. https:\/\/rootlesscontaine.rs\/getting-started\/docker\/"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103123"},{"key":"e_1_3_2_1_63_1","volume-title":"Cetus: Cryptojacking Worm Targeting Docker Daemons. https:\/\/unit42.paloaltonetworks.com\/cetus-cryptojacking-worm\/","author":"Sasson Aviv","year":"2020","unstructured":"Aviv Sasson. 2020. Cetus: Cryptojacking Worm Targeting Docker Daemons. https:\/\/unit42.paloaltonetworks.com\/cetus-cryptojacking-worm\/"},{"key":"e_1_3_2_1_64_1","unstructured":"ShadowServer. 2023. Over 380 000 open Kubernetes API servers | The Shadowserver Foundation. https:\/\/www.shadowserver.org\/news\/over-380-000-open-kubernetes-api-servers\/"},{"key":"e_1_3_2_1_65_1","unstructured":"Shellz. 2022. ziggystartux. https:\/\/github.com\/isdrupter\/ziggystartux original-date: 2016-02-12T03:58:21Z."},{"key":"e_1_3_2_1_66_1","unstructured":"Yossi Weizman. 2021. Secure containerized environments with updated threat matrix for Kubernetes. https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/03\/23\/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes\/"},{"key":"e_1_3_2_1_67_1","unstructured":"xmrig. 2023. XMRig. https:\/\/github.com\/xmrig\/xmrig original-date: 2017-04-15T05:57:53Z."},{"key":"e_1_3_2_1_68_1","unstructured":"zmap. 2023. ZGrab 2.0. https:\/\/github.com\/zmap\/zgrab2 original-date: 2016-08-19T23:22:02Z."}],"event":{"name":"RAID 2023: The 26th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Hong Kong China","acronym":"RAID 2023"},"container-title":["Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607205","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3607199.3607205","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:34Z","timestamp":1750178254000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607205"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,16]]},"references-count":68,"alternative-id":["10.1145\/3607199.3607205","10.1145\/3607199"],"URL":"https:\/\/doi.org\/10.1145\/3607199.3607205","relation":{},"subject":[],"published":{"date-parts":[[2023,10,16]]},"assertion":[{"value":"2023-10-16","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}