{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T16:02:20Z","timestamp":1780588940546,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":67,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1145\/3779208.3807484","type":"proceedings-article","created":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T15:21:58Z","timestamp":1780586518000},"page":"774-787","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["I<scp>mmu<\/scp>C<scp>heck<\/scp>: Selective Immutability for Container Escape Detection in Containerized Microservices"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-7853-1192","authenticated-orcid":false,"given":"Asbat","family":"El Khairi","sequence":"first","affiliation":[{"name":"University of Twente, Enschede, Netherlands"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1331-9702","authenticated-orcid":false,"given":"Amina","family":"Bassit","sequence":"additional","affiliation":[{"name":"Mobai, Gj\u00f8vik, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2929-5001","authenticated-orcid":false,"given":"Andreas","family":"Peter","sequence":"additional","affiliation":[{"name":"Carl von Ossietzky Universit\u00e4t Oldenburg, Oldenburg, 
Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0329-1830","authenticated-orcid":false,"given":"Andrea","family":"Continella","sequence":"additional","affiliation":[{"name":"University of Twente, Enschede, Netherlands"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,6,4]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proceedings of the USENIX Security Symposium","author":"Li Xing","year":"2021","unstructured":"Xing Li, Yan Chen, Zhiqiang Lin, Xiao Wang, and Jim Hao Chen. Automatic policy generation for inter-service access control of microservices. In Proceedings of the USENIX Security Symposium, 2021."},{"key":"e_1_3_2_1_2_1","volume-title":"Containers and microservices \u2014 a perfect pair. https:\/\/developer.ibm.com\/tutorials\/cl-ibm-cloud-microservices-in-action-part-2-trs\/","author":"Rick Osowski","year":"2021","unstructured":"Osowski Rick. Containers and microservices \u2014 a perfect pair. https:\/\/developer.ibm.com\/tutorials\/cl-ibm-cloud-microservices-in-action-part-2-trs\/, 2021."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.3990\/1.9789036569460"},{"key":"e_1_3_2_1_4_1","volume-title":"https:\/\/www.cncf.io\/wp-content\/uploads\/2025\/04\/cncf_annual_survey24_031225a.pdf","author":"Computing Foundation Cloud Native","year":"2024","unstructured":"Cloud Native Computing Foundation. Cloud Native 2024. https:\/\/www.cncf.io\/wp-content\/uploads\/2025\/04\/cncf_annual_survey24_031225a.pdf, 2024."},{"key":"e_1_3_2_1_5_1","volume-title":"Cloud Lateral Movement: Breaking in through a Vulnerable Container. https:\/\/sysdig.com\/blog\/lateral-movement-cloud-containers\/","author":"Stephano Chierici","year":"2022","unstructured":"Chierici Stephano. Cloud Lateral Movement: Breaking in through a Vulnerable Container. 
https:\/\/sysdig.com\/blog\/lateral-movement-cloud-containers\/, 2022."},{"key":"e_1_3_2_1_6_1","volume-title":"Andrea Continella. ConLock: Reducing Runtime Attack Surface in Containerized Microservices. In 4th International Workshop on System Security Assurance, SecAssure 2025","author":"Khairi Asbat El","year":"2025","unstructured":"Asbat El Khairi, Andreas Peter, and Andrea Continella. ConLock: Reducing Runtime Attack Surface in Containerized Microservices. In 4th International Workshop on System Security Assurance, SecAssure 2025, 2025."},{"key":"e_1_3_2_1_7_1","volume-title":"Falco: container native runtime security. https:\/\/falco.org\/","year":"2022","unstructured":"Sysdig. Falco: container native runtime security. https:\/\/falco.org\/, 2022."},{"key":"e_1_3_2_1_8_1","unstructured":"Aquasec. Aqua tracee: Runtime ebpf threat detection engine. https:\/\/www.aquasec.com\/products\/tracee\/."},{"key":"e_1_3_2_1_9_1","unstructured":"Kubernetes. Production-grade container orchestration."},{"key":"e_1_3_2_1_10_1","unstructured":"MITRE. Escape to Host: Mitigations. https:\/\/attack.mitre.org\/techniques\/T1611\/."},{"key":"e_1_3_2_1_11_1","volume-title":"Xiaohui Gu. CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications. In Proceedings of Annual Computer Security Applications Conference (ACSAC)","author":"Lin Yuhang","year":"2020","unstructured":"Yuhang Lin, Olufogorehan Tunde-Onadele, and Xiaohui Gu. CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications. In Proceedings of Annual Computer Security Applications Conference (ACSAC), 2020."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-24858-5_8"},{"key":"e_1_3_2_1_13_1","volume-title":"Andrea Continella. ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices. 
In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS)","author":"Khairi Asbat El","year":"2024","unstructured":"Asbat El Khairi, Marco Caselli, Andreas Peter, and Andrea Continella. ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS), February 2024."},{"key":"e_1_3_2_1_14_1","volume-title":"Andrea Continella. ProCatch: Detecting Execution-based Anomalies in Single-Instance Microservices. In 13th IEEE Conference on Communications and Network Security, CNS 2025","author":"Khairi Asbat El","year":"2025","unstructured":"Asbat El Khairi, Andreas Peter, and Andrea Continella. ProCatch: Detecting Execution-based Anomalies in Single-Instance Microservices. In 13th IEEE Conference on Communications and Network Security, CNS 2025, 2025."},{"key":"e_1_3_2_1_15_1","volume-title":"Andrea Continella. Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection. In Proceedings of the Cloud Computing Security Workshop (CCSW)","author":"Khairi Asbat El","year":"2022","unstructured":"Asbat El Khairi, Marco Caselli, Christian Knierim, Andreas Peter, and Andrea Continella. Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection. In Proceedings of the Cloud Computing Security Workshop (CCSW), 2022."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/IC2E55432.2022.00035"},{"key":"e_1_3_2_1_17_1","volume-title":"Microservices architecture and design: A complete overview. https:\/\/vfunction.com\/blog\/microservices-architecture-guide\/","year":"2024","unstructured":"Shatanik, Bhattacharjee. Microservices architecture and design: A complete overview. https:\/\/vfunction.com\/blog\/microservices-architecture-guide\/, 2024."},{"key":"e_1_3_2_1_18_1","unstructured":"\u00d6zeren Sila. The Ten Most Common Kubernetes Security Misconfigurations & How to Address Them. 
https:\/\/zhenzhongxu.com\/the-four-innovation-phases-of-netflixs-trillions-scale-real-time-data-infrastructure-2370938d7f01 2024."},{"key":"e_1_3_2_1_19_1","volume-title":"Sysdig 2021 Container Security and Usage Report. https:\/\/sysdig.com\/content\/c\/pf-2021-container-security-and-usage-report?x=u_WFRi","year":"2021","unstructured":"Sysdig. Sysdig 2021 Container Security and Usage Report. https:\/\/sysdig.com\/content\/c\/pf-2021-container-security-and-usage-report?x=u_WFRi, 2021."},{"key":"e_1_3_2_1_20_1","unstructured":"Linux. core(5) - linux man page. https:\/\/man7.org\/linux\/man-pages\/man5\/core.5.html."},{"key":"e_1_3_2_1_21_1","volume-title":"Black Hat USA, 2019","author":"Edwards Ian","year":"2024","unstructured":"Ian Edwards. Compendium of container escapes. In Black Hat USA, 2019. Accessed: 2024-10-30."},{"key":"e_1_3_2_1_22_1","unstructured":"Dongqi Han Zhiliang Wang Wenqi Chen Kai Wang Rui Yu Su Wang Han Zhang Zhihua Wang Minghui Jin Jiahai Yang et al. Anomaly detection in the open world: Normality shift detection explanation and adaptation."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3127479.3129249"},{"key":"e_1_3_2_1_24_1","unstructured":"Sysdig. CVE-2022-0492: Privilege escalation vulnerability causing container escape. https:\/\/sysdig.com\/blog\/detecting-mitigating-cve-2022-0492-sysdig\/."},{"key":"e_1_3_2_1_25_1","volume-title":"Docker breakout - privilege escalation","year":"2024","unstructured":"HackTricks. Docker breakout - privilege escalation, 2024. Accessed: 2024-10-30."},{"key":"e_1_3_2_1_26_1","volume-title":"Scarleteel: Operation leveraging terraform, kubernetes, and aws for data theft. https:\/\/www.sysdig.com\/blog\/cloud-breach-terraform-data-theft","year":"2023","unstructured":"Sysdig. Scarleteel: Operation leveraging terraform, kubernetes, and aws for data theft. https:\/\/www.sysdig.com\/blog\/cloud-breach-terraform-data-theft, 2023."},{"key":"e_1_3_2_1_27_1","unstructured":"Docker. 
OverlayFS Storage Driver. https:\/\/docs.docker.com\/engine\/storage\/drivers\/overlayfs-driver\/."},{"key":"e_1_3_2_1_28_1","unstructured":"Bom Kim Hyeonjun Park and Seungsoo Lee. Kubeteus: An intelligent network policy generation framework for containers."},{"key":"e_1_3_2_1_29_1","unstructured":"Istio. Bookinfo application. https:\/\/istio.io\/latest\/docs\/examples\/bookinfo\/."},{"key":"e_1_3_2_1_30_1","unstructured":"Phil Winder Ian Crosby Alex Giurgiu. Sock Shop : A Microservice Demo Application. https:\/\/github.com\/microservices-demo\/microservices-demo."},{"key":"e_1_3_2_1_31_1","unstructured":"Cedric Ziel Steve Waterworth. Sample Microservice Application. https:\/\/github.com\/instana\/robot-shop."},{"key":"e_1_3_2_1_32_1","unstructured":"Cisco. Martian bank demo. https:\/\/github.com\/cisco-open\/martian-bank-demo."},{"key":"e_1_3_2_1_33_1","unstructured":"Morej\u00f3n Manuel. Cinema - Example of Microservices in Go with Docker Kubernetes and MongoDB. https:\/\/github.com\/mmorejon\/microservices-docker-go-mongodb."},{"key":"e_1_3_2_1_34_1","unstructured":"Carl Knutsson Joakim Heyman et al. Locust: An open source load testing tool. https:\/\/locust.io\/."},{"key":"e_1_3_2_1_35_1","unstructured":"Selenium. Selenium automates browsers. That's it! https:\/\/www.selenium.dev\/."},{"key":"e_1_3_2_1_36_1","unstructured":"Daniel Stenberg. Curl. https:\/\/curl.se\/."},{"key":"e_1_3_2_1_37_1","volume-title":"https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/pod-lifecycle\/","author":"Lifecycle Pod","year":"2024","unstructured":"Kubernetes. Pod Lifecycle. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/pod-lifecycle\/, 2024."},{"key":"e_1_3_2_1_38_1","volume-title":"Jaccard similarity. https:\/\/www.learndatasci.com\/glossary\/jaccard-similarity\/","author":"Karabiber Fatih","year":"2023","unstructured":"Fatih Karabiber. Jaccard similarity. 
https:\/\/www.learndatasci.com\/glossary\/jaccard-similarity\/, 2023."},{"key":"e_1_3_2_1_39_1","unstructured":"Xcube LABS. Differences between stateful and stateless containers."},{"key":"e_1_3_2_1_40_1","unstructured":"Linux. inotify(7) \u2014 linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/inotify.7.html."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/191177.191183"},{"key":"e_1_3_2_1_42_1","unstructured":"Kubernetes. Container Runtime Interface (CRI). https:\/\/kubernetes.io\/docs\/concepts\/architecture\/cri\/."},{"key":"e_1_3_2_1_43_1","unstructured":"Python. Python is a programming language that lets you work quickly and integrate systems more effectively. https:\/\/www.python.org\/."},{"key":"e_1_3_2_1_44_1","unstructured":"The Kubernetes Authors. Kubeadm. https:\/\/kubernetes.io\/docs\/reference\/setup-tools\/kubeadm\/."},{"key":"e_1_3_2_1_45_1","unstructured":"Andrew Randall. 7 fun flatcar facts from our community survey. https:\/\/www.flatcar.org\/blog\/2021\/09\/7-fun-flatcar-facts-from-our-community-survey."},{"key":"e_1_3_2_1_46_1","unstructured":"Google Cloud Platform. Google Online Boutique. https:\/\/github.com\/GoogleCloudPlatform\/microservices-demo."},{"key":"e_1_3_2_1_47_1","volume-title":"Running distributed services on GKE private clusters using Cloud Service Mesh. https:\/\/cloud.google.com\/service-mesh\/docs\/distributed-services-private-clusters","author":"Cloud Google","year":"2019","unstructured":"Google Cloud. Running distributed services on GKE private clusters using Cloud Service Mesh. https:\/\/cloud.google.com\/service-mesh\/docs\/distributed-services-private-clusters, 2019."},{"key":"e_1_3_2_1_48_1","unstructured":"Azure. Aks store demo. https:\/\/github.com\/Azure-Samples\/aks-store-demo."},{"key":"e_1_3_2_1_49_1","unstructured":"AWS-Containers. Aws containers retail sample. 
https:\/\/github.com\/aws-containers\/retail-store-sample-app."},{"key":"e_1_3_2_1_50_1","unstructured":"Application Security Cheat Sheet. https:\/\/0xn3va.gitbook.io\/cheat-sheets\/container\/escaping\/sensitive-mounts."},{"key":"e_1_3_2_1_51_1","unstructured":"Asaf Eitani. Threat Actors Using release_agent Container Escape. https:\/\/www.aquasec.com\/blog\/threat-alert-container-escape\/."},{"key":"e_1_3_2_1_52_1","unstructured":"Ben Melamed. An Automated Response to Malicious Pod Activity. https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/an-automated-response-to-malicious-pod-activity\/."},{"key":"e_1_3_2_1_53_1","unstructured":"Falco Talon. List of Actionners. https:\/\/docs.falco-talon.org\/docs\/actionners\/list\/."},{"key":"e_1_3_2_1_54_1","unstructured":"Kubernetes. Pod lifecycle. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/pods\/pod-lifecycle\/."},{"key":"e_1_3_2_1_55_1","unstructured":"Kubernetes. kube-apiserver. https:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kube-apiserver\/."},{"key":"e_1_3_2_1_56_1","first-page":"29","volume-title":"Sysdig 2023 cloud-native security and usage report","year":"2023","unstructured":"Sysdig. Sysdig 2023 cloud-native security and usage report. pages 1\u201329, 2023."},{"key":"e_1_3_2_1_57_1","unstructured":"BusyBox. Busybox. https:\/\/busybox.net\/."},{"key":"e_1_3_2_1_58_1","unstructured":"Docker. Use the btrfs storage driver. https:\/\/docs.docker.com\/storage\/storagedriver\/btrfs-driver\/."},{"key":"e_1_3_2_1_59_1","unstructured":"Docker. Use the ZFS storage driver. https:\/\/docs.docker.com\/storage\/storagedriver\/zfs-driver\/."},{"key":"e_1_3_2_1_60_1","unstructured":"NeuVector. Full lifecycle container security platform. https:\/\/neuvector.com\/."},{"key":"e_1_3_2_1_61_1","unstructured":"Aquasec. We Stop Attacks on Cloud Native Applications. 
https:\/\/www.aquasec.com\/."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"e_1_3_2_1_63_1","volume-title":"Automated falco rule tuning. https:\/\/sysdig.com\/blog\/falco-rule-tuning\/","year":"2021","unstructured":"Sysdig. Automated falco rule tuning. https:\/\/sysdig.com\/blog\/falco-rule-tuning\/, 2021."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3474123.3486762"},{"key":"e_1_3_2_1_65_1","volume-title":"AppArmor Technical Documentation","author":"Gruenbacher Andreas","year":"2007","unstructured":"Andreas Gruenbacher and Seth Arnold. AppArmor Technical Documentation, 2007."},{"key":"e_1_3_2_1_66_1","unstructured":"NVD. CVE-2022-0847 Detail. https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2022-0847."},{"key":"e_1_3_2_1_67_1","unstructured":"NVD. CVE-2022-0492 Detail. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-0492."}],"event":{"name":"ASIA CCS '26: ACM Asia Conference on Computer and Communications Security","location":"Bangalore India","acronym":"ASIA CCS '26","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the ACM Asia Conference on Computer and Communications 
Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3779208.3807484","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T15:25:35Z","timestamp":1780586735000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3779208.3807484"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6]]},"references-count":67,"alternative-id":["10.1145\/3779208.3807484","10.1145\/3779208"],"URL":"https:\/\/doi.org\/10.1145\/3779208.3807484","relation":{},"subject":[],"published":{"date-parts":[[2026,6]]},"assertion":[{"value":"2026-06-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}