Forensic Evidence Pipeline for Self-Healing Container Security
Cyber Security
Semester programme: Master Applied IT
Client company: TNO Cyber Security Technologies
Project group members: Liang Yap
Project description
SH4CS (Self-Healing for Cyber Security) detects compromised Kubernetes containers and regenerates them from a clean image. It restores availability but does not record what caused the compromise, so the same attack can succeed again on the next container instance. This project adds a forensic evidence pipeline that collects container state in the seconds before each regeneration: Falco syscall alerts, Apache HTTP access logs, and a filesystem snapshot taken via a Kubernetes preStop lifecycle hook. Evidence is stored in a central Forensic Memory Service deployed inside the cluster. A rule-based analysis script maps the collected evidence to MITRE ATT&CK technique identifiers, assesses root cause, and generates candidate remediations for human review. Approved fixes are applied to the container image, so the baseline improves between attack cycles.
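The rule-based analysis step described above, shown as an added example rather than the project's own script: constructed evidence in the shape of the three sources the pipeline collects (Falco JSON alerts, Apache access log lines, and a file list from the preStop snapshot) is run through a handful of rules that map it to ATT&CK technique IDs, score confidence by how many independent evidence items agree, classify the root cause, and list candidate remediations for a human to approve. The Falco rule names, paths and remediation texts are assumptions made for the example.

```python
"""Rule-based mapping of collected container evidence to MITRE ATT&CK IDs.

Added example, not the project's analysis script. The evidence below is
constructed to resemble what the pipeline collects: Falco alerts (JSON),
Apache access log lines, and the file list from a preStop snapshot.
Rule names, paths and remediation texts are assumptions.
"""
import json
import re
from collections import defaultdict

# --- constructed sample evidence (not real captures) -----------------------
FALCO_ALERTS = [
    '{"rule": "Shell spawned by web server", "priority": "Warning", '
    '"output_fields": {"proc.name": "sh", "proc.pname": "apache2", "fd.name": ""}}',
    '{"rule": "Write below web root", "priority": "Error", '
    '"output_fields": {"proc.name": "sh", "proc.pname": "apache2", '
    '"fd.name": "/var/www/html/uploads/cmd.php"}}',
]
APACHE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "POST /upload.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /uploads/cmd.php HTTP/1.1" 200 64',
]
SNAPSHOT_FILES = ["/var/www/html/index.php", "/var/www/html/uploads/cmd.php"]

WEB_SERVERS = {"apache2", "httpd", "nginx"}
SHELLS = {"sh", "bash", "dash"}
WEB_ROOT = "/var/www/html/"
SCRIPT_EXT = re.compile(r"\.(php|phtml|jsp|aspx?)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

REMEDIATIONS = {  # candidate fixes offered for human approval (assumed wording)
    "T1190": "validate uploaded content and file extensions in the upload handler",
    "T1059.004": "build the image without /bin/sh, or block execve of shells with seccomp",
    "T1505.003": "serve the upload directory with script execution disabled",
}


def parse_falco(lines):
    """Falco writes one JSON object per alert when json_output is enabled."""
    return [json.loads(line) for line in lines]


def parse_access(lines):
    """Minimal parser for Apache common log format; skips unparseable lines."""
    records = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            records.append({"ip": m.group(1), "method": m.group(2),
                            "path": m.group(3), "status": int(m.group(4))})
    return records


def map_techniques(alerts, requests, files):
    """Apply detection rules; returns {technique_id: [evidence, ...]}."""
    hits = defaultdict(list)
    for alert in alerts:
        f = alert.get("output_fields", {})
        # Web server process spawning a shell: Unix shell execution after exploitation.
        if f.get("proc.pname") in WEB_SERVERS and f.get("proc.name") in SHELLS:
            hits["T1059.004"].append(f"falco: {alert['rule']}")
            hits["T1190"].append(f"falco: {f['proc.pname']} spawned {f['proc.name']}")
        # Server-side script written under the document root: web shell indicator.
        target = f.get("fd.name", "")
        if target.startswith(WEB_ROOT) and SCRIPT_EXT.search(target):
            hits["T1505.003"].append(f"falco: script written to {target}")
    for r in requests:
        if r["method"] == "POST" and r["status"] == 200 and "upload" in r["path"]:
            hits["T1190"].append(f"access: {r['method']} {r['path']} from {r['ip']}")
        if "/uploads/" in r["path"] and SCRIPT_EXT.search(r["path"]):
            hits["T1505.003"].append(f"access: {r['method']} {r['path']} served")
    for path in files:
        if path.startswith(WEB_ROOT + "uploads/") and SCRIPT_EXT.search(path):
            hits["T1505.003"].append(f"snapshot: {path} present")
    return dict(hits)


def confidence(evidence):
    """High when at least two independent evidence items point at the technique."""
    return "high" if len(evidence) >= 2 else "medium"


def root_cause(hits):
    """An accepted upload followed by a script under the web root."""
    upload_seen = any(e.startswith("access: POST") for e in hits.get("T1190", []))
    if upload_seen and "T1505.003" in hits:
        return "insecure input handling"
    return "unknown"


def analyze(falco_lines, access_lines, files):
    """Full pass: parse the three evidence sources and produce a review report."""
    hits = map_techniques(parse_falco(falco_lines), parse_access(access_lines), files)
    return {
        "techniques": {t: {"confidence": confidence(ev), "evidence": ev}
                       for t, ev in hits.items()},
        "root_cause": root_cause(hits),
        "candidate_remediations": [REMEDIATIONS[t] for t in sorted(hits) if t in REMEDIATIONS],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(FALCO_ALERTS, APACHE_ACCESS_LOG, SNAPSHOT_FILES), indent=2))
```

Confidence here is deliberately simple: a technique that only one evidence item supports stays at "medium", and corroboration across the syscall, HTTP and filesystem sources is what lifts it to "high". That is the property worth preserving in a real rule set, since a single noisy Falco rule should not on its own drive an image change.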
Context
When Kubernetes regenerates a container, it destroys the pod and all in-memory state. Any forensic evidence must be collected in the seconds between the regeneration decision and termination. SH4CS does not use this window. The ACR (Autonomous Cyber Resilience) architecture defines a System I layer for detection and regeneration and a System II layer for adaptation, but System II has no implementation in SH4CS. The forensic pipeline provides the evidence collection layer that makes adaptation possible.
Results
The pipeline was validated across 150+ captures and 150+ pod restarts on the Fontys Educloud cluster with no missed captures. Against the attack chain T1190 → T1059.004 → T1505.003, the analysis script identified all three techniques at high confidence and correctly classified the root cause as insecure input handling. Three candidate remediations were generated for human approval. An end-to-end automated demo completes in approximately 90 seconds.