Publication Type

PhD Dissertation

Version

publishedVersion

Publication Date

5-2026

Abstract

Cloud-native systems have become the backbone of modern software infrastructure. However, their dynamic resource orchestration and complex configurability introduce a large attack surface and intricate security challenges. Adversaries can externally exploit vulnerabilities in cloud components or perform insider movement within cloud environments to launch attacks. As these systems increasingly support critical services, security breaches can lead to severe operational and economic consequences.

Despite extensive efforts in vulnerability detection and attack monitoring, existing approaches struggle to remain effective in cloud-native environments characterized by rapid evolution and inherent heterogeneity. In particular, they exhibit three fundamental limitations: (1) Insufficient understanding of defect patterns in critical cloud infrastructure components. (2) Limited robustness of attack detection methods under continuously evolving cloud systems, where frequent application updates and runtime changes alter system execution patterns and shift the distribution of observed system logs, and (3) Lack of realistic, high-fidelity data for representing complex threat scenarios, particularly insider attacks driven by human behaviors, which limits the development and evaluation of generalizable insider threat detection methods. These limitations significantly undermine the effectiveness and practical applicability of current cloud security solutions.

This dissertation adopts a threat-driven, vertically integrated perspective on cloudnative security. It advances the security of cloud-native systems along three complementary dimensions: systematic defect characterization in infrastructure software, robust external attack detection under dynamic environments, and simulation-based data generation for insider threat analysis in data-sensitive scenarios.

Specifically, this dissertation comprises three works: • Defects Characterization in Cloud Runtimes. We conduct a large-scale empirical study of bugs in container runtime systems (CRSs), aiming to uncover defect patterns that may introduce security risks at the infrastructure layer. By analyzing bug-fixing commits across four widely used runtimes, we construct systematic taxonomies of bug symptoms and root causes, revealing recurring defect patterns with potential security implications. Our analysis further shows that existing testing techniques fail to detect nearly 79% of these bugs due to missing drivers, weak test oracles, and ineffective input generation, exposing fundamental limitations in current approaches to cloud bug detection. • Robust Attack Detection under Dynamic Environments. We investigate the robustness of external attack detection under realistic operational dynamics in cloud-native systems. We develop CAShift, a benchmark that captures representative normality shifts, including variations across application versions, application types, and system architectures. CAShift comprises 4.5 billion log entries and 20 attack scenarios. Through comprehensive evaluation, we show that state-of-the-art detection methods experience performance degradation of up to 34% under such shifts. Furthermore, we demonstrate that shift adaptation techniques, such as continual learning, can recover up to 27% of the lost performance, highlighting the importance of robustness in non-stationary environments. • Automated Data Generation for Insider Threat Detection. Insider threat detection is fundamentally limited by the lack of realistic and high-fidelity data for modeling complex insider behaviors. We propose Chimera, an LLM-based multi-agent framework that simulates organizational activities and insider attacks at scale. Based on Chimera, we construct ChimeraLog, a large-scale dataset containing 25 billion log entries across six modalities and 15 attack types. Our evaluation shows that the generated logs exhibit higher realism and greater behavioral complexity than existing datasets, while enabling systematic analysis for defending diverse insider threats.


These studies systematically address key gaps in cloud security, establishing a unified foundation for securing cloud-native systems against both external and insider threats.

Degree Awarded

PhD in Computer Science

Discipline

Information Security | Software Engineering

Supervisor(s)

XIE, Xiaofei

First Page

1

Last Page

153

Publisher

Singapore Management University

City or Country

Singapore

Copyright Owner and License

Author

Share

COinS