The rise of cloud-native applications, containerized environments, and dynamic infrastructure has transformed how organizations deploy and manage workloads. While this evolution accelerates innovation, it also introduces new security challenges. Traditional signature-based detection methods, which rely on pre-defined behavioral patterns or known indicators of compromise (IoCs), often fail to keep pace with novel threats targeting modern systems. Uptycs' anomaly detection capabilities address these challenges by leveraging eBPF-powered telemetry and machine learning (ML) to detect deviations from expected behavior across containers, hosts, and Kubernetes environments. This blog explores the limitations of traditional detection methods, highlights real-world attack scenarios, and shows how anomaly detection delivers actionable insights for securing dynamic workloads.

Why Signature-Based Detections Fall Short

Signature-based detection has been a cornerstone of cybersecurity, but its reliance on known patterns makes it ineffective against evolving threats. Today's adversaries exploit this limitation in environments that span containers, hosts, and Kubernetes orchestration layers. Here are some scenarios where behavioral signatures fall short:

1. Cryptojacking Campaigns in Kubernetes Clusters
2. Supply Chain Attacks via Compromised Images
3. Fileless Malware on Hosts and Containers

These examples highlight the need for adaptive defenses like anomaly detection that monitor deviations in behavior across systems, providing visibility into containerized workloads, host activity, and Kubernetes orchestration layers.

How Uptycs Detects Anomalies Across Hosts and Containers

Uptycs leverages eBPF for telemetry collection and ML models for adaptive baselining, enabling granular insights into behavior. Here's how it works:

1. Model Definition and Grouping: First, security teams can use the out-of-the-box models or create their own. They can specify a learning time (for example, 24 hours of eBPF activity) over which the baseline is built. What is also unique about the Uptycs approach is that it allows flexible definition of models. For example, you can go beyond the image digest and group by Kubernetes labels that define application boundaries (e.g. a label distinguishing frontend from backend).
2. Inclusion & Exclusion: You can perform the modeling on all clusters and namespaces or on a subset of them, with the ability to exclude as well. For example, there may be a namespace in which a CI/CD pipeline pulls down binaries to run scripts, and you want that activity left out of the baseline.
3. Baselining and Anomaly Reporting: Once Uptycs has built the baseline, you can view the anomalies found for the model both across the platform and per model.

Let's see how it works in action:

Anomaly Detection in Action

Anomaly detection focuses on identifying deviations from established baselines of normal behavior, making it ideal for dynamic and distributed environments. Whether it is detecting unusual process execution on a host or spotting anomalous resource consumption in a container, anomaly detection provides visibility into threats that evade traditional methods. In the following example we have created a model against an nginx image whose baseline learning time is set to 5. We see that the model caught anomalies across process, DNS, and network.

Investigating the Anomalies: A Step-by-Step Analysis

When anomaly detection is triggered, the investigation begins. Let's dive into what was uncovered in this scenario, piecing together the suspicious activities to form a coherent narrative.

Processes: An Unexpected Command Emerges

During routine monitoring, we noticed that an nginx container, which typically handles web requests, suddenly executed a curl command. This raised an immediate red flag, as such commands are not part of the usual baseline behavior for this container.

Network Activity: Unfamiliar Connections

Zooming in on the network traffic, additional anomalies emerged. The container initiated outbound connections to unknown IP addresses. Not only were these destinations unrecognized, but the connections occurred across multiple ports, including the HTTP and DNS ports.

DNS: Strange Domains Appear

Delving deeper into the DNS logs, further deviations from the baseline were uncovered. While DNS activity was minimal during normal operations, the container suddenly resolved an unusual domain: abc.com. This domain, upon inspection, appeared untrusted and potentially malicious.

Piecing It All Together

From process execution to network and DNS anomalies, the evidence points to a likely compromise: Together, these anomalies weave a compelling narrative of an attack in progress, providing invaluable context for security teams.

The Uptycs Blast Radius Mitigation Framework is a five-step journey to cloud security resilience. Read the guide to learn more.
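The three-step workflow (model definition with label-based grouping, namespace inclusion/exclusion, baselining and anomaly reporting) and the nginx investigation that follows it can be shown end to end with a small behavioral baseliner. The code below is an added example, not Uptycs code: the event records stand in for eBPF telemetry and their field names (`ts`, `namespace`, `labels`, `kind`, `value`) are assumptions, as are the label key `app`, the 300-second learning window, the excluded `ci` namespace, and the TEST-NET address 203.0.113.10 used for the unknown destination. It learns what each label-defined group did during the learning window and then flags post-learning process, network, and DNS values that fall outside that baseline, reproducing the curl / unknown IP on two ports / abc.com sequence described above while ignoring the excluded CI namespace.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Model:
    """Behavioral model: how workloads are grouped, how long to learn, what is in scope."""
    name: str
    group_by: str                                    # label key defining the application boundary
    learning_seconds: int                            # baselining window measured from model start
    include_namespaces: Optional[frozenset] = None   # None means every namespace
    exclude_namespaces: frozenset = frozenset()
    # (group, kind) -> set of values observed during learning
    baseline: dict = field(default_factory=lambda: defaultdict(set))

    def in_scope(self, ev) -> bool:
        ns = ev["namespace"]
        if ns in self.exclude_namespaces:
            return False
        return self.include_namespaces is None or ns in self.include_namespaces

    def group_of(self, ev) -> str:
        # Group by a Kubernetes label (e.g. app=frontend) instead of the image digest.
        return ev["labels"].get(self.group_by, "<unlabeled>")

    def learn(self, events) -> None:
        """Record every (group, kind, value) seen inside the learning window."""
        for ev in events:
            if ev["ts"] < self.learning_seconds and self.in_scope(ev):
                self.baseline[(self.group_of(ev), ev["kind"])].add(ev["value"])

    def detect(self, events) -> list:
        """Report in-scope post-learning events whose value is outside the baseline."""
        anomalies = []
        for ev in events:
            if ev["ts"] < self.learning_seconds or not self.in_scope(ev):
                continue
            key = (self.group_of(ev), ev["kind"])
            if ev["value"] not in self.baseline[key]:
                anomalies.append({"model": self.name, "group": key[0],
                                  "kind": ev["kind"], "value": ev["value"],
                                  "ts": ev["ts"]})
        return anomalies


def summarize(anomalies) -> dict:
    """Per-kind counts: the process / network / DNS rollup a model view would show."""
    return dict(Counter(a["kind"] for a in anomalies))


def _ev(ts, namespace, app, kind, value):
    # Constructed event shape standing in for an eBPF telemetry record.
    return {"ts": ts, "namespace": namespace, "labels": {"app": app},
            "kind": kind, "value": value}


# Constructed telemetry: a 300 s learning window, then the post-learning activity
# the investigation describes (curl, unknown IP on two ports, abc.com lookup).
SAMPLE_EVENTS = [
    _ev(10, "web", "frontend", "process", "nginx"),
    _ev(20, "web", "frontend", "network", "10.0.0.5:8080"),    # upstream backend
    _ev(30, "web", "backend", "process", "python3"),
    _ev(40, "ci", "runner", "process", "curl"),                 # CI namespace, excluded
    _ev(400, "web", "frontend", "process", "nginx"),            # normal, in baseline
    _ev(410, "web", "frontend", "process", "curl"),             # unexpected command
    _ev(420, "web", "frontend", "network", "203.0.113.10:80"),  # unknown IP, HTTP port
    _ev(421, "web", "frontend", "network", "203.0.113.10:53"),  # unknown IP, DNS port
    _ev(430, "web", "frontend", "dns", "abc.com"),              # unusual domain
    _ev(440, "ci", "runner", "process", "curl"),                # excluded: not reported
]


def run_scenario() -> list:
    """Build the nginx frontend model, learn, and return the anomalies it reports."""
    model = Model(name="nginx-frontend", group_by="app", learning_seconds=300,
                  exclude_namespaces=frozenset({"ci"}))
    model.learn(SAMPLE_EVENTS)
    return model.detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    found = run_scenario()
    for a in found:
        print(f"[{a['kind']:7}] group={a['group']} value={a['value']} t={a['ts']}s")
    print("summary:", summarize(found))
```

The baseline is keyed per group and per event kind, so an `app=backend` pod running `python3` never teaches the `app=frontend` group that `python3` is normal, and a group with no DNS activity during learning flags its first lookup, which is exactly the "minimal DNS, then abc.com" pattern in the walkthrough. Widening the learning window or the grouping label is the trade-off between fewer false positives and coarser boundaries.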