Automatic Adjustment of HPA Parameters and Attack Prevention in Kubernetes Using Random Forests
Hanlin Zhou, Huah Yong Chan, Jingfei Ni, Mengchun Wu, Qing Deng
TL;DR
This work tackles the challenge of Kubernetes Horizontal Pod Autoscaler (HPA) overreacting to attack traffic by using HTTP status codes as custom metrics and a Random Forest classifier to detect directory-scanning attacks. The approach dynamically adjusts HPA maxReplicas and redirects attacking IPs to honeypot pods, thereby preventing resource waste and preserving service availability. The authors implement a two-layer Nginx architecture with Prometheus-compatible metrics, train and deploy a Random Forest model, and demonstrate behavior under several attack scenarios. Overall, the framework provides a practical, adaptable method for integrated attack detection, traffic isolation, and responsive autoscaling in cloud-native environments, though threshold tuning is critical for robust performance.
Abstract
In this paper, HTTP status codes are used as custom metrics within the HPA as the experimental scenario. By integrating the Random Forest classification algorithm from machine learning, attacks are assessed and predicted, dynamically adjusting the maximum pod parameter in the HPA to manage attack traffic. This approach enables the adjustment of HPA parameters using machine learning scripts in targeted attack scenarios while effectively managing attack traffic. All access from attacking IPs is redirected to honeypot pods, achieving a lower incidence of 5XX status codes through HPA pod adjustments under high load conditions. This method also ensures effective isolation of attack traffic, preventing excessive HPA expansion due to attacks. Additionally, experiments conducted under various conditions demonstrate the importance of setting appropriate thresholds for HPA adjustments.
