Jacopo presented his work with A. Blaise at THCON 2025, a major conference on system security for the French community, in Toulouse on April 11, 2025. Watch it!

SUPPLY CHAIN SECURITY IN KUBERNETES

In recent years, there has been an explosion of attacks directed at microservice-based platforms – a trend that closely follows the massive shift of the digital industries towards these environments. The management and operation of container-based microservices heavily rely on automation, leveraging container orchestration engines such as Kubernetes. This talk will explore how supply-chain attacks can propagate from a single compromised container or endpoint to an entire Kubernetes cluster. We will begin by showcasing how vulnerabilities can be concealed within container images through malicious compliance of Software Bills of Materials (SBOM). Next, we will illustrate how attackers can exploit this foothold to infiltrate and compromise the broader Kubernetes cluster. We will then present advanced techniques for analyzing and strengthening the security posture of Kubernetes deployments. Key areas include securing the full supply chain, from container configurations to Kubernetes setups, detecting vulnerabilities and misconfigurations, monitoring the system for real-time threats and attacks, and implementing mitigation strategies to safeguard microservice ecosystems.

Agathe Blaise is currently a research engineer at Thales (Gennevilliers, France). She received her engineering degree in computer science from ISEN (Lille, France) in 2017, and the Ph.D. degree in Computer Science from LIP6, Sorbonne University (Paris, France) in 2020. Her research interests focus on data analysis applied to network security (intrusion detection systems, anomaly detection and botnet detection), cloud computing security, data dissemination management, and quantum networks.

Jacopo Bufalino is a researcher at CNAM (Paris, France) and a doctoral candidate at Aalto University (Espoo, Finland). Previously, he worked for several years in DevOps and DevSecOps. His research interests include cloud network security, container security, and software supply chain security.

Agathe Blaise (Thales) 🎙️, Jacopo Bufalino (CNAM) 🎙️

Related publications



Conference papers

  • Jacopo Bufalino, Jose Luis Martin Navarro, Mario Di Francesco, Tuomas Aura. Inside Job: Defending Kubernetes Clusters Against Network Misconfigurations. CoNEXT, Dec 2025, Hong Kong, France. ⟨10.1145/3749220⟩. ⟨hal-05230013⟩
  • Jacopo Bufalino, Jose Luis Martin Navarro, Aleksi Peltonen, Tuomas Aura. Helm-ET: Reducing Exposure to Lateral Movement in Kubernetes Artifacts. 2025 IEEE 18th International Conference on Cloud Computing (CLOUD), Jul 2025, Helsinki, Finland. pp.109-120, ⟨10.1109/CLOUD67622.2025.00021⟩. ⟨hal-05231853⟩
  • Agathe Blaise, Mathieu Bouet, Vania Conan, Stefano Secci. BotFP: FingerPrints Clustering for Bot Detection. IEEE/IFIP Network Operations and Management Symposium (NOMS), Apr 2020, Budapest, Hungary. ⟨10.1109/NOMS47738.2020.9110420⟩. ⟨hal-02501912⟩
  • Agathe Blaise, Mathieu Bouet, Stefano Secci, Vania Conan. Split-and-Merge: Detecting Unknown Botnets. IFIP/IEEE Integrated Management (IM) Conference, Apr 2019, Arlington, United States. pp.153-161. ⟨hal-02119801⟩

Book sections

  • Agathe Blaise, Sandra Scott-Hayward, Stefano Secci. Scalable and Collaborative Intrusion Detection and Prevention Systems Based on SDN and NFV. Guide to Disaster-Resilient Communication Networks, Springer, pp.653-673, 2020, Computer Communications and Networks, ⟨10.1007/978-3-030-44685-7_26⟩. ⟨hal-02910290⟩

Other publications

  • Agathe Blaise, Mathieu Bouet, Vania Conan, Stefano Secci. Désanonymisation du jeu de données MAWI. MISC : multi-system & internet security cookbook, 2018. ⟨hal-03188716⟩

Theses

  • Agathe Blaise. Novel anomaly detection and classification algorithms for IP and mobile networks. Networking and Internet Architecture [cs.NI]. Sorbonne Université, 2020. English. ⟨NNT : 2020SORUS257⟩. ⟨tel-03190474v2⟩

Supply chain security in Kubernetes – by A. Blaise, J. Bufalino – Apr. 11, 2025