Probabilistic Real-Time Intrusion Detection System for Docker Containers

Srinivasan, Siddharth; Kumar, Akshay; Mahajan, Manik; Sitaram, Dinkar; Gupta, S. V.

doi:10.1007/978-981-13-5826-5_26

Cited by 14 publications

(9 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another solution involves the integration of syscalls with explainable machine learning algorithms, offering a new perspective on how to interpret container anomalies [28]. Yet another approach uses n-grams of syscalls to identify anomalies based on their occurrence probabilities [48]. Contrary to these baselinebased approaches that demand periodic retraining to adapt to normality shifts, our approach effectively detects anomalies by comparing the patterns of replicas while accommodating drifts without the need for retraining.…”

Section: Ixrelated Workmentioning

confidence: 99%

ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices

El Khairi,

Caselli,

Peter

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Despite its detection capabilities against previously unseen threats, anomaly detection suffers from critical limitations, which often prevent its deployment in real-world settings. In fact, anomaly-based intrusion detection systems rely on comprehensive pre-established baselines for effectively identifying suspicious activities. Unfortunately, prior research showed that these baselines age and gradually lose their effectiveness over time, especially in dynamic deployments such as microservices-based environments, where the concept of "normality" is frequently redefined due to shifting operational conditions. This scenario reinforces the need for periodic retraining to uphold optimal performance -a process that proves challenging, particularly in the context of security applications.We propose a novel, training-less approach to monitoring microservices-based environments. Our system, REPLI-CAWATCHER, observes the behavior of identical container instances (i.e., replicas) and detects anomalies without requiring prior training. Our key insight is that replicas, adopted for fault tolerance or scalability reasons, execute analogous tasks and exhibit similar behavioral patterns, which allow anomalous containers to stand out as a notable deviation from their corresponding replicas, thereby serving as a crucial indicator of security threats. The results of our experimental evaluation show that our approach is resilient against normality shifts and maintains its effectiveness without the necessity for retraining. Besides, despite not relying on a training phase, REPLICAWATCHER performs comparably to state-of-the-art, training-based solutions, achieving an average precision of 91.08% and recall of 98.35%.

show abstract

Section: Ixrelated Workmentioning

confidence: 99%

ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices

El Khairi,

Caselli,

Peter

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Hence, system call monitoring is a common technique for detecting suspicious behavior in compromised applications because malicious code has to use system calls to perform malicious operations. Tools like strace and ftrace are used to show the sequence of system calls made by a particular command or process [16]. Monitoring system calls can help identify and mitigate problems caused by compromised applications.…”

Section: System Callsmentioning

confidence: 99%

“…Frequency lists are not the sole method for using system call traces in machine learning applications. For instance, Srinivasan et al [16] used sequences of system calls with preserved order to create 𝑛-grams with Maximum Likelihood Estimator for anomaly detection in containers. Karn et al [23] used n-gram representation as well during detecting malicious processes inside containers.…”

Section: System Callsmentioning

confidence: 99%

AI-driven container security approaches for 5G and beyond: A survey

Taha¹,

Kuru²,

Sever³

et al. 2023

ITU J-FET

View full text Add to dashboard Cite

The rising use of microservice-based software deployment on the cloud leverages containerized software extensively. The security of applications running inside containers, as well as the container environment itself, are critical for infrastructure in cloud settings and 5G. To address security concerns, research efforts have been focused on container security with subfields such as intrusion detection, malware detection and container placement strategies. These security efforts are roughly divided into two categories: rule-based approaches and machine learning that can respond to novel threats. In this study, we survey the container security literature focusing on approaches that leverage machine learning to address security challenges.

show abstract

“…Srinivasan et al [24] developed a real-time anomaly identification model that uses n-grams of system calls and the probability of their occurrence in Docker containers. The trace is processed using Maximum Likelihood Estimator (MLE) and Simple Good Turing (SGT) to provide a better estimate of system call sequence values.…”

Section: Related Workmentioning

confidence: 99%

“…Therefore, for this kind of applications, there is a need for a complementary security solution to monitor these malicious activities through intrusion detection tools. Some approaches have been published addressing the problem of intrusion detection at a container level for multi-tenancy applications [1,12,24], as reported in Section 2. However, these approaches present limited performance.…”

Section: Introductionmentioning

confidence: 99%

Performance Evaluation of Container-Level Anomaly-Based Intrusion Detection Systems for Multi-Tenant Applications Using Machine Learning Algorithms

Cavalcanti

Inácio

Freire

2021

Proceedings of the 16th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

The virtualization of computing resources provided by containers has gained increasing attention and has been widely used in cloud computing. This new demand for container technology has been growing and the use of Docker and Kubernetes is considerable. According to recent technology surveys, containers are now mainstream. However, currently, one of the major challenges rises from the fact that multiple containers, with different owners, may cohabit on the same host. In container-based multi-tenant environments, security issues are of major concern. In this paper we investigate the performance of container-level anomaly-based intrusion detection systems for multi-tenant applications. We investigate the use of Bag of System Calls (BoSC) technique and the sliding window with the classifier and we consider eight machine learning algorithms for classification purposes. We show that among the eight machine learning algorithms, the best classification results are obtained with Decision Tree and Random Forest which lead to an F-Measure of 99.8%, using a sliding window with a size of 30 and the BoSC algorithm in both cases. We also show that, although both Decision Tree and Random Forest algorithms leads to the best classification results, the Decision Tree algorithm has a shorter execution time and consumes less CPU and memory than the Random Forest.

show abstract

Probabilistic Real-Time Intrusion Detection System for Docker Containers

Cited by 14 publications

References 10 publications

ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices

ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices

AI-driven container security approaches for 5G and beyond: A survey

Performance Evaluation of Container-Level Anomaly-Based Intrusion Detection Systems for Multi-Tenant Applications Using Machine Learning Algorithms

Contact Info

Product

Resources

About