Research article. DOI: 10.1145/3442520.3442530

Towards Unsupervised Introspection of Containerized Application

Published: 13 March 2021

Abstract

Containers (containerization), one of the newer forms of virtualization, have attracted increasing attention and a considerable share of the market owing to their inherent lightweight characteristic. However, this lightweight advantage comes at the price of security: attacks against the weak isolation of containers have been reported, and the shared kernel is another targeted point of weakness. This work aims to provide secure monitoring of containerized applications, which can help i) the infrastructure owner to ensure that the running application is harmless, and ii) the application owner to detect anomalous behaviors. We propose to use unsupervised introspection tools to perform non-intrusive monitoring, leveraging system call traces to classify anomalies. Since the traditional datasets used for anomaly detection either focus only on network traces or are limited to a few attributes of system calls, we crafted and collected various normal and abnormal behaviors of a containerized application and built an optimized, open-source system-call-based dataset. Unsupervised machine learning classifiers are trained on the proposed dataset, and a comprehensive case study has been performed and analyzed. The results show the feasibility of unsupervised introspection of containerized applications.
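A minimal version of the system-call-trace approach the abstract describes, as an added example that is not the paper's code, dataset or classifiers: it reduces strace-style output from a container's process to a sequence of syscall names, learns the set of syscall n-grams seen during normal runs (the sequence time-delay embedding, "stide", idea of Hofmeyr, Forrest and Somayaji), and flags a trace whose fraction of never-seen n-grams exceeds a threshold calibrated by leave-one-out over the normal traces only, since an unsupervised detector has no attack labels to tune against. The HTTP server, its file paths, all traces and the 198.51.100.7 address are constructed for illustration.

```python
"""Sequence-based unsupervised anomaly detection over container syscall traces.

Added example, not the paper's code or dataset.  The normal profile is the set of
syscall n-grams seen in known-good runs (the "stide" idea of Hofmeyr, Forrest and
Somayaji); a new trace is scored by the fraction of its n-grams the profile has
never seen.  Every trace here is constructed for illustration.
"""
from typing import List, Sequence, Set, Tuple

NGram = Tuple[str, ...]

# Constructed normal traces of a small HTTP server, reduced to syscall names:
# two runs each of "file served" and "404", one keep-alive connection.
GET_OK = ["accept4", "read", "openat", "fstat", "read", "write", "close", "close"]
GET_404 = ["accept4", "read", "openat", "write", "close"]
KEEPALIVE = ["accept4", "read", "openat", "fstat", "read", "write", "close",
             "read", "openat", "fstat", "read", "write", "close", "close"]
NORMAL_TRACES: List[List[str]] = [GET_OK, GET_OK, GET_404, GET_404, KEEPALIVE]

# Constructed strace-style text (shape of `strace -f -p <pid>` output) of a
# request that makes the server spawn a shell with an outbound connection.
ANOMALOUS_RAW = r"""accept4(3, {sa_family=AF_INET, sin_port=htons(51234)}, [16], SOCK_CLOEXEC) = 5
read(5, "GET /cgi-bin/x HTTP/1.1\r\n", 4096) = 25
openat(AT_FDCWD, "/srv/www/cgi-bin/x", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0755, st_size=88, ...}) = 0
read(6, "#!/bin/sh\n...", 4096) = 88
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 99
[pid    99] execve("/bin/sh", ["/bin/sh", "-c", "id"], 0x7ffd2a3c1d40 /* 4 vars */) = 0
[pid    99] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
[pid    99] connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
[pid    99] dup2(3, 0) = 0
[pid    99] dup2(3, 1) = 1
[pid    99] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=99, si_status=0} ---
write(5, "HTTP/1.1 200 OK\r\n", 17) = 17
close(5) = 0
"""

def parse_strace(text: str) -> List[str]:
    """Reduce strace -f output to syscall names: drop "[pid N]" prefixes, signal
    lines, exit markers and "<... resumed>" fragments (already counted once)."""
    names: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[pid"):
            line = line.split("]", 1)[1].lstrip()
        if not line or line[0] in "<+-":
            continue
        name = line.split("(", 1)[0]
        if name.isidentifier():  # skips "strace: Process N attached" and the like
            names.append(name)
    return names

def ngrams(seq: Sequence[str], n: int) -> List[NGram]:
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

class StideProfile:
    """Set of syscall n-grams observed during known-good runs."""
    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.known: Set[NGram] = set()

    def fit(self, traces: Sequence[Sequence[str]]) -> "StideProfile":
        for trace in traces:
            self.known.update(ngrams(trace, self.n))
        return self

    def unseen(self, trace: Sequence[str]) -> List[NGram]:
        return [g for g in ngrams(trace, self.n) if g not in self.known]

    def score(self, trace: Sequence[str]) -> float:
        """Anomaly score in [0, 1]: fraction of n-grams never seen in training."""
        total = len(ngrams(trace, self.n))
        return len(self.unseen(trace)) / total if total else 0.0

def calibrate_threshold(traces: List[List[str]], n: int = 3, margin: float = 0.05) -> float:
    """Leave-one-out over normal traces: worst held-out score plus a margin, since
    the unsupervised setting has no attack labels to tune a threshold against."""
    worst = 0.0
    for i, held_out in enumerate(traces):
        worst = max(worst, StideProfile(n).fit(traces[:i] + traces[i + 1:]).score(held_out))
    return worst + margin

def detect(raw_trace: str, n: int = 3) -> Tuple[bool, float, List[NGram]]:
    """Fit on NORMAL_TRACES; return (flagged, score, unseen n-grams) for strace text."""
    profile = StideProfile(n).fit(NORMAL_TRACES)
    trace = parse_strace(raw_trace)
    score = profile.score(trace)
    return score > calibrate_threshold(NORMAL_TRACES, n), score, profile.unseen(trace)

if __name__ == "__main__":
    flagged, score, unseen = detect(ANOMALOUS_RAW)
    print(f"anomalous={flagged} score={score:.3f}")
    for gram in unseen:
        print("  never seen:", " -> ".join(gram))
```

The strace shape is only one feed; the same name sequence can be produced by sysdig or an eBPF tracer, which, unlike a ptrace attach, do not slow the traced process down. With `strace -f` every process of the container is merged into one sequence; grouping lines by pid before n-gramming gives per-process profiles at the cost of shorter sequences. The n-gram length and the threshold are the only knobs, and both are set from normal data here; the held-out keep-alive trace is what pushes the threshold above zero, which is exactly the kind of rare-but-legitimate path a too-small normal corpus would misflag.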

Information

Published In

ICCNS '20: Proceedings of the 2020 10th International Conference on Communication and Network Security
November 2020
145 pages
ISBN:9781450389037
DOI:10.1145/3442520
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Anomaly Detection
  2. Container
  3. Docker
  4. Introspection
  5. Open Source Dataset
  6. Unsupervised

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICCNS 2020

Cited By

  • DL-HIDS: deep learning-based host intrusion detection system using system calls-to-image for containerized cloud environment. The Journal of Supercomputing 80(9):12218–12246, 2024. DOI 10.1007/s11227-024-05895-3
  • Misuse Detection and Response for Orchestrated Microservices Based Software. Advanced Information Networking and Applications, pp. 217–226, 2024. DOI 10.1007/978-3-031-57942-4_22
  • Ab-HIDS: An anomaly-based host intrusion detection system using frequency of N-gram system call features and ensemble learning for containerized environment. Concurrency and Computation: Practice and Experience 36(23), 2024. DOI 10.1002/cpe.8249
  • DCIDS—Distributed Container IDS. Applied Sciences 13(16):9301, 2023. DOI 10.3390/app13169301
  • A Zero-day Container Attack Detection based on Ensemble Machine Learning. 2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA), pp. 1–8, 2023. DOI 10.1109/ETFA54631.2023.10275683
  • Ensemble of Random and Isolation Forests for Graph-Based Intrusion Detection in Containers. 2022 IEEE International Conference on Cyber Security and Resilience (CSR), pp. 30–37, 2022. DOI 10.1109/CSR54599.2022.9850307
