Intrusion Detection System for Applications using Linux Containers
Amr S. Abed, Charles Clancy, David S. Levy

TL;DR
This paper presents a real-time host-based intrusion detection system for Linux containers that monitors system calls to detect malicious activity, enhancing security in containerized environments.
Contribution
It introduces a passive detection method that models a container's behavior as bags of system calls (per-window frequency counts observed from the host kernel) and flags windows that deviate from the learned profile in real time.
Findings
Effective detection of container malfeasance demonstrated against a database application
System call monitoring from the host kernel keeps detection latency low enough for real-time operation
Applicable to standalone hosts and multi-tenant cloud environments
Abstract
Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers, whether running standalone or in a multi-tenant cloud environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel to learn the behavior of an application running within a Linux container and to determine when the container's behavior is anomalous. Performance of the approach was measured using a database application, and the results are discussed.
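To make the bag-of-system-calls idea in the abstract concrete, here is an added illustrative example that is not the authors' code. It parses strace-style lines into a syscall sequence, turns a sliding window of calls into a bag (counts per syscall name, order discarded), learns a database of bags from a training trace, and then scores each epoch of a new trace by how many bags fall outside the learned database. The scoring rule used here (exact-match lookup, an L1 distance tolerance, and an alarm when mismatches per epoch exceed a threshold) is an assumption standing in for the paper's own scoring, and the traces, syscall loops and the `INTRUSION` sequence are constructed for the demo, not captured from a real database container.

```python
import re
from collections import Counter

# One strace -f line: "<pid> <syscall>(<args>) = <ret>" or "[pid <pid>] <syscall>(...)".
SYSCALL_RE = re.compile(r"^\s*(?:\[pid\s+)?(\d+)\]?\s+([a-z0-9_]+)\(")


def parse_syscalls(trace):
    """Ordered syscall names from strace-style text.
    Non-syscall lines (signal deliveries, '+++ exited' markers) are skipped."""
    names = []
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.append(m.group(2))
    return names


def bags_of_syscalls(names, window):
    """Sliding window of `window` calls -> bag = frequency of each syscall name.
    Ordering inside the window is deliberately dropped; only counts survive."""
    return [frozenset(Counter(names[i:i + window]).items())
            for i in range(len(names) - window + 1)]


def bag_distance(a, b):
    """L1 distance between two bags (sum of absolute per-name count differences)."""
    da, db = dict(a), dict(b)
    return sum(abs(da.get(k, 0) - db.get(k, 0)) for k in set(da) | set(db))


class BoSCDetector:
    """Assumed scoring rule, not the paper's: a bag is a mismatch if it is not in the
    learned database and its nearest known bag is farther than `tolerance`."""

    def __init__(self, window=10, epoch=50, tolerance=2, max_mismatches=5):
        self.window = window                  # syscalls per bag
        self.epoch = epoch                    # bags per scoring epoch
        self.tolerance = tolerance            # L1 distance still treated as known
        self.max_mismatches = max_mismatches  # mismatches per epoch before alarm
        self.normal = set()                   # learned database of normal bags

    def train(self, names):
        self.normal.update(bags_of_syscalls(names, self.window))

    def is_mismatch(self, bag):
        if not self.normal:
            return True
        if bag in self.normal:
            return False
        return min(bag_distance(bag, n) for n in self.normal) > self.tolerance

    def detect(self, names):
        """Return (epoch_index, mismatch_count, alarm) for each epoch of the trace."""
        bags = bags_of_syscalls(names, self.window)
        out = []
        for e, start in enumerate(range(0, len(bags), self.epoch)):
            mism = sum(self.is_mismatch(b) for b in bags[start:start + self.epoch])
            out.append((e, mism, mism > self.max_mismatches))
        return out


def synth_trace(pattern, repeats, pid=4242):
    """Constructed strace-like text (not a real capture): one line per call."""
    return "\n".join(f"{pid} {name}(3, 0x7ffd2a1c0000, 4096) = 0"
                     for _ in range(repeats) for name in pattern)


# Constructed request-handling loops of a hypothetical database container.
QUERY_LOOP = ["epoll_wait", "accept4", "read", "fstat", "pread64", "write", "close"]
FLUSH_LOOP = ["epoll_wait", "read", "futex", "pread64", "write", "fsync", "close"]
# Constructed intrusion: a spawned process enumerating files and opening a socket out.
INTRUSION = ["execve", "openat", "getdents64", "socket", "connect", "sendto"]

TRAINING = "\n".join([synth_trace(QUERY_LOOP, 30), synth_trace(FLUSH_LOOP, 20),
                      synth_trace(QUERY_LOOP, 10)])
NORMAL_RUN = "\n".join([synth_trace(FLUSH_LOOP, 10), synth_trace(QUERY_LOOP, 15)])
SUSPECT_RUN = "\n".join([synth_trace(QUERY_LOOP, 12), synth_trace(INTRUSION, 3),
                         synth_trace(QUERY_LOOP, 12)])


def run_demo():
    """Train on TRAINING, then score a clean run and a run with the intrusion spliced in."""
    det = BoSCDetector()
    det.train(parse_syscalls(TRAINING))
    return det.detect(parse_syscalls(NORMAL_RUN)), det.detect(parse_syscalls(SUSPECT_RUN))


if __name__ == "__main__":
    normal, suspect = run_demo()
    for label, res in (("normal", normal), ("suspect", suspect)):
        for e, mism, alarm in res:
            print(f"{label} epoch {e}: {mism} mismatches {'ALARM' if alarm else 'ok'}")
```

The clean run scores zero mismatches in every epoch because every window it produces (including the ones straddling the flush-to-query transition) was seen during training; the spliced-in intrusion makes the windows that overlap it at least 2k in L1 distance from any learned bag, where k is the number of foreign calls in the window, so the epoch containing it trips the alarm while the epochs before and after stay quiet. In practice the tolerance and per-epoch threshold trade false positives against detection delay, and the training trace must cover the application's legitimate modes (connection setup, checkpoints, log rotation) or those will alarm just like an attack would.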
