Ensemble of Random and Isolation Forests for Graph-Based Intrusion Detection in Containers
Alfonso Iacovazzi, Shahid Raza

TL;DR
This paper introduces an ensemble of random and isolation forests that analyzes system call graphs to detect intrusions in cloud containers, achieving high accuracy and low false positives.
Contribution
It presents a novel graph-based ensemble approach combining supervised and unsupervised models for kernel-level intrusion detection in containers.
Findings
High detection rates for container attacks
Low false positive rates in experiments
Effective graph-based behavior modeling
Abstract
We propose a novel solution combining supervised and unsupervised machine learning models for intrusion detection at kernel level in cloud containers. In particular, the proposed solution is built over an ensemble of random and isolation forests trained on sequences of system calls that are collected at the hosting machine's kernel level. The sequences of system calls are translated into a weighted, directed graph to obtain a compact description of the container's behavior, which is given as input to the ensemble model. We executed a set of experiments in a controlled environment in order to test our solution against the two most common threats that have been identified in cloud containers, and our results show that we achieve high detection rates and low false positives for the tested attacks.
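The graph construction the abstract describes, as an added example that is not the authors' code: a kernel-level syscall trace is turned into a weighted, directed graph whose edge (a, b) counts how often syscall a is immediately followed by syscall b, and the graph is flattened into a fixed-length vector that a forest model can consume. The ensemble of random and isolation forests is not implemented here; the vector returned by feature_vector is the kind of input it would receive. Both traces, the vocabulary and the unseen-edge check are constructed for illustration and are assumptions, not data from the paper.

```python
"""Weighted, directed syscall graph as a compact description of container behavior.

Added example (not the paper's code). Sample traces are constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

Edge = Tuple[str, str]
Graph = Dict[Edge, int]

# Constructed sample traces: the ordered syscall names one container process
# issued, as a kernel-level tracer would record them. Arguments are dropped;
# the graph is built from the sequence alone.
BENIGN_TRACE: List[str] = ["read", "write", "read", "write", "read", "write", "close"]
SHELL_TRACE: List[str] = ["read", "execve", "mmap", "openat", "read", "write", "close"]


def build_graph(trace: List[str]) -> Graph:
    """Edge (a, b) is weighted by the number of times a is directly followed by b."""
    return Counter(zip(trace, trace[1:]))


def normalize(graph: Graph) -> Dict[Edge, float]:
    """Scale each node's outgoing weights so they sum to 1 (transition-probability view).

    This removes the dependence on trace length, so a short and a long trace of the
    same behavior map to the same point.
    """
    out_total: Counter = Counter()
    for (src, _dst), weight in graph.items():
        out_total[src] += weight
    return {edge: weight / out_total[edge[0]] for edge, weight in graph.items()}


def vocabulary(traces: List[List[str]]) -> List[str]:
    """Sorted union of syscall names; fixes the vector layout across all samples."""
    return sorted({name for trace in traces for name in trace})


def feature_vector(graph: Graph, vocab: List[str]) -> List[float]:
    """Flatten the normalized graph into a len(vocab)**2 vector indexed by (src, dst).

    Every sample must use the same vocabulary, otherwise the columns do not line up
    and the forest models would be trained on mismatched features.
    """
    norm = normalize(graph)
    return [norm.get((src, dst), 0.0) for src in vocab for dst in vocab]


def unseen_edges(candidate: Graph, baseline: Graph) -> List[Edge]:
    """Transitions present in candidate but never observed in the baseline graph.

    A cheap sanity check, not the paper's detector: it shows which structure an
    unsupervised model would have to pick up on for a trace with new behavior.
    """
    return sorted(edge for edge in candidate if edge not in baseline)


if __name__ == "__main__":
    vocab = vocabulary([BENIGN_TRACE, SHELL_TRACE])
    benign = build_graph(BENIGN_TRACE)
    shell = build_graph(SHELL_TRACE)
    print("vocabulary:", vocab)
    print("benign edges:", dict(benign))
    print("benign normalized:", normalize(benign))
    print("feature vector length:", len(feature_vector(benign, vocab)))
    print("edges in shell trace never seen in benign:", unseen_edges(shell, benign))
```

The normalization step matters in practice: raw edge counts grow with trace length, so a long-running benign container would drift away from a short training sample even though its transition structure is unchanged.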
