Sliding Window: The Impact of Trace Size in Anomaly Detection System for Containers Through Machine Learning

  • Gabriel Ruschel Castanhel UFPR
  • Tiago Heinrich UFPR
  • Fabrício Ceschin UFPR
  • Carlos A. Maziero UFPR


Anomaly intrusion detection in Host-based Intrusion Detection System (HIDS) is a process intended to monitor operations on a host to identify behaviors that differ from a “normal ” system behavior. System call based HIDS uses traces of calls to represent the behavior of a system. Due to the volume of data generated by applications and the operating system, sliding windows are applied in order to asses an online environment, allowing intrusions to be detected in real time while being still executed. The respective study explores the impact that the size of the observation window has on Machine Learning (ML) one-class algorithms.


Alarifi, S. S. and Wolthusen, S. D. (2012). Detecting anomalies in iaas environments through virtual machine host system call analysis. In 2012 International Conference for Internet Technology and Secured Transactions. IEEE.

Bernaschi, M., Gabrielli, E., and Mancini, L. V. (2002). Remus: a security-enhanced operating system. ACM Transactions on Information and System Security (TISSEC).

Castanhel, G. R., Heinrich, T., Ceschin, F., and Maziero, C. A. (2020). Detecção de anomalias: Estudo de técnicas de identificação de ataques em um ambiente de contêiner. Undergraduate Research Workshop - Brazilian Security Symposium (WTICG - SBSeg).

Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. (1996). A sense of self for unix processes. In IEEE Symposium on Security and Privacy.

Liu, F. T., Ting, K. M., and Zhou, Z.-H. (2008). Isolation forest. In Proceedings of the 2008 Eighth IEEE International Conference on Data Mining, ICDM ’08, page 413–422, USA. IEEE Computer Society.

Liu, M., Xue, Z., Xu, X., Zhong, C., and Chen, J. (2018). Host-based intrusion detection system with system calls: Review and future trends. ACM Computing Surveys (CSUR).

Merkel, D. (2014). Docker: lightweight linux containers for consistent development and deployment. Linux journal.

Mitchell, M., Oldham, J., and Samuel, A. (2001). Advanced linux programming. New Riders Publishing.

NVD (2020). National vulnerability database: Rce wordpress.

Systems, C. I. (1998). Sequence-based intrusion detection.˜immsec/systemcalls.htm.

Wang, K., Parekh, J. J., and Stolfo, S. J. (2006). Anagram: A content anomaly detector resistant to mimicry attack. In International workshop on recent advances in intrusion detection, pages 226–248. Springer.

Xie, M. and Hu, J. (2013). Evaluating host-based anomaly detection systems: A preliminary analysis of adfa-ld. In 2013 6th International Congress on Image and Signal Processing (CISP), volume 03, pages 1711–1716.

Yassin, W., Udzir, N. I., Muda, Z., Sulaiman, M. N., et al. (2013). Anomaly-based intrusion detection through k-means clustering and naives bayes classification. In Proc. 4th Int. Conf. Comput. Informatics, ICOCI, number 49.

Zhang, M., Xu, B., and Gong, J. (2015). An anomaly detection model based on one-class svm to detect network intrusions.
CASTANHEL, Gabriel Ruschel; HEINRICH, Tiago; CESCHIN, Fabrício; A. MAZIERO, Carlos. Sliding Window: The Impact of Trace Size in Anomaly Detection System for Containers Through Machine Learning. In: ESCOLA REGIONAL DE REDES DE COMPUTADORES (ERRC), 18. , 2020, Evento Online. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020 . p. 141-146. DOI: