Using Lightweight Monitoring Strategies in Containerized Environments for Anomaly Detection via HIDS

  • Anderson Frasão UFPR
  • Tiago Heinrich MPI
  • Vinicius Fulber-Garcia UFPR
  • Newton C. Will UTFPR
  • Rafael R. Obelheiro UDESC
  • Carlos A. Maziero UFPR

Abstract

The increasing adoption of container-based virtualized environments has raised security concerns because of their proximity to the host systems. In this scenario, strategies have emerged that use anomaly-based intrusion detection as an option for identifying and alerting on unexpected behavior. This work proposes using the interactions between the container and the operating system for anomaly detection, running lightweight monitoring processes inside the containerized environment that generate data and traces for training and deploying machine learning models intended to distinguish normal from anomalous behavior. Thus, the central discussion of this work concerns the suitability of the data generated by lightweight monitoring tools, represented here by sysdig, for training models and subsequently using them in HIDS solutions. This potential was assessed through a series of tests in which models trained on data provided by sysdig achieved significant results, with high accuracy, precision, recall and F1-score, among other indicators, in the scenarios considered.
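To make the pipeline the abstract describes concrete, here is an added example that is not the authors' code (the paper's own feature extraction and models are not reproduced on this page). It parses constructed, simplified sysdig-style trace lines into a syscall sequence, builds a profile of n-grams from known-good traces in the spirit of the classic "sense of self" approach, scores new traces by the fraction of windows never seen in training, and reports accuracy, precision, recall and F1. The line layout, process name, window size, threshold and all trace data are assumptions constructed for illustration.

```python
"""Added example: anomaly scoring of container syscall traces collected by a
lightweight tracer. Not the paper's code; line format and data are constructed."""
import re

# Constructed line layout loosely modelled on a sysdig-style default output:
# "<evt.num> <time> <cpu> <proc> (<tid>) <dir> <evt.type> <args>".
# Only enter events ('>') are kept so each syscall is counted once.
LINE_RE = re.compile(
    r"^\d+\s+\S+\s+\d+\s+(?P<proc>\S+)\s+\(\d+\)\s+(?P<dir>[<>])\s+(?P<type>\w+)"
)


def parse_syscalls(lines):
    """Ordered syscall names from trace lines; unparseable lines are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("dir") == ">":
            calls.append(m.group("type"))
    return calls


def ngrams(seq, n):
    """Sliding windows of n consecutive syscalls."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_profile(normal_traces, n=3):
    """Set of every n-gram seen in known-good traces (the 'normal' database)."""
    profile = set()
    for trace in normal_traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(trace, profile, n=3):
    """Fraction of windows absent from the profile; 0.0 means fully familiar."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)


def evaluate(labelled, profile, n=3, threshold=0.2):
    """Accuracy/precision/recall/F1 with 'anomalous' as the positive class."""
    tp = fp = tn = fn = 0
    for trace, is_anomalous in labelled:
        flagged = anomaly_score(trace, profile, n) > threshold
        if flagged and is_anomalous:
            tp += 1
        elif flagged:
            fp += 1
        elif is_anomalous:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(labelled), "precision": precision,
            "recall": recall, "f1": f1}


def to_lines(proc, seq, tid=4242):
    """Render a syscall sequence as constructed enter/exit line pairs."""
    lines = []
    for i, call in enumerate(seq):
        lines.append(f"{2 * i} 10:00:00.{i:06d} 0 {proc} ({tid}) > {call} ...")
        lines.append(f"{2 * i + 1} 10:00:00.{i:06d} 0 {proc} ({tid}) < {call} res=0")
    return lines


# Constructed sample lines, including one malformed line that must be ignored.
SAMPLE_LINES = [
    "1 10:00:00.000001 0 httpd (4242) > accept ...",
    "2 10:00:00.000002 0 httpd (4242) < accept fd=5",
    "3 10:00:00.000003 0 httpd (4242) > read fd=5 size=4096",
    "not a trace line",
]

# Constructed request-serving loop of a web worker (the "normal" behaviour).
SERVE = ["accept", "read", "open", "fstat", "read", "write", "close", "close"]
NORMAL = [parse_syscalls(to_lines("httpd", SERVE * k)) for k in (2, 3, 4)]
PROFILE = build_profile(NORMAL)

# Benign variation never seen in training (an extra read): a false positive.
VARIANT = parse_syscalls(to_lines("httpd", SERVE[:2] + ["read"] + SERVE[2:]))
# Constructed anomaly: the worker switches to an unexpected execve/connect pattern.
ANOMALOUS = parse_syscalls(
    to_lines("httpd", SERVE + ["execve", "socket", "connect", "write", "read"])
)
LABELLED = [(NORMAL[0], False), (parse_syscalls(to_lines("httpd", SERVE * 5)), False),
            (VARIANT, False), (ANOMALOUS, True)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL[0]), ("variant", VARIANT), ("anomalous", ANOMALOUS)):
        print(f"{name:10s} score={anomaly_score(trace, PROFILE):.3f}")
    print(evaluate(LABELLED, PROFILE))
```

The set-membership scorer stands in for the learned models the abstract mentions; the evaluation shape (per-trace label, threshold, positive class = anomalous) is the same. The VARIANT trace shows the practical caveat: benign behaviour absent from the training traces is scored like an attack, so the quality and coverage of the "normal" data collected by the tracer bound the false-positive rate as much as the model does.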

Published
16/09/2024
FRASÃO, Anderson; HEINRICH, Tiago; FULBER-GARCIA, Vinicius; WILL, Newton C.; OBELHEIRO, Rafael R.; MAZIERO, Carlos A. Utilizando Estratégias de Monitoramento Leve em Ambientes Conteinerizados para Detecção de Anomalias via HIDS. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24., 2024, São José dos Campos/SP. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 694-708. DOI: https://doi.org/10.5753/sbseg.2024.241469.
