Using Lightweight Monitoring Strategies in Containerized Environments for Anomaly Detection via HIDS

  • Anderson Frasão UFPR
  • Tiago Heinrich MPI
  • Vinicius Fulber-Garcia UFPR
  • Newton C. Will UTFPR
  • Rafael R. Obelheiro UDESC
  • Carlos A. Maziero UFPR

Abstract

The growing adoption of container-based virtualized environments has raised security concerns because of the containers' proximity to the host system. In this scenario, anomaly-based intrusion detection has emerged as an option for identifying and alerting on unexpected behavior. This paper proposes using the interactions between the container and the operating system for anomaly detection: lightweight, internal monitoring processes run within the containerized environment and generate the data and traces used to train and execute machine learning models that distinguish normal from anomalous behavior. The central question of this work is therefore whether the data produced by lightweight monitoring tools, represented here by sysdig, is suitable for training such models and for their subsequent use in HIDS solutions. This potential was assessed through a series of tests in which models trained on data provided by sysdig achieved significant results, attaining high accuracy, precision, recall, F1-score and other indicators in the scenarios considered.
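An added illustration of the pipeline the abstract describes, not code from the paper: syscall-enter events are parsed per container from constructed sysdig-style trace lines, a profile of normal behavior is built from syscall 3-grams (a simple stand-in for the trained model), and labelled test windows are scored and evaluated with the metrics the abstract names. The trace layout, container and process names, test windows and the 0.25 threshold are all assumptions.

```python
import re
# Constructed sysdig-style trace lines (simplified `sysdig -pc` layout: evt.num time
# cpu container (proc:tid) dir syscall args); made-up samples, not data from the paper.
NORMAL_TRACE = """\
1 10:00:00.000000001 0 web (nginx:2311) > accept
2 10:00:00.000000002 0 web (nginx:2311) > read fd=5
3 10:00:00.000000003 0 web (nginx:2311) > write fd=5
4 10:00:00.000000004 0 web (nginx:2311) < write res=128
5 10:00:00.000000005 0 web (nginx:2311) > close fd=5
6 10:00:00.000000006 0 web (nginx:2311) > accept
7 10:00:00.000000007 0 web (nginx:2311) > read fd=6
8 10:00:00.000000008 0 web (nginx:2311) > write fd=6
9 10:00:00.000000009 0 web (nginx:2311) > close fd=6
"""
LINE_RE = re.compile(r"^\d+\s+\S+\s+\d+\s+(?P<ctr>\S+)\s+\([^)]*\)\s+(?P<dir>[<>])\s+(?P<sc>\w+)")
def parse_trace(text):
    """Map container name -> ordered syscall list, keeping only enter events ('>')."""
    seqs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dir") == ">":
            seqs.setdefault(m.group("ctr"), []).append(m.group("sc"))
    return seqs
def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]
def train_profile(seqs, n=3):
    """Normal profile: the set of syscall n-grams observed during training."""
    return {g for seq in seqs.values() for g in ngrams(seq, n)}
def anomaly_score(profile, window, n=3):
    """Fraction of the window's n-grams absent from the profile (0.0 = all known)."""
    grams = ngrams(window, n)
    return sum(g not in profile for g in grams) / len(grams) if grams else 0.0

def evaluate(profile, windows, threshold=0.25):
    """Flag windows scoring above threshold; return accuracy, precision, recall, F1."""
    pairs = [(int(anomaly_score(profile, w) > threshold), y) for w, y in windows]
    tp = sum(p and y for p, y in pairs); fp = sum(p and not y for p, y in pairs)
    fn = sum(y and not p for p, y in pairs); tn = len(pairs) - tp - fp - fn
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"accuracy": (tp + tn) / len(pairs), "precision": prec, "recall": rec, "f1": f1}

# Constructed labelled windows (1 = anomalous): they contain syscalls never seen in training.
TEST_WINDOWS = [
    (["accept", "read", "write", "close", "accept", "read"], 0),
    (["read", "write", "close", "accept", "read", "write"], 0),
    (["accept", "read", "execve", "chmod", "write", "close"], 1),
    (["accept", "read", "write", "close", "unlink", "accept"], 1),
    (["accept", "read", "write", "close", "accept", "unlink"], 1),  # one unknown n-gram: missed
]
PROFILE = train_profile(parse_trace(NORMAL_TRACE))
```

The last window scores exactly 0.25 and is not flagged, which is why recall and F1 fall below the perfect precision; the threshold, window size and n-gram length are the knobs a real evaluation would sweep.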

Published: 2024-09-16

FRASÃO, Anderson; HEINRICH, Tiago; FULBER-GARCIA, Vinicius; WILL, Newton C.; OBELHEIRO, Rafael R.; MAZIERO, Carlos A. Using Lightweight Monitoring Strategies in Containerized Environments for Anomaly Detection via HIDS. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 694-708. DOI: https://doi.org/10.5753/sbseg.2024.241469.
