Anomaly Detection: A Study of Techniques for Identifying Attacks in a Container Environment
Abstract
Containers offer a technology for running applications in an isolated environment with practical handling. Because of their popularity, questions are raised about the security of the tool and about the proximity of the container to the host. Anomaly-based intrusion detection offers a way to monitor system behavior, making it possible to detect behavior that differs from what is considered normal for the application. This article aims to analyze and compare methods used for real-time anomaly detection, with an approach focused on applications running in a container environment, in order to identify the impact on detection of an isolated environment compared with a host without isolation. Machine learning methods were used as detectors to classify whether the behavior observed in a given window is a threat.
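The abstract describes the general shape of the detectors it compares: behavior is cut into windows, each window is turned into a feature vector, and a model trained on normal behavior decides whether the window is a threat. The following block is an added illustration of that pipeline, not code from the paper or its authors: it assumes system-call traces as the behavioral signal, a bag-of-system-calls frequency vector per fixed-size window, and a simple centroid-distance threshold learned from normal-only windows (a deliberately minimal stand-in for the machine learning methods the paper evaluates). All traces are constructed.

```python
"""Windowed bag-of-system-calls anomaly detector (added illustration).

Assumptions, not taken from the paper: fixed-size, non-overlapping windows
of system-call names; L1-normalized frequency vectors; a threshold on the
Euclidean distance to the centroid of normal windows. Traces are constructed.
"""
from collections import Counter
from math import sqrt
from typing import List, Sequence

# Constructed "normal" trace of a request-serving loop, in two variants so the
# normal profile has some spread (otherwise every training distance is zero).
_A = ["accept4", "read", "stat", "openat", "read", "write", "close", "poll"]
_B = ["accept4", "read", "read", "write", "write", "close", "poll", "poll"]
NORMAL_TRACE = (_A + _B) * 6 + (_A + _A) * 2 + (_B + _B) * 2  # 160 calls

# Constructed anomalous bursts inserted into the normal trace (32 calls each):
#  - ATTACK_TRACE: process creation and network calls never seen in training
#  - SCRAPE_TRACE: only known calls, but in a very different proportion
_BURST = ["execve", "clone", "socket", "connect", "write", "execve", "chmod", "unlink"]
_SCRAPE = ["openat", "read", "read", "close"]
ATTACK_TRACE = NORMAL_TRACE[:32] + _BURST * 4 + NORMAL_TRACE[32:]
SCRAPE_TRACE = NORMAL_TRACE[:32] + _SCRAPE * 8 + NORMAL_TRACE[32:]


def windows(trace: Sequence[str], size: int) -> List[Sequence[str]]:
    """Non-overlapping windows of `size` calls; a trailing partial window is dropped."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, size)]


def bag_of_calls(window: Sequence[str], vocab: Sequence[str]) -> List[float]:
    """Relative frequency of each vocabulary call plus one '<unk>' slot.

    Calls never seen in training are folded into the last slot so that a
    window full of unknown calls is far from every normal window.
    """
    counts = Counter(window)
    total = float(len(window))
    vec = [counts.get(name, 0) / total for name in vocab]
    unknown = sum(c for name, c in counts.items() if name not in vocab) / total
    return vec + [unknown]


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class CentroidDetector:
    """Flags a window when its distance to the normal centroid exceeds
    `margin` times the largest distance observed on the training windows."""

    def __init__(self, window_size: int = 16, margin: float = 1.5) -> None:
        self.window_size = window_size
        self.margin = margin
        self.vocab: List[str] = []
        self.centroid: List[float] = []
        self.threshold = 0.0

    def fit(self, normal_trace: Sequence[str]) -> "CentroidDetector":
        self.vocab = sorted(set(normal_trace))
        vecs = [bag_of_calls(w, self.vocab) for w in windows(normal_trace, self.window_size)]
        dim = len(vecs[0])
        self.centroid = [sum(v[i] for v in vecs) / len(vecs) for i in range(dim)]
        self.threshold = max(euclid(v, self.centroid) for v in vecs) * self.margin
        return self

    def distances(self, trace: Sequence[str]) -> List[float]:
        return [euclid(bag_of_calls(w, self.vocab), self.centroid)
                for w in windows(trace, self.window_size)]

    def flagged_windows(self, trace: Sequence[str]) -> List[int]:
        """Indices of windows classified as a threat."""
        return [i for i, d in enumerate(self.distances(trace)) if d > self.threshold]


if __name__ == "__main__":
    det = CentroidDetector(window_size=16, margin=1.5).fit(NORMAL_TRACE)
    print("threshold:", det.threshold)
    for name, trace in [("normal", NORMAL_TRACE), ("attack", ATTACK_TRACE), ("scrape", SCRAPE_TRACE)]:
        print(name, "flagged windows:", det.flagged_windows(trace))
```

Two design points are worth noting. First, a detector trained only on normal windows needs a slot for calls it has never seen; without the `<unk>` slot, a burst of `execve`/`socket` calls would simply be ignored by the feature vector. Second, the `SCRAPE_TRACE` case shows that a frequency shift among known calls is also detectable, which matters because a compromised containerized application often uses the same system calls as its normal workload, only in different proportions. The threshold rule here is the simplest possible; the paper's detectors are proper learning methods, and the window size and margin would need tuning on real traces.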