Amr S. Abed,T. Charles Clancy,David S. Levy

DOI: https://doi.org/10.1109/GLOCOMW.2015.7414047

2016-11-10

Abstract:In this paper, we present the results of using bags of system calls for learning the behavior of Linux containers for use in anomaly-detection based intrusion detection system. By using system calls of the containers monitored from the host kernel for anomaly detection, the system does not require any prior knowledge of the container nature, neither does it require altering the container or the host kernel.

Cryptography and Security

Jingfei Shen,Fanping Zeng,Weikang Zhang,Yufan Tao,Shengkun Tao

DOI: https://doi.org/10.1109/iccworkshops53468.2022.9814620

2022-01-01

Abstract:Container technology has been widely deployed in edge computing environments. Using the OS-level resource isolation and management, it can achieve incomparable high efficiency in contrast to the traditional virtual machine approach. However, recent studies have shown that the container environment is vulnerable to various security attacks. Furthermore, the highly customizable and dynamic change nature of the container exacerbated its vulnerability. In this paper, we propose a new anomaly detection framework combining cluster algorithm to improve anomaly detection efficiency in the edge computing environment that contains a large number of containers. It utilizes cluster algorithm to automatically identify containers that running the same application, and builds an anomaly detection model for each category separately. We investigated 8 real-world vulnerabilities from several frequently used applications and evaluated our framework on them. Experiment results show that our proposed framework can effectively identify containers built on the same application image without any manual labeling, reduce the FPR of anomaly detection from 0.61% to 0.09%, and increase TPR from 90.3% to 96.2% compared to the traditional method.

Nidhi Joraviya,Bhavesh N. Gohil,Udai Pratap Rao

DOI: https://doi.org/10.1002/cpe.8249

2024-08-08

Concurrency and Computation Practice and Experience

Abstract:Summary Cloud's operating‐system‐level virtualization has introduced a new phase of lightweight virtualization through containers. The architecture of cloud‐native and microservices‐based application development strongly advocates for the use of containers due to their swift and convenient deployment capabilities. However, the security of applications within containers is important, as malicious or vulnerable content could jeopardize the container and the host system. This vulnerability also extends to neighboring containers and may compromise data integrity and confidentiality. The article focuses on developing an intrusion detection system tailored to containerized cloud environments by identifying system call analysis techniques and also proposes an anomaly‐based host intrusion detection system (Ab‐HIDS). This system employs the frequency of N‐grams system calls as distinctive features. To enhance performance, two ensemble learning models, namely voting‐based ensemble learning and XGBoost ensemble learning, are employed for training and testing the data. The proposed system is evaluated using the Leipzig Intrusion Detection Data Set (LID‐DS), demonstrating substantial performance compared to existing state‐of‐the‐art methods. Ab‐HIDS is validated for class imbalance using the imbalance ratio and synthetic minority over‐sampling technique methods. Our system achieved significant improvements in detection accuracy with 4% increase for the voting‐based ensemble model and 6% increase for the XGBoost ensemble model. Additionally, we observed reductions in the false positive rate by 0.9% and 0.8% for these models, respectively, compared to existing state‐of‐the‐art methods. These results illustrate the potential of our proposed approach in improving security measures within containerized environments.

computer science, theory & methods, software engineering

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

Nidhi Joraviya,Bhavesh N. Gohil,Udai Pratap Rao

DOI: https://doi.org/10.1007/s11227-024-05895-3

IF: 3.3

2024-02-12

The Journal of Supercomputing

Abstract:In the rapidly evolving IT industry, containerization has introduced new security challenges including cloud data breaches. DL-HIDS explores the application of Deep Learning (DL) techniques for detecting such attacks. Various system call-based features, including the sequence, frequency, and metadata of system calls, as well as images, derived from these calls were explored. While using images as features is effective for DL models, determining the optimal image feature size can be challenging and requires extensive experimentation. The existing approach uses pre-trained Convolutional Neural Networks (CNNs) that incorporate system call parameters with metadata that are redundant resulting in a low detection rate. To address these limitations, we employ a deep CNN that takes images generated from system call logs as input. Our experimentation involves varying image size, system call parameters, and CNN architecture using the Leipzig Intrusion Detection DataSet-2019 dataset containing recent containerized cloud environment attack data. Our results demonstrate improvement over state-of-the-art methods toward accuracy, precision, recall, F1 score, and false-positive rate.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Samuel P. Mullinix,Erikton Konomi,Renee Davis Townsend,Reza M. Parizi

DOI: https://doi.org/10.48550/arXiv.2008.04814

2020-08-12

Abstract:Linux containers have risen in popularity in the last few years, making their way to commercial IT service offerings (such as PaaS), application deployments, and Continuous Delivery/Integration pipelines within various development teams. Along with the wide adoption of Docker, security vulnerabilities and concerns have also surfaced. In this survey, we examine the state of security for the most popular container system at the moment: Docker. We will also look into its origins stemming from the Linux technologies built into the OS itself; examine intrinsic vulnerabilities, such as the Docker Image implementation; and provide an analysis of current tools and modern methodologies used in the field to evaluate and enhance its security. For each section, we pinpoint metrics of interest, as they have been revealed by researchers and experts in the domain and summarize their findings to paint a holistic picture of the efforts behind those findings. Lastly, we look at tools utilized in the industry to streamline Docker security scanning and analytics which provide built-in aggregation of key metrics.

Cryptography and Security,Software Engineering

LiuMing,XueZhi,XuXianghua,ZhongChangmin,ChenJinjun

IF: 16.6

2018-01-01

ACM Computing Surveys

Abstract:In a contemporary data center, Linux applications often generate a large quantity of real-time system call traces, which are not suitable for traditional host-based intrusion detection systems depl...

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Yulong Wang,Qixu Wang,Xue Qin,Xingshu Chen,Bangzhou Xin,Run Yang

DOI: https://doi.org/10.1007/s00500-022-07546-2

IF: 3.732

2022-10-05

Soft Computing

Abstract:As an emerging virtualization technology, the Linux container provides a more lightweight, flexible, and high-performance operating-system-level virtual run-time environment. Its appearance has profoundly changed the development and deployment of multi-tier distributed applications. However, the imperfect system resource isolation features and the kernel-sharing mechanism will introduce significant security risks to the cloud platform. In this paper, we present DockerWatch, a real-time detection system for malware detection in the container-based cloud platform. DockerWatch uses a non-intrusive manner to extract executable files inside the containers, then uses the ensemble of various static features and behavior-based graphs as the analysis vector to learn the robust representations of malicious patterns. Consequently, a two-phase hybrid detection method based on deep learning is proposed to accelerate and enhance the detection performance, aiming to address the trade-off between fast and high-performance real-time detection. Extensive experiments are conducted and compared with extensive existing related methods using real-world datasets to validate the effectiveness of our system. The results show that DockerWatch achieves excellent detection performance with acceptable run-time performance overhead introduced into the platform.

computer science, artificial intelligence, interdisciplinary applications

Mohamed Azab,Bassem Mokhtar,Amr S. Abed,Mohamed Eltoweissy

DOI: https://doi.org/10.48550/arXiv.1611.03065

2016-11-09

Cryptography and Security

Abstract:This paper presents ESCAPE, an informed moving target defense mechanism for cloud containers. ESCAPE models the interaction between attackers and their target containers as a "predator searching for a prey" search game. Live migration of Linux-containers (prey) is used to avoid attacks (predator) and failures. The entire process is guided by a novel host-based behavior-monitoring system that seamlessly monitors containers for indications of intrusions and attacks. To evaluate ESCAPE effectiveness, we simulated the attack avoidance process based on a mathematical model mimicking the prey-vs-predator search game. Simulation results show high container survival probabilities with minimal added overhead.

Yulong Wang,Qixu Wang,Xingshu Chen,Dajiang Chen,Xiaojie Fang,Mingyong Yin,Ning Zhang

DOI: https://doi.org/10.1109/tii.2020.3047416

IF: 12.3

2022-05-01

IEEE Transactions on Industrial Informatics

Abstract:As a lightweight, flexible, and high-performance operating system virtualization, containers are used to speed up the big data platform. However, due to the imperfection of the resource isolation mechanism and the property of shared kernel, the meltdown and spectre attacks can lead to information leakage of kernel space and coresident containers. In this article, a noise-resilient and real-time detection system, named ContainerGuard, is proposed to detect meltdown and spectre attacks in the container-based big data platform. ContainerGuard uses a nonintrusive manner to collect lifecycle multivariate time-series performance event data of processes in containers and then uses ensemble of variational autoencoders as generative neural networks to learn the robust representations of normal patterns. Therefore, ContainerGuard meets the urgent need for information protection in the container-based big data platform. Our evaluations using real-world datasets show that ContainerGuard achieves excellent detection performance and only introduces about 4.5% of running performance overhead to the platform.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

Omar Javed,Salman Toor

DOI: https://doi.org/10.48550/arXiv.2101.03844

2021-01-11

Cryptography and Security

Abstract:Virtualization enables information and communications technology industry to better manage computing resources. In this regard, improvements in virtualization approaches together with the need for consistent runtime environment, lower overhead and smaller package size has led to the growing adoption of containers. This is a technology, which packages an application, its dependencies and Operating System (OS) to run as an isolated unit. However, the pressing concern with the use of containers is its susceptibility to security attacks. Consequently, a number of container scanning tools are available for detecting container security vulnerabilities. Therefore, in this study, we investigate the quality of existing container scanning tools by proposing two metrics that reflects coverage and accuracy. We analyze 59 popular public container images for Java applications hosted on DockerHub using different container scanning tools (such as Clair, Anchore, and Microscanner). Our findings show that existing container scanning approach does not detect application package vulnerabilities. Furthermore, existing tools do not have high accuracy, since 34% vulnerabilities are being missed by the best performing tool. Finally, we also demonstrate quality of Docker images for Java applications hosted on DockerHub by assessing complete vulnerability landscape i.e., number of vulnerabilities detected in images.

Tahir Alyas,Sikandar Ali,Habib Ullah Khan,Ali Samad,Khalid Alissa,Muhammad Asif Saleem

DOI: https://doi.org/10.1155/2022/6819002

IF: 1.968

2022-08-13

Security and Communication Networks

Abstract:Containers have evolved to support microservice architecture as a low-cost alternative to virtual machines. Containers are increasingly prevalent in the virtualization landscape because of better working; containers can bear considerably less overhead than the conventional hypervisor-based component virtual machines. However, containers directly communicate with the host kernel, and attackers can co-locate containers in the host system quicker than virtual machines. This causes significant security issues in container technology. The security hardening system is currently targeted at implementing universal access management regulations that make it difficult to assess the required procedure for accessing containers. Security mechanisms include an explicit awareness of the purpose and actions of the container and entail manual interaction and configuration. A user-friendly container protection scheme implemented an access policy to comply with its anticipated and legitimate application performance. In this study, container technology constraints have been overcome by proposing a unique Docker-sec mechanism. Docker-sec uses four mechanisms; the original collection has been improved during container runtime by additional rules that constrain the capacity of the container, further representing the applications in practice, file system, processes, network isolation, and vulnerability scanning of Docker images over different workload. Different vulnerabilities have been scanned with a CVE severity level. Results showed that inter-container communication with the system is more secure containers from zero vulnerabilities with an overhead of 3.45%.

computer science, information systems,telecommunications

CHEN Zhu-Hong,CUI Chao-Yuan,WANG Ru-Jing,ZHOU Ji-Dong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.07.015

2013-01-01

Abstract:As the foundation of cloud computing,virtualization technology’s security problems are gained more and more attention of the specialists with the development of cloud computing.This paper presents a virtual machine system kernel intrusion detection system,which use the introspection technology provided by Xen hypervisor to get internal states of kernel of the virtual machine.To achieve the goal of monitoring the kernel and preventing it from being compromised.This system can effectively defend the case of attack that dynamically modifies the kernel code and kernel unchanged data structure.

Ming Liu,Zhi Xue,Xiangjian He

DOI: https://doi.org/10.1109/mce.2020.3048314

2020-01-01

IEEE Consumer Electronics Magazine

Abstract:The embedded system is an essential component of the Internet of Everything. Recently, host-based intrusion detection techniques have been widely applied to embedded systems effectively. However, the traditional standalone intrusion detection system has several shortcomings in terms of efficiency and scalability. In this article, a two-tier scalable intrusion detection framework is designed for embedded systems to address these shortcomings. The framework is based on Spark and is deployed in the cloud environment. The experiments show that the proposed framework can effectively improve the detection efficiency and scalability.

Ammar Aldallal

DOI: https://doi.org/10.3390/sym14091916

2022-09-14

Symmetry

Abstract:The increased adoption of cloud computing resources produces major loopholes in cloud computing for cybersecurity attacks. An intrusion detection system (IDS) is one of the vital defenses against threats and attacks to cloud computing. Current IDSs encounter two challenges, namely, low accuracy and a high false alarm rate. Due to these challenges, additional efforts are required by network experts to respond to abnormal traffic alerts. To improve IDS efficiency in detecting abnormal network traffic, this work develops an IDS using a recurrent neural network based on gated recurrent units (GRUs) and improved long short-term memory (LSTM) through a computing unit to form Cu-LSTMGRU. The proposed system efficiently classifies the network flow instances as benign or malevolent. This system is examined using the most up-to-date dataset CICIDS2018. To further optimize computational complexity, the dataset is optimized through the Pearson correlation feature selection algorithm. The proposed model is evaluated using several metrics. The results show that the proposed model remarkably outperforms benchmarks by up to 12.045%. Therefore, the Cu-LSTMGRU model provides a high level of symmetry between cloud computing security and the detection of intrusions and malicious attacks.

Andrea Pinto,Luis-Carlos Herrera,Yezid Donoso,Jairo A Gutierrez

DOI: https://doi.org/10.3390/s23052415

2023-02-22

Abstract:Industrial control systems (ICSs), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCSs) are fundamental components of critical infrastructure (CI). CI supports the operation of transportation and health systems, electric and thermal plants, and water treatment facilities, among others. These infrastructures are not insulated anymore, and their connection to fourth industrial revolution technologies has expanded the attack surface. Thus, their protection has become a priority for national security. Cyber-attacks have become more sophisticated and criminals are able to surpass conventional security systems; therefore, attack detection has become a challenging area. Defensive technologies such as intrusion detection systems (IDSs) are a fundamental part of security systems to protect CI. IDSs have incorporated machine learning (ML) techniques that can deal with broader kinds of threats. Nevertheless, the detection of zero-day attacks and having technological resources to implement purposed solutions in the real world are concerns for CI operators. This survey aims to provide a compilation of the state of the art of IDSs that have used ML algorithms to protect CI. It also analyzes the security dataset used to train ML models. Finally, it presents some of the most relevant pieces of research on these topics that have been developed in the last five years.