Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers

Abed, Amr S.; Clancy, T. Charles; Levy, David S.

doi:10.1109/glocomw.2015.7414047

Cited by 36 publications

(21 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Administrative privileges are only required if the process to monitor belongs to a different user than the monitoring process. Several technologies rely on ptrace, as it is a stable and widely available interface for runtime process monitoring . During monitoring, the monitored process is halted every time it issues a syscall to the kernel.…”

Section: Related Workmentioning

confidence: 99%

“…Several technologies rely on ptrace, as it is a stable and widely available interface for runtime process monitoring. [10][11][12][13] During monitoring, the monitored process is halted every time it issues a syscall to the kernel. The kernel redirects the request and the result of the syscall to the monitoring process before it resumes the monitored process with the syscall result.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Sandboxing of biomedical applications in Linux containers based on system call evaluation

Witt

Jansen

Krefting

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

Summary Applications for biomedical data processing often integrate external libraries and frameworks for common algorithmic tasks. It typically reduces development time and increases overall code quality. With the introduction of lightweight container‐based virtualization, the bundling of applications and their required dependencies has become feasible, and containers can be transferred and executed in distributed environments. However, the incorporation of unreviewed code poses a security threat as it might contain malicious components. In this paper, measures to minimize risks of untrusted application execution are presented. Based on the system calls issued during sample execution of the application, both the container itself and the container runtime configuration are restricted to the set of actions the application requires. It is shown that the employed security measures are suited to counteract different attacks while application runtime is not affected.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Sandboxing of biomedical applications in Linux containers based on system call evaluation

Witt

Jansen

Krefting

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…In this paper, we use live migration of cloud containers as a moving target defense (MTD) [2] mechanism against hostbased persistent attacks. The MTD mechanism is guided by a host-based intrusion detection system (HIDS) [3] [4] that monitors operating containers to detect potential anomalies or misbehaviors. The HIDS learns the behavior of all the containers running on the host, and upon detection of a change of behavior of one or more container, the HIDS signals the MTD module of the system to ESCAPE the affected container.…”

Section: Introuctionmentioning

confidence: 99%

Toward Smart Moving Target Defense for Linux Container Resiliency

Azab

Mokhtar

Abed

et al. 2016

2016 IEEE 41st Conference on Local Computer Networks (LCN)

Self Cite

View full text Add to dashboard Cite

Abstract-This paper presents ESCAPE, an informed moving target defense mechanism for cloud containers. ESCAPE models the interaction between attackers and their target containers as a "predator searching for a prey" search game. Live migration of Linux-containers (prey) is used to avoid attacks (predator) and failures. The entire process is guided by a novel host-based behavior-monitoring system that seamlessly monitors containers for indications of intrusions and attacks. To evaluate ESCAPE effectiveness, we simulated the attack avoidance process based on a mathematical model mimicking the prey-vs-predator search game. Simulation results show high container survival probabilities with minimal added overhead.c 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. I. INTROUCTIONLinux containers running in a commercial cloud environments share the same kernel with containers from other customers, which increases the attack surface compared to the case of VM-based virtualization. To protect Linux containers in a shared environment, service providers are expected to monitor the behavior of the containers running on their system for suspicious activity. Upon detection of a possible threat, the service provider should take an action to protect the guest containers. While the most straightforward action is to kill the misbehaving container and inform the owner of the detected anomaly, such action may not be cost effective especially for long running stateful applications.A more cost-effective alternative [1] is to take a snapshot of the running application while in safe state. Upon attack detection, the system simply rolls back to the most recent safe state saved. One drawback with this approach is when the last saved safe state is a vulnerable state and/or the attack is persistent, in which case the container will go into a continuous loop of restores. To overcome such limitations, we propose a nature inspired approach that aims at changing the container execution environment in order to mislead a persistent attack. The system aims to equip the attacker target (prey) with the tools needed to ESCAPE from the attacker (predator), e.g. by moving the container to a random remote host.In this paper, we use live migration of cloud containers as a moving target defense (MTD) [2] mechanism against hostbased persistent attacks. The MTD mechanism is guided by a host-based intrusion detection system (HIDS) [3] [4] that monitors operating containers to detect potential anomalies or misbehaviors. The HIDS learns the behavior of all the containers running on the host, and upon detection of a change of behavior of one or more container, the HIDS signals the MTD module of the system to ESCAPE the affected contai...

show abstract

“…if tx > thr then (8) accessed.append (1) (9) else (10) accessed.append (0) (11) end if (12) wait () (13) end while (14) return accessed (15) end procedure Algorithm 3: Flush + Flush.…”

Section: Flush + Flushmentioning

confidence: 99%

“…Some of the common techniques to monitor the guest VM in a nonintrusive way are computation metric observation [5,6], system-call observation [7][8][9], and Virtual Machine Introspection [10][11][12].…”

Section: Security and Communication Networkmentioning

confidence: 99%

Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization Environment

Paundu

Fall

Miyamoto

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Cache-based side channel attack (CSCa) techniques in virtualization systems are becoming more advanced, while defense methods against them are still perceived as nonpractical. The most recent CSCa variant called Flush + Flush has showed that the current detection methods can be easily bypassed. Within this work, we introduce a novel monitoring approach to detect CSCa operations inside a virtualization environment. We utilize the Kernel Virtual Machine (KVM) event data in the kernel and process this data using a machine learning technique to identify any CSCa operation in the guest Virtual Machine (VM). We evaluate our approach using Receiver Operating Characteristic (ROC) diagram of multiple attack and benign operation scenarios. Our method successfully separate the CSCa datasets from the non-CSCa datasets, on both trained and nontrained data scenarios. The successful classification also include the Flush + Flush attack scenario. We are also able to explain the classification results by extracting the set of most important features that separate both classes using their Fisher scores and show that our monitoring approach can work to detect CSCa in general. Finally, we evaluate the overhead impact of our CSCa monitoring method and show that it has a negligible computation overhead on the host and the guest VM.

show abstract

Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers

Cited by 36 publications

References 10 publications

Sandboxing of biomedical applications in Linux containers based on system call evaluation

Sandboxing of biomedical applications in Linux containers based on system call evaluation

Toward Smart Moving Target Defense for Linux Container Resiliency

Leveraging KVM Events to Detect Cache-Based Side Channel Attacks in a Virtualization Environment

Contact Info

Product

Resources

About