CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications

Lin, Yuhang; Tunde-Onadele, Olufogorehan; Gu, Xiaohui

doi:10.1145/3427228.3427236

Cited by 14 publications

(16 citation statements)

References 18 publications

(15 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At the start of the 5th minute, the authors started the attack; some attacks caused the container to crash which ended the experiment, but for the rest, the attack completed and the experiment ran until the 7th minute. The authors compared their proposed framework against CDL [41], selfpatch, a supervised random forest approach and a supervised CNN. They used 41 real world attacks with assigned CVEs, encompassing 28 applications.…”

Section: Attack Detectionmentioning

confidence: 99%

“…They used containerized applications with application vulnerabilities, not container-speci ic attacks. Lin et al [41] presented a classi ied distributed learning framework, namely CDL, to detect anomalies in containerized applications. The framework achieves anomaly detection in four major steps: system call feature extraction, application classi ication, system call data grouping, classi ied learning, and detection.…”

Section: Attack Detectionmentioning

confidence: 99%

See 1 more Smart Citation

AI-driven container security approaches for 5G and beyond: A survey

Taha¹,

Kuru²,

Sever³

et al. 2023

ITU J-FET

View full text Add to dashboard Cite

The rising use of microservice-based software deployment on the cloud leverages containerized software extensively. The security of applications running inside containers, as well as the container environment itself, are critical for infrastructure in cloud settings and 5G. To address security concerns, research efforts have been focused on container security with subfields such as intrusion detection, malware detection and container placement strategies. These security efforts are roughly divided into two categories: rule-based approaches and machine learning that can respond to novel threats. In this study, we survey the container security literature focusing on approaches that leverage machine learning to address security challenges.

show abstract

Section: Attack Detectionmentioning

confidence: 99%

Section: Attack Detectionmentioning

confidence: 99%

AI-driven container security approaches for 5G and beyond: A survey

Taha¹,

Kuru²,

Sever³

et al. 2023

ITU J-FET

View full text Add to dashboard Cite

show abstract

“…Another method, called Classified Distributed Learning (CDL), which is developed by Lin et al [99], uses the machine learning algorithm to detect anomalous behaviour of the system calls and to raise an alert if it differs from the normal pattern. The system calls are collected from running containers and they are classified by application class using the random forest technique and subsequently grouped together.…”

Section: Minimise Administrative Privilegesmentioning

confidence: 99%

“…The system calls are collected from running containers and they are classified by application class using the random forest technique and subsequently grouped together. The autoencoder neural network is then used to train on the system calls data set and the model is applied to new system calls flow to detect anomalous behaviour [99]. The accuracy rate is 74% when applied to 24 commonly used applications with 33 known vulnerabilities.…”

Section: Minimise Administrative Privilegesmentioning

confidence: 99%

Threat Modeling and Security Analysis of Containers: A Survey

Wong¹,

Chekole²,

Ochoa³

et al. 2021

Preprint

View full text Add to dashboard Cite

Traditionally, applications that are used in large and small enterprises were deployed on "bare metal" servers installed with operating systems. Recently, the use of multiple virtual machines (VMs) on the same physical server was adopted due to cost reduction and flexibility. Nowadays, containers have become popular for application deployment due to smaller footprints than the VMs, their ability to start and stop more quickly, and their capability to pack the application binaries and their dependencies/libraries in standalone units for seamless portability. A typical container ecosystem includes a code repository (e.g., GitHub) where the container images are built from the codes and libraries and then pushed to the image registry (e.g., Docker Hub) for subsequent deployment as application containers. However, the pervasive use of containers also leads to a wide-range of security breaches such as attackers stealing credentials, source codes and sensitive data from image registry and code repository, carrying out DoS attacks on application containers, and gaining root access to misuse the underlying host resources, among others. In this paper, we first perform threat modeling on the containers ecosystem using the popular threat modeling framework, called STRIDE. Using STRIDE, we identify the vulnerabilities in each system component, and investigate potential security threats and their consequences. Then, we conduct a comprehensive survey on the existing countermeasures designed against the identified threats and vulnerabilities in containers. In particular, we assess the strengths and weaknesses of the existing mitigation strategies designed against such threats. We believe that this work will help researchers and practitioners to gain a deeper understanding of the threat landscape in containers and the state-of-the-art countermeasures. We also discuss open research problems, the research gaps and future research directions in containers security, which may ignite further research to be done in this area.

show abstract

“…One noteworthy approach [1] utilizes the frequency of syscalls within a sliding window to define container behavior as ngram syscall sequences, and it then employs a mismatch-based threshold to detect anomalies. Another work [33] leverages machine learning techniques to model the frequency of syscalls in short time-based sequences. In a different approach, a recent work [14] combines machine learning and graph modeling to analyze the context around various syscall properties (e.g., frequency, arguments) to unveil abnormal behavior.…”

Section: Introductionmentioning

confidence: 99%

ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices

El Khairi,

Caselli,

Peter

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Despite its detection capabilities against previously unseen threats, anomaly detection suffers from critical limitations, which often prevent its deployment in real-world settings. In fact, anomaly-based intrusion detection systems rely on comprehensive pre-established baselines for effectively identifying suspicious activities. Unfortunately, prior research showed that these baselines age and gradually lose their effectiveness over time, especially in dynamic deployments such as microservices-based environments, where the concept of "normality" is frequently redefined due to shifting operational conditions. This scenario reinforces the need for periodic retraining to uphold optimal performance -a process that proves challenging, particularly in the context of security applications.We propose a novel, training-less approach to monitoring microservices-based environments. Our system, REPLI-CAWATCHER, observes the behavior of identical container instances (i.e., replicas) and detects anomalies without requiring prior training. Our key insight is that replicas, adopted for fault tolerance or scalability reasons, execute analogous tasks and exhibit similar behavioral patterns, which allow anomalous containers to stand out as a notable deviation from their corresponding replicas, thereby serving as a crucial indicator of security threats. The results of our experimental evaluation show that our approach is resilient against normality shifts and maintains its effectiveness without the necessity for retraining. Besides, despite not relying on a training phase, REPLICAWATCHER performs comparably to state-of-the-art, training-based solutions, achieving an average precision of 91.08% and recall of 98.35%.

show abstract

CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications

Cited by 14 publications

References 18 publications

AI-driven container security approaches for 5G and beyond: A survey

AI-driven container security approaches for 5G and beyond: A survey

Threat Modeling and Security Analysis of Containers: A Survey

ReplicaWatcher: Training-less Anomaly Detection in Containerized Microservices

Contact Info

Product

Resources

About