Resilient intrusion detection system for cloud containers

Abed, Amr S.; Azab, Mohamed; Clancy, T. Charles; Kashkoush, Mona S.

doi:10.1504/ijcnds.2020.10025197

Cited by 3 publications

(4 citation statements)

References 23 publications

(29 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[10,11] state that intrusion detection has been widely used in multiple contexts, however, its application to containers is still sparse and has been neglected. The same observation is highlighted by [12], who states that while many IDSs have been introduced to ensure the security of VM-based cloud environments, few efforts have been directed towards container security in the cloud. According to [22], the dynamic nature of the development and operation of containerized applications makes it difficult to secure these environments.…”

Section: Related Workmentioning

confidence: 70%

“…The study presented by [24] was continued in [12], where a Resilient IDS (RIDS) was developed for container-based clouds. The RIDS uses an intelligent real-time behavior monitoring mechanism to detect malicious containers and a defense approach that can migrate containers at runtime to a quarantine zone, aiming to minimize the spread of an attack.…”

Section: Related Workmentioning

confidence: 99%

“…Intrusion detection through the sequence of system calls was first presented in 1996 by [30] and is still used in conjunction with probabilistic analysis techniques in works such as [28], as well as neural networks in [18]. Other works such as [12,26,27,31] use approaches based on the analysis of system call frequency, and joint use with neural networks is also possible, as in [32].…”

Section: Related Workmentioning

confidence: 99%

“…However, with the evolution of these environments and the use of new technologies, security flaws, threats, and risks of attacks targeting these technologies emerge as new challenges for intrusion detection. In this sense, approaches focused on container platforms have been neglected and advances in this context are still sparse [10][11][12]. Moreover, the high computational cost of host-based intrusion detection remains a challenge in the face of the large volume of system calls generated [13].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

DCIDS—Distributed Container IDS

et al. 2023

View full text Add to dashboard Cite

Intrusion Detection Systems (IDS) still prevail as an important line of defense in modern computing environments. Cloud environment characteristics such as resource sharing, extensive connectivity, and agility in deploying new applications pose security risks that are increasingly exploited. New technologies like container platforms require IDS to evolve to effectively detect intrusive activities in these environments, and advancements in this regard are still necessary. In this context, this work proposes a framework for implementing an IDS focused on container platforms using machine learning techniques for anomaly detection in system calls. We contribute with the ability to build a dataset of system calls and share it with the community; the generation of anomaly detection alerts in open-source applications to support the SOC through the analysis of these system calls; the possibility of implementing different machine learning algorithms and approaches to detect anomalies in system calls (such as frequency, sequence, and arguments among other type of data) aiming greater detection efficiency; and the ability to integrate the framework with other tools, improving collaborative security. A five-layer architecture was built using free tools and tested in a corporate environment emulated in the GNS3 software version 2.2.29. In an experiment conducted with a public system call dataset, it was possible to validate the operation and integration of the framework layers, achieving detection results superior to the work that originated the dataset.

show abstract

Section: Related Workmentioning

confidence: 70%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

DCIDS—Distributed Container IDS

et al. 2023

View full text Add to dashboard Cite

show abstract

Ab‐HIDS: An anomaly‐based host intrusion detection system using frequency of N‐gram system call features and ensemble learning for containerized environment

Joraviya,

Gohil,

Rao

2024

Concurrency and Computation

View full text Add to dashboard Cite

SummaryCloud's operating‐system‐level virtualization has introduced a new phase of lightweight virtualization through containers. The architecture of cloud‐native and microservices‐based application development strongly advocates for the use of containers due to their swift and convenient deployment capabilities. However, the security of applications within containers is important, as malicious or vulnerable content could jeopardize the container and the host system. This vulnerability also extends to neighboring containers and may compromise data integrity and confidentiality. The article focuses on developing an intrusion detection system tailored to containerized cloud environments by identifying system call analysis techniques and also proposes an anomaly‐based host intrusion detection system (Ab‐HIDS). This system employs the frequency of N‐grams system calls as distinctive features. To enhance performance, two ensemble learning models, namely voting‐based ensemble learning and XGBoost ensemble learning, are employed for training and testing the data. The proposed system is evaluated using the Leipzig Intrusion Detection Data Set (LID‐DS), demonstrating substantial performance compared to existing state‐of‐the‐art methods. Ab‐HIDS is validated for class imbalance using the imbalance ratio and synthetic minority over‐sampling technique methods. Our system achieved significant improvements in detection accuracy with 4% increase for the voting‐based ensemble model and 6% increase for the XGBoost ensemble model. Additionally, we observed reductions in the false positive rate by 0.9% and 0.8% for these models, respectively, compared to existing state‐of‐the‐art methods. These results illustrate the potential of our proposed approach in improving security measures within containerized environments.

show abstract