Intrusion Detection System for Applications using Linux Containers
This work addresses security for users of Linux containers in mission-critical and cloud environments, but it is incremental, as it applies an existing method (bags of system calls) to a new context.
The paper tackles the problem of detecting malicious cyber attacks on applications in Linux containers by introducing a real-time host-based intrusion detection system that uses bags of system calls from the host kernel to learn application behavior and identify anomalies, with performance measured for a database application.
Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers running in a standalone or in a cloud multi-tenancy environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel for learning the behavior of an application running within a Linux container and determining anomalous container behavior. Performance of the approach using a database application was measured and results are discussed.
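The learning and detection loop sketched in the abstract, as an added illustration that is not the paper's code: a bag is the order-insensitive frequency multiset of syscalls in a sliding window, the learning phase records the distinct bags of benign runs, and the detection phase flags an epoch in which the share of never-seen bags exceeds a threshold. The window length, epoch size, threshold and the syscall traces are constructed assumptions, not values from the paper.

```python
"""Toy bag-of-system-calls (BoSC) anomaly detector over a syscall-name trace."""
from collections import Counter

WINDOW = 5        # assumed sliding-window length (the paper's value may differ)
EPOCH = 10        # assumed number of windows per detection epoch
THRESHOLD = 0.3   # assumed fraction of unseen bags per epoch that raises an alert

# Constructed syscall traces for a hypothetical container workload (not from the paper).
PATTERN = ["read", "write", "futex", "read", "write",
           "epoll_wait", "read", "write", "futex", "epoll_wait"]
TRAIN_TRACE = PATTERN * 6       # benign execution used for learning
BENIGN_TEST = PATTERN * 3       # benign execution used for checking false positives
# Benign work with an injected burst of process-spawn and permission-change syscalls.
ANOMALOUS_TEST = PATTERN * 2 + ["execve", "open", "open", "chmod", "write"] + PATTERN

def bag(window):
    """A bag is the multiset of syscalls in a window: each name with its count,
    stored as a sorted tuple so it is hashable and order-insensitive."""
    return tuple(sorted(Counter(window).items()))

def bags(trace, k=WINDOW):
    """Slide a window of length k over the trace and emit one bag per position."""
    return [bag(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def train(trace):
    """Learning phase: the normal profile is the set of distinct bags observed
    during benign execution, with counts so a report can show how common each is."""
    return Counter(bags(trace))

def detect(profile, trace, epoch=EPOCH, threshold=THRESHOLD):
    """Detection phase: for each epoch of consecutive windows, count the bags
    absent from the profile. Returns (epoch_index, unseen_fraction, alert) tuples."""
    results = []
    test_bags = bags(trace)
    for start in range(0, len(test_bags), epoch):
        chunk = test_bags[start:start + epoch]
        unseen = sum(1 for b in chunk if b not in profile)
        frac = unseen / len(chunk)
        results.append((start // epoch, round(frac, 2), frac > threshold))
    return results

def alerts(profile, trace):
    """Only the epochs that crossed the threshold."""
    return [r for r in detect(profile, trace) if r[2]]

if __name__ == "__main__":
    profile = train(TRAIN_TRACE)
    print("benign:   ", detect(profile, BENIGN_TEST))     # no epoch alerts
    print("anomalous:", alerts(profile, ANOMALOUS_TEST))  # epochs 1 and 2 alert
```

Because bags ignore syscall order, a benign reordering of the same calls (a common source of false positives for sequence-based detectors) still matches the profile, while the injected burst is caught even though it is surrounded by normal activity.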