
Probabilistic Real-Time Intrusion Detection System for Docker Containers

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 969))

Abstract

The use of containers has become mainstream and ubiquitous in cloud environments. A container packages a set of processes and their file system into a single unit that is isolated from the host and from other containers while sharing the host kernel; it provides a lightweight virtual environment that groups and limits resources such as memory, CPU and disk. Docker is one example of an application-container platform. However, security issues still limit the widespread and confident use of container platforms. This paper proposes a model for a real-time intrusion detection system (IDS) that detects malicious applications running in Docker containers. The IDS models the system-call trace of a container as n-grams of system calls and estimates the probability of occurrence of each n-gram, first by Maximum Likelihood Estimation (MLE) and then with Simple Good-Turing (SGT) smoothing, which gives a better estimate for system-call sequences that were not seen during training. The approach is validated on the UNM system-call datasets, and the results obtained with MLE and SGT are compared. Accuracy ranges from 87% to 97% across the different UNM datasets.
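As an added example that is not code from the paper, the following Python script implements the scheme the abstract describes: a trigram model of a system-call trace with MLE probabilities, Simple Good-Turing smoothing after Gale and Sampson, and a windowed anomaly score. The training trace, both test traces, the syscall names and the window size of 13 trigrams are constructed for illustration; the `SyscallNgramModel` class and its methods are this example's own design, not the paper's implementation.

```python
"""Added example, not code from the paper: an n-gram system-call anomaly
detector with MLE and Simple Good-Turing (SGT) probabilities, following the
scheme the abstract describes.  Traces, syscall names and the window size are
constructed for illustration (the UNM data is not included)."""
from collections import Counter
from math import log, sqrt

# Constructed training trace of a hypothetical container workload (170 syscalls).
NORMAL_TRACE = ("open read read write close " * 20 + "stat open read close " * 10
                + "mmap munmap open read write close " * 5).split()
# Constructed test traces: a benign slice of the same workload, and an
# attack-like trace whose trigrams never occur in training.
BENIGN_TEST = ("open read read write close " * 3).split()
ATTACK_TEST = "open read execve socket connect write execve chmod setuid write".split()


def ngrams(trace, n):
    """Sliding-window n-grams of a syscall trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def simple_good_turing(counts):
    """Gale & Sampson SGT: returns (p0, {r: r*}) for a Counter of n-gram types.

    p0 = N1/N is the mass reserved for unseen n-grams.  Seen counts r are
    replaced by the Turing estimate (r+1)N_{r+1}/N_r until it becomes
    unreliable, then by the log-linear fit of Z_r.  If the fit slope is >= -1
    (too little data for SGT) the seen counts are left unsmoothed.
    """
    n_total = sum(counts.values())
    nr = Counter(counts.values())                     # N_r: number of types seen r times
    rs = sorted(nr)
    p0 = nr[1] / n_total
    z = {}                                            # Z_r: N_r averaged over the gap to neighbours
    for i, r in enumerate(rs):
        q = rs[i - 1] if i else 0
        t = rs[i + 1] if i + 1 < len(rs) else 2 * r - q
        z[r] = nr[r] / (0.5 * (t - q))
    xs, ys = [log(r) for r in rs], [log(z[r]) for r in rs]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    if b >= -1:
        return p0, {r: float(r) for r in rs}          # fallback: unsmoothed seen counts
    adjusted, use_lgt = {}, False
    for r in rs:
        y = r * (1 + 1 / r) ** (b + 1)                # LGT estimate of r*
        if not use_lgt and nr[r + 1]:
            x = (r + 1) * nr[r + 1] / nr[r]           # Turing estimate of r*
            sd = sqrt((r + 1) ** 2 * nr[r + 1] / nr[r] ** 2 * (1 + nr[r + 1] / nr[r]))
            if abs(x - y) > 1.96 * sd:
                adjusted[r] = x
                continue
        use_lgt = True                                # switch to LGT permanently
        adjusted[r] = y
    return p0, adjusted


class SyscallNgramModel:
    def __init__(self, training_trace, n=3):
        self.n = n
        self.counts = Counter(ngrams(training_trace, n))
        self.total = sum(self.counts.values())
        self.p0, adjusted = simple_good_turing(self.counts)
        norm = sum(freq * adjusted[r] for r, freq in Counter(self.counts.values()).items())
        # Seen n-grams share the mass 1 - p0 in proportion to their adjusted counts.
        self._p_seen = {r: (1 - self.p0) * adjusted[r] / norm for r in adjusted}

    def p_mle(self, gram):
        return self.counts[gram] / self.total          # exactly 0 for unseen n-grams

    def p_sgt(self, gram):
        r = self.counts[gram]
        return self.p0 if r == 0 else self._p_seen[r]  # unseen n-grams get the reserved mass

    def _score(self, grams, estimator):
        """Mean log-probability per n-gram; -inf if any n-gram has probability 0."""
        probs = [estimator(g) for g in grams]
        if not probs or min(probs) == 0:
            return float("-inf")
        return sum(log(p) for p in probs) / len(probs)

    def avg_log_prob(self, trace, estimator=None):
        return self._score(ngrams(trace, self.n), estimator or self.p_sgt)

    def _windows(self, trace, window):
        grams = ngrams(trace, self.n)
        if len(grams) <= window:
            return [grams]
        return [grams[i:i + window] for i in range(len(grams) - window + 1)]

    def calibrate(self, benign_trace, window):
        """Threshold = lowest windowed SGT score observed on known-benign data."""
        return min(self._score(w, self.p_sgt) for w in self._windows(benign_trace, window))

    def is_anomalous(self, trace, threshold, window):
        return min(self._score(w, self.p_sgt) for w in self._windows(trace, window)) < threshold


if __name__ == "__main__":
    model = SyscallNgramModel(NORMAL_TRACE, n=3)
    thr = model.calibrate(NORMAL_TRACE, window=13)
    for name, trace in (("benign", BENIGN_TEST), ("attack", ATTACK_TEST)):
        print(name, "MLE:", model.avg_log_prob(trace, model.p_mle),
              "SGT:", round(model.avg_log_prob(trace), 3),
              "anomalous:", model.is_anomalous(trace, thr, window=13))
```

Under MLE the attack trace scores minus infinity, because a single unseen trigram has probability zero; this is why the paper moves to SGT, which reserves N1/N of the probability mass for unseen sequences so that every trace gets a finite, thresholdable score. Two caveats for anyone reproducing the idea: the threshold here is calibrated on the training trace itself, which is only acceptable for a demonstration (use held-out benign traces in practice), and the UNM traces the paper validates on are late-1990s host-process traces (sendmail, lpr and similar), not container workloads, so the reported accuracy does not transfer directly to modern Docker images.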



Author information

Corresponding author

Correspondence to Akshay Kumar.


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Srinivasan, S., Kumar, A., Mahajan, M., Sitaram, D., Gupta, S. (2019). Probabilistic Real-Time Intrusion Detection System for Docker Containers. In: Thampi, S., Madria, S., Wang, G., Rawat, D., Alcaraz Calero, J. (eds) Security in Computing and Communications. SSCC 2018. Communications in Computer and Information Science, vol 969. Springer, Singapore. https://doi.org/10.1007/978-981-13-5826-5_26


  • DOI: https://doi.org/10.1007/978-981-13-5826-5_26

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-5825-8

  • Online ISBN: 978-981-13-5826-5
