
DockerWatch: a two-phase hybrid detection of malware using various static features in container cloud

Published in Soft Computing (Data analytics and machine learning)

Abstract

As an emerging virtualization technology, the Linux container provides a lightweight, flexible, and high-performance operating-system-level virtual run-time environment. Its emergence has profoundly changed how multi-tier distributed applications are developed and deployed. However, imperfect isolation of system resources and the shared-kernel design introduce significant security risks to the cloud platform. In this paper, we present DockerWatch, a real-time malware detection system for container-based cloud platforms. DockerWatch extracts executable files from inside the containers in a non-intrusive manner, then uses an ensemble of various static features and behavior-based graphs as the analysis vector to learn robust representations of malicious patterns. On top of this, we propose a two-phase hybrid detection method based on deep learning that both accelerates and improves detection, addressing the trade-off between fast and high-accuracy real-time detection. Extensive experiments on real-world datasets, compared against many existing related methods, validate the effectiveness of our system. The results show that DockerWatch achieves excellent detection performance while introducing acceptable run-time overhead on the platform.


Data availability

Enquiries about data availability should be directed to the authors.

Notes

  1. The Anchore project can be found on GitHub: https://github.com/anchore/anchore-engine.

  2. The Clair project can be found on GitHub: https://github.com/quay/clair.

  3. The UnixBench project can be found on GitHub: https://github.com/kdlucas/byte-unixbench.


Acknowledgements

This work was supported in part by the National Natural Science Foundation of China under Grant U19A2081.

Funding

The authors have not disclosed any funding.


Corresponding author

Correspondence to Xingshu Chen.

Ethics declarations

Conflict of interest

The authors of this article declare that they have no conflict of interest.

Ethical approval

The authors of this article declare that this article does not contain any studies with human participants or animals.

Informed consent

Informed consent was obtained from all individual participants included in the study.


Cite this article

Wang, Y., Wang, Q., Qin, X. et al. DockerWatch: a two-phase hybrid detection of malware using various static features in container cloud. Soft Comput 27, 1015–1031 (2023). https://doi.org/10.1007/s00500-022-07546-2
