Skip to main content
SpringerLink
Log in

Intrusion Detection System for Applications Using Linux Containers

  • Conference paper
  • First Online:
Security and Trust Management (STM 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9331))

Included in the following conference series:

Abstract

Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers running in a standalone or in a cloud multi-tenancy environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel for learning the behavior of an application running within a Linux container and determining anomalous container behavior. Performance of the approach using a database application was measured and results are discussed.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Alarifi, S., Wolthusen, S.: Detecting anomalies in IaaS environments through virtual machine host system call analysis. In: International Conference for Internet Technology and Secured Transactions, pp. 211–218. IEEE (2012)

    Google Scholar 

  2. Alarifi, S., Wolthusen, S.: Anomaly detection for ephemeral cloud IaaS virtual machines. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 321–335. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  3. Chen, Y., Ghorbanzadeh, M., Ma, K., Clancy, C., McGwier, R.: A hidden markov model detection of malicious android applications at runtime. In: 2014 23rd Wireless and Optical Communication Conference (WOCC), pp. 1–6, May 2014

    Google Scholar 

  4. Cho, S.B., Park, H.J.: Efficient anomaly detection by modeling privilege flows using hidden markov model. Comput. Secur. 22(1), 45–55 (2003)

    Article  Google Scholar 

  5. Cohen, W.W.: Fast effective rule induction. In: Proceedings of the Twelfth International Conference on Machine Learning, Lake Tahoe, California (1995)

    Google Scholar 

  6. Damele, B., Stampar, M.: sqlmap: Automatic SQL injection and database takeover tool (2015). http://sqlmap.org

  7. Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 120–128, May 1996

    Google Scholar 

  8. Fuller, D., Honavar, V.: Learning classifiers for misuse and anomaly detection using a bag of system calls representation. In: Proceedings of the Sixth Annual IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop, pp. 118–125. IEEE (2005)

    Google Scholar 

  9. Helsley, M.: LXC: Linux container tools. IBM developerWorks Technical Library (2009)

    Google Scholar 

  10. Hoang, X.D., Hu, J., Bertok, P.: A multi-layer model for anomaly intrusion detection using program sequences of system calls. In: Proceedings of the 11th IEEE International Conference on Networks, pp. 531–536 (2003)

    Google Scholar 

  11. Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151–180 (1998)

    Article  Google Scholar 

  12. Lee, W., Stolfo, S.J.: Data mining approaches for intrusion detection. In: Usenix Security (1998)

    Google Scholar 

  13. Merkel, D.: Docker: lightweight linux containers for consistent development and deployment. Linux J. 2014(239), 2 (2014)

    Google Scholar 

  14. Murtaza, S.S., Khreich, W., Hamou-Lhadj, A., Couture, M.: A host-based anomaly detection approach by representing system calls as states of kernel modules. In: 2013 IEEE 24th International Symposium onSoftware Reliability Engineering (ISSRE), pp. 431–440. IEEE (2013)

    Google Scholar 

  15. Mutz, D., Valeur, F., Vigna, G., Kruegel, C.: Anomalous system call detection. ACM Trans. Inf. Syst. Secur. (TISSEC) 9(1), 61–93 (2006)

    Article  Google Scholar 

  16. Oracle Corporation: mysqlslap - Load Emulation Client (2015). http://dev.mysql.com/doc/refman/5.6/en/mysqlslap.html

  17. Petazzoni, J.: Containers & Docker: How Secure Are They? (2013). http://blog.docker.com/2013/08/containers-docker-how-secure-are-they

  18. Wang, W., Guan, X.H., Zhang, X.L.: Modeling program behaviors by hidden markov models for intrusion detection. In: Proceedings of 2004 International Conference on Machine Learning and Cybernetics, vol. 5, pp. 2830–2835. IEEE (2004)

    Google Scholar 

  19. Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 133–145 (1999)

    Google Scholar 

  20. Yeung, D.Y., Ding, Y.: Host-based intrusion detection using dynamic and static behavioral models. Pattern Recogn. 36(1), 229–243 (2003)

    Article  MATH  Google Scholar 

Download references

Acknowledgment

This work was funded by Northrop Grumman Corporation via a partnership agreement through S2ERC; an NSF Industry/University Cooperative Research Center. We would like to express our appreciation to Donald Steiner and Joshua Shapiro for their support and collaboration efforts in this work

Author information

Authors and Affiliations

  1. Department of Electrical & Computer Engineering, Virginia Tech, Blacksburg, VA, USA

    Amr S. Abed

  2. Hume Center for National Security & Technology, Virginia Tech, Arlington, VA, USA

    Charles Clancy

  3. The MITRE Corporation, Annapolis Junction, MD, USA

    David S. Levy

Authors
  1. Amr S. Abed
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Charles Clancy
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. David S. Levy
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Amr S. Abed .

Editor information

Editors and Affiliations

  1. Dipartimento di Informatica, Università degli Studi di Milano, Crema, Italy

    Sara Foresti

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Abed, A.S., Clancy, C., Levy, D.S. (2015). Intrusion Detection System for Applications Using Linux Containers. In: Foresti, S. (eds) Security and Trust Management. STM 2015. Lecture Notes in Computer Science(), vol 9331. Springer, Cham. https://doi.org/10.1007/978-3-319-24858-5_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-24858-5_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-24857-8

  • Online ISBN: 978-3-319-24858-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation