Abstract
Linux containers are gaining traction in both individual and industrial use, and as they are integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that passively detects malfeasance against applications within Linux containers running standalone or in a multi-tenant cloud environment. The system uses bags of system calls, monitored from the host kernel, to learn the behavior of an application running within a Linux container and to flag anomalous container behavior. Performance of the approach was measured on a database application and the results are discussed.
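As an added illustration (not the paper's code), the following sketch shows how the bag-of-system-calls representation in the abstract can drive a host-side anomaly detector: syscall names traced from the container are cut into fixed-size windows, each window becomes a frequency vector, a normal profile is learned from a clean run, and later windows are scored by distance to that profile. The window size, the L1 distance, the nearest-neighbour scoring with a leave-one-out threshold, and both traces are assumptions constructed for the example.

```python
from collections import Counter

# Constructed sample traces: one syscall name per entry, in the order a host-side
# tracer would observe them for the container's processes (names only, no arguments).
# The training trace alternates a query-serving phase with a file-maintenance phase,
# so the normal profile is multimodal rather than a single centroid.
NORMAL_TRACE = (("read write futex recvfrom sendto poll " * 20
                 + "fstat mmap munmap " * 20) * 2).split()
# Constructed anomalous trace: the same service suddenly spawns processes, changes
# file modes and opens sockets, none of which occurred during training.
ATTACK_TRACE = ("read write " * 5
                + "execve clone openat openat chmod socket connect " * 8).split()

WINDOW = 20  # syscalls per bag; an assumed epoch size, not the paper's parameter


def bags(trace, window=WINDOW):
    """Cut the trace into consecutive non-overlapping windows; each window becomes a
    bag, i.e. a relative-frequency vector of syscall names (order inside is ignored)."""
    return [{name: n / window for name, n in Counter(trace[i:i + window]).items()}
            for i in range(0, len(trace) - window + 1, window)]


def l1(a, b):
    """L1 distance between two sparse frequency vectors (missing keys count as 0)."""
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in a.keys() | b.keys())


def nearest(bag, profile):
    """Distance from a bag to the closest bag in the learned profile."""
    return min(l1(bag, p) for p in profile)


def train(trace, tolerance=0.1, window=WINDOW):
    """Profile = every training bag. Threshold = largest leave-one-out nearest-neighbour
    distance seen in training, plus a tolerance that absorbs normal workload jitter."""
    profile = bags(trace, window)
    loo = [nearest(b, profile[:i] + profile[i + 1:]) for i, b in enumerate(profile)]
    return {"profile": profile, "threshold": max(loo) + tolerance, "window": window}


def detect(model, trace):
    """Return (window_index, score) for each bag farther from the profile than the threshold."""
    flagged = []
    for i, bag in enumerate(bags(trace, model["window"])):
        score = nearest(bag, model["profile"])
        if score > model["threshold"]:
            flagged.append((i, score))
    return flagged


if __name__ == "__main__":
    model = train(NORMAL_TRACE)
    for i, score in detect(model, ATTACK_TRACE):
        print(f"window {i}: anomaly score {score:.2f} > threshold {model['threshold']:.2f}")
```

A production profile would be built from many runs and the tolerance tuned against the false-positive rate; with a single clean run, as here, the threshold is essentially the tolerance alone.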
Acknowledgment
This work was funded by Northrop Grumman Corporation via a partnership agreement through S2ERC, an NSF Industry/University Cooperative Research Center. We would like to express our appreciation to Donald Steiner and Joshua Shapiro for their support and collaboration efforts in this work.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Abed, A.S., Clancy, C., Levy, D.S. (2015). Intrusion Detection System for Applications Using Linux Containers. In: Foresti, S. (ed.) Security and Trust Management. STM 2015. Lecture Notes in Computer Science, vol 9331. Springer, Cham. https://doi.org/10.1007/978-3-319-24858-5_8
DOI: https://doi.org/10.1007/978-3-319-24858-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24857-8
Online ISBN: 978-3-319-24858-5