Probabilistic Real-Time Intrusion Detection System for Docker Containers

  • Siddharth Srinivasan
  • Akshay KumarEmail author
  • Manik Mahajan
  • Dinkar Sitaram
  • Sanchika Gupta
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 969)


The use of containers has become mainstream and ubiquitous in cloud environments. A container is a way to abstract processes and file systems into a single unit separate from the kernel. They provide a lightweight virtual environment that groups and isolates a set of processes and resources such as memory, CPU, disk, etc., from the host and any other containers. Docker is an example of container-based technologies for application containers. However, there are security issues that affect the widespread and confident usage of container platform. This paper proposes a model for a real-time intrusion detection system (IDS) that can be used to detect malicious applications running in Docker containers. Our IDS uses n-grams of system calls and the probability of occurrence of this n-gram is then calculated. Further the trace is processed using Maximum Likelihood Estimator (MLE) and Simple Good Turing (SGT) to provide a better estimation of unseen values of system call sequences. UNM dataset has been used to validate the approach and a comparison of the results obtained using MLE and SGT has been done. We got an accuracy ranging from 87–97% for different UNM datasets.


Intrusion detection Containers Cloud computing 


  1. 1.
    Gupta, S., Kumar, P.: System cum program-wide lightweight malicious program execution detection scheme for cloud. Inf. Secur. J. Global Perspect. 23(3), 86–99 (2014)CrossRefGoogle Scholar
  2. 2.
    Gupta, S., Kumar, P.: An immediate system call sequence-based approach for detecting malicious program executions in cloud environment. Wireless Pers. Commun. 81(1), 405–425 (2015)CrossRefGoogle Scholar
  3. 3.
    Abed, A.S., Clancy, C., Levy, D.S.: Intrusion detection system for applications using linux containers. In: Foresti, S. (ed.) STM 2015. LNCS, vol. 9331, pp. 123–135. Springer, Cham (2015). Scholar
  4. 4.
    Koucham, O., Rachidi, T., Assem, N.: Host intrusion detection using system call argument-based clustering combined with Bayesian classification. In: 2015 SAI Intelligent Systems Conference (IntelliSys), London, pp. 1010–1016 (2015)Google Scholar
  5. 5.
    Jurafsky, D., Martin, J.H.: “Language Modeling with Ngrams” Speech and Language Processing, Chap. 4 (2016)Google Scholar
  6. 6.
    Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004). Scholar
  7. 7.
    Rachidi, T., Koucham, O., Assem, N.: Combined data and execution flow host intrusion detection using machine learning. In: Bi, Y., Kapoor, S., Bhatia, R. (eds.) Intelligent Systems and Applications. SCI, vol. 650, pp. 427–450. Springer, Cham (2016). Scholar
  8. 8.
    Assem, N., Rachidi, T., El Graini, M.T.: Intrusion detection using Bayesian classifier for arbitrarily long system call sequences. IADIS Int. J. Comput. Sci. Inf. Syst. 9, 71–81 (2014)Google Scholar
  9. 9.
    Computer Science Department, Farris Engineering Center. Computer Immune Systems Data Sets (1998) Accessed 21 Apr 2013
  10. 10.
    Chiba, Z., Abghour, N., Moussaid, K., El Omri, A., Rida, M.: A survey of intrusion detection systems for cloud computing environment. In: 2016 International Conference on Engineering & MIS (ICEMIS), Agadir, pp. 1–13 (2016)Google Scholar
  11. 11.
    Sukhanov, A.V., Kovalev, S.M., Stýskala, V.: Advanced temporal-difference learning for intrusion detection. IFAC-PapersOnLine 48, 43–48 (2015). This work was supported by the Russian Foundation for Basic Research (Grants No. 13–07-00183 A, 13-08-12151 ofi_m_RZHD, 13-07-00226 A, 14-01-00259 A and 13-07-13109 ofi_m_RZHD) and partially supported by Grant of SGS No. SP2015/151, VŠB - Technical University of Ostrava, Czech RepublicCrossRefGoogle Scholar
  12. 12.
    Hubballi, N., Biswas, S., Nandi, S.: Sequencegram: n-gram modeling of system calls for program-based anomaly detection. In: 2011 Third International Conference on Communication Systems and Networks (COMSNETS 2011), Bangalore, pp. 1–10 (2011)Google Scholar
  13. 13.
    Jurafsky, D., Martin, J.H.: Speech and Language Processing. Copyright \( \copyright \) 14. All rights reserved. Draft of September 1, 2014 (2014)Google Scholar
  14. 14.
    Gale, W.A., Sampson, G.: Good-turing frequency estimation without tears. J. Quant. Linguist. 2(3), 217–237 (1995)CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Siddharth Srinivasan
    • 1
  • Akshay Kumar
    • 1
    Email author
  • Manik Mahajan
    • 1
  • Dinkar Sitaram
    • 1
  • Sanchika Gupta
    • 1
  1. 1.PES UniversityBangaloreIndia

Personalised recommendations