Intrusion Detection System for Applications Using Linux Containers

  • Amr S. Abed
  • Charles Clancy
  • David S. Levy
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9331)


Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers running in a standalone or in a cloud multi-tenancy environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel for learning the behavior of an application running within a Linux container and determining anomalous container behavior. Performance of the approach using a database application was measured and results are discussed.
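As an added illustration of the bag-of-system-calls idea (example code, not the paper's own implementation or data), a minimal detector in Python: it learns the distinct bags seen in a normal trace, then flags epochs of a live trace in which too many windows carry a bag never seen during training. The traces, window size, epoch length and threshold are constructed for the example.

```python
from collections import Counter
from typing import FrozenSet, Iterable, List, Set, Tuple

# Constructed sample traces (syscall names only, whitespace-separated). They
# stand in for a host-side trace of one container's processes and are not
# data from the paper.
NORMAL_TRACE = "recvfrom read fstat write sendto " * 6   # steady request loop
TEST_TRACE = "recvfrom read fstat write sendto " * 2 + \
             "recvfrom read fstat execve fork write sendto recvfrom"

Bag = FrozenSet[Tuple[str, int]]

def parse_trace(text: str) -> List[str]:
    return text.split()

def bag(window: Iterable[str]) -> Bag:
    """A bag of system calls: the multiset of calls in a window, order
    ignored, made hashable so it can be stored in a set."""
    return frozenset(Counter(window).items())

def windows(calls: List[str], size: int) -> Iterable[List[str]]:
    for i in range(len(calls) - size + 1):
        yield calls[i:i + size]

def learn_profile(calls: List[str], size: int) -> Set[Bag]:
    """Normal profile: every distinct bag observed while the container
    behaves normally."""
    return {bag(w) for w in windows(calls, size)}

def score_epoch(profile: Set[Bag], calls: List[str], size: int) -> float:
    """Fraction of windows in an epoch whose bag never occurred in training."""
    total = unseen = 0
    for w in windows(calls, size):
        total += 1
        if bag(w) not in profile:
            unseen += 1
    return unseen / total if total else 0.0

def detect(profile: Set[Bag], calls: List[str], size: int,
           epoch_len: int, threshold: float) -> List[Tuple[int, float, bool]]:
    """Split a live trace into fixed-length epochs and flag those whose
    unseen-bag ratio exceeds the threshold."""
    report = []
    for n, start in enumerate(range(0, len(calls), epoch_len)):
        s = score_epoch(profile, calls[start:start + epoch_len], size)
        report.append((n, s, s > threshold))
    return report

if __name__ == "__main__":
    prof = learn_profile(parse_trace(NORMAL_TRACE), size=3)
    for n, s, flag in detect(prof, parse_trace(TEST_TRACE), 3, 10, 0.2):
        print(f"epoch {n}: unseen-bag ratio {s:.2f} {'ANOMALY' if flag else 'ok'}")
```

The periodic normal trace yields only five distinct bags of size three, so the second epoch, where unfamiliar calls appear, is flagged while the first is not.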


Keywords: Intrusion detection; Anomaly detection; System call monitoring; Container security; Security in cloud computing



This work was funded by Northrop Grumman Corporation via a partnership agreement through S2ERC, an NSF Industry/University Cooperative Research Center. We would like to express our appreciation to Donald Steiner and Joshua Shapiro for their support and collaboration efforts in this work.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Department of Electrical & Computer Engineering, Virginia Tech, Blacksburg, USA
  2. Hume Center for National Security & Technology, Virginia Tech, Arlington, USA
  3. The MITRE Corporation, Annapolis Junction, USA
