Container intrusion detection method based on host system call frequency
JI Yimu, LIU Shangdong,
YANG Weidong, LI Kui, LIU Qiang, SHAO Sisi,YOU Shuai, HUANG Naijiao
Affiliations
JI Yimu, LIU Shangdong
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China ; Nanjing Center of HPC, Nanjing 210023, China ;Institute of High Performance Computing and Big Data Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China ; Research Center for High Performance Computing and Intelligent Processing Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
YANG Weidong, LI Kui, LIU Qiang, SHAO Sisi,YOU Shuai, HUANG Naijiao
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China;Institute of High Performance Computing and Big Data Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Container technology has become a widely used virtualization technology in cloud platform due to its lightweight virtualization characteristics. However, it shares the kernel with the host, so it has poor security and isolation, and is vulnerable to flood, denial of service, and escape attacks. In order to effectively detect whether the container is attacked or not, an intrusion detection method based on host system call frequency was proposed. This method took advantage of the different frequency of system call between different attack behaviors, collected the system call generated when the container was running, extracted the system call features by combining the sliding window and TF-IDF algorithm, and classified by comparing the feature similarity. The experimental results show that the detection rate of this method can reach 97%, and the false alarm rate is less than 4%.
