
DL-HIDS: deep learning-based host intrusion detection system using system calls-to-image for containerized cloud environment

Published: 09 February 2024

Abstract

In the rapidly evolving IT industry, containerization has introduced new security challenges, including cloud data breaches. DL-HIDS explores the application of Deep Learning (DL) techniques for detecting such attacks. Various system call-based features were explored, including the sequence, frequency, and metadata of system calls, as well as images derived from these calls. While using images as features is effective for DL models, determining the optimal image feature size is challenging and requires extensive experimentation. The existing approach uses pre-trained Convolutional Neural Networks (CNNs) fed with system call parameters and metadata that are redundant, which results in a low detection rate. To address these limitations, we employ a deep CNN that takes images generated from system call logs as input. Our experimentation involves varying the image size, the system call parameters, and the CNN architecture, using the Leipzig Intrusion Detection DataSet-2019, which contains recent attack data from a containerized cloud environment. Our results demonstrate improvement over state-of-the-art methods in accuracy, precision, recall, F1 score, and false-positive rate.
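The abstract describes turning system call logs into fixed-size images so that image size becomes a tunable feature parameter. The following is an added illustration, not the paper's own code or its actual encoding: it builds two such images from a constructed trace, one from the syscall sequence and one from per-process syscall transition frequencies, with the image size chosen independently of trace length and vocabulary size.

```python
"""Encode system call traces as fixed-size grayscale images (lists of pixel rows) for a CNN."""

# Constructed example trace of (pid, syscall name) pairs; not data from the paper's dataset.
SAMPLE_TRACE = [
    (1, "openat"), (1, "read"), (1, "read"), (1, "read"), (1, "read"), (1, "mmap"), (1, "close"),
    (2, "socket"), (2, "connect"), (2, "sendto"), (2, "recvfrom"), (2, "close"),
]


def build_vocab(trace):
    """Map each distinct syscall name to an integer id starting at 1 (0 is reserved for padding)."""
    return {name: i + 1 for i, name in enumerate(sorted({n for _, n in trace}))}


def sequence_image(trace, vocab, size):
    """Sequence feature: syscall ids in trace order, scaled to 0..255 and laid out row-major
    in a size x size image. Longer traces are truncated and shorter ones zero-padded, so the
    image size is a hyperparameter that does not depend on trace length."""
    scale = 255.0 / max(vocab.values())
    ids = [vocab[name] for _, name in trace][: size * size]
    pixels = [round(i * scale) for i in ids] + [0] * (size * size - len(ids))
    return [pixels[r * size:(r + 1) * size] for r in range(size)]


def transition_image(trace, vocab, size):
    """Frequency feature: cell (i, j) counts how often syscall i is immediately followed by
    syscall j within the same process, normalised so the most frequent transition is 255.
    Ids beyond the image size are folded with modulo, so the image size stays fixed even
    when the syscall vocabulary is larger than size."""
    counts = [[0] * size for _ in range(size)]
    last_seen = {}  # pid -> previous syscall name, so transitions never cross processes
    for pid, name in trace:
        if pid in last_seen:
            counts[(vocab[last_seen[pid]] - 1) % size][(vocab[name] - 1) % size] += 1
        last_seen[pid] = name
    peak = max(max(row) for row in counts)
    if peak == 0:  # empty or single-call trace: return an all-zero image
        return counts
    return [[round(c * 255 / peak) for c in row] for row in counts]


if __name__ == "__main__":
    vocab = build_vocab(SAMPLE_TRACE)
    for row in sequence_image(SAMPLE_TRACE, vocab, 4):
        print(row)
    for row in transition_image(SAMPLE_TRACE, vocab, 8):
        print(row)
```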


Published In

The Journal of Supercomputing  Volume 80, Issue 9
Jun 2024
1653 pages

Publisher

Kluwer Academic Publishers

United States

Publication History

Published: 09 February 2024
Accepted: 04 January 2024

Author Tags

  1. Cloud computing
  2. Containerized environment
  3. Deep learning
  4. Intrusion detection system
  5. System call analysis

Qualifiers

  • Research-article
