DOI: 10.1145/3560810.3564266
Research article, open access

Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection

Published: 07 November 2022

Abstract

Container technology has gained ground in the industry for its scalability and lightweight virtualization, especially in cloud environments. Nevertheless, research has shown that containerized applications are an appealing target for cyberattacks, which may lead to interruption of business-critical services and financial damage. State-of-the-art anomaly-based host intrusion detection systems (HIDS) may enhance container runtime security. However, they were not designed to deal with the characteristics of containerized environments. Specifically, they cannot effectively cope with the scalability of containers and the diversity of anomalies. To address these challenges, we introduce a novel anomaly-based HIDS that relies on monitoring heterogeneous properties of system calls. Our key idea is that anomalies can be accurately detected when those properties are examined jointly within their context. To this end, we model system calls leveraging a graph-based structure that emphasizes their dependencies within their relative context, allowing us to precisely discern between normal and malicious activities. We evaluate our approach on two datasets of 20 different attack scenarios containing 11,700 normal and 1,980 attack system call traces. The achieved results show that our solution effectively detects various anomalies with reasonable runtime overhead, outperforming state-of-the-art tools.

Supplementary Material

MP4 File (CCSW22-011.mp4)
Asbat El Khairi - Contextualizing System Calls in Containers for Anomaly-Based Intrusion Detection (CCSW'22)



    Published In

    CCSW'22: Proceedings of the 2022 on Cloud Computing Security Workshop
    November 2022
    81 pages
    ISBN:9781450398756
    DOI:10.1145/3560810
    Program Chairs: Francesco Regazzoni, Marten van Dijk
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. anomaly detection
    2. containers
    3. system calls

    Qualifiers

    • Research-article

    Funding Sources

    • European Union's Horizon 2020 research and innovation program

    Conference

    CCS '22

    Acceptance Rates

    Overall Acceptance Rate 37 of 108 submissions, 34%


    Article Metrics

    • Downloads (last 12 months): 1,265
    • Downloads (last 6 weeks): 93
    Reflects downloads up to 01 Sep 2024

    Cited By

    • Intrusion Detection Based on Complete System Call Information. Proceedings of the 2024 International Conference on Digital Society and Artificial Intelligence, pp. 1-5. DOI: 10.1145/3677892.3677893. Online publication date: 24 May 2024.
    • Anomaly Detection in Container Systems: Using Histograms of Normal Processes and an Autoencoder. 2024 IEEE 25th International Conference of Young Professionals in Electron Devices and Materials (EDM), pp. 1930-1934. DOI: 10.1109/EDM61683.2024.10615118. Online publication date: 28 Jun 2024.
    • Machine learning-enabled hybrid intrusion detection system with host data transformation and an advanced two-stage classifier. Computer Networks, vol. 250, article 110576 (2024). DOI: 10.1016/j.comnet.2024.110576. Online publication date: Aug 2024.
    • HoneyKube: Designing and Deploying a Microservices-based Web Honeypot. 2023 IEEE Security and Privacy Workshops (SPW), pp. 1-11. DOI: 10.1109/SPW59333.2023.00005. Online publication date: May 2023.
    • On the Value of Sequence-Based System Call Filtering for Container Security. 2023 IEEE 16th International Conference on Cloud Computing (CLOUD), pp. 296-307. DOI: 10.1109/CLOUD60044.2023.00043. Online publication date: Jul 2023.
