网络与信息安全学报 (Chinese Journal of Network and Information Security), 2021, Vol. 7, Issue 4: 18-29. doi: 10.11959/j.issn.2096-109x.2021073

• Column I: Network Attack and Defense Technology •

Container intrusion detection method based on host system call frequency

Yimu JI1,2,3,4, Weidong YANG1,3, Kui LI1,3, Shangdong LIU1,2,3,4, Qiang LIU1,3, Sisi SHAO1,3, Shuai YOU1,3, Naijiao HUANG1,3

  1 School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
  2 Nanjing Center of HPC, Nanjing 210023, China
  3 Institute of High Performance Computing and Big Data Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
  4 Research Center for High Performance Computing and Intelligent Processing Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
  • Revised: 2021-01-11 Online: 2021-08-15 Published: 2021-08-01
  • About the authors:
    Yimu JI (季一木, 1978− ), male, born in Nanjing, Jiangsu; professor and doctoral supervisor at the School of Computer Science, Nanjing University of Posts and Telecommunications; main research interests: P2P networks, cloud computing and big data security
    Weidong YANG (杨卫东, 1994− ), male, born in Zhoukou, Henan; master's student at Nanjing University of Posts and Telecommunications; main research interest: container security
    Kui LI (李奎, 1988− ), male, born in Nantong, Jiangsu; doctoral student at Nanjing University of Posts and Telecommunications; main research interests: high performance computing, big data theory and technology
    Shangdong LIU (刘尚东, 1979− ), male, born in Yongjing, Gansu; lecturer at Nanjing University of Posts and Telecommunications; main research interests: network behavior analysis, big data processing
    Qiang LIU (刘强, 1985− ), male, born in Bengbu, Anhui; lecturer at Nanjing University of Posts and Telecommunications; main research interests: graph computing, big data processing
    Sisi SHAO (邵思思, 1997− ), female, born in Donghai, Jiangsu; master's student at Nanjing University of Posts and Telecommunications; main research interests: edge computing, cloud computing and big data security
    Shuai YOU (尤帅, 1995− ), male, born in Wuhu, Anhui; master's student at Nanjing University of Posts and Telecommunications; main research interests: high performance computing, big data and edge computing
    Naijiao HUANG (黄乃娇, 1995− ), female, born in Xinyang, Henan; master's student at Nanjing University of Posts and Telecommunications; main research interests: machine learning and cloud computing security
  • Supported by:
    The National Natural Science Foundation of China (62076139); The Natural Science Foundation of Jiangsu Province (Higher Education Institutions) (BK20170900); Six Talent Peaks Project in Jiangsu Province (JY02); Zhejiang Lab Open Project (2021KF0AB05); NUPT DingShan Scholar Project and NUPTSF (NY219132); Postgraduate Research & Practice Innovation Program of Jiangsu Province (KYCX19_0921)

Abstract:

Container technology has become a widely used virtualization technology in cloud platforms due to its lightweight virtualization characteristics. However, it shares the kernel with the host, so it has poor security and isolation, and is vulnerable to flood, denial-of-service and escape attacks. In order to effectively detect whether a container is under attack, an intrusion detection method based on host system call frequency was proposed. This method took advantage of the fact that system call frequencies differ between different attack behaviors: it collected the system calls generated while the container was running, extracted system call features by combining a sliding window with the TF-IDF algorithm, and classified by comparing feature similarity. The experimental results show that the detection rate of this method can reach 97%, and the false alarm rate is less than 4%.

Key words: host system call, intrusion detection, Docker container, ADFA-LD data set
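The abstract describes a pipeline of three steps: sliding-window extraction of system call n-grams, TF-IDF weighting of those windows, and classification by feature similarity against known behavior. The following is an added illustration written for this page, not the authors' code: it fits a TF-IDF profile on constructed "normal" traces (hypothetical syscall numbers in the one-integer-per-call style of ADFA-LD, not real recordings) and flags a trace whose window frequencies diverge from that profile by cosine similarity. The window width of 3, the mean-vector profile and the 0.5 threshold are assumptions; the paper's actual parameters and classifier are not reproduced here.

```python
"""Sliding-window TF-IDF over system call traces, classified by cosine
similarity to a profile of normal behaviour. Added illustration of the
pipeline the abstract describes; not the authors' code, and the window
width, mean-vector profile and threshold below are assumptions."""
import math
from collections import Counter

# Constructed sample traces: one hypothetical syscall number per call, in the
# integer-per-call style of ADFA-LD. These are NOT real recorded traces.
NORMAL_TRACES = [
    [3, 4, 168, 3, 4, 168, 3, 4, 168, 3, 4, 168],
    [3, 4, 168, 3, 4, 168, 3, 4, 168, 3, 4, 142],
    [3, 4, 168, 3, 4, 142, 3, 4, 168, 3, 4, 168],
]
# A constructed trace whose call pattern never occurs in the normal profile.
SUSPECT_TRACE = [2, 11, 102, 2, 11, 102, 2, 11, 102, 2, 11, 102]


def windows(trace, width):
    """Slide a window of `width` calls over the trace; each window is a term."""
    return [tuple(trace[i:i + width]) for i in range(len(trace) - width + 1)]


def term_freq(terms):
    """TF: share of the trace's windows that equal each term."""
    counts = Counter(terms)
    return {t: c / len(terms) for t, c in counts.items()}


def inverse_doc_freq(corpus_terms):
    """Smoothed IDF over the training traces: log((1+N)/(1+df)) + 1."""
    n = len(corpus_terms)
    df = Counter()
    for terms in corpus_terms:
        df.update(set(terms))
    idf = {t: math.log((1 + n) / (1 + d)) + 1 for t, d in df.items()}
    unseen = math.log(1 + n) + 1   # weight for a window never seen in training
    return idf, unseen


def tfidf_vector(terms, idf, unseen):
    """Sparse TF-IDF vector for one trace."""
    return {t: tf * idf.get(t, unseen) for t, tf in term_freq(terms).items()}


def cosine(u, v):
    """Cosine similarity of two sparse vectors; 0.0 when either is empty."""
    dot = sum(x * v.get(t, 0.0) for t, x in u.items())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def build_profile(normal_traces, width=3):
    """Fit IDF on normal traces and average their TF-IDF vectors into a profile."""
    corpus_terms = [windows(t, width) for t in normal_traces]
    idf, unseen = inverse_doc_freq(corpus_terms)
    profile = Counter()
    for terms in corpus_terms:
        for t, x in tfidf_vector(terms, idf, unseen).items():
            profile[t] += x / len(corpus_terms)
    return {"width": width, "idf": idf, "unseen": unseen, "profile": dict(profile)}


def score(model, trace):
    """Similarity of a trace to the normal profile (1.0 = identical weighting).
    A trace shorter than the window width yields no terms and scores 0.0."""
    vec = tfidf_vector(windows(trace, model["width"]), model["idf"], model["unseen"])
    return cosine(vec, model["profile"])


def classify(model, trace, threshold=0.5):
    """Flag traces whose window frequencies diverge from the normal profile.
    The threshold is an assumption; in practice it is tuned on held-out data."""
    return "normal" if score(model, trace) >= threshold else "attack"


if __name__ == "__main__":
    model = build_profile(NORMAL_TRACES)
    for trace in (NORMAL_TRACES[0], SUSPECT_TRACE):
        print(f"{classify(model, trace):7s} similarity={score(model, trace):.3f}")
```

The windows carry the sequence information that raw per-call counts lose, while TF-IDF down-weights windows that appear in every normal trace and up-weights the rare ones, which is what makes a frequency shift visible in the similarity score. A trace made entirely of windows never seen in training scores exactly 0.0; the interesting operational cases are partial overlaps, which is why the threshold has to be tuned against the detection-rate and false-alarm trade-off the abstract reports.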
