基于主机系统调用频率的容器入侵检测方法

doi:10.11959/j.issn.2096-109x.2021073

Abstract

Abstract:

Container technology has become a widely used virtualization technology in cloud platform due to its lightweight virtualization characteristics.However, it shares the kernel with the host, so it has poor security and isolation, and is vulnerable to flood, denial of service, and escape attacks.In order to effectively detect whether the container is attacked or not, an intrusion detection method based on host system call frequency was proposed.This method took advantage of the different frequency of system call between different attack behaviors, collected the system call generated when the container was running, extracted the system call features by combining the sliding window and TF-IDF algorithm, and classified by comparing the feature similarity.The experimental results show that the detection rate of this method can reach 97%, and the false alarm rate is less than 4%.

Key words: host system call, intrusion detection, Docker container, ADFA-LD data set

CLC Number:

TP399

Yimu JI, Weidong YANG, Kui LI, Shangdong LIU, Qiang LIU, Sisi SHAO, Shuai YOU, Naijiao HUANG. Container intrusion detection method based on host system call frequency[J]. Chinese Journal of Network and Information Security, 2021, 7(4): 18-29.

Figures/Tables 13

References 21

[1]	GAO X , GU Z , KAYAALP M ,et al. ContainerLeaks:Emerging security threats of information leakages in container clouds[C]// 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 2017: 237-248.
[2]	COMBE T , MARTIN A , DI PIETRO R . To docker or not to docker:A security perspective[J]. IEEE Cloud Computing, 2016,3(5): 54-62.
[3]	SHU R , GU X , ENCK W . A study of security vulnerabilities on docker hub[C]// Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy. 2017: 269-280.
[4]	周天昱, 申文博, 杨男子 ,等. Docker组件间标准输入输出复制的DoS攻击分析[J]. 网络与信息安全学报, 2020,6(6): 45-56.
	ZHOU T Y , SHEN W B , YANG N Z ,et al. Analysis of DoS attacks on Docker inter-component stdio copy[J]. Chinese Journal of Network and Information Security, 2020,6(6): 45-56.
[5]	MARTIN A , RAPONI S , COMBE T ,et al. Docker ecosystem–vulnerability analysis[J]. Computer Communications, 2018,122: 30-43.
[6]	FLORA J , ANTUNES N . Studying the applicability of intrusion detection to multi-tenant container environments[C]// 2019 15th European Dependable Computing Conference (EDCC). 2019: 133-136.
[7]	MANU A R , PATEL J K , AKHTAR S ,et al. A study,analysis and deep dive on cloud PaaS security in terms of Docker container security[C]// 2016 international conference on circuit,power and computing technologies (ICCPCT). 2016: 1-13.
[8]	YASRAB R . Mitigating docker security issues[J]. arXiv preprint arXiv:1804.05039, 2018.
[9]	ALARIFI S S , WOLTHUSEN S D . Detecting anomalies in IaaS environments through virtual machine host system call analysis[C]// 2012 International Conference for Internet Technology and Secured Transactions. 2012: 211-218.
[10]	MASKE S A , PARVAT T J . Advanced anomaly intrusion detection technique for host based system using system call patterns[C]// 2016 International Conference on Inventive Computation Technologies (ICICT). 2016,2: 1-4.
[11]	JIAN Z , CHEN L . A defense method against docker escape attack[C]// Proceedings of the 2017 International Conference on Cryptography,Security and Privacy. 2017: 142-146.
[12]	FORREST S , HOFMEYR S A , SOMAYAJI A ,et al. A sense of self for unix processes[C]// Proceedings 1996 IEEE Symposium on Security and Privacy. 1996: 120-128.
[13]	WARRENDER C , FORREST S , PEARLMUTTER B . Detecting intrusions using system calls:alternative data models[C]// Proceedings of the 1999 IEEE symposium on security and privacy (Cat.No.99CB36344). 1999: 133-145.
[14]	HOFMEYR S A , FORREST S , SOMAYAJI A . Intrusion detection using sequences of system calls[J]. Journal of computer security, 1998,6(3): 151-180.
[15]	KANG D K , FULLER D , HONAVAR V . Learning classifiers for misuse and anomaly detection using a bag of system calls representation[C]// Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop. 2005: 118-125.
[16]	ABED A S , CLANCY C , LEVY D S . Intrusion detection system for applications using linux containers[C]// International Workshop on Security and Trust Management. 2015: 123-135.
[17]	SRINIVASAN S , KUMAR A , MAHAJAN M ,et al. Probabilistic real-time intrusion detection system for docker containers[C]// International Symposium on Security in Computing and Communication. 2018: 336-347.
[18]	KHREICH W , KHOSRAVIFAR B , HAMOU-LHADJ A , ,et al. An anomaly detection system based on variable N-gram features and one-class SVM[J]. Information and Software Technology, 2017,91: 186-197.
[19]	董玲, 张宏莉, 叶麟 . 基于系统调用序列分析入侵检测的层次化模型[J]. 智能计算机与应用, 2014,4(4): 13-16.
	DONG L , ZHANG H L , YE L . A new study of the system call sequence analysis method[J]. Intelligent Computer and Applications, 2014,4(4): 13-16.
[20]	张东, 张尧, 刘刚 ,等. 基于机器学习算法的主机恶意代码检测技术研究[J]. 网络与信息安全学报, 2017,3(7): 25-32.
	ZHANG D , ZHANG Y , LIU G ,et al. Research on host malcode detection using machine learning[J]. Chinese Journal of Network and Information Security, 2017,3(7): 25-32.
[21]	AZAB M , MOKHTAR B M , ABED A S ,et al. Smart moving target defense for linux container resiliency[C]// 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC). 2016: 122-130.

Metrics

Recommended 0

No Suggested Reading articles found!

处理前	处理后
epoll_ctl(8,EPOLL_CTL_ADD,11,{EPOLLIN\|EPOLLRDHUP\|EPOLLET,{u32=1998754273,u64=1}})	214
recvftom(3，"GET / RTTP/1.1rAmHost: 192.168.2."...,1024，0, NULL, NULL)=602	45
stat("/usr/share/nginx/html/index.html",{st_mode=S_IFREG\|0644,st_size=612})=0	4
openat(AT_FDCWD, "/usr/share/nginx/html/index.html",O_RDONLY\|O_NONBLOCK)=12	257
fastat(12,{st_mode=S_IFREG\|0644,st_size=612,..})=0	5
writev(3,[{iov_base="HTTP/1.1 304Not Modilied\r\nServe"..,iov_len=181}], 1)=181	20
write(5,"192.168.2.176 - -[14/May/2020:0...]", 196)=196	1
close(12)	3
setsockopt(3,SQL_TCP, TCP_NODELAY,[11], 4)=0	54

数据类型	数据量	系统调用数量	类型
Trainning	833	308 077	正常
Validation	4 373	2 122 085	正常
Attack	746	317 388	攻击
总计	5 952	2 747 550

攻击类型	攻击名称	载体	文件数
Hydra-FTP	密码爆破	Hydra-FTP	162
Hydra-SSH	密码爆破	Hydra-SSH	176
Adduser	添加新超级用户	客户端投毒	91
Java-Meterpreter	Java-based Meterpreter	TikiWiki漏洞利用	124
Meterpreter	Linux Meterpreter payload	客户端投毒	75
Webshell	C100 Webshell	PHP远程文件漏洞	118

PID	系统调用编号
551	4
551	2
551	66
551	66
551	4
551	138
551	66

方法	评价指标
方法	精确率	召回率	F值	准确率
CIDM	0.994	0.951	0.972	0.952
VN6+OC-SVM Linear Kernel	0.988	0.895	0.939	0.900
VN6+OC-SVM Gaussian Kernel	0.981	0.961	0.971	0.949

Container intrusion detection method based on host system call frequency

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 21

Related Articles 9

Metrics

Recommended 0

[1]	Tianpeng YE, Xiang LIN, Jianhua LI, Xuankai ZHANG, Liwen XU. Personalized lightweight distributed network intrusion detection system in fog computing [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 28-37.
[2]	Xiangdong HU, Lingling TANG. Method on intrusion detection for industrial internet based on light gradient boosting machine [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 46-55.
[3]	ANTONG P, Wen CHEN, Lifa WU. IoT intrusion detection method for unbalanced samples [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 130-139.
[4]	Gansen ZHAO,Zhijian XIE,Xinming WANG,Jiahao HE,Chengzhi ZHANG,Chengchuang LIN,ZHOU Ziheng,Bingchuan CHEN,RONG Chunming. ContractGuard:defend Ethereum smart contract with embedded intrusion detection [J]. Chinese Journal of Network and Information Security, 2020, 6(2): 35-55.
[5]	Yimu JI,Zhipeng JIAO,Shangdong LIU,Fei WU,Jing SUN,Na WANG,Zhiyu CHEN,Qiang BI,Penghao TIAN. CAN bus flood attack detection based on communication characteristics [J]. Chinese Journal of Network and Information Security, 2020, 6(1): 27-37.
[6]	Bin ZHANG,Lixun LI,Shuqin DONG. Malware detection approach based on improved SOINN [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 21-30.
[7]	Binghao YAN,Guodong HAN. Combinatorial intrusion detection model based on deep recurrent neural network and improved SMOTE algorithm [J]. Chinese Journal of Network and Information Security, 2018, 4(7): 48-59.
[8]	Jialin WANG, Jiqiang LIU, Di ZHAO, Yingdi WANG, Yingxiao XIANG, Tong CHEN, Endong TONG, Wenjia NIU. Intrusion detection model based on non-symmetric convolution auto-encode and support vector machine [J]. Chinese Journal of Network and Information Security, 2018, 4(11): 57-68.
[9]	Di FAN,Jing LIU,Jun-xi ZHUANG,Ying-xu LAI. Research on attack scenario reconstruction method based on causal knowledge discovery [J]. Chinese Journal of Network and Information Security, 2017, 3(4): 58-68.