APPLICATION OF A HYBRID NEURAL NETWORK AE-LSTM FOR ANOMALIES DETECTION IN CONTAINER SYSTEMS
Abstract
The popularity of container systems attracts the attention of many researchers in the field of information
technology. Containerization technology reduces the cost of computing resources when
deploying and supporting complex infrastructure solutions. Ensuring the security of container systems and of
containerization in general, together with the use of smart attacks based on artificial intelligence by malefactors,
is a serious problem on the way to the safe and stable operation of container systems. This article
proposes an approach for detecting not only previously unknown individual anomalous processes, but also
anomalous process sequences in container systems. The proposed approach, and its implementation on
the Docker platform, relies on tracing system calls, constructing histograms of running processes,
and using the AE-LSTM neural network. The histograms are constructed by counting
the number of system calls executed by each individual process. This solution provides the ability not only
to accurately identify any process in the system, but also to effectively detect anomalous process sequences
with a high degree of accuracy. The generated sequences are used as input data for the neural network.
After training is complete, the neural network can detect anomalous sequences
by comparing a given reconstruction error threshold with the actual error level of the input
data vector. When the neural network encounters a new input data vector, it calculates the reconstruction
error level, that is, the difference between the expected and actual value. If this error exceeds a predetermined threshold, the system signals the presence of an anomaly in the sequence. Experiments show that the proposed
approach demonstrates high accuracy in detecting anomalous processes with a low level of false
positive detection results. Such results confirm the effectiveness of the proposed approach. In addition, the computational
costs of training the neural network model are quite low, which allows less powerful hardware to be used
without significant performance losses. Such a solution can be trained and deployed in a new
infrastructure in a fairly short time.
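
The pipeline described above (per-process system-call histograms, sequences of those histograms, and a reconstruction-error threshold) is sketched below as an added example; it is not the authors' code. A nearest-benign-window lookup stands in for the AE-LSTM, and the `PID SYSCALL` trace format, the syscall vocabulary, the window length of 2 and the threshold of 0.5 are assumptions.

```python
from collections import Counter

# Assumed syscall vocabulary; syscalls outside it are ignored in this sketch.
VOCAB = ["read", "write", "openat", "execve", "connect", "clone"]

def proc(pid, **counts):
    """Constructed trace lines 'PID SYSCALL' (hypothetical format) for one process."""
    return [f"{pid} {name}" for name, k in counts.items() for _ in range(k)]

def histograms(trace_lines):
    """Per-process syscall count vectors, ordered by each PID's first appearance."""
    counts = {}
    for line in trace_lines:
        pid, syscall = line.split()
        counts.setdefault(pid, Counter())[syscall] += 1
    return [[c[s] for s in VOCAB] for c in counts.values()]

def windows(hists, n=2):
    """Sliding windows of n consecutive process histograms, flattened to one vector."""
    return [sum(hists[i:i + n], []) for i in range(len(hists) - n + 1)]

def reconstruction_error(vec, memory):
    """Stand-in for the AE-LSTM: 'reconstruct' vec as the closest benign
    training window and return the mean squared error of that reconstruction."""
    return min(sum((a - b) ** 2 for a, b in zip(vec, m)) / len(vec) for m in memory)

def detect(trace_lines, memory, threshold, n=2):
    """One flag per window: True when reconstruction error exceeds the threshold."""
    return [reconstruction_error(w, memory) > threshold
            for w in windows(histograms(trace_lines), n)]

# Constructed sample data: three benign process types that always run in order A, B, C.
A = dict(read=2, write=1, execve=1, clone=1)
B = dict(read=3, write=2, openat=2)
C = dict(write=4, openat=1)
benign = sum((proc(i, **p) for i, p in enumerate([A, B, C, A, B, C])), [])
MEMORY = windows(histograms(benign))   # "training": remember benign windows
THRESHOLD = 0.5                        # assumed predetermined threshold

def demo():
    # Known order with small count noise, then known processes in an unseen order.
    normal = proc(10, **dict(A, read=3)) + proc(11, **B) + proc(12, **C)
    reordered = proc(20, **A) + proc(21, **C) + proc(22, **B)
    return detect(normal, MEMORY, THRESHOLD), detect(reordered, MEMORY, THRESHOLD)

if __name__ == "__main__":
    print(demo())
```

Every process in the reordered trace matches a benign histogram exactly, so only the sequence-level check flags it.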








