APPLICATION OF A HYBRID NEURAL NETWORK AE-LSTM FOR ANOMALIES DETECTION IN CONTAINER SYSTEMS
Abstract
The popularity of container systems attracts the attention of many researchers in the field of information
technology. Containerization technology reduces the cost of computing resources when deploying and
supporting complex infrastructure solutions. Ensuring the security of container systems and of
containerization in general, together with the use by attackers of smart attacks based on artificial intelligence,
is a serious obstacle to the safe and stable operation of container systems. This article
proposes an approach for detecting not only previously unknown individual anomalous processes, but also
anomalous process sequences in container systems. The proposed approach and its implementation based
on the Docker platform are based on tracing system calls, constructing histograms of running processes,
and using an AE-LSTM neural network. Histograms are built by counting the system calls executed by each
individual process. This representation makes it possible not only to accurately identify any process in the
system, but also to effectively detect anomalous process sequences with a high degree of accuracy. The generated
sequences are used as input data for the neural network. After training, the neural network detects anomalous
sequences by comparing a given reconstruction error threshold with the actual error of the input data vector.
When the neural network encounters a new input data vector, it calculates the reconstruction error, that is, the
difference between the expected and the actual value. If this error exceeds the predetermined threshold, the
system signals the presence of an anomaly in the sequence. Experiments show that the proposed approach
achieves high accuracy in detecting anomalous processes with a low rate of false positives. These results confirm
the effectiveness of the proposed approach. The computational cost of training the neural network model is also
quite low, which allows less powerful hardware to be used without significant performance losses. Such a
solution can be trained and deployed in a new infrastructure in a fairly short time.
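The following block is an added example illustrating the pipeline described in the abstract (system-call trace, per-process histograms, sequences of histograms, reconstruction-error threshold); it is not the paper's code. To keep it runnable without any ML library, the trained AE-LSTM is replaced by a labelled stand-in: a mean-histogram profile whose "reconstruction" of a window is the normal-process mean. The syscall vocabulary, the trace line format and the trace contents are constructed assumptions; the thresholding rule (mean plus k standard deviations of the reconstruction error on normal windows) is one common choice and not necessarily the paper's.

```python
"""Syscall-histogram anomaly pipeline (added example, not the paper's code).

trace lines -> per-process normalised histograms -> sliding windows ->
reconstruction error -> comparison with a threshold fitted on normal data.
The AE-LSTM is replaced by a mean-profile stand-in so the block runs offline.
"""
import math
from collections import Counter

# Assumed fixed syscall vocabulary; a real deployment derives it from the trace.
SYSCALLS = ["read", "write", "openat", "close", "mmap", "execve", "connect", "fork"]


def _lines(pid, **counts):
    """Build constructed trace lines '<pid> <syscall>(...) = 0' for one process."""
    return "\n".join(f"{pid} {name}(...) = 0" for name, n in counts.items() for _ in range(n))


# Constructed "normal" trace: three benign I/O profiles, each seen twice.
NORMAL_TRACE = "\n".join([
    _lines(101, read=4, write=2, openat=1, close=1),
    _lines(102, read=2, write=2, openat=2, close=2),
    _lines(103, read=3, write=1, openat=2, close=1, mmap=1),
    _lines(104, read=4, write=2, openat=1, close=1),
    _lines(105, read=2, write=2, openat=2, close=2),
    _lines(106, read=3, write=1, openat=2, close=1, mmap=1),
])
# Constructed test traces: one benign pair, one pair whose second process spawns and connects.
NORMAL_TEST_TRACE = "\n".join([_lines(301, read=2, write=2, openat=2, close=2),
                               _lines(302, read=3, write=1, openat=2, close=1, mmap=1)])
ANOMALOUS_TRACE = "\n".join([_lines(201, read=4, write=2, openat=1, close=1),
                             _lines(202, execve=2, connect=4, fork=2)])


def parse_trace(text):
    """Parse '<pid> <syscall>(...)' lines into (pid, syscall) events; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        events.append((int(parts[0]), parts[1].split("(", 1)[0]))
    return events


def build_histograms(events):
    """One normalised histogram per process (share of each vocabulary syscall),
    in order of first appearance so that sequences follow the trace."""
    counts, order = {}, []
    for pid, name in events:
        if pid not in counts:
            counts[pid] = Counter()
            order.append(pid)
        if name in SYSCALLS:          # calls outside the vocabulary are ignored
            counts[pid][name] += 1
    hists = []
    for pid in order:
        total = sum(counts[pid].values()) or 1   # guard: process with no known calls
        hists.append([counts[pid][s] / total for s in SYSCALLS])
    return order, hists


def build_sequences(hists, window):
    """Sliding windows of consecutive process histograms (the sequence input of the model)."""
    return [hists[i:i + window] for i in range(len(hists) - window + 1)]


def fit_mean_profile(hists):
    """Stand-in for the trained AE-LSTM: reconstructs every position of a window
    with the mean normal histogram. Replace with the real model's predict()."""
    mean = [sum(h[j] for h in hists) / len(hists) for j in range(len(SYSCALLS))]
    return lambda seq: [mean] * len(seq)


def reconstruction_error(seq, model):
    """Mean squared error between a window and its reconstruction."""
    recon = model(seq)
    n = len(seq) * len(SYSCALLS)
    return sum((a - b) ** 2 for h, r in zip(seq, recon) for a, b in zip(h, r)) / n


def fit_threshold(train_seqs, model, k=3.0):
    """Threshold = mean + k * std of the reconstruction error over normal windows."""
    errs = [reconstruction_error(s, model) for s in train_seqs]
    mu = sum(errs) / len(errs)
    sd = math.sqrt(sum((e - mu) ** 2 for e in errs) / len(errs))
    return mu + k * sd


def train(trace_text, window=2, k=3.0):
    """Fit the stand-in model and the error threshold on a normal trace."""
    _, hists = build_histograms(parse_trace(trace_text))
    model = fit_mean_profile(hists)
    return model, fit_threshold(build_sequences(hists, window), model, k)


def score_trace(trace_text, model, threshold, window=2):
    """Return (pids_in_window, error, is_anomalous) for each window of a trace."""
    order, hists = build_histograms(parse_trace(trace_text))
    out = []
    for i, seq in enumerate(build_sequences(hists, window)):
        err = reconstruction_error(seq, model)
        out.append((tuple(order[i:i + window]), err, err > threshold))
    return out


if __name__ == "__main__":
    model, thr = train(NORMAL_TRACE)
    print(f"threshold = {thr:.5f}")
    for trace in (NORMAL_TEST_TRACE, ANOMALOUS_TRACE):
        for pids, err, flag in score_trace(trace, model, thr):
            print(pids, f"error={err:.5f}", "ANOMALY" if flag else "normal")
```

With the constructed data the benign test window scores below the threshold while the window containing the execve/connect/fork process scores an order of magnitude above it; a real deployment would replace `fit_mean_profile` with the trained AE-LSTM and keep the same thresholding step.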