Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers running in a standalone or in a cloud multi-tenancy environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel for learning the behavior of an application running within a Linux container and determining anomalous container behavior. Performance of the approach using a database application was measured and results are discussed.
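The abstract describes learning a container's normal behavior from bags of system calls and flagging windows that deviate from it. The following is an added illustration of that idea, not the paper's own code: it builds fixed-size bags from a syscall name sequence (as a host-side tracer such as auditd or an eBPF probe would deliver it), learns a per-syscall frequency centroid plus a distance threshold from a clean trace, and then flags windows that either contain a syscall never seen during training or drift too far from the centroid. The window size, L1 distance, the `margin` rule and the constructed database-like workload are assumptions made here; the abstract does not specify the paper's learning model.

```python
"""Bag-of-system-calls anomaly detector for Linux container traces.

Added example (not from the paper). Assumes syscall names have already been
captured per container on the host and delivered as an ordered list of strings.
"""
from collections import Counter
from typing import Dict, List, Tuple
import random

# Constructed vocabulary and weights of a database-like workload (not a real capture).
NORMAL_SYSCALLS = ["epoll_wait", "recvfrom", "sendto", "pread64", "pwrite64",
                   "fstat", "futex", "fdatasync", "read", "write"]
NORMAL_WEIGHTS = [5, 5, 5, 4, 2, 3, 3, 1, 3, 3]


def synth_normal_trace(n: int, seed: int = 1) -> List[str]:
    """Deterministic constructed trace standing in for a host-side syscall capture."""
    rng = random.Random(seed)
    return rng.choices(NORMAL_SYSCALLS, weights=NORMAL_WEIGHTS, k=n)


def bags(trace: List[str], window: int) -> List[Counter]:
    """Split the sequence into non-overlapping windows; each window becomes a bag (multiset)."""
    return [Counter(trace[i:i + window])
            for i in range(0, len(trace) - window + 1, window)]


def to_vector(bag: Counter, vocab: List[str]) -> List[float]:
    """Relative frequency of each known syscall in one bag (ordering unknown syscalls to 0)."""
    total = sum(bag.values()) or 1
    return [bag.get(name, 0) / total for name in vocab]


def l1(a: List[float], b: List[float]) -> float:
    """L1 distance between two frequency vectors (0 = identical, 2 = disjoint support)."""
    return sum(abs(x - y) for x, y in zip(a, b))


def train(trace: List[str], window: int = 50, margin: float = 1.25) -> Dict:
    """Learn vocabulary, centroid and threshold from a trace assumed to be benign.

    The threshold is the largest training distance times `margin`, so every
    training window scores as normal and only larger drift is reported.
    """
    train_bags = bags(trace, window)
    if not train_bags:
        raise ValueError("training trace shorter than one window")
    vocab = sorted({name for bag in train_bags for name in bag})
    vectors = [to_vector(b, vocab) for b in train_bags]
    centroid = [sum(col) / len(vectors) for col in zip(*vectors)]
    max_dist = max(l1(v, centroid) for v in vectors)
    return {"vocab": vocab, "centroid": centroid,
            "threshold": max_dist * margin, "window": window}


def detect(model: Dict, trace: List[str]) -> List[Tuple[int, float, List[str]]]:
    """Return (window_index, distance, unseen_syscalls) for each anomalous window."""
    alerts = []
    known = set(model["vocab"])
    for idx, bag in enumerate(bags(trace, model["window"])):
        unseen = sorted(set(bag) - known)           # never observed during training
        dist = l1(to_vector(bag, model["vocab"]), model["centroid"])
        if unseen or dist > model["threshold"]:
            alerts.append((idx, round(dist, 3), unseen))
    return alerts


if __name__ == "__main__":
    normal = synth_normal_trace(2000)
    model = train(normal)
    # Constructed anomalies: unseen syscalls injected into window 2, and a
    # burst of one known but rare syscall filling window 1.
    injected = normal[:100] + ["execve", "socket", "connect", "dup2"] + normal[100:146]
    burst = normal[:50] + ["fdatasync"] * 50
    print("threshold:", round(model["threshold"], 3))
    print("clean trace alerts:", detect(model, normal))
    print("injected alerts:", detect(model, injected))
    print("burst alerts:", detect(model, burst))
```

Two alert causes are kept separate on purpose: an unseen syscall is a hard signal that needs no threshold, while the distance check catches a change in the mix of already-known calls (for example a flood of one call) that a vocabulary check alone would miss. Because the threshold is derived from the benign training windows, the detector never flags its own training data, which is the minimum sanity check before deploying such a model on a live container.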