Research article. DOI: 10.1145/3427228.3427236

CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications

Published: 08 December 2020

Abstract

Containers have been widely adopted in production computing environments for their efficiency and the low overhead of their isolation. However, recent studies have shown that containerized applications are prone to various security attacks. Moreover, containerized applications are often highly dynamic and short-lived, which further exacerbates the problem. In this paper, we present CDL, a classified distributed learning framework for efficient security attack detection in containerized applications. CDL integrates online application classification with anomaly detection to overcome the lack of sufficient training data for dynamic, short-lived containers while accounting for the diverse normal behaviors of different applications. We have implemented a prototype of CDL and evaluated it over 33 real-world vulnerability attacks in 24 commonly used server applications. Our experimental results show that CDL reduces the false positive rate from over 12% to 0.24% compared to traditional anomaly detection schemes that do not aggregate training data. By introducing application classification into container behavior learning, CDL improves the detection rate from catching 20 attacks to catching 31 attacks before those attacks succeed. CDL is lightweight: it completes application classification and anomaly detection for each data sample within a few milliseconds.


Cited By

  • Self-Supervised Machine Learning Framework for Online Container Security Attack Detection. ACM Transactions on Autonomous and Adaptive Systems 19(3), 1–28 (2024). doi:10.1145/3665795
  • A Systematic Literature Review on Maintenance of Software Containers. ACM Computing Surveys 56(8), 1–38 (2024). doi:10.1145/3645092
  • SoK: A Comprehensive Analysis and Evaluation of Docker Container Attack and Defense Mechanisms. 2024 IEEE Symposium on Security and Privacy (SP), 4573–4590 (2024). doi:10.1109/SP54263.2024.00268

Published In

ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference, December 2020, 962 pages. ISBN: 9781450388580. DOI: 10.1145/3427228

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: Anomaly Detection, Container Security, Machine Learning


Funding Source: NSA Science of Security Lablet: Impact through Research, Scientific Methods, and Community Development

Conference: ACSAC '20. Overall acceptance rate: 104 of 497 submissions (21%)
