Container intrusion detection method based on host system call frequency
Authors: 季一木  杨卫东  李奎  刘尚东  刘强  邵思思  尤帅  黄乃娇
Affiliations: 1. School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China; 2. Nanjing Center of HPC, Nanjing 210023, China; 3. Institute of High Performance Computing and Big Data Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China; 4. Research Center for High Performance Computing and Intelligent Processing Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Funding: National Natural Science Foundation of China (62076139); Natural Science Foundation of Jiangsu Province (Higher Education Institutions) (BK20170900); Six Talent Peaks Project of Jiangsu Province (JY02); Open Project of Zhejiang Lab (2021KF0AB05); Nanjing University of Posts and Telecommunications Dingshan Talent Cultivation Program and Nanjing University of Posts and Telecommunications Talent Start-up Fund (NY219132); Jiangsu Postgraduate Research and Innovation Program (KYCX19_0921)
Abstract: Because of its lightweight virtualization, container technology has become a widely used virtualization technology in cloud platforms, but a container shares the kernel with its host, so its security and isolation are weak and it is vulnerable to flooding, denial-of-service and escape attacks. To detect effectively whether a container has been attacked, an intrusion detection method based on host system call frequency is proposed. The method exploits the fact that different attack behaviours produce different system call frequencies: it collects the system calls generated while the container is running, extracts system call features by combining a sliding window with the TF-IDF algorithm, and classifies by comparing feature similarity. Experiments show that the detection rate of the method reaches 97% with a false alarm rate below 4%.

Keywords: host system call; intrusion detection; Docker container; ADFA-LD dataset

Container intrusion detection method based on host system call frequency
Authors: Yimu JI  Weidong YANG  Kui LI  Shangdong LIU  Qiang LIU  Sisi SHAO  Shuai YOU  Naijiao HUANG
Affiliations: 1. School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China; 2. Nanjing Center of HPC, Nanjing 210023, China; 3. Institute of High Performance Computing and Big Data Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China; 4. Research Center for High Performance Computing and Intelligent Processing Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Abstract: Container technology has become a widely used virtualization technology in cloud platforms due to its lightweight virtualization characteristics. However, a container shares the kernel with its host, so its security and isolation are weak and it is vulnerable to flooding, denial-of-service and escape attacks. To detect effectively whether a container has been attacked, an intrusion detection method based on host system call frequency is proposed. The method exploits the fact that different attack behaviours produce different system call frequencies: it collects the system calls generated while the container is running, extracts system call features by combining a sliding window with the TF-IDF algorithm, and classifies by comparing feature similarity. Experimental results show that the detection rate of the method reaches 97% with a false alarm rate below 4%.
Keywords: host system call; intrusion detection; Docker container; ADFA-LD dataset
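The detection pipeline the abstract describes (sliding window over a container's syscall trace, TF-IDF weighting of the windows, classification by similarity to a benign profile), as an added example that is not the paper's code. The traces are constructed in ADFA-LD's integer-coded style, and the window length, smoothed IDF formula and similarity threshold are assumptions, not values taken from the paper.

```python
import math
from collections import Counter

WINDOW = 3        # assumed sliding-window length (syscall trigrams)
THRESHOLD = 0.5   # assumed cosine-similarity cut-off for "normal"

def windows(trace, size=WINDOW):
    """Slide a window over an integer-coded syscall trace; each window is one term."""
    return [tuple(trace[i:i + size]) for i in range(len(trace) - size + 1)]

def build_idf(docs):
    """Smoothed inverse document frequency of each window over the training traces."""
    df = Counter(t for d in docs for t in set(d))
    return {t: math.log((1 + len(docs)) / (1 + df[t])) + 1 for t in df}

def tfidf(terms, idf, n_docs):
    """Sparse TF-IDF vector for one trace; windows unseen in training get the df=0 weight."""
    if not terms:                      # trace shorter than the window: nothing to score
        return {}
    unseen = math.log(1 + n_docs) + 1
    counts = Counter(terms)
    return {t: (c / len(terms)) * idf.get(t, unseen) for t, c in counts.items()}

def cosine(a, b):
    """Cosine similarity of two sparse vectors (0.0 when either is empty)."""
    dot = sum(v * b[t] for t, v in a.items() if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

class SyscallProfile:
    """Normal-behaviour profile: one TF-IDF vector per benign training trace."""
    def __init__(self, normal_traces):
        docs = [windows(t) for t in normal_traces]
        self.n_docs, self.idf = len(docs), build_idf(docs)
        self.vectors = [tfidf(d, self.idf, self.n_docs) for d in docs]

    def score(self, trace):
        # similarity of a runtime trace to the closest benign trace
        v = tfidf(windows(trace), self.idf, self.n_docs)
        return max(cosine(v, p) for p in self.vectors)

    def classify(self, trace, threshold=THRESHOLD):
        return "normal" if self.score(trace) >= threshold else "anomalous"

# Constructed traces in ADFA-LD's integer-coded style; not records from the real dataset.
NORMAL_TRACES = [
    [6, 6, 63, 6, 42, 120, 6, 195, 120, 6, 6, 63, 6, 42, 120],
    [6, 63, 6, 42, 120, 6, 195, 120, 6, 6, 63, 6, 42, 120, 6],
    [6, 6, 63, 6, 42, 120, 6, 6, 63, 6, 42, 120, 6, 195, 120],
]
ATTACK_TRACE = [102, 102, 3, 102, 102, 3, 102, 102, 3, 102, 102, 3]  # shares no window with the profile
```

Build the profile with `SyscallProfile(NORMAL_TRACES)` and call `classify()` on each runtime trace; a trace whose windows never occur in the benign profile scores 0.0, and a trace shorter than the window yields no features and is flagged rather than silently accepted.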