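Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network
Cite this article: CHEN Xing-shu, JIN Yi-ling, WANG Yu-long, JIANG Chao, WANG Qi-xu. Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network [J]. Acta Electronica Sinica, 2021, 49(1): 149-156.
Authors: CHEN Xing-shu  JIN Yi-ling  WANG Yu-long  JIANG Chao  WANG Qi-xu
Affiliation: College of Cybersecurity, Sichuan University, Chengdu, Sichuan 610065; Cybersecurity Research Institute, Sichuan University, Chengdu, Sichuan 610065
Funding: National Natural Science Foundation of China; National Natural Science Foundation of China; International R&D and Transformation Platform for Transformative Technologies of the National Innovation and Entrepreneurship Demonstration Base; Sichuan Province Key R&D Fund; National Natural Science Foundation of China
Abstract: Container technology improves the efficiency of application distribution and deployment through its light weight, flexibility and rapid deployment. However, weak resource isolation and a shared kernel introduce new security risks for containers and cloud platforms. This paper proposes a scheme for detecting anomalous process behavior inside containers based on system call sequences and a long short-term memory (LSTM) neural network. The scheme collects system call sequence data over the full life cycle of a process through an agentless monitoring mode and uses the LSTM to capture the semantic features of the sequences; using cumulative deviation within a local window, it proposes two anomaly decision methods. In addition, to improve model training efficiency, an algorithm is designed that removes duplicate short-sequence samples in equal proportion. Experimental results on a public dataset and on reproduced real attack scenarios show that the scheme effectively detects anomalous process behavior in containers and that its detection performance is better than that of other comparable methods.

Keywords: anomaly detection  container  long short-term memory  system call  neural network
Received: 2019-02-27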

Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network
CHEN Xing-shu, JIN Yi-ling, WANG Yu-long, JIANG Chao, WANG Qi-xu. Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network [J]. Acta Electronica Sinica, 2021, 49(1): 149-156.
Authors: CHEN Xing-shu  JIN Yi-ling  WANG Yu-long  JIANG Chao  WANG Qi-xu
Affiliation: 1. College of Cybersecurity, Sichuan University, Chengdu, Sichuan 610065, China; 2. Cybersecurity Research Institute, Sichuan University, Chengdu, Sichuan 610065, China
Abstract: Container technology improves the efficiency of application distribution and deployment with its features of lightness, flexibility and rapid deployment. However, the characteristics of low resource isolation and a shared kernel introduce new security risks to containers and cloud platforms. This paper proposes an anomaly detection scheme for process behavior in containers based on system call sequences and a long short-term memory (LSTM) neural network. The scheme collects the system call sequence data of the whole life cycle of processes through an agentless monitoring mode and uses the LSTM to capture the semantic features of the sequences. At the same time, two anomaly decision methods are proposed by means of cumulative deviation in a local window. Furthermore, in order to optimize the training efficiency of the model, an algorithm for removing duplicate short sequence samples with the same ratio is designed. The experimental results on a public dataset and real attack scenarios show that the scheme can effectively detect the abnormal behavior of processes in containers, and that the detection performance is better than other similar methods.
Keywords: anomaly detection  container  long short-term memory  system call  neural network
This article is indexed in Wanfang Data and other databases.