Container Anomaly Detection Based on Attention Mechanism and  Multiscale Convolutional Neural Network

Abstract

Abstract: Containers are widely used in cloud computing due to their lightweight, flexibility, and ease of deployment, making them an indispensable technology. However, they also face security concerns due to their shared kernel and weaker resource isolation compared to virtual machines. Based on attention mechanism and convolutional neural network, this paper proposes a method of process anomaly detection in container based on system call sequence, which uses the data generated by container process operation to analyze and judge the abnormal behavior of process. The experimental results on public datasets and simulated attack scenarios show that this method can detect anomalies in the behavior of processes within containers, and is higher in accuracy and precision than comparison methods such as random forest and LSTM.

Key words: system call, container, anomaly detection, deep learning, attention mechanism

摘要： 容器因为其轻量、灵活和便于部署等优点被广泛使用，成为云计算不可或缺的技术，但也因为其共享内核、相对虚拟机更弱的资源隔离的特性受到安全性方面的担忧.基于注意力机制和卷积神经网络提出一种基于系统调用序列的容器内进程异常检测方法，使用容器进程运行产生的数据对进程行为进行异常分析判断.在公开数据集和模拟攻击场景下的实验结果表明，该方法能检测出容器内进程行为的异常，并且在精确率、准确率等指标上高于随机森林、LSTM等对比方法.

关键词: 系统调用, 容器, 异常检测, 深度学习, 注意力机制

CLC Number:

TP309.2

李为, 袁泽坤, 吴克河, 程瑞, . 基于注意力机制和多尺度卷积神经网络的容器异常检测[J]. 信息安全研究, 2025, 11(1): 35-.

References

［1］Martin A, Raponi S, Combe T, et al. Docker ecosystemvulnerability analysis［J］. Computer Communications, 2018, 122(6): 3043［2］Sultan S, Ahmad I, Dimitriou T. Container security: Issues, challenges, and the road ahead［J］. IEEE Access, 2019, 7: 5297652996［3］边曼琳, 王利明. 云环境下Docker容器隔离脆弱性分析与研究［J］. 信息网络安全, 2020, 20(7): 8595［4］胥柯, 张新有, 栗晓晗. Docker容器逃逸防护技术研究［J］. 信息安全研究, 2022, 8(8): 768776［5］陈兴蜀, 金逸灵, 王玉龙, 等. 基于长短期记忆神经网络的容器内进程异常行为检测［J］. 电子学报, 2021, 49(1): 149156［6］Sever Y, Ekinci G, Dogan A H, et al. An empirical analysis of ids approaches in container security［C］ Proc of 2022 Int Workshop on Secure and Reliable Microservices and Containers (SRMC). Piscataway, NJ: IEEE, 2022: 1826［7］Du Qingfeng, Xie Tiandi, He Yu. Anomaly detection and diagnosis for containerbased microservices with performance monitoring［C］ Proc of the 18th Int Conf on Algorithms and Architectures for Parallel Processing. Berlin: Springer, 2018: 560572［8］Forrest S, Hofmeyr S A, Somayaji A, et al. A sense of self for unix processes［C］ Proc of 1996 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 1996: 120128［9］Kang D K, Fuller D, Honavar V. Learning classifiers for misuse and anomaly detection using a bag of system calls representation［C］ Proc of the 6th Annual IEEE SMC Information Assurance Workshop. Piscataway, NJ: IEEE, 2005: 118125［10］Kim G, Yi H, Lee J, et al. LSTMbased systemcall language modeling and robust ensemble method for designing hostbased intrusion detection systems［J］. arXiv preprint, arXiv:1611.01726, 2016［11］Creech G, Hu J. Generation of a new IDS test dataset: Time to retire the KDD collection［C］ Proc of 2013 IEEE Wireless Communications and Networking Conference (WCNC). Piscataway, NJ: IEEE, 2013: 44874492［12］Lippmann R P, Fried D J, Graf I, et al. Evaluating intrusion detection systems: The 1998 DARPA offline intrusion detection evaluation［C］ Proc of DARPA Information Survivability Conference and Exposition. Piscataway, NJ: IEEE, 2000: 1226［13］University of New Mexico. Computer immune systems data set［EBOL］. ［20240201］. https:www.cs.unm.edu~immsecsystemcalls［14］Xie Wenqi, Xu Shengwei, Zou Shihong, et al. A systemcall behavior language system for malware detection using a sensitivitybased LSTM model［C］ Proc of the 3rd Int Conf on Computer Science and Software Engineering. New York: ACM, 2020: 112118［15］Zhang Yifei, Luo Senlin, Pan Limin, et al. SyscallBSEM: Behavioral semantics enhancement method of system call sequence for high accurate and robust host intrusion detection［J］. Future Generation Computer Systems, 2021, 125: 112126［16］Abed A S, Clancy T C, Levy D S. Applying bag of system calls for anomalous behavior detection of applications in Linux containers［C］ Proc of 2015 IEEE globecom workshops (GC Wkshps). Piscataway, NJ: IEEE, 2015: 15［17］Gantikow H, Zhner T, Reich C. Container anomaly detection using neural networks analyzing system calls［C］ Proc of the 28th Euromicro Int Conf on Parallel, Distributed and NetworkBased Processing (PDP). Piscataway, NJ: IEEE, 2020: 408412［18］Sysdig. Sysdig: Linux system exploration and troubleshooting tool with first class support for containers［EBOL］. ［20240301］. https:github.comdraiossysdig［19］Wang Yulong, Chen Xingshu, Wang Qixu, et al. Unsupervised anomaly detection for container cloud via bilstmbased variational autoencoder［C］ Proc of IEEE International Conf on Acoustics, Speech and Signal Processing (ICASSP). Piscataway, NJ: IEEE, 2022: 30243028［20］栗晓晗, 张新有. 基于系统调用的Docker容器异常检测［J］. 微电子学与计算机, 2022, 39(12): 7785［21］Mikolov T, Sutskever I, Chen K, et al. Distributed representations of words and phrases and their compositionality［C］ Proc of the 26th Int Conf on Neural Information Processing System. New York: Curran Associates Inc, 2013: 31113119［22］Vaswani A, Shazeer N, Parmar N, et al. Attention is all you need［C］ Proc of the 31st Int Conf on Neural Information Processing Systems (NIPS’17). New York: Curran Associates Inc, 2017: 60006010［23］Devlin J, Chang M W, Lee K, et al. Bert: Pretraining of deep bidirectional transformers for language understanding［C］ Proc of the 2019 Conf of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. Stroudsburg, PA: ACL, 2019: 41714186

[1]	. Research on Deep Learningbased Spatiotemporal Feature Fusion Network Intrusion Detection Model [J]. Journal of Information Security Reserach, 2025, 11(2): 122-.
[2]	. A Malicious TLS Traffic Detection Method with Multimodal Features [J]. Journal of Information Security Reserach, 2025, 11(2): 130-.
[3]	. Research of Invisible Backdoor Attack Based on Interpretability [J]. Journal of Information Security Reserach, 2025, 11(1): 21-.
[4]	. Malware Identification Technology Based on Bitmap Representation and UAtt Classification Network [J]. Journal of Information Security Reserach, 2025, 11(1): 28-.
[5]	. Encrypted Traffic Detection Technology for Multisession Coordinated #br# Attack Based on Deep Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(1): 66-.
[6]	. Image Processing Model Watermarking Method Based on #br# Attention Mechanism and Passport Layer Embedding#br# [J]. Journal of Information Security Reserach, 2024, 10(9): 849-.
[7]	. A Review of GPU Acceleration Technology for Deep Learning in Plaintext and Private Computing Environments [J]. Journal of Information Security Reserach, 2024, 10(7): 586-.
[8]	. Model of Intrusion Detection Based on Federated Learning and Convolutional Neural Network [J]. Journal of Information Security Reserach, 2024, 10(7): 642-.
[9]	. An Automatic Vulnerability Classification Framework Based on BiGRU TextCNN [J]. Journal of Information Security Reserach, 2024, 10(5): 446-.
[10]	. Adversarial Attack Algorithm Based on Multimodel Scheduling Optimization#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(5): 403-.
[11]	. Research on Network Traffic Intrusion Detection Method Based on Denoising Diffusion Probability Model [J]. Journal of Information Security Reserach, 2024, 10(5): 421-.
[12]	. Enhanced Malware Sample Generation Scheme Based on Convolution Attention Mechanism [J]. Journal of Information Security Reserach, 2024, 10(5): 431-.
[13]	. Research on Source Code Vulnerability Detection Based on BERT Model [J]. Journal of Information Security Reserach, 2024, 10(4): 294-.
[14]	. A Network Intrusion Detection Model Integrating CNN-BiGRU and Attention Mechanism [J]. Journal of Information Security Reserach, 2024, 10(3): 202-.
[15]	. Malicious TLS Traffic Detection Based on Graph Representation#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(3): 209-.

Container Anomaly Detection Based on Attention Mechanism and Multiscale Convolutional Neural Network

基于注意力机制和多尺度卷积神经网络的容器异常检测

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics