Abstract:
With the explosive growth of virtualization technology, Docker has come to dominate the container market, but its lightweight isolation approach has led to frequent security issues. Enterprises such as Ali, Jingdong and Byte Jump have started to adopt Docker container technology. Container security is closely tied to the security of users' assets, yet research on Docker container security remains scarce, and the demand for efficient and secure virtualization solutions is growing. In this paper, we propose Docker Anomaly Detection Based on System Call (DADBS), which aims to capture the abnormal process behavior of an application while the container is running by analyzing its sequence of system calls. DADBS collects application system call sequences by tracing the processes running in the container, filters redundant information out of the sequences by combining system call levels with multi-level TF-IDF quantization scores, uses long short-term memory (LSTM) neural networks to learn normal behavior and build a system call language model, and finally uses the cosine similarity deviation to decide whether a sequence is anomalous. Experiments in a cloud environment demonstrate that the model achieves an AUC of 0.848 on the public ADFA dataset and can efficiently detect process anomalies in actual attack scenarios on Docker containers.
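The pipeline sketched in the abstract (syscall sequence in, level-weighted TF-IDF filtering, a normal-behavior profile, cosine-deviation scoring) is shown below as an added, self-contained example; it is not the paper's DADBS implementation. It deliberately replaces the LSTM language model with a bag-of-bigrams profile built from the normal traces, so the cosine step is visible without a training framework. The syscall level table, the smoothed IDF formula, the "redundant = level-1 bigram seen in every normal trace" filter rule, the `threshold = max normal deviation + margin` calibration, and all traces are assumptions constructed for the example.

```python
"""Level-weighted TF-IDF over syscall bigrams plus cosine-deviation scoring.

Added example in the spirit of DADBS; the LSTM language model of the paper is
replaced by a bag-of-bigrams profile of normal behaviour. Everything below
(level table, formulas, traces) is constructed for illustration.
"""
import math
from collections import Counter

# Hypothetical "system call levels": higher = more security relevant.
# Assumed for this example; not the paper's table.
SYSCALL_LEVEL = {
    "read": 1, "write": 1, "close": 1, "openat": 1, "fstat": 1, "lseek": 1,
    "mmap": 2, "munmap": 2, "brk": 2, "futex": 2, "clone": 2, "wait4": 2,
    "execve": 3, "ptrace": 3, "mount": 3, "setuid": 3, "chmod": 3,
}

# Constructed normal traces of one containerised service (10 syscalls each).
NORMAL_TRACES = [
    ["openat", "fstat", "read", "read", "write", "close", "futex", "read", "write", "close"],
    ["openat", "fstat", "read", "read", "write", "close", "futex", "openat", "read", "write"],
    ["futex", "openat", "fstat", "read", "read", "write", "close", "mmap", "munmap", "read"],
    ["openat", "read", "write", "close", "futex", "openat", "fstat", "read", "write", "close"],
    ["brk", "openat", "fstat", "read", "read", "write", "close", "futex", "read", "write"],
]
# Constructed trace of the same process unexpectedly spawning and re-privileging.
SUSPECT_TRACE = ["openat", "read", "close", "execve", "setuid", "mount",
                 "ptrace", "write", "chmod", "execve"]


def bigrams(trace):
    """Overlapping bigram tokens, e.g. 'read>write'."""
    return [f"{a}>{b}" for a, b in zip(trace, trace[1:])]


def token_level(token):
    """Level of a bigram = the higher level of its two syscalls (unknown -> 1)."""
    return max(SYSCALL_LEVEL.get(s, 1) for s in token.split(">"))


def cosine(u, v):
    """Cosine similarity of two sparse vectors (dict token -> weight)."""
    dot = sum(w * v.get(tok, 0.0) for tok, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0  # empty vector -> no similarity


def vectorize(trace, model):
    """Level-weighted TF-IDF vector of a trace, with redundant tokens dropped."""
    counts = Counter(bigrams(trace))
    total = sum(counts.values())
    vec = {}
    for tok, c in counts.items():
        if tok in model["redundant"]:
            continue  # filtered: carries no information about this process
        idf = model["idf"].get(tok, model["unseen_idf"])  # unseen = rarest
        vec[tok] = (c / total) * idf * token_level(tok)
    return vec


def deviation(trace, model):
    """Cosine deviation from the normal profile: 0 = identical, 1 = orthogonal."""
    return 1.0 - cosine(vectorize(trace, model), model["profile"])


def is_anomalous(trace, model):
    return deviation(trace, model) > model["threshold"]


def train(normal_traces, margin=0.1):
    """Build IDF, the redundancy filter, the normal profile and the threshold."""
    n = len(normal_traces)
    df = Counter()
    for t in normal_traces:
        df.update(set(bigrams(t)))
    # Smoothed IDF: a token present in every normal trace scores exactly 1.0.
    idf = {tok: math.log((1 + n) / (1 + c)) + 1.0 for tok, c in df.items()}
    # Redundant = lowest level AND present in every trace, i.e. the tokens whose
    # level-weighted IDF is the minimum possible (1.0); these are dropped.
    redundant = {tok for tok, c in df.items() if c == n and token_level(tok) == 1}
    model = {"idf": idf, "unseen_idf": math.log(1 + n) + 1.0, "redundant": redundant}
    profile = Counter()
    for t in normal_traces:
        profile.update(vectorize(t, model))  # Counter.update adds float weights
    model["profile"] = dict(profile)
    # Calibrate on the training traces themselves: loosest normal trace + margin.
    model["threshold"] = max(deviation(t, model) for t in normal_traces) + margin
    return model


if __name__ == "__main__":
    m = train(NORMAL_TRACES)
    print("filtered as redundant:", sorted(m["redundant"]))
    print("threshold: %.3f" % m["threshold"])
    for name, t in (("normal", NORMAL_TRACES[0]), ("suspect", SUSPECT_TRACE)):
        print("%-8s deviation=%.3f anomalous=%s" % (name, deviation(t, m), is_anomalous(t, m)))
```

With these constructed traces the filter removes the four level-1 bigrams every trace contains (`openat>fstat`, `fstat>read`, `read>write`, `write>close`), the loosest normal trace sits around 0.41 deviation, and the suspect trace, which shares only `openat>read` with the profile and is dominated by unseen level-3 bigrams, scores above 0.98. Calibrating the threshold on the training traces is the simplest choice; in practice a held-out set of normal traces gives a more honest margin.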