A real-time intrusion detection system based on OC-SVM for containerized applications
Authors: Lu Zhang, R. Cushing, C. D. Laat, P. Grosso
DOI: 10.1109/CSE53436.2021.00029 (https://doi.org/10.1109/CSE53436.2021.00029)
Published in: 2021 IEEE 24th International Conference on Computational Science and Engineering (CSE), pages 138-145, publication date 2021-10-01
Source: Semantic Scholar
Citations: 6
Abstract
A Digital Data Marketplace (DDM) is a digital infrastructure to facilitate policy-governed data sharing in a secure and trustworthy manner with container-based virtualization technologies. An intrusion detection system (IDS) is essential to enforce the policies. We propose a real-time intrusion detection system that monitors and analyzes the Linux-kernel system calls of a running container. We adopt the One-Class Support Vector Machine (OC-SVM) to detect anomalies. The training data of the OC-SVM algorithm is collected and sanitized in a secure environment. We evaluate the detection capability of our proposed system against modern attacks, e.g. Machine Learning (ML) adversarial attacks, with a customized attack dataset. In addition, we investigate the influence of various feature extraction methods, kernel functions and segmentation lengths with four metrics. Our experimental results show that we can achieve a low FPR, with a worst case of 0.12, and a TPR of 1 for most attacks, when we adopt the term-frequency feature extraction method and choose a segmentation length of 30000. Furthermore, the optimal kernel function depends on the concrete application being examined.