A real-time intrusion detection system based on OC-SVM for containerized applications
Lu Zhang, Reginald Cushing, Cees de Laat, Paola Grosso
Abstract
A Digital Data Marketplace (DDM) is a digital infrastructure to facilitate policy-governed data sharing in a secure and trustworthy manner with container-based virtualization technologies. An intrusion detection systems (IDS) is essential to enforce the policies. We propose a real-time intrusion detection system that monitors and analyzes the Linux-kernel system calls of a running container. We adopt the One-Class Support Vector Machine (OC-SVM) to detect anomalies. The training data of the OC-SVM algorithm is collected and sanitized in a secure environment. We evaluate the detection capability of our proposed system against modern attacks, e.g. Machine Learning (ML) adversarial attacks, with a customized attack dataset. In addition, we investigate the influence of various feature extraction methods, kernel functions and segmentation length with four metrics. Our experimental results show that we can achieve a low FPR, with a worst case of 0.12, and a TPR of 1 for most attacks, when we adopt the term-frequency feature extraction method and we choose segmentation length of 30000. Furthermore, the optimal kernel functions depend on the concrete application being examined.