Acta Electronica Sinica (电子学报), 2021, Vol. 49, Issue (1): 149-156. DOI: 10.12263/DZXB.20190220

• Research Article •

Anomaly Detection of Process Behavior in Containers Based on a Long Short-Term Memory Neural Network (基于长短期记忆神经网络的容器内进程异常行为检测)

CHEN Xing-shu (陈兴蜀)1,2, JIN Yi-ling (金逸灵)1,2, WANG Yu-long (王玉龙)1,2, JIANG Chao (蒋超)1,2, WANG Qi-xu (王启旭)1,2

  1. College of Cybersecurity, Sichuan University, Chengdu, Sichuan 610065, China;
  2. Cybersecurity Research Institute, Sichuan University, Chengdu, Sichuan 610065, China
  • Received: 2019-02-27 Revised: 2020-04-21 Published: 2021-01-25
    • Corresponding author:
    • JIN Yi-ling
    • About the first author:
    • CHEN Xing-shu, female, born in August 1968 in Liuzhi, Guizhou; professor and doctoral supervisor at Sichuan University. Main research interests: cloud computing/big data security, threat detection, open-source intelligence. E-mail: chenxsh@scu.edu.cn
    • Supported by:
    • Key Program of the National Natural Science Foundation of China (No.U19A2081); Youth Science Fund of the National Natural Science Foundation of China (No.61802270); Transformational Technology International R&D and Transformation Platform of the National Demonstration Base for Mass Entrepreneurship and Innovation (No.C700011); Key Research and Development Fund of Sichuan Province (No.2018G20100); Joint Funds of the National Natural Science Foundation of China (No.U19A2081)

Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network

CHEN Xing-shu1,2, JIN Yi-ling1,2, WANG Yu-long1,2, JIANG Chao1,2, WANG Qi-xu1,2   

  1. College of Cybersecurity, Sichuan University, Chengdu, Sichuan 610065, China;
  2. Cybersecurity Research Institute, Sichuan University, Chengdu, Sichuan 610065, China
  • Received: 2019-02-27 Revised: 2020-04-21 Online: 2021-01-25 Published: 2021-01-25
    • Corresponding author:
    • JIN Yi-ling
    • Supported by:
    • Key Program of National Natural Science Foundation of China (No.U19A2081); Youth Fund of National Natural Science Foundation of China (No.61802270); Transformational Technology International R&D and Transformation Platform of National Demonstration base for mass Entrepreneurship and Innovation (No.C700011); Key Research and Development Fund of Sichuan Province (No.2018G20100); Joint Funds of the National Natural Science Foundation of China (No.U19A2081)

Abstract (translated from the Chinese): Container technology improves the efficiency of application distribution and deployment through its lightness, flexibility and rapid deployment. However, weak resource isolation and the shared kernel introduce new security risks to containers and cloud platforms. This paper proposes an anomaly detection scheme for process behavior in containers based on system call sequences and a long short-term memory (LSTM) neural network. System call sequences covering the whole life cycle of a process are collected in an agentless monitoring mode, an LSTM captures the semantic features of the sequences, and two anomaly decision methods based on cumulative deviation within a local window are proposed. In addition, to improve model training efficiency, a same-ratio deduplication algorithm for short sequence samples is designed. Experiments on a public dataset and on reproduced real attack scenarios show that the scheme effectively detects abnormal process behavior in containers and outperforms other methods of the same kind.

Key words (translated): anomaly detection, container, long short-term memory, system call, neural network

Abstract: Container technology improves the efficiency of application distribution and deployment through its lightness, flexibility and rapid deployment. However, weak resource isolation and the shared kernel introduce new security risks to containers and cloud platforms. This paper proposes an anomaly detection scheme for process behavior in containers based on system call sequences and a long short-term memory (LSTM) neural network. The scheme collects the system call sequences of the whole process life cycle through an agentless monitoring mode and uses an LSTM to capture the semantic features of the sequences. Two anomaly decision methods based on cumulative deviation within a local window are also proposed. Furthermore, to improve model training efficiency, an algorithm for same-ratio deduplication of short sequence samples is designed. Experimental results on a public dataset and on reproduced real attack scenarios show that the scheme effectively detects abnormal process behavior in containers, and that its detection performance is better than that of other similar methods.

Key words: anomaly detection, container, long short-term memory, system call, neural network
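The decision step described in the abstract, scoring a process's system call sequence by how far its calls deviate from a learned next-call model and flagging it when the deviation accumulated over a local window exceeds a threshold, as an added illustration that is not the paper's code. Assumptions: a smoothed bigram model (`NextCallModel`) stands in for the LSTM, the traces are constructed samples, and the threshold is calibrated as the largest window deviation seen on normal data plus a margin.

```python
from collections import Counter, defaultdict
from math import log

# Constructed sample traces standing in for per-process system call sequences
# collected over the whole process life cycle.
NORMAL_TRACES = [
    ["open", "read", "read", "close", "write", "close"],
    ["open", "read", "close", "open", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
    ["open", "read", "write", "close"],
]


class NextCallModel:
    """Bigram next-system-call model with add-one smoothing.

    Assumption: a stand-in for the paper's LSTM sequence model; it only
    needs to give p(next call | previous call) for the scoring below."""

    def __init__(self, traces):
        self.vocab = {s for t in traces for s in t} | {"<s>"}
        self.counts = defaultdict(Counter)
        for t in traces:
            for prev, cur in zip(["<s>"] + t[:-1], t):
                self.counts[prev][cur] += 1

    def prob(self, prev, cur):
        c = self.counts[prev]  # empty Counter for an unseen previous call
        return (c[cur] + 1) / (sum(c.values()) + len(self.vocab))


def window_deviation(model, trace, window=3):
    """Per-call surprise is -log p(call | previous call); the trace score is
    the largest cumulative surprise over any local window of `window` calls,
    so a short burst of unexpected calls is not diluted by a long benign tail."""
    surprise = [-log(model.prob(p, c)) for p, c in zip(["<s>"] + trace[:-1], trace)]
    starts = range(max(1, len(surprise) - window + 1))  # short traces: one window
    return max(sum(surprise[i:i + window]) for i in starts)


def calibrate(model, traces, window=3, margin=1.0):
    """Assumed threshold rule: max deviation on normal traces plus a margin."""
    return max(window_deviation(model, t, window) for t in traces) + margin


def is_anomalous(model, trace, threshold, window=3):
    return window_deviation(model, trace, window) > threshold
```

Unknown system calls (never seen in training) fall back to the smoothed 1/|vocab| probability, so a run of them quickly accumulates enough surprise to cross the threshold.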
