基于长短期记忆神经网络的容器内进程异常行为检测

doi:10.12263/DZXB.20190220

电子学报 ›› 2021, Vol. 49 ›› Issue (1): 149-156.DOI: 10.12263/DZXB.20190220

基于长短期记忆神经网络的容器内进程异常行为检测

陈兴蜀^1,2, 金逸灵^1,2, 王玉龙^1,2, 蒋超^1,2, 王启旭^1,2

1. 四川大学网络空间安全学院, 四川成都 610065;
2. 四川大学网络空间安全研究院, 四川成都 610065

收稿日期:2019-02-27 修回日期:2020-04-21 出版日期:2021-01-25
- 通讯作者:
- 金逸灵
- 作者简介:
- 陈兴蜀 女,1968年8月出生,贵州六枝人,四川大学教授、博士生导师,主要研究方向:云计算/大数据安全,威胁检测,开源情报.E-mail:chenxsh@scu.edu.cn
- 基金资助:
- 国家自然科学基金重点项目 (No.U19A2081）; 国家自然科学基金青年科学基金 (No.61802270）; 国家"双创"示范基地之变革性技术国际研发转化平台 (No.C700011）; 四川省重点研发资金 (No.2018G20100）; 国家自然科学基金联合基金 (No.U19A2081）

Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network

CHEN Xing-shu^1,2, JIN Yi-ling^1,2, WANG Yu-long^1,2, JIANG Chao^1,2, WANG Qi-xu^1,2

1. College of Cybersecurity, Sichuan University, Chengdu, Sichuan 610065, China;
2. Cybersecurity Research Institute, Sichuan University, Chengdu, Sichuan 610065, China

Received:2019-02-27 Revised:2020-04-21 Online:2021-01-25 Published:2021-01-25
- Corresponding author:
- JIN Yi-ling
- Supported by:
- Key Program of National Natural Science Foundation of China (No.U19A2081); Youth Fund of National Natural Science Foundation of China (No.61802270); Transformational Technology International R&D and Transformation Platform of National Demonstration base for mass Entrepreneurship and Innovation (No.C700011); Key Research and Development Fund of Sichuan Province (No.2018G20100); Joint Funds of the National Natural Science Foundation of China (No.U19A2081)

摘要/Abstract

摘要： 容器技术以其轻便、灵活和快速部署等特点提高了应用分发部署效率.然而，资源隔离性低和共享内核的特性却给容器和云平台引入了新的安全风险.本文提出了一种基于系统调用序列和长短期记忆（Long Short-Term Memory，LSTM）神经网络的容器内进程异常行为检测方案，通过无代理监控模式采集进程全生命周期的系统调用序列数据，并利用LSTM捕获序列的语义特征，同时采用局部窗口内累积偏差的方式，提出了两种异常判决方法.此外，为优化模型训练效率，设计了一种短序列样本同比去重算法.在公开数据集和复现的实际攻击场景下的实验结果表明，该方案能有效检出容器内进程的异常行为，且检测效果优于同类的其它方法.

关键词: 异常检测, 容器, 长短期记忆, 系统调用, 神经网络

Abstract: Container technology improves the efficiency of application distribution and deployment with its features of lightness, flexibility and rapid deployment. However, the characteristics of low resource isolation and shared kernel introduce new security risks to containers and cloud platforms. This paper proposes an anomaly detection scheme of processes behavior in container based on system call sequences and long short-term memory (LSTM) neural network, the scheme collects the system call sequence data of the whole life cycle of processes through the agentless monitoring mode, and uses LSTM to capture the semantic features of sequences. At the same time, two methods of abnormal decision are proposed by means of cumulative deviation in local window. Furthermore, in order to optimize the training efficiency of the model, an algorithm for removing duplicate short sequence samples with the same ratio is designed. The experimental results on the public dataset and real attack scenarios show that the scheme can effectively detect the abnormal behavior of processes in container, and the detection performance is better than other similar methods.

Key words: anomaly detection, container, long short-term memory, system call, neural network

中图分类号:

TP309

陈兴蜀, 金逸灵, 王玉龙, 等. 基于长短期记忆神经网络的容器内进程异常行为检测[J]. 电子学报, 2021, 49(1): 149-156.

CHEN Xing-shu, JIN Yi-ling, WANG Yu-long, et al. Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network[J]. Acta Electronica Sinica, 2021, 49(1): 149-156.

参考文献

[1] MATTETTI M,SHULMAN-PELEG A,ALLOUCHE Y,et al.Securing the infrastructure and the workloads of linux containers[A].IEEE Conference on Communications and Network Security[C].Florence,Italy:IEEE,2015.524-526.
[2] FORREST S,HOFMERYR S A,SOMAYAJI A,et al.A sense of self for unix processes[A].Proceedings of the 1996 IEEE Symposium on Security and Privacy[C].Oakland:IEEE,1996.120-128.
[3] KOSORESOW A P,HOFMEYR S A.Intrusion detection via system call traces[J].Software IEEE,1997,14(5):35-42.
[4] MISHRA P,PILLI E S,VARADHARAJAN V,et al.Intrusion detection techniques in cloud environment:a survey[J].Journal of Network and Computer Applications,2017,77(C):18-47.
[5] MASKE S A,PARVAT T J.Advanced anomaly intrusion detection technique for host based system using system call patterns[A].International Conference on Inventive Computation Technologies[C].Coimbatore,India:IEEE,2017.1-4.
[6] KHREICH W,KHOSRAVIFAR B,HAMOU-LHADJ A,et al.An anomaly detection system based on variable n-gram features and one-class SVM[J].Information and Software Technology,2017,91:186-197.
[7] XIAO X,WANG Z,LI Q,et al.Back-propagation neural network on markov chains from system call sequences:a new approach for detecting android malware with system call sequences[J].Iet Information Security,2017,11(1):8-15.
[8] 尹清波,张汝波,李雪耀,等.基于动态马尔科夫模型的入侵检测技术研究[J].电子学报,2004,32(11):1785-1788. YIN Qing-bo,ZHANG Ru-bo,LI Xue-yao,et al.Research on technology of intrusion detection based on dynamic markov model[J].Acta Electronica Sinica,2004,32(11):1785-1788.(in Chinese)
[9] Xiao X,Zhang S,MERCALDO F,et al.Android malware detection based on system call sequences and LSTM[J].Multimedia Tools and Applications,2017,2:1-21.
[10] 陈兴蜀,陈佳昕,赵丹丹,等.基于虚拟机IO序列与Markov模型的异常行为检测[J].清华大学学报(自然科学版),2018,58(4):395-401+410. CHEN Xing-shu,CHEN Jia-xin,ZHAO Dan-dan,et al.Anomaly detection based on io sequences in a virtual machine with the markov mode[J].Journal Tsinghua University (Science and Technology),2018,58(4):395-401+410.(in Chinese)
[11] ALARIFI S,WOLTHUSEN S.Anomaly detection for ephemeral cloud iaas virtual machines[A].International Conference on Network and System Security[C].Berlin Heidelberg:Springer,2014.321-335.
[12] GUPTA S,KUMAR P.An immediate system call sequence based approach for detecting malicious program executions in cloud environment[J].Wireless Personal Communications,2015,81(1):1-21.
[13] TAHIR R,RAZA A,NAQVI M,et al.An anomaly detection fabric for clouds based on collaborative vm communities[A].IEEE/ACM International Symposium on Cluster,Cloud and Grid Computing[C].Madrid,Spain:IEEE,2017.431-441.
[14] KASHYAP A,KUMAR G S,JANGIR S,et al.IHIDS:Introspection-based hybrid intrusion detection system in cloud environment[A].International Conference on Advances in Computing,Communications and Informatics[C].Udupi,India:IEEE,2017.687-693.
[15] ELGRAINI M T,ASSEM N,RACHIDI T.Host intrusion detection for long stealthy system call sequences[A].Information Science and Technology[C].Fez,Morocco:IEEE,2012.96-100.
[16] KOUCHAM O,RACHIDI T,ASSEM N.Host intrusion detection using system call argument-based clustering combined with bayesian classication[A].Sai Intelligent Systems Conference[C].London,UK:IEEE,2015.1010-1016.
[17] MURTAZA S S,KHREICH W,HAMOULHADJ A,et al.A host-based anomaly detection approach by representing system calls as states of kernel modules[A].IEEE International Symposium on Software Reliability Engineering[C].Pasadena,CA,USA:IEEE,2014.431-440.
[18] 黄杰.云环境虚拟机安全关键技术研究与实现[D].四川成都:电子科技大学,2017. HUANG Jie.Research and implementation of virtual machine security key technology on cloud environment[D].Chengdu,Sichuan:University of Electronic Science and Technology of China,2017.(in Chinese)

基于长短期记忆神经网络的容器内进程异常行为检测

Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	黄赟, 张帆, 郭威, 陈立, 羊光. 一种基于数据标准差的卷积神经网络量化方法[J]. 电子学报, 2023, 51(3): 639-647.
[2]	张金颢, 周恒, 张守龙, 蒋廷勇, 王胜涛, 刘真. 基于仿真及神经网络的大型电磁脉冲模拟器近区场计算[J]. 电子学报, 2023, 51(3): 712-719.
[3]	吕杭, 蒋明峰, 李杨, 张鞠成, 王志康. 基于混合时频域特征的卷积神经网络心律失常分类方法的研究[J]. 电子学报, 2023, 51(3): 701-711.
[4]	杨利平, 侯振威, 辜小花, 郝峻永. 弱标签声音事件检测的空间-通道特征表征与自注意池化[J]. 电子学报, 2023, 51(2): 297-306.
[5]	王子为, 鲁继文, 周杰. 基于自适应梯度优化的二值神经网络[J]. 电子学报, 2023, 51(2): 257-266.
[6]	许新征, 李杉. 基于特征膨胀卷积模块的轻量化技术研究[J]. 电子学报, 2023, 51(2): 355-364.
[7]	丁琪, 田萱, 孙国栋. 基于注意力增强的热点感知新闻推荐模型[J]. 电子学报, 2023, 51(1): 93-104.
[8]	张永梅, 孙捷. 基于动静态特征双输入神经网络的咳嗽声诊断COVID-19算法[J]. 电子学报, 2023, 51(1): 202-212.
[9]	袁海英, 成君鹏, 曾智勇, 武延瑞. Mobile_BLNet：基于Big-Little Net的轻量级卷积神经网络优化设计[J]. 电子学报, 2023, 51(1): 180-191.
[10]	王神龙, 雍宇, 吴晨睿. 基于伪孪生神经网络的低纹理工业零件6D位姿估计[J]. 电子学报, 2023, 51(1): 192-201.
[11]	王硕, 王坚, 王亚男, 宋亚飞. 一种基于特征融合的恶意代码快速检测方法[J]. 电子学报, 2023, 51(1): 57-66.
[12]	吴靖, 叶晓晶, 黄峰, 陈丽琼, 王志锋, 刘文犀. 基于深度学习的单帧图像超分辨率重建综述[J]. 电子学报, 2022, 50(9): 2265-2294.
[13]	毛国君, 王者浩, 黄山, 王翔. 基于剪边策略的图残差卷积深层网络模型[J]. 电子学报, 2022, 50(9): 2205-2214.
[14]	袁海英, 曾智勇, 成君鹏. 面向灵活并行度的稀疏卷积神经网络加速器[J]. 电子学报, 2022, 50(8): 1811-1818.
[15]	徐兴荣, 刘聪, 李婷, 郭娜, 任崇广, 曾庆田. 基于双向准循环神经网络和注意力机制的业务流程剩余时间预测方法[J]. 电子学报, 2022, 50(8): 1975-1984.