Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network

CHEN Xing-shu; JIN Yi-ling; WANG Yu-long; JIANG Chao; WANG Qi-xu

doi:10.12263/DZXB.20190220

您当前的位置：

首页 >

文章列表页 >

Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network

更新时间：2025-12-08

- Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network
- Acta Electronica Sinica Vol. 49, Issue 1, Pages: 149-156(2021)
- 作者机构：
  
  1. 四川大学网络空间安全学院,四川,成都,610065
  2. 四川大学网络空间安全研究院,四川,成都,610065
  3. 四川大学网络空间安全学院,四川,成都,610065
  4. 四川大学网络空间安全研究院,四川,成都,610065
- 作者简介：
- 基金信息：
- DOI：10.12263/DZXB.20190220
  CLC： TP309
- Published Online：25 January 2021，
  
  Published：2021
- 稿件说明：
移动端阅览
CHEN Xing-shu, JIN Yi-ling, WANG Yu-long, et al. Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network[J]. Acta Electronica Sinica, 2021, 49(1): 149-156.
DOI：

CHEN Xing-shu, JIN Yi-ling, WANG Yu-long, et al. Anomaly Detection of Processes Behavior in Container Based on LSTM Neural Network[J]. Acta Electronica Sinica, 2021, 49(1): 149-156. DOI： 10.12263/DZXB.20190220.

摘要

容器技术以其轻便、灵活和快速部署等特点提高了应用分发部署效率.然而，资源隔离性低和共享内核的特性却给容器和云平台引入了新的安全风险.本文提出了一种基于系统调用序列和长短期记忆（Long Short-Term Memory，LSTM）神经网络的容器内进程异常行为检测方案，通过无代理监控模式采集进程全生命周期的系统调用序列数据，并利用LSTM捕获序列的语义特征，同时采用局部窗口内累积偏差的方式，提出了两种异常判决方法.此外，为优化模型训练效率，设计了一种短序列样本同比去重算法.在公开数据集和复现的实际攻击场景下的实验结果表明，该方案能有效检出容器内进程的异常行为，且检测效果优于同类的其它方法.

Abstract

Container technology improves the efficiency of application distribution and deployment with its features of lightness

flexibility and rapid deployment. However

the characteristics of low resource isolation and shared kernel introduce new security risks to containers and cloud platforms. This paper proposes an anomaly detection scheme of processes behavior in container based on system call sequences and long short-term memory (LSTM) neural network

the scheme collects the system call sequence data of the whole life cycle of processes through the agentless monitoring mode

and uses LSTM to capture the semantic features of sequences. At the same time

two methods of abnormal decision are proposed by means of cumulative deviation in local window. Furthermore

in order to optimize the training efficiency of the model

an algorithm for removing duplicate short sequence samples with the same ratio is designed. The experimental results on the public dataset and real attack scenarios show that the scheme can effectively detect the abnormal behavior of processes in container

and the detection performance is better than other similar methods.

关键词

Keywords

references

Views

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Intrusion Detection Based on Sub-Set of System Calls

System Call Anomaly Detection Method Based on HMM

Variable Horizon Multi-Directional Scanning Method for Time Series Anomaly Detection

Image Classification Network of Background Perception Mechanism

Neural Network Based Image Style Transfer: A Survey

Related Author

ZHANG Xiang-feng

SUN Yu-fang

ZHAO Qing-song

YAN Qiao

XIE Wei-xin

SONG Ge

YU Jian-Ping

HUANG Yu-zhe

Related Institution

Institute of Software,Chinese Academy of Sciences

Institute of Information Engineering,Shenzhen University

Institute of Electronic Engineering,Xidian University

Institute of Information EngineeringShenzhen UniversityShenzhenGuangdong China

Institute of Electronic EngineeringXidian UniversityXi'anShaanxi China

⁰