Page 1: Intrusion Detection System for Applications using Linux Containers

Intrusion Detection System for Applications using Linux Containers

Amr Abed, Charles Clancy, David Levy

Page 2: Agenda

Background, Overview, Evaluation, Conclusion

Page 3: Linux Containers

Page 4: Anomaly Detection Technique: Sliding Window & BoSC

Figure (reconstructed from the slide): a window slides over the system-call trace; in this frame it covers the calls futex, futex, sendto, futex, sendto, pwrite (the trace continues with sendto, futex). Each call is mapped to an index, and the window is summarised as a Bag of System Calls (BoSC), the vector of counts per index: [2,0,3,0,1,0,…,0] (two sendto, three futex, one pwrite).

Index Map (as shown on the slide): sendto 0, select 1, futex 2, lseek 3, pwrite 4, …, other 42

Normal-behavior Database (BoSC → Frequency):
… …
[2,1,2,0,1,0,…,0] 5
[2,0,3,0,1,0,…,0] 1

Page 5: Anomaly Detection Technique: Sliding Window & BoSC

Figure (reconstructed from the slide): the window slides forward by one call and now covers futex, sendto, futex, sendto, pwrite, sendto, giving the BoSC [3,0,2,0,1,0,…,0] (three sendto, two futex, one pwrite) under the same index map (sendto 0, select 1, futex 2, lseek 3, pwrite 4, …, other 42). This BoSC is not yet in the database, so it is added with frequency 1.

Normal-behavior Database (BoSC → Frequency):
… …
[2,1,2,0,1,0,…,0] 5
[2,0,3,0,1,0,…,0] 1
[3,0,2,0,1,0,…,0] 1

Page 6: Anomaly Detection Technique: Sliding Window & BoSC

Figure (reconstructed from the slide): the window slides forward once more and covers sendto, futex, sendto, pwrite, sendto, futex, which again yields the BoSC [3,0,2,0,1,0,…,0] under the same index map. The BoSC already exists in the database, so its frequency is incremented to 2.

Normal-behavior Database (BoSC → Frequency):
… …
[2,1,2,0,1,0,…,0] 5
[2,0,3,0,1,0,…,0] 1
[3,0,2,0,1,0,…,0] 2

Page 7: Agenda

Background, Overview, Evaluation, Conclusion

Page 8: Real-time Intrusion Detection: Monitoring

Figure (reconstructed from the slide): the clients mysqlslap and sqlmap generate the traffic being traced; strace records a behavior log, from which the system-call list is extracted.

Page 9: Real-time Intrusion Detection: System Call Parsing

Figure (reconstructed from the slide): strace → behavior log → syscall list (traffic from mysqlslap and sqlmap); the syscall parser maps each call through the index map to a syscall index, and the sliding window over those indices produces a BoSC together with its frequency.

Page 10: Real-time Intrusion Detection: Learning System Behavior

Figure (reconstructed from the slide): each BoSC produced by the parser is passed to the classifier, which records it in the normal-behavior database.

Page 11: Real-time Intrusion Detection: Anomaly Detection

Figure (reconstructed from the slide): each new BoSC is checked by the classifier against the normal-behavior database (Matching?); a match yields OK, a mismatch yields STOP.

Page 12: Agenda

Background, Overview, Evaluation, Conclusion

Page 13: Test Environment

Figure (reconstructed from the slide): workload generated by mysqlslap (the MySQL load-emulation client) and sqlmap (the SQL-injection testing tool).

Page 14: Test Configuration

Test Parameters
• Epoch-size range: 1000, 1500, …, 4000 (total system calls per epoch)
• Detection-threshold range: 10, 20, …, 100 (mismatches per epoch)

System Input
• A trace of 3,804,000 total system calls was used
• Only system-call names were used for training (no arguments)
• 875,000 system calls used for training
• 40 distinct system calls found
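The sliding-window BoSC technique of pages 4 to 6 and 9 to 11, with the epoch size and detection threshold from this slide, as an added Python example (not the authors' code). The index map is the constructed subset visible on the slides, the window width of 6 is read off the figure, and the strict "exceeds threshold" comparison is an assumption.

```python
from collections import Counter, deque

# Index map as drawn on the slides (sendto 0, select 1, futex 2, lseek 3,
# pwrite 4, ...); the entries elided on the slide are omitted, so this is a
# constructed subset. Unmapped calls fall into the "other" bucket, index 42.
INDEX_MAP = {"sendto": 0, "select": 1, "futex": 2, "lseek": 3, "pwrite": 4}
OTHER_INDEX = 42
VECTOR_LEN = OTHER_INDEX + 1
WINDOW_SIZE = 6  # width of the window drawn in the slide figure (assumption)

# Constructed sample trace: the call sequence visible in the slide figure.
NORMAL_TRACE = ["futex", "futex", "sendto", "futex",
                "sendto", "pwrite", "sendto", "futex"]

def bosc(window):
    """Bag of System Calls: per-index counts of the calls in one window."""
    vec = [0] * VECTOR_LEN
    for call in window:
        vec[INDEX_MAP.get(call, OTHER_INDEX)] += 1
    return tuple(vec)  # hashable, so it can key the database

def sliding_boscs(trace, size=WINDOW_SIZE):
    """Yield (calls consumed so far, BoSC) per window, sliding by one call."""
    window = deque(maxlen=size)
    for n, call in enumerate(trace, start=1):
        window.append(call)
        if len(window) == size:
            yield n, bosc(window)

def learn(trace, size=WINDOW_SIZE):
    """Training: normal-behavior database mapping each BoSC to its frequency."""
    return Counter(vec for _, vec in sliding_boscs(trace, size))

def detect(trace, database, epoch_size, threshold, size=WINDOW_SIZE):
    """Detection: per epoch of epoch_size calls, count windows whose BoSC is
    absent from the database; flag the epoch when the count exceeds threshold
    (strict comparison is an assumption). Returns (counts, flagged epochs)."""
    per_epoch, count = [], 0
    for n, vec in sliding_boscs(trace, size):
        if vec not in database:
            count += 1
        if n % epoch_size == 0:  # epoch boundary reached
            per_epoch.append(count)
            count = 0
    if len(trace) % epoch_size:  # report the partial final epoch too
        per_epoch.append(count)
    flagged = [i for i, m in enumerate(per_epoch) if m > threshold]
    return per_epoch, flagged
```

With the slide's trace, learn(NORMAL_TRACE) reproduces the entries added on pages 4 to 6 ([2,0,3,0,1,…] once, [3,0,2,0,1,…] twice); a run of unmapped calls inside an otherwise normal trace shows up as a burst of mismatches in one epoch.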

Page 15: Individual Attack Types Tested

Reconnaissance (brute-force) attack
• Retrieve all information about the DBMS, e.g. users, roles, schemas, passwords, etc.
• Generated ~42,000 mismatches

DoS attack
• Using wildcards to slow down the database
• Generated 37 mismatches

OS takeover attempt
• Attempt to run the ‘cat /etc/passwd’ shell command (failed)
• Generated 279 mismatches

File-system access
• Copy /etc/passwd to the local machine
• Generated 182 mismatches

Page 16: Test Results (figure)

Epoch Size = 1000 system calls per epoch

Page 17: Test Results (figure)

Detection Threshold = 10 mismatches per epoch

Page 18: Agenda

Background, Overview, Evaluation, Conclusion

Page 19: Conclusion

High detection rate is easily achievable at a low detection threshold
• 100% at a detection threshold of 10 mismatches per epoch

High detection speed
• Minimum of 10 system calls (for 100% detection rate)
• Maximum of 1000 system calls (for an epoch size of 1000)

Non-zero FPR measured
• Nature of the running application (not repetitive)
  • the state of the database changes from idle to active
  • the same workload may not generate the exact same BoSCs
  • expect better performance for an application that is repetitive by nature (e.g. Hadoop YARN)
• Memory-based learning technique
  • looks for the exact same BoSCs
  • modify the technique to tolerate minor changes for better performance

Strong anomaly signal from anomalous data
• Malicious dataset: average 695 mismatches/epoch
• Normal dataset: average 33 mismatches/epoch

Relatively small overhead
• 5 MB for storing the normal-behavior database