Intrusion Detection System for Applications using Linux Containers
•Download as PPTX, PDF•
1 like•892 views
This presentation describes an Anomaly-based Intrusion Detection System for securing Linux Containers. The presentation was given on Monday, September 21, 2015, as part of the ESORICS 2015 Workshop on Security and Trust Management (STM).
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Intrusion Detection System for Applications using Linux Containers
Similar to Intrusion Detection System for Applications using Linux Containers (20)
Recently uploaded
Recently uploaded (20)
Intrusion Detection System for Applications using Linux Containers
- 1. Intrusion Detection System for Applications using Linux Containers Amr Abed, Charles Clancy, David Levy
- 2. Agenda Backgound Overview Evaluation Conclusion
- 4. Anomaly Detection Technique Sliding Window & BoSC … futex futex sendto futex sendto pwrite sendto futex … [2,0,3,0,1,0,…, 0] Syscall Index sendto 0 select 1 futex 2 lseek 3 pwrite 4 … … other 42 Index Map BoSC BoSC Frequency … … [2,1,2,0,1,0,…,0] 5 [2,0,3,0,1,0,…,0] 1 Normal-behavior Database
- 5. Anomaly Detection Technique Sliding Window & BoSC … futex futex sendto futex sendto pwrite sendto futex … [3,0,2,0,1,0,…, 0] Syscall Index sendto 0 select 1 futex 2 lseek 3 pwrite 4 … … other 42 Index Map BoSC BoSC Frequency … … [2,1,2,0,1,0,…,0] 5 [2,0,3,0,1,0,…,0] 1 [3,0,2,0,1,0,…,0] 1 Normal-behavior Database
- 6. Anomaly Detection Technique Sliding Window & BoSC … futex futex sendto futex sendto pwrite sendto futex … [3,0,2,0,1,0,…, 0] Syscall Index sendto 0 select 1 futex 2 lseek 3 pwrite 4 … … other 42 Index Map BoSC BoSC Frequency … … [2,1,2,0,1,0,…,0] 5 [2,0,3,0,1,0,…,0] 1 [3,0,2,0,1,0,…,0] 2 Normal-behavior Database
- 7. Agenda Background Overview Evaluation Conclusion
- 8. Real-time Intrusion Detecion strace Behavior Log Syscall List mysqlslap sqlmap Monitoring
- 9. Real-time Intrusion Detecion strace Behavior Log Syscall List mysqlslap sqlmap Syscall Parser Syscall Index Map Sliding Window Syscall System Call Parsing Index BoSC Frequency
- 10. Real-time Intrusion Detection BoSC Classifier Normal Behavior Database Learning System Behavior
- 11. Real-time Intrusion Detecion BoSC Classifier Normal Behavior Database OK STOP BoSC Matching? Anomaly Detection
- 12. Agenda Background Overview Evaluation Conclusion
- 14. Test Configuration Test Parameters • Epoch-size range: 1000, 1500, …, 4000 (total system calls per epoch) • Detection-threshold range: 10, 20, …, 100 (mismatches per epoch) System Input • A trace of 3,804,000 total system calls was used • Only system calls were used for training (no arguments) • 875,000 system calls used for training • 40 distinct system calls found
- 15. Individual Attack Types Tested Reconnaissance (Brute-force) attack • Retrieve all info about DBMS, e.g. users, roles, schemas, passwords, … etc. • Generated ~ 42,000 mismatches DoS Attack • Using wild cards to slow down database • Generated 37 mismatches OS takeover attempt • Attempt to run ‘cat /etc/passwd’ shell command (failed) • Generated 279 mismatches File-system access • Copy /etc/passwd to local machine • Generated 182 mismatches
- 16. Test Results Detection Threshold 10 20 30 40 50 60 70 80 90 100 % 0 10 20 30 40 50 60 70 80 90 100 FPR TPR Epoch Size = 1000 system calls per epoch
- 17. Test Results Epoch size 1000 1500 2000 2500 3000 3500 4000 % 0 10 20 30 40 50 60 70 80 90 100 FPR TPR Detection Threshold = 10 mismatches per epoch
- 18. Agenda Background Overview Evaluation Conclusion
- 19. Conclusion High detection rate is easily achievable at low detection threshold • 100% at detection threshold of 10 mismatches per epoch High detection speed • Minimum of 10 system calls (for 100% detection rate) • Maximum of 1000 system calls (for epoch size of 1000) Non-zero FPR measured • Nature of running application (not repetitive) • state of database changes from idle to active Plus same workload may not generate exact BoSCs • expect better performance for an application that is repetitive by nature (e.g. Hadoop Yarn) • Memory-based learning technique • looks for exact same BoSCs • modify technique to adapt for minor change for better performance Strong anomaly signal from anomalous data • Malicious dataset: average 695 mismatches/epoch • Normal dataset: average 33 mismatches/epoch Relatively small overhead • 5MB for storing normal-behavior database
Editor's Notes
- A container typically encapsulates single application plus libraries and binaries only Containers running on the same host share the same kernel as the host Namespaces and control groups are used to isolate containers and manage resources Containers communicate with the host kernel (and the wider world) through system calls
- Sample Syscall trace
- Sample Syscall trace
- Sample Syscall trace
- The Linux buitl-in tool strace is used to trace system calls between the container and the host kernel. The system call trace is written to a behavior log file. In addition, strace is used to generate a list of system calls that frequently appears during the normal execution of the current application.
- System call parser reads behavior file as being updated by strace epoch by epoch. During each epoch, the system calls are read one at a time, and the new system call is then added to the sliding window. In addition, the system calls is passed to the syscall index map to look up the index. The current frequency of the new system call is calculated, and the syscall index is retrieved from the map, and used to update the corresponding index in the new BoSC
- The created BoSC is then passed to the classifier. In training mode, the classifier just adds the new BoSC to the normal behavior database if doesn’t already exists. If it already exists, the frequency of the bag is incremented. The databse is considered stable once all expected normal behavior is applied to the container
- Once the databse is stable, the classifier switches to classification mode. In that mode, the classifier checks if new BoSC is not present in the database, a mismatch is declared. If the number of mismatches within one epoch exceeds certain threshold, an anomaly signal is raised. To improve the FPR for future epochs, we are also applying a continuous training mode in which the difference from last-epoch database is added to the normal behavior database if the number of mismatches is less than the threshold.