Refining Security Monitoring Techniques for Container-Based Virtualisation Environments
Master's thesis
Computer systems and networks (MPCSN), MSc
Context: Virtualisation is a vital part of software deployment in many industries. When virtualisation became popular, it was more or less synonymous with virtual machines and hypervisors. Since then, a newer form of virtualisation, containers, has surged in popularity. Containers improve on traditional hypervisors in several respects; lower overhead and short boot and shutdown times are the advantages most often cited.
Problem: However, because of the way containers operate, they do not achieve the same level of isolation, an essential attribute in security. Containers share the kernel with the host and with the other containers running on that host. A shared kernel means the attack surface differs from that of hypervisors, which raises the need for proper monitoring and for investigating monitoring techniques capable of detecting attacks, threats or misbehaving containers.
Objective: This study aims to understand which container monitoring techniques are available and how they operate. Moreover, it explores novel container monitoring techniques that provide better efficiency and better coverage of the STRIDE threat model.
Approach: The first objective is realised by conducting a literature review using the snowballing approach. The second objective is realised by following the design science research methodology.
Results: As a result, a container monitoring technique is created and refined over four iterations. The technique uses the Isolation Forest algorithm to detect anomalies in system call traces. Isolation Forest enables unsupervised anomaly detection (no labelled attack data is needed for training) while offering several advantageous characteristics in terms of efficiency and detection.
Evaluation: To evaluate the proposed monitoring technique and compare it with other techniques, a framework is developed that supports the use of different anomaly detection and feature extraction algorithms, streamlining the evaluation process.
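To make the Results paragraph concrete, the following is an added example, written from scratch on the Python standard library; it is not the thesis's code or evaluation framework. It assumes (not stated on the page) that a trace is a list of syscall names, that the feature vector is the per-syscall count ("bag of syscalls"), and that the benign and suspicious traces are constructed here for illustration. It implements the Isolation Forest idea as published by Liu, Ting and Zhou (random trees with random axis-aligned splits; points isolated in few splits are anomalous) and scores a set of traces in which one trace has a syscall mix the benign workload never produces.

```python
"""Isolation Forest over system-call count vectors (added example, std-lib only)."""
import math
import random
from collections import Counter

EULER_GAMMA = 0.5772156649

# Constructed traces (assumption, not from the thesis). Benign: a service doing
# file and socket I/O with a roughly stable syscall mix. Suspicious: a
# hypothetical process in the same container dominated by calls the benign
# workload never makes.
BENIGN_SYSCALLS = ["read", "write", "openat", "close", "fstat", "mmap", "recvfrom", "sendto"]
SUSPICIOUS_SYSCALLS = ["ptrace", "execve", "mount", "setns", "connect"]


def make_benign_trace(rng):
    trace = [name for name in BENIGN_SYSCALLS for _ in range(rng.randint(40, 60))]
    rng.shuffle(trace)
    return trace


def make_suspicious_trace(rng):
    trace = ["read"] * 5 + ["write"] * 3 + ["openat"] * 4 + ["close"] * 4
    trace += [name for name in SUSPICIOUS_SYSCALLS for _ in range(rng.randint(6, 12))]
    rng.shuffle(trace)
    return trace


def extract_features(traces):
    """Bag-of-syscalls: one column per distinct syscall name, value = count."""
    vocab = sorted({s for t in traces for s in t})
    return vocab, [[Counter(t)[s] for s in vocab] for t in traces]


def _c(n):
    """Average path length of an unsuccessful BST search; normalises depths."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _build_tree(X, idx, depth, max_depth, rng):
    # Leaf when the node cannot or should not be split further.
    if depth >= max_depth or len(idx) <= 1:
        return {"size": len(idx)}
    # Only split on features that still vary inside this node.
    ranges = {}
    for f in range(len(X[0])):
        lo = min(X[i][f] for i in idx)
        hi = max(X[i][f] for i in idx)
        if lo < hi:
            ranges[f] = (lo, hi)
    if not ranges:
        return {"size": len(idx)}
    f = rng.choice(sorted(ranges))          # random feature ...
    lo, hi = ranges[f]
    split = rng.uniform(lo, hi)             # ... and random split value
    left = [i for i in idx if X[i][f] < split]
    right = [i for i in idx if X[i][f] >= split]
    return {"feat": f, "split": split,
            "left": _build_tree(X, left, depth + 1, max_depth, rng),
            "right": _build_tree(X, right, depth + 1, max_depth, rng)}


def _path_length(node, x, depth=0):
    if "feat" not in node:
        return depth + _c(node["size"])     # unresolved leaf: add expected remainder
    child = node["left"] if x[node["feat"]] < node["split"] else node["right"]
    return _path_length(child, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=200, sample_size=256, seed=0):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng, self.trees = random.Random(seed), []

    def fit(self, X):
        self.sample_size = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = []
        for _ in range(self.n_trees):
            sample = self.rng.sample(range(len(X)), self.sample_size)
            self.trees.append(_build_tree(X, sample, 0, max_depth, self.rng))
        return self

    def score(self, x):
        """Anomaly score in (0, 1): near 1 = isolated in few splits = anomalous."""
        mean_depth = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_depth / _c(self.sample_size))


def score_traces(seed=7):
    """Fifteen benign traces plus one suspicious trace at index 15; returns scores."""
    rng = random.Random(seed)
    traces = [make_benign_trace(rng) for _ in range(15)] + [make_suspicious_trace(rng)]
    _vocab, X = extract_features(traces)
    forest = IsolationForest(seed=seed).fit(X)
    return [forest.score(x) for x in X]


if __name__ == "__main__":
    for i, s in enumerate(score_traces()):
        print(f"trace {i:2d}: score {s:.3f}{'  <-- anomaly' if s > 0.7 else ''}")
```

The suspicious trace is the only one with non-zero counts for ptrace, execve, mount, setns and connect, so a random split on any of those columns isolates it at depth 1, which is exactly the property Isolation Forest exploits; the benign traces need three or more splits before they are separated from each other. Per-syscall counts are the simplest feature extractor; swapping in syscall n-gram counts is a one-function change in extract_features and is the kind of variation an evaluation framework as described in the abstract would need to support.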
Conclusion: The resulting technique detects all attacks included in the evaluation while keeping an average FPR below 3%.
Computer, science, computer science, engineering, project, thesis, security, container, monitoring, anomaly detection