The Design And Implement Of Anomaly Detection System For Docker Containers

Posted on: 2018-09-04
Degree: Master
Type: Thesis
Country: China
Candidate: Q C Hao
Full Text: PDF
GTID: 2348330518994410
Subject: Computer technology
Abstract/Summary:
With the development of cloud computing, Linux containers are playing an important role in industrial use. However, containers face more and more security threats, while research on container security remains insufficient; for example, as of October 2015 there were 103 container-related defects in the U.S. National Vulnerability Database. Detecting abnormal behavior of programs running in containers is therefore important for protecting them. This paper proposes a new method of extracting features from system calls. The process feature model uses not only the features of the process itself, but also its parent-child relations and its inter-process communication relations. When identifying an anomalous process, the method checks not only whether the features of the unknown process are in the feature tree, but also the processes related to the unknown process, including those in parent-child and inter-process communication relations with it. Based on this method and model, we design and implement an anomaly detection system for Docker containers, which we call ADDocker. We evaluate ADDocker on a cloud computing platform, using malicious software samples as the testing set in typical containers such as Ubuntu and MySQL. The experimental results show that the feature extraction method extracts better process features and that ADDocker is effective in real containers.
Keywords/Search Tags: anomaly detection, container, process, semantic, system call