We propose a novel solution combining supervised and unsupervised machine learning models for intrusion detection at kernel level in cloud containers. In particular, the proposed solution is built over an ensemble of random and isolation forests trained on sequences of system calls that are collected at the hosting machine's kernel level. Each sequence of system calls is translated into a weighted, directed graph to obtain a compact description of the container's behavior, which is given as input to the ensemble model. We executed a set of experiments in a controlled environment in order to test our solution against the two most common threats that have been identified in cloud containers, and our results show that we achieve high detection rates and low false positives on the tested attacks.
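The following added example (not code from the paper) illustrates the graph step described above: a system-call sequence is turned into a weighted, directed transition graph and then flattened into a fixed-length feature vector that a forest-based model could consume. The traces, the choice of edge weight (count of consecutive pairs) and the normalization are assumptions of this example, as is the cosine-distance comparison used here as a simple stand-in for the paper's random/isolation-forest ensemble, which is not reproduced.

```python
from collections import Counter
import math

# Constructed sample traces (hypothetical, not from the paper's dataset).
# BASELINE_TRACE mimics a benign file-serving loop; SUSPICIOUS_TRACE mixes in
# memory-permission and network calls that the baseline never issues.
BASELINE_TRACE = ["openat", "read", "read", "write", "close",
                  "openat", "read", "write", "close"]
SUSPICIOUS_TRACE = ["openat", "read", "mmap", "mprotect", "execve",
                    "socket", "connect", "write", "close"]


def build_syscall_graph(trace):
    """Weighted, directed graph as {(src, dst): weight}.

    Nodes are system-call names; an edge src -> dst is weighted by how many
    times dst immediately follows src in the trace (assumed weighting).
    """
    edges = Counter()
    for src, dst in zip(trace, trace[1:]):
        edges[(src, dst)] += 1
    return dict(edges)


def vocabulary(*traces):
    """Sorted list of every system call seen across the given traces."""
    return sorted({call for trace in traces for call in trace})


def graph_to_vector(graph, vocab):
    """Flatten the graph into a |vocab| x |vocab| vector of edge weights.

    Weights are divided by the total edge weight so traces of different
    length are comparable (assumed normalization).
    """
    total = sum(graph.values()) or 1
    return [graph.get((src, dst), 0) / total for src in vocab for dst in vocab]


def cosine_distance(a, b):
    """1 - cosine similarity; 0 for identical direction, up to 1 for orthogonal."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return 1.0
    return 1.0 - dot / (norm_a * norm_b)


def is_anomalous(trace, baseline_traces, threshold=0.5):
    """Flag a trace whose graph is far from every baseline graph.

    This distance check is a simple placeholder for the paper's ensemble;
    the threshold is an assumption chosen for the constructed traces.
    """
    vocab = vocabulary(trace, *baseline_traces)
    target = graph_to_vector(build_syscall_graph(trace), vocab)
    closest = min(
        cosine_distance(target, graph_to_vector(build_syscall_graph(b), vocab))
        for b in baseline_traces
    )
    return closest > threshold


if __name__ == "__main__":
    print("baseline graph:", build_syscall_graph(BASELINE_TRACE))
    print("suspicious flagged:", is_anomalous(SUSPICIOUS_TRACE, [BASELINE_TRACE]))
    print("baseline flagged:", is_anomalous(BASELINE_TRACE, [BASELINE_TRACE]))
```

Two shared edges (openat -> read and write -> close) keep the suspicious trace from being fully orthogonal to the baseline, but the unseen transitions through mprotect, execve and connect push its distance well past the threshold, which is the behavioral signal the graph representation is meant to expose.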
Translation: We propose a novel solution that combines supervised and unsupervised machine learning models for intrusion detection at the kernel level of cloud containers. Specifically, the solution is built on an ensemble of random forests and isolation forests, with the models trained on sequences of system calls collected at the kernel layer of the host machine. By converting the system-call sequences into weighted directed graphs, a compact description of container behavior is obtained and used as input to the ensemble model. We conducted a series of experiments in a controlled environment, testing against the two most common threats identified in cloud containers. The results show that, in the tested attack scenarios, the method achieves a high detection rate and a low false-positive rate.