APPLICATION OF A HYBRID NEURAL NETWORK AE-LSTM FOR ANOMALIES DETECTION IN CONTAINER SYSTEMS
Abstract
The popularity of container systems attracts the attention of many researchers in the field of information technology. Containerization technology makes it possible to reduce the cost of computing resources when deploying and supporting complex infrastructure solutions. Ensuring the security of container systems and of containerization in general, together with the use of smart, artificial-intelligence-based attacks by attackers, is a serious obstacle to the safe and stable operation of container systems. This article proposes an approach for detecting not only previously unknown individual anomalous processes, but also anomalous process sequences in container systems. The proposed approach and its implementation on the Docker platform rely on tracing system calls, constructing histograms of running processes, and using the AE-LSTM neural network. The histograms are constructed by counting the number of executed system calls for each individual process. This makes it possible not only to accurately identify any process in the system, but also to detect anomalous process sequences with a high degree of accuracy. The generated sequences are used as input data for the neural network. After training, the neural network is able to detect anomalous sequences by comparing a given reconstruction-error threshold with the actual error level of the input data vector. When the neural network encounters a new input data vector, it calculates the reconstruction error level, that is, the difference between the expected and actual value. If this error exceeds a predetermined threshold, the system signals the presence of an anomaly in the sequence. Experiments show that the proposed approach detects anomalous processes with high accuracy and a low false-positive rate. These results confirm the effectiveness of the proposed approach.
In addition, the computational cost of training the neural network model is quite low, which allows less powerful hardware to be used without significant performance loss. Such a solution can be trained and deployed in a new infrastructure in a fairly short time.
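The pipeline the abstract describes (per-process syscall histograms built from a trace, histograms grouped into sequences, and an anomaly flagged when the reconstruction error of a sequence exceeds a threshold learned from benign data) as an added, self-contained illustration that is not code from the paper. The trace format (`<pid> <syscall>(...)`), the constructed trace lines, the window size and the margin are assumptions; the per-position mean of benign sequences stands in for the trained AE-LSTM's reconstruction so the example runs without a deep-learning library.

```python
import re
from collections import Counter, defaultdict

# Constructed strace-style lines (assumed format "<pid> <syscall>(...)"); not data from the paper.
BENIGN_TRACE = "\n".join(
    ["101 openat(...)", "101 read(...)", "101 read(...)", "101 write(...)", "101 close(...)",
     "102 openat(...)", "102 read(...)", "102 write(...)", "102 close(...)",
     "103 openat(...)", "103 read(...)", "103 read(...)", "103 write(...)", "103 write(...)", "103 close(...)"])
SUSPECT_TRACE = "\n".join(
    ["201 execve(...)", "201 mmap(...)", "201 socket(...)", "201 connect(...)",
     "202 sendto(...)", "202 sendto(...)", "202 sendto(...)"])
SYSCALLS = ["openat", "read", "write", "close", "execve", "mmap", "socket", "connect", "sendto"]
LINE = re.compile(r"^(\d+)\s+(\w+)\(")

def histograms(trace):
    """Per-process histogram: number of executed calls of each syscall, in SYSCALLS order."""
    counts = defaultdict(Counter)
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            counts[int(m.group(1))][m.group(2)] += 1
    return {pid: [c[s] for s in SYSCALLS] for pid, c in counts.items()}

def sequences(hists, window=2):
    """Sliding window over process histograms (ordered by PID): one window = one model input."""
    pids = sorted(hists)
    return [[hists[p] for p in pids[i:i + window]] for i in range(len(pids) - window + 1)]

def reconstruction_error(seq, reconstruction):
    """Mean squared difference between the input sequence and its reconstruction."""
    sq = sum((x - y) ** 2 for h, r in zip(seq, reconstruction) for x, y in zip(h, r))
    return sq / (len(seq) * len(SYSCALLS))

def fit(benign_seqs, margin=1.5):
    """Stand-in for AE-LSTM training (assumption): the 'reconstruction' is the per-position mean
    of benign sequences; the threshold is the worst benign error times an assumed margin."""
    n, w = len(benign_seqs), len(benign_seqs[0])
    profile = [[sum(s[i][j] for s in benign_seqs) / n for j in range(len(SYSCALLS))] for i in range(w)]
    threshold = margin * max(reconstruction_error(s, profile) for s in benign_seqs)
    return profile, threshold

def is_anomalous(seq, model):
    """Signal an anomaly when the reconstruction error exceeds the learned threshold."""
    profile, threshold = model
    return reconstruction_error(seq, profile) > threshold

if __name__ == "__main__":
    model = fit(sequences(histograms(BENIGN_TRACE)))
    for seq in sequences(histograms(SUSPECT_TRACE)):
        print("anomalous" if is_anomalous(seq, model) else "benign", round(reconstruction_error(seq, model[0]), 3))
```

With a real AE-LSTM the `profile` would be replaced by the network's decoded output for each input sequence; the histogram construction, sequencing and threshold comparison stay the same.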