Search results for keyword: eBPF (1 result)

Enhancing Container Security Using Machine Learning Based on Kernel Tracing Logs

Hyeonseok Shin, Minjung Jo, Hosang Yoo, Yongwon Lee, Jiyeon Lee, Byungchul Tak

http://doi.org/10.5626/JOK.2024.51.11.947

The use of container technology has been increasing rapidly as it gains attention in cloud environments. Containers are lighter and easier to deploy than virtual machines because they do not require a separate operating system. However, containers can have security vulnerabilities because they share the same host kernel. In this paper, we designed and implemented a security system to address these vulnerabilities using eBPF technology, kernel tracing logs, and an ensemble machine learning model. Our system can effectively detect attacks that leverage race conditions and the heap spray technique used against kernel memory vulnerabilities. Unlike traditional security policy-based approaches, it allows rapid and dynamic responses without needing profile creation. For detecting attacks that leverage race conditions, the system achieved over 99% on Precision, Recall, and F1-Score, and it recorded over 97% across all metrics for heap spray detection.

Journal of KIISE

  • ISSN : 2383-630X(Print)
  • ISSN : 2383-6296(Electronic)
  • KCI Accredited Journal