CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications
Published in Annual Computer Security Applications Conference, 2020
Recommended citation: Lin, Y., Tunde-Onadele, O. and Gu, X., 2020, December. CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications. In Annual Computer Security Applications Conference (pp. 179-188) https://doi.org/10.1145/3427228.3427236
Containers have been widely adopted in production computing environments for its efficiency and low isolation overhead. However, recent studies have shown that containerized applications are prone to various security attacks. Moreover, containerized applications are often highly dynamic and short-lived, which further exacerbates the problem. In this paper, we present CDL, a classified distributed learning framework to achieve efficient security attack detection for containerized applications. CDL integrates online application classification and anomaly detection to overcome the challenge of lacking sufficient training data for dynamic short-lived containers while considering diversified normal behaviors in different applications. We have implemented a prototype of CDL and evaluated it over 33 real world vulnerability attacks in 24 commonly used server applications. Our experimental results show that CDL can reduce the false positive rate from over 12% to 0.24% compared to the traditional anomaly detection scheme without aggregating training data. Compared to the distributed learning method without application classification, CDL can improve the detection rate from catching 20 out of 33 attacks to 31 out of 33 attacks before those attacks compromise the server systems. CDL is light-weight, which can complete application classification and anomaly detection within a few milliseconds.