I See Syscalls by the Seashore: An Anomaly-based IDS for Containers Leveraging Sysdig Data

Intrusion detection in virtualized environments is vital due to the widespread adoption of virtualization technology. A common strategy for achieving this task involves collecting data from the virtual environment and providing it to intrusion detection solutions. However, these solutions can be affected by other elements present in the virtual environment. An approach that has gained prominence is applying machine learning (ML) models to perform anomaly-based intrusion detection based on system call traces. In Linux-based environments, many tools can be used for collecting the system calls issued by processes and containers; two of the most popular are strace and sysdig. This paper introduces a dataset of system call traces collected with sysdig with a focus on anomaly-based intrusion detection for containerized applications and uses this dataset to compare the effectiveness of strace and sysdig data and evaluate the performance of five different ML models for anomaly detection. The results reveal that sysdig is an attractive option, enabling the collection of system call traces with lower overhead than strace while achieving good detection performance with several ML models.