Resilient intrusion detection system for cloud containers

The lightweight virtualisation and isolated execution offered by Linux containers qualify it to be the dominant virtualisation platform for cloud-based applications. The fact that Linux containers run on the same host while sharing the same kernel opens the door for new attacks. However, limited research has been conducted in the area of securing cloud containers. This paper presents a resilient intrusion detection and resolution system for cloud-based containers. The system relies on two main pillars, a real-time smart behaviour monitoring mechanism to detect maliciously behaving containers, and a moving-target defence approach that applies runtime container migration to quarantine such containers and to minimise attack dispersion. To avoid zero-day targeted attacks, the system also induces random live migrations between running containers to obfuscate its execution behaviour. Such obfuscation makes it harder for attackers to execute their targeted attacks. The system was tested by a big-data application using a container-based Apache Hadoop cluster to demonstrate the system's ability to automatically deploy, monitor, detect, and respond to maliciously behaving applications by live migration or by rolling back the container to a safe state. Results showed that the proposed system efficiently ensure safe and secure container operation.