An Empirical Analysis of IDS Approaches in Container Security

SEVER Y., Ekinci G., Dogan A. H., Alparslan B., Gurbuz A. S., Jabrayilov V., ...More

International Workshop on Secure and Reliable Microservices and Containers (SRMC), Vienna, Austria, 19 - 22 September 2022, pp.18-26 identifier identifier

  • Publication Type: Conference Paper / Full Text
  • Doi Number: 10.1109/srmc57347.2022.00007
  • City: Vienna
  • Country: Austria
  • Page Numbers: pp.18-26
  • Keywords: Containers, IDS, Cloud Computing, Microservices, Network Security, INTRUSION DETECTION
  • Middle East Technical University Affiliated: Yes


Microservices architecture has been praised as a lightweight, modular and robust alternative to monolithic software in recent years with software containerization bringing parallel ideas to the table against bare metal and even virtual machine based software deployment solutions. While containers provide support for agile software development in the cloud, they suffer from security issues due to their lightweight structure not providing isolation as strong as that of virtual machines. This calls for the development of robust intrusion detection systems (IDS) for containers, taking into account their specific vulnerabilities. Existing IDS for containerized software deployments have mainly used host-based syscall monitoring, with only a few utilizing network-based monitoring without justification for the particular sensor used. In this paper, we aim to close this research gap by empirically evaluating the performances of system call and network flow based features in machine learning-based intrusion detection for containers when subjected to the same attacks. Our results show that basing the IDS on the network layer exhibits better performance than the host-based IDS for the investigated vulnerabilities, demonstrating the need for network monitoring for enhanced container security.