Ab‐HIDS: An anomaly‐based host intrusion detection system using frequency of N‐gram system call features and ensemble learning for containerized environment

Abstract

SummaryCloud's operating‐system‐level virtualization has introduced a new phase of lightweight virtualization through containers. The architecture of cloud‐native and microservices‐based application development strongly advocates for the use of containers due to their swift and convenient deployment capabilities. However, the security of applications within containers is important, as malicious or vulnerable content could jeopardize the container and the host system. This vulnerability also extends to neighboring containers and may compromise data integrity and confidentiality. The article focuses on developing an intrusion detection system tailored to containerized cloud environments by identifying system call analysis techniques and also proposes an anomaly‐based host intrusion detection system (Ab‐HIDS). This system employs the frequency of N‐grams system calls as distinctive features. To enhance performance, two ensemble learning models, namely voting‐based ensemble learning and XGBoost ensemble learning, are employed for training and testing the data. The proposed system is evaluated using the Leipzig Intrusion Detection Data Set (LID‐DS), demonstrating substantial performance compared to existing state‐of‐the‐art methods. Ab‐HIDS is validated for class imbalance using the imbalance ratio and synthetic minority over‐sampling technique methods. Our system achieved significant improvements in detection accuracy with 4% increase for the voting‐based ensemble model and 6% increase for the XGBoost ensemble model. Additionally, we observed reductions in the false positive rate by 0.9% and 0.8% for these models, respectively, compared to existing state‐of‐the‐art methods. These results illustrate the potential of our proposed approach in improving security measures within containerized environments.