Boosting real-time cybersecurity: The Influence of the size of system call sequences on intrusion detection
Keywords: Machine learning, System calls, Intrusion detection systems, Sliding windows

Abstract
Container technologies have grown significantly in recent years and have become valuable to developers and technology companies alike. With containers now widely deployed in cloud environments, detecting cyberattacks in real time has become critically important. Intrusion detection systems are used to identify suspicious activity in containerized applications, whether the containers run on their own or inside a cloud environment. Because the system calls a container issues record how it and the applications inside it interact with the kernel, attempts to manipulate that behavior leave traces in the system call sequence that can be used to detect attacks or anomalies. This research explores the influence of system call sequence length on attack detection by applying a sliding window approach with varying window sizes. The LID-DS dataset was used, and the effect of using partial traces versus full traces on anomaly detection was evaluated. The study also investigated whether changes in the sliding window size affect the classifier's anomaly detection performance. Several machine learning algorithms were compared; the Random Forest algorithm achieved the best results across all metrics and window sizes, and the best results overall were obtained with a window size of w=14, indicating that this window size was optimal for attack detection on this dataset.
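To make the sliding window idea concrete, the following added example (not the paper's code, and not LID-DS data) scores system call traces with a simple window mismatch detector: every length-w window seen in normal traces is recorded, and a new trace is scored by the fraction of its windows that were never seen. The paper trains a Random Forest on window features instead; the mismatch detector is used here only because it runs without any learning library and still shows the two effects the abstract discusses, namely scoring a partial trace versus the full trace, and how the choice of w moves both the attack score and the false-alarm score on a benign but previously unseen ordering. All traces, the threshold of 0.3 and the window sizes swept are constructed assumptions.

```python
"""Sliding-window mismatch detector over system call traces.

Added example, not the paper's code. Traces are constructed, not LID-DS.
The detector records every length-w window of system calls seen in normal
traces and scores a new trace by the fraction of its windows never seen
before. Scoring only a prefix of a trace models the partial-trace case.
"""
from typing import Dict, List, Optional, Sequence, Set, Tuple

Window = Tuple[str, ...]

# Constructed normal traces (system call names only, arguments dropped).
NORMAL_TRACES: List[List[str]] = [
    ["openat", "read", "read", "close", "mmap", "write", "close"],
    ["openat", "read", "close", "mmap", "write", "write", "close"],
    ["openat", "fstat", "read", "close", "write", "close"],
]

# Constructed held-out normal trace: benign, but with a call order the
# profile has not seen, to show how false alarms depend on w.
HELD_OUT_NORMAL: List[str] = ["openat", "fstat", "read", "read", "close", "write", "close"]

# Constructed attack-like trace: a benign prefix followed by a reverse-shell
# style execve/socket/connect/dup2 pattern.
ATTACK_TRACE: List[str] = [
    "openat", "read", "read", "close",
    "execve", "socket", "connect", "dup2", "dup2", "write", "close",
]


def sliding_windows(trace: Sequence[str], w: int, stride: int = 1) -> List[Window]:
    """Return all length-w windows of trace, stepping by stride.

    A trace shorter than w yields no windows; callers must handle that case.
    """
    if w < 1 or stride < 1:
        raise ValueError("w and stride must be positive")
    return [tuple(trace[i:i + w]) for i in range(0, len(trace) - w + 1, stride)]


def build_profile(traces: Sequence[Sequence[str]], w: int) -> Set[Window]:
    """Collect every window observed in the normal traces."""
    profile: Set[Window] = set()
    for t in traces:
        profile.update(sliding_windows(t, w))
    return profile


def mismatch_rate(trace: Sequence[str], profile: Set[Window], w: int,
                  prefix_len: Optional[int] = None) -> float:
    """Fraction of windows in trace (or in its first prefix_len calls) not in profile.

    prefix_len=None scores the full trace; a smaller value simulates scoring a
    partial trace, i.e. deciding before the process has finished.
    """
    view = trace if prefix_len is None else trace[:prefix_len]
    windows = sliding_windows(view, w)
    if not windows:
        return 0.0  # too few calls to judge yet; do not alert on nothing
    unseen = sum(1 for win in windows if win not in profile)
    return unseen / len(windows)


def is_anomalous(trace: Sequence[str], profile: Set[Window], w: int,
                 threshold: float = 0.3, prefix_len: Optional[int] = None) -> bool:
    """Alert when the mismatch rate exceeds the (assumed) threshold."""
    return mismatch_rate(trace, profile, w, prefix_len) > threshold


def sweep_window_sizes(sizes: Sequence[int]) -> Dict[int, Tuple[float, float]]:
    """For each w: (score on held-out normal trace, score on attack trace).

    The first value is the false-alarm pressure, the second the detection signal;
    both grow with w because one unseen call contaminates w windows.
    """
    out: Dict[int, Tuple[float, float]] = {}
    for w in sizes:
        profile = build_profile(NORMAL_TRACES, w)
        out[w] = (mismatch_rate(HELD_OUT_NORMAL, profile, w),
                  mismatch_rate(ATTACK_TRACE, profile, w))
    return out


if __name__ == "__main__":
    for w, (fp, tp) in sweep_window_sizes([2, 3, 4]).items():
        print(f"w={w}: held-out normal mismatch={fp:.2f}, attack mismatch={tp:.2f}")
    profile3 = build_profile(NORMAL_TRACES, 3)
    print("attack trace, first 4 calls only:",
          mismatch_rate(ATTACK_TRACE, profile3, 3, prefix_len=4))
```

Two things stand out when running the sweep. First, the attack trace scores zero when only its benign prefix is available, so partial-trace evaluation trades detection latency against the risk of deciding before the malicious calls have appeared. Second, moving from w=2 to w=4 raises the attack score but also raises the score of the benign held-out trace from zero to well above the threshold, which is exactly why the window size has to be chosen empirically against the dataset, as the paper does with LID-DS.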