Boosting real-time cybersecurity: The Influence of the size of system call sequences on intrusion detection

  • AMMAR MOUSTAFA, Latakia University
  • KINDA ABU KASSEM
  • MOHAMMED HEJAZIEH
Keywords: Machine Learning, System calls, Intrusion detection systems, sliding windows

Abstract

Container technologies have seen significant growth and adoption in recent years, particularly among developers and technology companies. The ability to detect cyberattacks in real time has become critically important, especially with the integration of containers into cloud environments. To this end, intrusion detection systems have been employed to identify suspicious activity within containerized applications, whether the containers run independently or within a cloud environment. Attempts to manipulate the behavior of containers or the applications within them will not aid in the detection of attacks or anomalies. The contribution of this research is an exploration of the influence of the size of system call sequences on attack detection, using a sliding window approach with varying window sizes. The LID-DS dataset was used, and the effect of using partial traces versus full traces on anomaly detection was evaluated. The study also investigated whether variations in the sliding window size influence the classifier's performance in anomaly detection. Machine learning algorithms were employed. The Random Forest algorithm achieved the best results across all metrics and window sizes. The best results were obtained with a window size of w=14, indicating that this window size was optimal for attack detection.
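The sliding-window procedure the abstract describes, as an added example that is not the paper's code: it cuts a system call trace into consecutive windows of size w, shows why a partial trace shorter than w must be handled explicitly rather than silently scored as normal, and compares several window sizes on constructed traces. The traces, the hypothetical network service they represent, and the unseen-window score used to compare sizes are assumptions for illustration only; the paper's classifiers (Random Forest among them) would instead consume a fixed-size representation such as the bag-of-windows counts produced by `window_features`.

```python
from collections import Counter
from typing import List, Optional, Sequence, Set, Tuple

Window = Tuple[str, ...]

# Constructed sample traces (not taken from LID-DS): each is the ordered list of
# system call names one process emitted, for a hypothetical small network service.
NORMAL_TRACES: List[List[str]] = [
    ["accept", "read", "write", "close", "accept", "read", "write", "close"],
    ["open", "read", "close", "accept", "read", "write", "close"],
    ["accept", "read", "read", "write", "close"],
]
# A held-out normal trace, used to see how often a given w flags benign behaviour.
HELD_OUT_NORMAL: List[str] = ["accept", "read", "write", "close",
                              "accept", "read", "read", "write", "close"]
# Constructed anomalous trace: the service unexpectedly spawns a new program.
ANOMALOUS_TRACE: List[str] = ["accept", "read", "execve", "open", "write", "close"]
# A partial trace with fewer calls than the window size can cover.
PARTIAL_TRACE: List[str] = ["accept", "read"]


def sliding_windows(trace: Sequence[str], w: int, stride: int = 1) -> List[Window]:
    """Cut a trace into consecutive windows of w system calls.

    A trace shorter than w (a partial trace) yields no windows at all; the caller
    must treat that case explicitly instead of reading "no windows" as "normal".
    """
    if w <= 0 or stride <= 0:
        raise ValueError("window size and stride must be positive")
    return [tuple(trace[i:i + w]) for i in range(0, len(trace) - w + 1, stride)]


def window_features(trace: Sequence[str], w: int) -> Counter:
    """Bag-of-windows representation: how often each w-gram occurs in the trace.

    This is the kind of fixed-size feature vector a classifier consumes once the
    windows are mapped onto a vocabulary of known w-grams.
    """
    return Counter(sliding_windows(trace, w))


def build_profile(traces: Sequence[Sequence[str]], w: int) -> Set[Window]:
    """Every window observed in the known-normal training traces."""
    profile: Set[Window] = set()
    for trace in traces:
        profile.update(sliding_windows(trace, w))
    return profile


def unseen_window_rate(trace: Sequence[str], w: int, profile: Set[Window]) -> Optional[float]:
    """Fraction of the trace's windows that never occurred in normal training data.

    Returns None for a partial trace shorter than w, so the caller can distinguish
    "no evidence" from "no anomaly".
    """
    windows = sliding_windows(trace, w)
    if not windows:
        return None
    unseen = sum(1 for win in windows if win not in profile)
    return unseen / len(windows)


def compare_window_sizes(sizes: Sequence[int], normal_train: Sequence[Sequence[str]],
                         normal_test: Sequence[str], anomalous: Sequence[str]):
    """For each w: (unseen rate on a held-out normal trace, unseen rate on the anomaly).

    A good w keeps the first number low (few false alarms) and the second high.
    """
    results = {}
    for w in sizes:
        profile = build_profile(normal_train, w)
        results[w] = (unseen_window_rate(normal_test, w, profile),
                      unseen_window_rate(anomalous, w, profile))
    return results


if __name__ == "__main__":
    scores = compare_window_sizes((2, 3, 4), NORMAL_TRACES, HELD_OUT_NORMAL, ANOMALOUS_TRACE)
    for w, (normal_rate, anomaly_rate) in scores.items():
        print(f"w={w}: held-out normal unseen rate={normal_rate:.2f}, "
              f"anomalous unseen rate={anomaly_rate:.2f}")
    print("partial trace at w=3 ->",
          unseen_window_rate(PARTIAL_TRACE, 3, build_profile(NORMAL_TRACES, 3)))
```

On these constructed traces, w=2 already separates the anomaly from the held-out normal trace, w=3 separates them fully, and w=4 starts to flag a benign window it never saw in the small training set; that tension between sensitivity and false alarms is exactly what a sweep over window sizes such as the paper's is meant to resolve on real data.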

Published
2026-03-09
How to Cite
MOUSTAFA, A., ABU KASSEM, K., & HEJAZIEH, M. (2026). Boosting real-time cybersecurity: The Influence of the size of system call sequences on intrusion detection. Journal of Hama University, 8(3). Retrieved from https://hama-univ.edu.sy/ojs/index.php/huj/article/view/2729