Fine-Grained Behavioral Analysis for Malware Detection in Containerized Environments
DOI: https://doi.org/10.47672/ajce.2725

Abstract
Purpose: Containerized environments have become foundational to modern software development due to their portability, scalability, and efficient resource utilization. However, their shared-kernel architecture introduces distinct security challenges, particularly in malware detection. This study presents a historical analysis of fine-grained, behavior-based malware detection techniques within containerized systems.
Materials and Methods: We examine early machine learning approaches, including Decision Trees, Hidden Markov Models, and LSTM networks trained on limited datasets, together with system call tracing and process behavior profiling.
Findings: While these techniques are now outdated, they marked critical early steps beyond static and signature-based detection in dynamic, containerized infrastructures. We analyse behavioural features such as syscall sequences, memory anomalies, and DNS irregularities, assessing their detection performance and limitations in orchestrated environments. The paper further contextualizes these legacy methods in light of modern advancements, including eBPF-based monitoring and context-aware deep learning models.
Unique Contribution to Theory, Practice and Policy: Key recommendations include leveraging eBPF for efficient runtime monitoring, incorporating orchestration metadata for context-aware detection, and enabling cross-container correlation for identifying lateral movement. This retrospective establishes a comparative framework that informs the development of adaptive, real-time security solutions, such as graph neural networks and behavioural baselining, thereby guiding future research in runtime container security.
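The abstract refers to syscall sequences as a behavioural feature and to behavioural baselining as a detection strategy. The following is an added illustration (not code from the paper or its authors) of the simplest form of that idea: a per-workload profile of syscall n-grams is learned from benign traces, and a new trace is scored by the share of its n-grams the profile has never seen. All traces are constructed for the example; the class and function names are the example's own.

```python
"""Syscall-sequence behavioural baselining (added example, not from the paper).

A profile of syscall n-grams is built from benign traces of one workload. A new
trace is scored by the fraction of its n-grams that the profile has never seen,
which is the lookahead-free core of classic sequence-of-system-calls detection.
"""
from collections import Counter

N = 3  # n-gram width; 3 is a common trade-off between sensitivity and profile size


def ngrams(trace, n=N):
    """Sliding window of n consecutive syscall names."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class SyscallProfile:
    """Behavioural baseline for one workload, keyed by syscall n-grams."""

    def __init__(self, n=N):
        self.n = n
        self.counts = Counter()

    def train(self, traces):
        for trace in traces:
            self.counts.update(ngrams(trace, self.n))

    def anomaly_score(self, trace):
        """Fraction of the trace's n-grams absent from the baseline (0.0 .. 1.0)."""
        grams = ngrams(trace, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.counts)
        return unseen / len(grams)

    def is_anomalous(self, trace, threshold=0.3):
        return self.anomaly_score(trace) > threshold


# Constructed benign traces (not real captures): a web worker's normal request loop.
BENIGN_TRACES = [
    ["accept4", "read", "openat", "fstat", "read", "write", "close", "close"],
    ["accept4", "read", "openat", "fstat", "read", "write", "close", "close"],
    ["accept4", "read", "write", "close"],
    ["epoll_wait", "accept4", "read", "openat", "fstat", "read", "write",
     "close", "close", "epoll_wait"],
]

# Constructed held-out benign trace: a legitimate variant the small baseline
# never saw in exactly this order, so it scores above zero (limited-data effect).
HELD_OUT_BENIGN = ["epoll_wait", "accept4", "read", "write", "close", "epoll_wait"]

# Constructed suspect trace: the same worker unexpectedly spawning a process.
SUSPECT_TRACE = ["accept4", "read", "clone", "execve", "wait4", "write", "close"]


def build_profile():
    profile = SyscallProfile()
    profile.train(BENIGN_TRACES)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for label, trace in [("benign", BENIGN_TRACES[0]),
                         ("held-out benign", HELD_OUT_BENIGN),
                         ("suspect", SUSPECT_TRACE)]:
        print(f"{label:16s} score={profile.anomaly_score(trace):.2f} "
              f"flagged={profile.is_anomalous(trace)}")
```

The held-out benign trace scores 0.25 with only four training traces, which is exactly the false-positive pressure the abstract attributes to models trained on limited datasets; the threshold has to be set against the baseline's actual coverage, and in an orchestrated environment the profile would be keyed by image or deployment rather than by a single container.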
License
Copyright (c) 2021 Khaja Kamaluddin

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution (CC-BY) 4.0 License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.