DistAppGaurd: Distributed Application Behaviour Profiling in Cloud-Based Environment

Abstract

Today, Machine Learning (ML) techniques are increasingly used to detect abnormal behaviours of industrial applications. Since many of these applications are moving to the cloud environments, classical ML approaches are facing new challenges in accurately identifying abnormal behaviours due to the highly dynamic and heterogeneous nature of the cloud. In this paper, we propose a novel framework, DistAppGaurd, for profiling simultaneously the behaviour of all microservice components of a distributed application in the cloud. The framework can therefore, detect complex attacks that are not observable by monitoring a single process or a single microservice. DistAppGaurd utilizes the system calls executed by all the processes of an application to build a graph consisting of data exchanges among different application entities (e.g., processes and files) representing the behaviour of the application. This representation is then used by our novel miroservice-aware Autoencoder model to perform anomaly detection at runtime. The efficiency and feasibility of our approach is shown by implementing several different real-world attacks, which yields high detection rates (94%-97%) at 0.01% false alarm rate.