DockerWatch: a two-phase hybrid detection of malware using various static features in container cloud

Soft Computing (2022)

Cited by 1 | Views 14

Abstract
As an emerging virtualization technology, the Linux container provides a lightweight, flexible, high-performance operating-system-level virtual run-time environment. Its appearance has profoundly changed the development and deployment of multi-tier distributed applications. However, its imperfect system resource isolation and its kernel-sharing mechanism introduce significant security risks to the cloud platform. In this paper, we present DockerWatch, a real-time system for malware detection in the container-based cloud platform. DockerWatch extracts executable files from inside the containers in a non-intrusive manner, then uses an ensemble of various static features and behavior-based graphs as the analysis vector to learn robust representations of malicious patterns. On top of this, a two-phase hybrid detection method based on deep learning is proposed to accelerate and enhance detection, addressing the trade-off between fast and high-performance real-time detection. Extensive experiments on real-world datasets, compared against a wide range of existing related methods, validate the effectiveness of our system. The results show that DockerWatch achieves excellent detection performance with acceptable run-time performance overhead introduced into the platform.
Keywords
Linux container, Static analysis, Malware detection, Deep learning