Fig 4 - available via license: Creative Commons Attribution 4.0 International
Vanilla ANN model performance on the validation set versus the number of neurons in the first hidden layer.
Source publication
The use of containers in cloud computing has been steadily increasing. With the emergence of Kubernetes, the management of applications inside containers (or pods) is simplified. Kubernetes allows automated actions like self-healing, scaling, rolling back, and updates for the application management. At the same time, security threats have also evol...
Similar publications
Today’s computer is often infected by malwares and conventional communication channels such as inter-process communication (IPC) are attractive attack surface for attackers because important information such as user’s personal data and passwords are transmitted between processes over IPC. In addition, there is no other protection other than the acc...
Citations
... The SHAP approach was utilized to explain and interpret the models' classification conclusions, allowing cybersecurity specialists to optimize and evaluate the validity of their judgments swiftly. Karn et al. [122] developed an ML-based detection strategy for anomalous pods in a Kubernetes cluster in a different study. To identify and explain crypto-mining applications, the system uses auto-encoding-based techniques for LSTM models, SHAP, LIME, and LIME. ...
In recent years, numerous explainable artificial intelligence (XAI) use cases have been developed, to solve numerous real problems in industrial applications while maintaining the explainability level of the used artificial intelligence (AI) models to judge their quality and potentially hold the models accountable if they become corrupted. Therefore, understanding the state-of-the-art methods, pointing out recent issues, and deriving future directions are important to drive XAI research efficiently. This paper presents a systematic literature review of local explanation techniques and their practical applications in various industrial sectors. We first establish the need for XAI in response to opaque AI models and survey different local explanation methods for industrial AI applications. The number of studies is then examined with several factors, including industry sectors, AI models, data types, and XAI-based usage and purpose. We also look at the advantages and disadvantages of local explanation methods and how well they work in practical settings. The difficulties of using local explanation techniques are also covered, including computing complexity and the trade-off between precision and interpretability. Our findings demonstrate that local explanation techniques can boost industrial AI models’ transparency and interpretability and give insightful information about them. The efficiency of these procedures must be improved, and ethical concerns about their application must be resolved. This paper contributes to the increasing knowledge of local explanation strategies and offers guidance to academics and industry professionals who want to use these methods in practical settings.
... Based on monitoring Linux-kernel system calls (syscalls), the researchers in [93] present a ML-based detection system of anomalous pods in a Kubernetes cluster. A number of ML models are built to detect anomalous pods among numerous healthy cloud workloads using cryptominers images as containers. ...
...
Löbner et al. [81] | post-hoc explanation, Model-agnostic explainer | Privacy | Information Gain (IG) and extended Iterative Dichotomiser 3 (ID3) classification tree
Rjoub et al. [82] | Local explanation, Post-hoc explanation | Trust | Double Deep Q Learning (DDQN)
Rjoub et al. [87] | Local explanation, Post-hoc explanation | Trust | SHAP
Machlev et al. [85] | Model-agnostic explainer, Post-hoc | Trust | Grad-CAM, LIME
Kuppa et al. [86] | post-hoc explanation, Model-agnostic explainer | Trust | Input*Gradient (I*G), Layer-Wise Relevance Propagation (LRP), Guided Back Propagation (GBP), Smooth-Grad (SG), Gradient (GRAD), and Integrated Gradients (IG)
Mankodiya et al. [90] | Model-specific explainers | Trust | Decision Tree-based algorithms
Elayan et al. [91] | post-hoc explanation | Trust | IoB-XAI
R. Karn et al. [93] | Local explanation, post-hoc explanation | ID | SHAP & LIME
M. Wang et al. [94] | Local & Global explanation | ID | SHAP
G. Baryannis et al. [95] | Model-specific | ID | Decision Tree & SVM
L. Aguilar. [96] | Local explanation, post-hoc explanation | ID | Decision Tree
G. Iadarola et al. [97] | Global explanation, Model-specific | Intrusion prevention | Gradient-weighted Class Activation Mapping (Grad-CAM)
L. Marino et al. [98] | Local explanation, Model-specific, post-hoc explanation | Intrusion prevention | Adversarial machine learning
Y. Al Hammadi et al. [99] | Local explanation, pre-hoc explanation, Model-specific | Access Control | SHAP
C. Seibold et al. [100] | Global explanation, Post-hoc explanation | Access Control | Focused Layer-wise Relevance Propagation (FLRP)
W. Garcia et al. [101] | Model-agnostic explainer, Post-hoc explanation, Local explanation | Authentication | LIME
R. Rocha et al. [102] | Global explanation, Model-agnostic explainer, Post-hoc explanation | Authentication | Gedeon method
way, the authenticity of documents, images, or other types of data. ...
The black-box nature of artificial intelligence (AI) models has been the source of many concerns in their use for critical applications. Explainable Artificial Intelligence (XAI) is a rapidly growing research field that aims to create machine learning models that can provide clear and interpretable explanations for their decisions and actions. In the field of network cybersecurity, XAI has the potential to revolutionize the way we approach network security by enabling us to better understand the behavior of cyber threats and to design more effective defenses. In this survey, we review the state of the art in XAI for cybersecurity in network systems and explore the various approaches that have been proposed to address this important problem. The review follows a systematic classification of network-driven cybersecurity threats and issues. We discuss the challenges and limitations of current XAI methods in the context of cybersecurity and outline promising directions for future research.
... In [24], SHAP, LIME, and an auto-encoding-based scheme for LSTM (Long short-term memory) models are applied to an ML-based detection system for cryptomining in a Kubernetes cluster. ...
Cybersecurity vendors consistently apply AI (Artificial Intelligence) to their solutions and many cybersecurity domains can benefit from AI technology. However, black-box AI techniques present some difficulties in comprehension and adoption by its operators, given that their decisions are not always humanly understandable (as is usually the case with deep neural networks, for example). Since it aims to make the operation of AI algorithms more interpretable for its users and developers, XAI (eXplainable Artificial Intelligence) can be used to address this issue. Through a systematic literature review, this work seeks to investigate the current research scenario on XAI applied to cybersecurity, aiming to discover which XAI techniques have been applied in cybersecurity, and which areas of cybersecurity have already benefited from this technology.
... Frequency lists are not the sole method for using system call traces in machine learning applications. For instance, Srinivasan et al. [16] used sequence of system calls with preserved order to create n-grams with Maximum Likelihood Estimator for anomaly detection in containers. Karn et al. [23] used n-gram representation as well during detecting malicious processes inside containers. Iacovazzi and Raza [24], on the other hand, represented system calls in a sequence in a graph representation to preserve dependencies between system calls. ...
... Cryptomining malware has become a significant threat in Kubernetes, with hidden executables that uses server resources for mining. To detect and classify pods that hold cryptomining processes, Karn et al. [23] proposed that machine learning can be used together with system calls. ...
The rising use of microservices based software deployment on the cloud leverages containerized software extensively. The security of applications running inside containers as well as the container environment itself are critical infrastructure in the cloud setting and 5G. To address the security concerns, research efforts have been focused on container security with subfields such as intrusion detection, malware detection and container placement strategies. These security efforts are roughly divided into two categories: rule based approaches and machine learning that can respond to novel threats. In this study, we have surveyed the container security literature focusing on approaches that leverage machine learning to address security challenges.
... The field of Explainable artificial intelligence (XAI) has expanded tremendously in subsequent years [2]. Deep learning has developed incredibly accurate models due to the widespread usage of machine learning, yet its models are not explainable [3][4][5][6]. During the literature survey of different digital libraries, we found that the USA is an emerging country that is doing active research in this area. ...
Artificial intelligence (AI) is continuously evolving; however, in the last 10 years, it has gotten considerably more difficult to explain AI models. With the help of explanations, end users can understand the outcomes generated by AI models. The proposed work has shown major issues and gaps in the literature. The main issues found in the literature are unfair/biased decisions made by the model, poor accuracy, reliability, and evaluation metrics to assess the effectiveness of explanations and security of data. Research results obtained in this proposed work highlight the needs, challenges, and opportunities in the field of Explainable artificial intelligence (XAI). How can we make artificial intelligence models explainable? Evaluation of explanations using metrics is the main contribution of this research work. Moreover, the proposed work analyzed different types of explanations, leading companies providing Explainable artificial intelligence services, and open-source tools available in the market for using Explainable artificial intelligence. Finally, based on the reviewed works, the proposed work well-found some future directions for designing more transparent models for artificial intelligence.
... A machine learning based Cryptomining Detection in cloud is presented in [23], which monitor the system call of Linux kernel and detect the presence of pod using different machine learning algorithms. A Sequencing based ransom ware detection model is presented in [24], where DNA act-Ran uses machine learning algorithm in searching the specific sequence and uses frequency vectors in classifying the tool. ...
Machine learning (ML) is often used to solve the problem of malware detection and classification and various machine learning approaches are adapted to the problem of malware classification; still acquiring poor performance by the way of feature selection, and classification. To manage the issue, an efficient Adaptive Feature Centric XG Boost Ensemble Learner Classifier “AFC-XG Boost” novel algorithm is presented in this paper. The proposed model has been designed to handle varying data sets of malware detection obtained from Kaggle data set. The model turns the process of XG Boost classifier in several stages to optimize the performance. At preprocessing stage, the data set given has been noise removed, normalized and tamper removed using Feature Base Optimizer “FBO” algorithm. The FBO would normalize the data points as well as performs noise removal according to the feature values and their base information. Similarly, the performance of standard XG Boost has been optimized by adapting Feature selection using Class Based Principle Component Analysis “CBPCA” algorithm, which performs feature selection according to the fitness of any feature for different classes. Based on the selected features, the method generates regression tree for each feature considered. Based on the generated trees, the method performs classification by computing Tree Level Ensemble Similarity “TLES” and Class Level Ensemble Similarity “CLES”. Using both method computes the value of Class Match Similarity “CMS” based on which the malware has been classified. The proposed approach achieves 97% accuracy in malware detection and classification with the less time complexity of 34 seconds for 75000 samples
... Docker containers are virtualization technology based on the operating system level, where applications and all their dependencies and source code are packaged in a single resource called image (Karn et al., 2021), from which multiple containers can be initiated. Containers provide huge advantages when managing a complex infrastructure (Şengül et al., 2021), and because of that, their use is on the rise. ...
... It affects the victims not only by illegally using and wasting their CPU resources but also by causing financial damages due to extra electricity costs (Hong et al., 2018; Tekiner et al., 2021). Cryptojacking attacks can be carried out by different attack vectors, such as websites, operating systems, Random Access Memory - RAM (Varlioglu et al., 2022), and docker images (Liu et al., 2020; Karn et al., 2021). We focus on the application of supervised machine learning approach to detect cryptojacking in docker images. ...
... With the proliferation of cryptojacking attacks (Yulianto et al., 2019), especially through docker containers (Karn et al., 2021;Liu et al., 2020) (2021) worked on a solution to cryptojacking detection based on network traffic using supervised machine learning approach, and experimented five classification algorithms. Their result on this research achieved an accuracy score of 99.91%. ...
Nowadays, Docker Containers are currently being adopted as industry standards for software delivery, because they provide quick and responsive delivery and handle performance and scalability challenges. However, attackers are exploiting them to introduce malicious instructions in publicly available images to perform unauthorized use of third-party’s computer resources for Cryptojacking. We developed a machine learning based model to detect Docker images that lead to cryptojacking. The dataset used is composed of 800 Docker images collected from Docker hub, half of which contains instructions for cryptomining, and the other half does not contain such instructions. We trained 10 classification algorithms and evaluated them using the K-Fold Cross Validation approach. The results showed accuracy scores ranging from 89% to 97%. Stochastic Gradient Descent for Logistic Regression outperformed the other algorithms reaching an accuracy score of 97%. With these results, we conclude that machine learning algorithms can detect Docker images carrying cryptojacking malware with a good performance.
... The container engine provides an isolated environment for the execution of containers [23]. A container image is a deployment unit that remains static prior to container execution [24]. A container registry is a server on which container images are registered, and the container management interface serves as a user management interface for the execution and monitoring of containers [25]. ...
Container platforms ease the deployment of applications and respond to failures. The advantages of container platforms have promoted their use in information services. However, the use of container platforms is accompanied by associated security risks. For instance, malware uploaded by users can leak important information, and malicious operators can cause unauthorized modifications to important files to create service errors. These security threats degrade the quality of information services and reduce their reliability. To overcome these issues, important container files should be protected by file-access control functions. However, legacy file-access control techniques, such as umask and SecureOS, do not support container platforms. To address this problem, we propose a novel kernel-based architecture in this study to control access to container files. The proposed container file-access control architecture comprises three components. The functionality and performance of the proposed architecture were assessed by implementing it on a Linux platform. Our analysis confirmed that the proposed architecture adequately controls users’ access to container files and performs on par with legacy file-access control techniques.
... Karn et al. [57] introduced an automated cryptomining pod detection in a Kubernetes cluster using a statistical explainability mechanism. They attempted to identify and classify any background malware executables that were running. ...
With the extensive application of deep learning (DL) algorithms in recent years, e.g., for detecting Android malware or vulnerable source code, artificial intelligence (AI) and machine learning (ML) are increasingly becoming essential in the development of cybersecurity solutions. However, sharing the same fundamental limitation with other DL application domains, such as computer vision (CV) and natural language processing (NLP), AI-based cybersecurity solutions are incapable of justifying the results (ranging from detection and prediction to reasoning and decision-making) and making them understandable to humans. Consequently, explainable AI (XAI) has emerged as a paramount topic addressing the related challenges of making AI models explainable or interpretable to human users. It is particularly relevant in cybersecurity domain, in that XAI may allow security operators, who are overwhelmed with tens of thousands of security alerts per day (most of which are false positives), to better assess the potential threats and reduce alert fatigue. We conduct an extensive literature review on the intersection between XAI and cybersecurity. Particularly, we investigate the existing literature from two perspectives: the applications of XAI to cybersecurity (e.g., intrusion detection, malware classification), and the security of XAI (e.g., attacks on XAI pipelines, potential countermeasures). We characterize the security of XAI with several security properties that have been discussed in the literature. We also formulate open questions that are either unanswered or insufficiently addressed in the literature, and discuss future directions of research.