Detector: Automated Intrusion Detection for Microservices

The recent adoption of microservice-based applications divides an application into small independent services that communicate using lightweight mechanisms, improving flexibility and scalability in dynamic DevOps environments that leverage containers and orchestration tools such as Kubernetes. However, this growing popularity raises concerns related to their dependability and security, aggravated by several attacks and the lack of intrusion detection tools that target microservices. Thus, developing solutions that can be deployed in real-world scenarios and whose purpose is to keep applications and businesses secure is of the utmost importance. This paper presents mu Detector, an intrusion detection tool for microservice-based applications. This tool uses intrusion detection techniques from previous research and automates their functioning for Kubernetes and KubeEdge deployments. The user provides a configuration file and the tool uses monitoring agents to collect system calls from the containers and transfers them over to the IDS module that performs anomaly-based intrusion detection. Anomalous activity will trigger alarms indicating a possible intrusion. The user can interact with the tool and its monitoring capabilities through a command-line interface or a web dashboard. pDetector was validated using functional testing and performance and scalability tests. Results show that pDetector performs well and does not impact the proper functioning of the microservices: in scenarios with over 100 000 system calls being collected per second, the CPU and memory usage of the worker nodes did not exceed 10% of the total resources available.