CPC G06F 21/554 (2013.01) [G06F 2221/034 (2013.01)]; 24 Claims
1. A method for intrusion detection in a run-time container environment, comprising:
deploying a behavior model in association with a container executing in the run-time container environment, the behavior model having been generated from a container image and one or more library dependencies of the container image, the behavior model being a graph data structure having a set of nodes, and a set of edges, wherein a node represents one of: a process, a file and a network socket, and wherein an edge represents a system call made by at least one process represented in the graph data structure;
as the container image executes in the container, receiving system call telemetry;
responsive to receipt of the telemetry, determining whether the container image is executing in a manner inconsistent with the behavior model, thereby indicating an anomaly; and
upon a determination that the container image is executing in a manner inconsistent with the behavior model, taking an automated action to attempt to address the anomaly.
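The claim describes a concrete pipeline: build a graph whose nodes are processes, files and sockets and whose edges are system calls, then compare live syscall telemetry against it and respond automatically. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes a syscall-to-node-kind mapping (SYSCALL_TARGET_KIND), a response policy in decide_action(), and constructed baseline and runtime traces for a hypothetical nginx image; the event tuple shape (process, syscall, target) is likewise an assumption, since the claim does not fix a telemetry format.

```python
"""Graph behavior model for container intrusion detection (illustrative, not the patent's code).

Nodes: processes, files, network sockets.  Edges: a system call a process makes
against another node.  A runtime syscall that does not map onto an existing edge
is an anomaly, and an automated action is chosen from the anomalies seen.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PROCESS, FILE, SOCKET = "process", "file", "socket"

# Assumed mapping from syscall to the kind of node its target operand names.
# A real tracer derives this from decoded syscall arguments.
SYSCALL_TARGET_KIND: Dict[str, str] = {
    "execve": PROCESS, "clone": PROCESS,
    "openat": FILE, "read": FILE, "write": FILE, "unlink": FILE,
    "bind": SOCKET, "connect": SOCKET, "accept": SOCKET, "sendto": SOCKET,
}

Event = Tuple[str, str, str]  # (calling process, syscall, target operand)


@dataclass(frozen=True)
class Node:
    kind: str
    name: str


@dataclass(frozen=True)
class Edge:
    src: Node      # the process issuing the system call
    syscall: str
    dst: Node      # the process, file or socket it acts on


@dataclass
class BehaviorModel:
    nodes: Set[Node] = field(default_factory=set)
    edges: Set[Edge] = field(default_factory=set)


def edge_for(event: Event) -> Optional[Edge]:
    """Translate one syscall record into a graph edge; None if the syscall is unmapped."""
    proc, syscall, target = event
    kind = SYSCALL_TARGET_KIND.get(syscall)
    if kind is None:
        return None
    return Edge(Node(PROCESS, proc), syscall, Node(kind, target))


def build_model(baseline: List[Event]) -> BehaviorModel:
    """Generate the graph from a baseline trace of the image and its library dependencies."""
    model = BehaviorModel()
    for ev in baseline:
        edge = edge_for(ev)
        if edge is None:
            raise ValueError(f"unmapped syscall in baseline: {ev[1]}")
        model.nodes.update((edge.src, edge.dst))
        model.edges.add(edge)
    return model


def detect(model: BehaviorModel, telemetry: List[Event]) -> List[Tuple[Event, str]]:
    """Return every telemetry event inconsistent with the model, with the reason."""
    anomalies: List[Tuple[Event, str]] = []
    for ev in telemetry:
        edge = edge_for(ev)
        if edge is None:
            anomalies.append((ev, "syscall not in model vocabulary"))
        elif edge.src not in model.nodes:
            anomalies.append((ev, f"unknown process node {edge.src.name!r}"))
        elif edge.dst not in model.nodes:
            anomalies.append((ev, f"unknown {edge.dst.kind} node {edge.dst.name!r}"))
        elif edge not in model.edges:
            anomalies.append((ev, f"known nodes but no {ev[1]} edge between them"))
    return anomalies


def decide_action(anomalies: List[Tuple[Event, str]]) -> str:
    """Assumed response policy: process spawn, outbound traffic or deletion => kill; else alert."""
    if not anomalies:
        return "none"
    severe = {"execve", "clone", "connect", "sendto", "unlink"}
    if any(ev[1] in severe for ev, _ in anomalies):
        return "kill_container"
    return "alert"


# Constructed baseline trace for a hypothetical nginx image (entrypoint plus a
# shared-library load attributed to a library dependency).  Not real data.
BASELINE: List[Event] = [
    ("nginx", "execve", "/usr/sbin/nginx"),
    ("nginx", "openat", "/etc/nginx/nginx.conf"),
    ("nginx", "openat", "/usr/lib/x86_64-linux-gnu/libssl.so.3"),  # library dependency
    ("nginx", "bind", "0.0.0.0:80"),
    ("nginx", "accept", "0.0.0.0:80"),
    ("nginx", "clone", "nginx-worker"),
    ("nginx-worker", "openat", "/usr/share/nginx/html/index.html"),
    ("nginx-worker", "write", "/var/log/nginx/access.log"),
]

# Constructed runtime telemetry: two normal events, then a file write outside the
# model, a shell spawn, a connect from the unknown shell, and a known-node pair
# joined by a syscall the model never saw.
RUNTIME_TELEMETRY: List[Event] = [
    ("nginx", "accept", "0.0.0.0:80"),
    ("nginx-worker", "openat", "/usr/share/nginx/html/index.html"),
    ("nginx-worker", "write", "/etc/passwd"),
    ("nginx-worker", "execve", "/bin/sh"),
    ("sh", "connect", "203.0.113.5:4444"),
    ("nginx", "openat", "/var/log/nginx/access.log"),
]

if __name__ == "__main__":
    model = build_model(BASELINE)
    found = detect(model, RUNTIME_TELEMETRY)
    for ev, reason in found:
        print(ev, "->", reason)
    print("action:", decide_action(found))
```

Note that the model is a set of typed edges, not a set of syscall names: the last telemetry event touches two nodes the model already knows but is still flagged, because no openat edge joins them. That edge-level check is what distinguishes this design from a plain syscall allow-list such as a seccomp profile.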