US 11,748,473 B2
Intrusion detection in micro-services through container telemetry and behavior modeling
Frederico Araujo, White Plains, NY (US); Teryl Paul Taylor, Danbury, CT (US); Jiyong Jang, Chappaqua, NY (US); and Will Blair, Boston, MA (US)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Oct. 15, 2020, as Appl. No. 17/71,055.
Prior Publication US 2022/0121741 A1, Apr. 21, 2022
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 2221/034 (2013.01)]
24 Claims
1. A method for intrusion detection in a run-time container environment, comprising:
deploying a behavior model in association with a container executing in the run-time container environment, the behavior model having been generated from a container image and one or more library dependencies of the container image, the behavior model being a graph data structure having a set of nodes, and a set of edges, wherein a node represents one of: a process, a file and a network socket, and wherein an edge represents a system call made by at least one process represented in the graph data structure;
as the container image executes in the container, receiving system call telemetry;
responsive to receipt of the telemetry, determining whether the container image is executing in a manner inconsistent with the behavior model, thereby indicating an anomaly; and
upon a determination that the container image is executing in a manner inconsistent with the behavior model, taking an automated action to attempt to address the anomaly.
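
The check recited in claim 1, sketched as an added example that is not taken from the patent or from any IBM implementation: a graph of process, file and socket nodes joined by system-call edges, against which each telemetry event is tested. The names `Node`, `BehaviorModel` and `monitor`, the hand-built nginx model and the telemetry records are all assumptions made for illustration; the claim's model would be generated from the container image and its library dependencies.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Node:
    kind: str   # "process", "file" or "socket", the node types in the claim
    name: str

@dataclass
class BehaviorModel:
    nodes: set = field(default_factory=set)
    edges: set = field(default_factory=set)  # (process Node, syscall, target Node)

    def allow(self, proc, syscall, kind, name):
        """Record one expected system call from a process to a target node."""
        src, dst = Node("process", proc), Node(kind, name)
        self.nodes |= {src, dst}
        self.edges.add((src, syscall, dst))

    def explain(self, event):
        """Return None if the event matches the model, else a reason string."""
        src, dst = Node("process", event["proc"]), Node(event["kind"], event["name"])
        if src not in self.nodes:
            return "unknown process"
        if (src, event["syscall"], dst) not in self.edges:
            return "unmodelled edge"
        return None

def monitor(model, telemetry, action):
    """Check each telemetry event; invoke the automated action per anomaly."""
    anomalies = []
    for ev in telemetry:
        reason = model.explain(ev)
        if reason:
            anomalies.append((ev, reason))
            action(ev, reason)  # hypothetical hook: alert, pause, kill, ...
    return anomalies

# Constructed model, standing in for one derived from an image and its libraries.
MODEL = BehaviorModel()
MODEL.allow("nginx", "openat", "file", "/etc/nginx/nginx.conf")
MODEL.allow("nginx", "accept4", "socket", "0.0.0.0:80")
MODEL.allow("nginx", "clone", "process", "nginx")

# Constructed telemetry: two modelled events, then two the model does not contain.
TELEMETRY = [
    {"proc": "nginx", "syscall": "openat", "kind": "file", "name": "/etc/nginx/nginx.conf"},
    {"proc": "nginx", "syscall": "accept4", "kind": "socket", "name": "0.0.0.0:80"},
    {"proc": "nginx", "syscall": "execve", "kind": "process", "name": "sh"},
    {"proc": "sh", "syscall": "connect", "kind": "socket", "name": "203.0.113.7:443"},
]
```

Calling `monitor(MODEL, TELEMETRY, action)` with any two-argument callable returns the anomalous events paired with the reason each one failed the model.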