| CPC H04L 63/1433 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1441 (2013.01)] | 20 Claims |

8. A memory device storing instructions that, when executed by at least one central processing unit, perform operations that detect a cloud malware infecting containerized services, the operations comprising:
monitoring inter-container activities conducted between the containerized services hosted by different network nodes in a cloud-computing environment;
identifying a service identifier associated with an inter-container activity of the inter-container activities conducted between the containerized services hosted by the different network nodes;
identifying a container-specific service behavioral profile by querying a database having entries that specify different container-specific service behavioral profiles to their corresponding service identifiers including an entry that specifies the container-specific service behavioral profile for the inter-container activity associated with the service identifier;
comparing the inter-container activity to the container-specific service behavioral profile generated by a machine learning model trained using historical observations of the inter-container activities also associated with the service identifier;
determining that the inter-container activity fails to conform to the container-specific service behavioral profile generated by the machine learning model; and
in response to the determining that the inter-container activity fails to conform to the container-specific service behavioral profile, generating a malware alert notification indicating the cloud malware is detected in the containerized services.
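An added illustration of the detection flow recited in claim 8, not code from the patent or its assignee. A simple per-service statistical baseline (mean plus k standard deviations of bytes per peer) stands in for the machine learning model, and the service names, ports, byte counts and alert fields are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed historical observations: (service_id, peer_service, peer_port, bytes_sent)
HISTORY = [
    ("orders-api", "orders-db", 5432, 1200),
    ("orders-api", "orders-db", 5432, 1350),
    ("orders-api", "orders-db", 5432, 1100),
    ("orders-api", "payments", 8443, 800),
    ("orders-api", "payments", 8443, 950),
    ("orders-api", "payments", 8443, 870),
]

def train_profiles(history, k=4.0):
    """Build one profile per service identifier: known (peer, port) flows, each with a byte ceiling."""
    grouped = defaultdict(lambda: defaultdict(list))
    for sid, peer, port, nbytes in history:
        grouped[sid][(peer, port)].append(nbytes)
    return {
        sid: {flow: statistics.mean(v) + k * (statistics.pstdev(v) or 1.0)
              for flow, v in flows.items()}
        for sid, flows in grouped.items()
    }

def check_activity(profiles, activity):
    """Return an alert dict when the activity does not conform to its service's profile, else None."""
    sid, peer, port, nbytes = activity
    profile = profiles.get(sid)  # profile lookup keyed by the service identifier
    if profile is None:
        return {"service_id": sid, "reason": "no-profile"}  # assumption: unknown services are reported
    ceiling = profile.get((peer, port))
    if ceiling is None:
        return {"service_id": sid, "reason": "unseen-peer", "peer": (peer, port)}
    if nbytes > ceiling:
        return {"service_id": sid, "reason": "volume", "peer": (peer, port), "bytes": nbytes}
    return None
```

The profile here is keyed only on peer, port and volume; a production profile would also cover timing, protocol and direction, and would be retrained as the service's legitimate behavior changes.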