Kernel-Level Rootkits Features to Train Learning Models Against Namespace Attacks on Containers

The container-based cloud computing service is increasingly adopted by many service providers for its efficiency and flexibility. Containers isolated by namespaces share OS kernel. When the kernel-level rootkits exploit vulnerabilities existing in kernel, the namespace can be invalidated leading to critical security incidents. Even though many traditional approaches have been made to detect kernel-level rootkits, it is hard to detect new attacks conducted in the new environment such as container-based cloud computing system. In this paper, we show some possible attack scenarios by kernel-level rootkits exploiting kernel namespaces and suggest key features that can be used to train machine learning and neural network models.