A METHOD FOR ANOMALY DETECTION IN KUBERNETES CLUSTERS USING AN LSTM AUTOENCODER

Authors

DOI:

https://doi.org/10.31891/2307-5732-2026-361-70

Keywords:

Kubernetes, anomaly detection, intrusion detection system, LSTM Autoencoder, deep learning, telemetry data, containerized environments, time series, cybersecurity, zero-day attacks

Abstract

The object of the study is an information technology for detecting anomalous and potentially malicious activity in containerized environments based on the Kubernetes platform. The subject of the research comprises methods for analyzing multidimensional telemetry data of a Kubernetes cluster and their application in combination with deep learning algorithms for building intelligent intrusion detection systems. The paper addresses the problem of constructing a comprehensive dataset that integrates network traffic characteristics, container-level metrics, and Kubernetes cluster state indicators. Special attention is given to data preprocessing, including missing value imputation, feature space standardization, and the formation of time sequences required to model the dynamic behavior of the system. Considering the imbalance between the number of normal operation samples and attack scenarios, as well as the limited set of known attack types, the study substantiates the feasibility of using an anomaly detection approach based on training exclusively on normal behavior data. To solve the stated problem, the use of an LSTM Autoencoder is proposed, which enables modeling temporal dependencies in telemetry data and detecting deviations from learned normal behavior through reconstruction error analysis. A formal approach to determining the anomaly threshold based on F1-score optimization is proposed, ensuring a balanced trade-off between attack detection recall and the number of false positives. During the experimental study, the effectiveness of the proposed approach is evaluated using standard classification performance metrics, including precision, recall, and F1-score. The obtained results demonstrate the model’s ability to detect up to 95% of attack scenarios in the absence of prior information about their types, confirming the suitability of the approach for zero-day attack detection. 
The practical significance of the work lies in the possibility of applying the proposed method to build robust and adaptive security systems for Kubernetes clusters, focused on real-time behavioral anomaly analysis.
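The abstract describes three pieces of the pipeline that can be shown concretely without the network itself: standardizing the feature space on normal data, forming time sequences from per-step telemetry, and choosing the anomaly threshold on reconstruction errors by maximizing F1. The following is an added illustration written for this page, not code from the paper or its authors. It assumes an LSTM autoencoder has already been trained on normal-only windows and has produced one reconstruction error per validation window; the telemetry rows, error values and labels are constructed sample data, and the function names are the example's own.

```python
"""Preprocessing and F1-optimal threshold selection for a reconstruction-error
anomaly detector (added example; assumes the autoencoder already exists)."""
from typing import List, Sequence, Tuple

Vector = Sequence[float]


def fit_standardizer(rows: Sequence[Vector]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and std, fitted on normal training data only, so attack
    windows seen later are scaled relative to learned normal behaviour."""
    n_features = len(rows[0])
    means = [sum(r[j] for r in rows) / len(rows) for j in range(n_features)]
    stds = []
    for j in range(n_features):
        var = sum((r[j] - means[j]) ** 2 for r in rows) / len(rows)
        stds.append(var ** 0.5 or 1.0)  # constant feature: avoid division by zero
    return means, stds


def standardize(rows: Sequence[Vector], means: Sequence[float],
                stds: Sequence[float]) -> List[List[float]]:
    """Apply z-score scaling with statistics from fit_standardizer."""
    return [[(x - m) / s for x, m, s in zip(r, means, stds)] for r in rows]


def make_windows(rows: Sequence[Vector], window: int) -> List[List[List[float]]]:
    """Overlapping sequences of `window` consecutive telemetry steps (stride 1),
    the shape an LSTM consumes."""
    return [[list(r) for r in rows[i:i + window]]
            for i in range(len(rows) - window + 1)]


def precision_recall_f1(errors: Sequence[float], labels: Sequence[int],
                        threshold: float) -> Tuple[float, float, float]:
    """A window is flagged anomalous when its reconstruction error >= threshold."""
    tp = sum(1 for e, y in zip(errors, labels) if e >= threshold and y == 1)
    fp = sum(1 for e, y in zip(errors, labels) if e >= threshold and y == 0)
    fn = sum(1 for e, y in zip(errors, labels) if e < threshold and y == 1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def select_threshold(errors: Sequence[float], labels: Sequence[int]) -> Tuple[float, float]:
    """Scan every observed error value as a candidate threshold and keep the one
    with the highest F1 on the labelled validation set. On ties the lower
    threshold wins, which favours recall over fewer false positives."""
    best_t, best_f1 = float("inf"), -1.0
    for t in sorted(set(errors)):
        _, _, f1 = precision_recall_f1(errors, labels, t)
        if f1 > best_f1:
            best_t, best_f1 = t, f1
    return best_t, best_f1


def detect(errors: Sequence[float], threshold: float) -> List[int]:
    """Runtime decision: 1 = anomalous window, 0 = normal."""
    return [1 if e >= threshold else 0 for e in errors]


# Constructed per-step telemetry: [cpu_millicores, net_bytes_per_s, restart_count].
# The constant restart_count column exercises the zero-std fallback.
TELEMETRY = [
    [100.0, 2000.0, 0.0],
    [120.0, 2200.0, 0.0],
    [110.0, 1900.0, 0.0],
    [130.0, 2100.0, 0.0],
]

# Constructed validation reconstruction errors, one per window, with labels
# (0 = normal window, 1 = attack window). Not results from the paper.
VALIDATION_ERRORS = [0.05, 0.08, 0.06, 0.12, 0.09, 0.07, 0.30, 0.10,  # normal
                     0.45, 0.62, 0.28, 0.90, 0.55]                     # attack
VALIDATION_LABELS = [0] * 8 + [1] * 5


if __name__ == "__main__":
    means, stds = fit_standardizer(TELEMETRY)
    windows = make_windows(standardize(TELEMETRY, means, stds), window=3)
    print(f"{len(windows)} windows of {len(windows[0])} steps")
    t, f1 = select_threshold(VALIDATION_ERRORS, VALIDATION_LABELS)
    print(f"threshold={t:.2f} F1={f1:.3f}", precision_recall_f1(VALIDATION_ERRORS, VALIDATION_LABELS, t))
    print("flags for new errors:", detect([0.04, 0.31, 0.27], t))
```

In the constructed data one normal window has an unusually high error (0.30), so a threshold placed above every normal error would miss an attack window at 0.28; the F1 scan instead settles at 0.28, accepting one false positive to keep recall at 100%. Fitting the standardizer on normal rows only is deliberate: if attack windows contributed to the mean and std, their own deviations would be partially scaled away.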

Published

2026-01-29

How to Cite

SVYRYDOV, A., & SIEVIERINOV, O. (2026). A METHOD FOR ANOMALY DETECTION IN KUBERNETES CLUSTERS USING AN LSTM AUTOENCODER. Herald of Khmelnytskyi National University. Technical Sciences, 361(1), 501-509. https://doi.org/10.31891/2307-5732-2026-361-70