BEHAVIORAL PROFILING OF CONTAINERS FOR CYBERATTACK DETECTION BASED ON SYSTEM CALLS

Authors

O. Sirenko

DOI:

https://doi.org/10.31891/2307-5732-2026-365-26

Keywords:

container security, behavioral profiling, intrusion detection

Abstract

This paper investigates the feasibility of detecting cyberattacks in containerized environments through behavioral profiling of container workloads. The growing adoption of container technologies in cloud-native infrastructures has increased the attack surface of modern systems and highlighted the need for effective runtime security mechanisms. In this context, behavioral analysis of system activity is a promising direction for intrusion detection. System call telemetry is collected with the Falco security monitoring tool using its eBPF-based engine, which enables near real-time observation of process execution events, network connections, and file system operations inside containers with low performance overhead. A method for constructing behavioral profiles of containers is proposed, combining time-based aggregation of system events into fixed-length windows with a deterministic rule-based classification approach. This transforms low-level system call data into higher-level behavioral representations suitable for analysis. Experiments are conducted for scenarios representing normal service operation as well as typical attack patterns, including interactive shell execution, reverse shell activity, and cryptominer emulation. Detection quality is evaluated using the standard classification metrics Precision and Recall. The results show that the proposed approach is applicable in principle to identifying anomalous container behavior. At the same time, they reveal significant limitations of simple threshold-based rules in containerized environments, where different attack scenarios may exhibit overlapping behavioral characteristics. These findings motivate further work on extending the feature set and adopting more adaptive classification methods to improve detection accuracy in containerized systems.
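As an added illustration of the windowing-plus-rules pipeline the abstract describes (example code written for this page, not the paper's implementation or Falco's own code): it takes constructed Falco-style JSON event lines, aggregates them into per-container fixed-length windows of counted features, applies deterministic threshold rules, and scores the result with Precision and Recall. The field names `container.id`, `evt.type`, `proc.name`, `fd.sip` and `fd.name` follow Falco's output-field naming, but the lines are flattened rather than Falco's nested `output_fields` JSON; the events, the 10-second window, the thresholds and the per-container scenario labels are all assumptions. The second shell session deliberately downloads a file with curl, so it satisfies the reverse-shell rule (shell spawn plus outbound connect in the same window); that is the overlap limitation the abstract notes, visible here as a precision loss for the reverse-shell class and a recall loss for the interactive-shell class.

```python
import json
from collections import Counter, defaultdict

# Constructed Falco-style JSON event lines (flattened output fields), not real telemetry.
# t = seconds since capture start; fd.sip = remote IP on connect events.
SAMPLE_LINES = [
    # c-web: normal web service, log file opens and accepts, no shell
    '{"t": 1, "container.id": "c-web", "evt.type": "open", "proc.name": "nginx", "fd.name": "/var/log/nginx/access.log"}',
    '{"t": 2, "container.id": "c-web", "evt.type": "accept", "proc.name": "nginx"}',
    '{"t": 4, "container.id": "c-web", "evt.type": "open", "proc.name": "nginx", "fd.name": "/var/log/nginx/access.log"}',
    # c-shell: interactive shell (e.g. kubectl exec), local commands only
    '{"t": 11, "container.id": "c-shell", "evt.type": "execve", "proc.name": "sh"}',
    '{"t": 12, "container.id": "c-shell", "evt.type": "execve", "proc.name": "ls"}',
    '{"t": 13, "container.id": "c-shell", "evt.type": "execve", "proc.name": "cat"}',
    # c-shell2: interactive shell that also fetches a file, overlapping with reverse-shell features
    '{"t": 21, "container.id": "c-shell2", "evt.type": "execve", "proc.name": "bash"}',
    '{"t": 23, "container.id": "c-shell2", "evt.type": "execve", "proc.name": "curl"}',
    '{"t": 23, "container.id": "c-shell2", "evt.type": "connect", "proc.name": "curl", "fd.sip": "203.0.113.10"}',
    # c-rev: reverse shell, outbound connect then a shell bound to the socket
    '{"t": 31, "container.id": "c-rev", "evt.type": "connect", "proc.name": "nc", "fd.sip": "198.51.100.7"}',
    '{"t": 31, "container.id": "c-rev", "evt.type": "execve", "proc.name": "sh"}',
    '{"t": 35, "container.id": "c-rev", "evt.type": "execve", "proc.name": "id"}',
    # c-miner: cryptominer emulation, one worker repeatedly connecting to a single pool address
    '{"t": 41, "container.id": "c-miner", "evt.type": "execve", "proc.name": "miner-sim"}',
    '{"t": 42, "container.id": "c-miner", "evt.type": "connect", "proc.name": "miner-sim", "fd.sip": "192.0.2.50"}',
    '{"t": 45, "container.id": "c-miner", "evt.type": "connect", "proc.name": "miner-sim", "fd.sip": "192.0.2.50"}',
    '{"t": 48, "container.id": "c-miner", "evt.type": "connect", "proc.name": "miner-sim", "fd.sip": "192.0.2.50"}',
]

# Assumed ground truth: which scenario each constructed container was running.
TRUTH = {"c-web": "normal", "c-shell": "shell", "c-shell2": "shell",
         "c-rev": "reverse_shell", "c-miner": "miner"}

SHELLS = {"sh", "bash", "dash", "zsh"}
WINDOW_S = 10  # assumed fixed window length in seconds


def parse_events(lines):
    return [json.loads(line) for line in lines]


def build_windows(events, window_s=WINDOW_S):
    """Aggregate events into (container, window index) buckets of counted features."""
    windows = defaultdict(Counter)
    remotes = defaultdict(set)
    for ev in events:
        key = (ev["container.id"], ev["t"] // window_s)
        feats = windows[key]
        feats["events"] += 1
        if ev["evt.type"] == "execve":
            feats["execve"] += 1
            if ev["proc.name"] in SHELLS:
                feats["shell_execve"] += 1
        elif ev["evt.type"] == "connect":
            feats["connect"] += 1
            remotes[key].add(ev.get("fd.sip"))
    for key, feats in windows.items():
        feats["distinct_remotes"] = len(remotes[key])  # how many remote hosts the window talked to
    return dict(windows)


def classify(feats):
    """Deterministic threshold rules over one window, most specific rule first."""
    if feats["shell_execve"] >= 1 and feats["connect"] >= 1:
        return "reverse_shell"  # also fires on an interactive shell that runs curl
    if feats["shell_execve"] >= 1:
        return "shell"
    if feats["connect"] >= 3 and feats["distinct_remotes"] == 1:
        return "miner"  # repeated connects to one endpoint, no shell
    return "normal"


def precision_recall(predicted, truth, label):
    """Per-class Precision and Recall computed over windows."""
    tp = sum(1 for k in predicted if predicted[k] == label and truth[k] == label)
    fp = sum(1 for k in predicted if predicted[k] == label and truth[k] != label)
    fn = sum(1 for k in predicted if predicted[k] != label and truth[k] == label)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def run(lines=SAMPLE_LINES, truth_by_container=TRUTH):
    """Window, classify and score; returns per-window predictions and per-class (P, R)."""
    windows = build_windows(parse_events(lines))
    predicted = {k: classify(f) for k, f in windows.items()}
    truth = {k: truth_by_container[k[0]] for k in windows}
    scores = {lbl: precision_recall(predicted, truth, lbl) for lbl in sorted(set(truth.values()))}
    return predicted, scores


if __name__ == "__main__":
    preds, scores = run()
    for key, label in sorted(preds.items()):
        print(f"{key[0]:>9} window {key[1]}: {label}")
    for label, (p, r) in scores.items():
        print(f"{label:>14}: precision={p:.2f} recall={r:.2f}")
```

Running it labels the curl-using interactive session as `reverse_shell`, giving that class Precision 0.5 at Recall 1.0 and the `shell` class Recall 0.5, while the miner and normal windows score 1.0 on both metrics. Adding features such as whether the shell's stdin and stdout are bound to the socket (which Falco exposes on the spawned process) would separate the two cases; counting shell spawns and connects alone cannot.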

Published

2026-05-28

How to Cite

SIRENKO, O. (2026). BEHAVIORAL PROFILING OF CONTAINERS FOR CYBERATTACK DETECTION BASED ON SYSTEM CALLS. Herald of Khmelnytskyi National University. Technical Sciences, 365(3), 175-180. https://doi.org/10.31891/2307-5732-2026-365-26