Container Anomaly Detection System Based on Improved-iForest and eBPF

Abstract

Abstract: Container has become an important part of cloud-native architecture. More and more enterprises are deploying their core business on containers. The running status of containers is very important for the stability of their business. This paper proposes a container anomaly detection system based on the improved isolation forest algorithm and eBPF. The data is directly extracted from the kernel through eBPF, and the data fluctuating with time is corrected by the method of polynomial regression, and then the iTrees are constructed by the improved isolation forest algorithm, and the abnormal score is calculated to locate the abnormal container. Experiments show that the system improves the precision and recall rate compared with the classical isolation forest algorithm, and the resource overhead is very small.