DeSFAM: An Adaptive eBPF and AI-Driven Framework for Securing Cloud Containers in Real Time
Containerized applications offer lightweight and scalable deployment but remain exposed to security risks due to a shared kernel. We present DeSFAM (Dynamic eBPF-driven Syscall Filtering and Anomaly Mitigation), a real-time security framework that enforces least-privilege syscall usage and detects behavioral anomalies. DeSFAM integrates: 1) hybrid syscall profiling through static analysis and dynamic eBPF tracing; 2) SyscallAD (System call Anomaly Detection), a low-latency anomaly detector combining Variational Autoencoder (VAE) and Isolation Forest (iForest); 3) contextual risk scoring based on MITRE ATT&CK mappings and CVE correlations; and 4) adaptive syscall enforcement using eBPF maps and LSM hooks. Evaluations using the DongTing dataset and real-world CVE attack scenarios show DeSFAM achieves 94% precision, 90% recall, sub-millisecond enforcement latency, and less than 1% performance overhead. DeSFAM effectively blocks privilege escalation, container escape attempts, and syscall injection attacks in modern container environments.
| Main Authors: | Sehar Zehra, Hassan Jamil Syed, Fahad Samad, Ummay Faseeha |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Anomaly detection; cloud containers; container security; eBPF monitoring; real-time threat detection; syscall filtering |
| Online Access: | https://ieeexplore.ieee.org/document/11095719/ |
| Field | Value |
|---|---|
| author | Sehar Zehra; Hassan Jamil Syed; Fahad Samad; Ummay Faseeha |
| collection | DOAJ |
| description | Containerized applications offer lightweight and scalable deployment but remain exposed to security risks due to a shared kernel. We present DeSFAM (Dynamic eBPF-driven Syscall Filtering and Anomaly Mitigation), a real-time security framework that enforces least-privilege syscall usage and detects behavioral anomalies. DeSFAM integrates: 1) hybrid syscall profiling through static analysis and dynamic eBPF tracing; 2) SyscallAD (System call Anomaly Detection), a low-latency anomaly detector combining Variational Autoencoder (VAE) and Isolation Forest (iForest); 3) contextual risk scoring based on MITRE ATT&CK mappings and CVE correlations; and 4) adaptive syscall enforcement using eBPF maps and LSM hooks. Evaluations using the DongTing dataset and real-world CVE attack scenarios show DeSFAM achieves 94% precision, 90% recall, sub-millisecond enforcement latency, and less than 1% performance overhead. DeSFAM effectively blocks privilege escalation, container escape attempts, and syscall injection attacks in modern container environments. |
| format | Article |
| id | doaj-art-b6e7083533a0467bbb90cbe6e69c62e9 |
| institution | Kabale University |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| record_updated | 2025-08-20T04:01:48Z |
| volume | 13 |
| pages | 139203-139224 |
| doi | 10.1109/ACCESS.2025.3592192 |
| ieee_document | 11095719 |
| author_orcid | Sehar Zehra (https://orcid.org/0009-0007-7595-1221); Hassan Jamil Syed (https://orcid.org/0000-0002-1834-1810); Fahad Samad (https://orcid.org/0000-0003-3833-2644); Ummay Faseeha (https://orcid.org/0009-0000-5276-1504) |
| affiliation | Department of Computer Science, FAST National University of Computer and Emerging Sciences, Karachi, Pakistan; Asia Pacific University of Technology and Innovation (APU), Kuala Lumpur, Malaysia; Department of Cyber Security, FAST National University of Computer and Emerging Sciences, Karachi, Pakistan; Department of Computer Science, FAST National University of Computer and Emerging Sciences, Karachi, Pakistan |
| title | DeSFAM: An Adaptive eBPF and AI-Driven Framework for Securing Cloud Containers in Real Time |
| topic | Anomaly detection; cloud containers; container security; eBPF monitoring; real-time threat detection; syscall filtering |
| url | https://ieeexplore.ieee.org/document/11095719/ |