Cryptomining Detection in Container Clouds Using System Calls and Explainable Machine Learning
IEEE Transactions on Parallel and Distributed Systems (IF 5.3). Pub Date: 2021-03-01, DOI: 10.1109/tpds.2020.3029088
Rupesh Raj Karn, Prabhakar Kudva, Hai Huang, Sahil Suneja, Ibrahim M. Elfadel

The use of containers in cloud computing has been steadily increasing. With the emergence of Kubernetes, the management of applications inside containers (or pods) is simplified. Kubernetes allows automated actions such as self-healing, scaling, rolling back, and updates for application management. At the same time, security threats have also evolved, with attacks on pods to perform malicious actions. Among several recent malware types, cryptomining has emerged as one of the most serious threats because it hijacks server resources for cryptocurrency mining. During application deployment and execution in the pod, a cryptomining process started by a hidden malware executable can run in the background, so a method to detect malicious cryptomining software running inside Kubernetes pods is needed. One feasible strategy is to use machine learning (ML) to identify and classify pods based on whether or not they contain a running cryptomining process. In addition to such detection, the system administrator will need an explanation as to the reason(s) for the ML classification outcome. The explanation will justify and support disruptive administrative decisions such as pod removal or its restart with a new image. In this article, we describe the design and implementation of an ML-based detection system for anomalous pods in a Kubernetes cluster that monitors Linux-kernel system calls (syscalls). Several types of cryptominer images are used as containers within an anomalous pod, and several ML models are built to detect such pods in the presence of numerous healthy cloud workloads. Explainability is provided using SHAP, LIME, and a novel auto-encoding-based scheme for LSTM models. Seven evaluation metrics are used to compare and contrast the explainable models of the proposed ML cryptomining detection engine.
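A minimal illustration of the pipeline the abstract describes (per-pod syscall frequency features, a detector fitted on pods known to be healthy, and a per-syscall explanation of each verdict), added here as an example; it is not the paper's code, and the trace format, feature definition, z-score detector and the choice of which syscalls a miner emits are assumptions standing in for the paper's ML models and SHAP/LIME explanations.

```python
import math
from collections import Counter, defaultdict
# Constructed per-pod syscall trace in an assumed "<pod> <syscall>" format (not the paper's data).
TRACE = """
web-1 read
web-1 write
web-1 epoll_wait
web-1 accept4
web-1 read
web-1 write
db-1 pread64
db-1 pwrite64
db-1 fsync
db-1 epoll_wait
db-1 read
miner-1 sched_yield
miner-1 futex
miner-1 sched_yield
miner-1 clock_gettime
miner-1 futex
miner-1 sched_yield
""".strip().splitlines()
SYSCALLS = sorted({line.split()[1] for line in TRACE})  # fixed feature vocabulary

def feature_vectors(lines):
    """Per-pod relative syscall frequencies over the fixed vocabulary."""
    counts = defaultdict(Counter)
    for line in lines:
        pod, call = line.split()
        counts[pod][call] += 1
    return {pod: {s: c[s] / sum(c.values()) for s in SYSCALLS} for pod, c in counts.items()}

def baseline(vecs, healthy_pods):
    """Per-syscall mean and std-dev across pods labelled healthy (assumed detector, not the paper's)."""
    mean, std = {}, {}
    for s in SYSCALLS:
        xs = [vecs[p][s] for p in healthy_pods]
        mean[s] = sum(xs) / len(xs)
        std[s] = math.sqrt(sum((x - mean[s]) ** 2 for x in xs) / len(xs)) + 1e-3  # floor: unseen syscalls score high
    return mean, std

def explain(vec, mean, std, top=3):
    """Anomaly score (sum of squared z-scores) and the syscalls that contributed most, for the administrator."""
    contrib = {s: ((vec[s] - mean[s]) / std[s]) ** 2 for s in SYSCALLS}
    return sum(contrib.values()), sorted(contrib, key=contrib.get, reverse=True)[:top]

if __name__ == "__main__":
    vecs = feature_vectors(TRACE)
    mean, std = baseline(vecs, ["web-1", "db-1"])
    for pod in vecs: print(pod, *explain(vecs[pod], mean, std))
```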

Updated: 2021-03-01