Real-Time Anomaly Detection in Docker Containers: A Continuous Learning Approach Using SF-SOINN
Foresti G. L.;Miculan M.;De Nardin A.
2025-01-01
Abstract
As cyber threats become more sophisticated than ever with the rapid expansion of internet-connected systems and the increased use of containerized environments, we present the Soft-Forgetting Self-Organizing Incremental Neural Network (SF-SOINN), a novel approach to unsupervised anomaly detection in containerized platforms. Whereas traditional Intrusion Detection Systems (IDS) rely on supervised learning trained on known attack signatures, SF-SOINN employs a continuous learning approach that adapts dynamically to new data patterns, thereby eliminating the need for labeled datasets. This capability enables effective real-time detection of zero-day threats in dynamic environments. SF-SOINN has demonstrated efficacy in identifying malicious attacks on the real-world NSL-KDD dataset, and we extended its application to containerized environments using the KubAnomaly framework. Our benchmark results reveal that SF-SOINN outperforms traditional supervised models such as Support Vector Machines (SVM) and Convolutional Neural Networks (CNN), as well as the unsupervised KubAnomaly, particularly in scenarios involving complex attacks. The performance metric considered here focused on optimizing the False Positive Rate (FPR) while balancing other key metrics, namely accuracy, recall, and precision, to achieve the best results; we anticipate this approach will lay a strong foundation for developing robust anomaly-based IDS in the future.
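The abstract rests on two ideas that are easier to see in code than in prose: an anomaly detector that learns from unlabeled traffic as it streams in and gradually forgets stale structure, and an evaluation that optimizes FPR while reporting accuracy, precision and recall alongside it. The following is an added illustration, not the paper's SF-SOINN implementation or any code from the authors: a deliberately simple online prototype-based scorer with weight decay stands in for the incremental network, and the constructed 2-D "benign near the origin, attack near (5, 5)" stream stands in for NSL-KDD or KubAnomaly features. Class and function names are my own.

```python
"""Online prototype-based anomaly scoring plus IDS metrics (added example, not SF-SOINN)."""
import math


class OnlinePrototypeDetector:
    """Unsupervised, incremental distance-to-prototype scorer (a sketch, not the paper's model).

    A vector is scored by its Euclidean distance to the nearest prototype. If that distance
    is within `threshold`, the prototype moves toward the vector and its weight is refreshed;
    otherwise the vector becomes a new prototype. Every weight decays each step ("soft
    forgetting"), and prototypes below `min_weight` are removed, so behaviour that stops
    recurring is forgotten instead of accumulating forever.
    """

    def __init__(self, threshold, decay=0.99, min_weight=0.05, lr=0.1):
        self.threshold, self.decay, self.min_weight, self.lr = threshold, decay, min_weight, lr
        self.prototypes = []  # each entry: [position (list of floats), weight]

    @staticmethod
    def _dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def nearest(self, x):
        """Return (index, distance) of the closest prototype, or (None, inf) if there is none."""
        best_i, best_d = None, math.inf
        for i, (pos, _w) in enumerate(self.prototypes):
            d = self._dist(pos, x)
            if d < best_d:
                best_i, best_d = i, d
        return best_i, best_d

    def score(self, x):
        """Anomaly score = distance to the nearest prototype; no learning happens here."""
        return self.nearest(x)[1]

    def observe(self, x):
        """Score x, then learn from it; returns the score computed before learning."""
        idx, d = self.nearest(x)
        for proto in self.prototypes:      # soft forgetting: every prototype loses a little weight
            proto[1] *= self.decay
        if idx is not None and d <= self.threshold:
            pos = self.prototypes[idx][0]
            for k in range(len(pos)):      # pull the winning prototype toward the new sample
                pos[k] += self.lr * (x[k] - pos[k])
            self.prototypes[idx][1] = 1.0  # refreshed: this pattern is still current
        else:
            self.prototypes.append([list(x), 1.0])
        self.prototypes = [p for p in self.prototypes if p[1] >= self.min_weight]
        return d


def confusion(scores, labels, cutoff):
    """Count (tp, fp, tn, fn); label 1 = attack, and an alert is raised when score > cutoff."""
    tp = fp = tn = fn = 0
    for s, y in zip(scores, labels):
        alert = s > cutoff
        if alert and y == 1:
            tp += 1
        elif alert:
            fp += 1
        elif y == 1:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def metrics(tp, fp, tn, fn):
    """Accuracy, precision, recall and FPR; a ratio with a zero denominator is reported as 0.0."""
    def ratio(n, d):
        return n / d if d else 0.0
    return {"accuracy": ratio(tp + tn, tp + fp + tn + fn), "precision": ratio(tp, tp + fp),
            "recall": ratio(tp, tp + fn), "fpr": ratio(fp, fp + tn)}


def sweep(scores, labels, cutoffs):
    """Metrics at each alert cutoff, which is where the FPR-versus-recall trade-off shows up."""
    return [(c, metrics(*confusion(scores, labels, c))) for c in cutoffs]


def constructed_stream():
    """Constructed toy data: 49 benign 2-D points near the origin, 9 attack points near (5, 5)."""
    benign = [(i / 10, j / 10) for i in range(-3, 4) for j in range(-3, 4)]
    attacks = [(5 + i / 10, 5 + j / 10) for i in range(-1, 2) for j in range(-1, 2)]
    return benign, attacks


def evaluate(cutoffs=(0.25, 0.5, 1.0, 2.0, 10.0)):
    """Warm up on benign traffic only (no labels used), then score a mixed test set."""
    benign, attacks = constructed_stream()
    det = OnlinePrototypeDetector(threshold=0.5)
    for x in benign:
        det.observe(x)
    test = benign + attacks
    labels = [0] * len(benign) + [1] * len(attacks)
    scores = [det.score(x) for x in test]
    return sweep(scores, labels, cutoffs)


if __name__ == "__main__":
    for cutoff, m in evaluate():
        print(f"cutoff={cutoff:<5} " + " ".join(f"{k}={v:.2f}" for k, v in m.items()))
```

The warm-up phase feeds only benign traffic, so the mixed test set is scored against a clean baseline. In a truly continuous deployment `observe()` keeps learning on everything it sees, and a sustained attack would eventually earn its own prototype and stop alerting: that is the price of adapting to drift, and the reason an anomaly IDS should be reported as a cutoff sweep with FPR next to recall rather than as a single accuracy figure.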


