
Open Access

ARTICLE

Hybrid Runtime Detection of Malicious Containers Using eBPF

Jeongeun Ryu1, Riyeong Kim2, Soomin Lee1, Sumin Kim1, Hyunwoo Choi1,2, Seongmin Kim1,2,*
1 Department of Convergence Security Engineering, Sungshin Women’s University, 2, Bomun-Ro 34da-Gil, Seongbuk-Gu, Seoul, 02844, Republic of Korea
2 Department of Future Convergence Technology Engineering, Sungshin Women’s University, 2, Bomun-Ro 34da-Gil, Seongbuk-Gu, Seoul, 02844, Republic of Korea
* Corresponding Author: Seongmin Kim.

Computers, Materials & Continua https://doi.org/10.32604/cmc.2025.074871

Received 20 October 2025; Accepted 28 November 2025; Published online 22 December 2025

Abstract

As containerized environments become increasingly prevalent in cloud-native infrastructures, the need for effective monitoring and detection of malicious behaviors has become critical. Malicious containers pose significant risks by exploiting shared host resources, enabling privilege escalation, or launching large-scale attacks such as cryptomining and botnet activities. Therefore, developing accurate and efficient detection mechanisms is essential for ensuring the security and stability of containerized systems. To this end, we propose a hybrid detection framework that leverages the extended Berkeley Packet Filter (eBPF) to monitor container activities directly within the Linux kernel. The framework simultaneously collects flow-based network metadata and host-based system-call traces, transforms them into machine-learning features, and applies multi-class classification models to distinguish malicious containers from benign ones. Using six malicious and four benign container scenarios, our evaluation shows that runtime detection is feasible with high accuracy: flow-based detection achieved 87.49%, while host-based detection using system-call sequences reached 98.39%. The performance difference is largely due to similar communication patterns exhibited by certain malware families, which limit the discriminative power of flow-level features. Host-level monitoring, by contrast, exposes fine-grained behavioral characteristics, such as file-system access patterns, persistence mechanisms, and resource-management calls, that do not appear in network metadata. Our results further demonstrate that both monitoring modality and preprocessing strategy directly influence model performance. More importantly, combining flow-based and host-based telemetry in a complementary hybrid approach resolves classification ambiguities that arise when relying on a single data source. These findings underscore the potential of eBPF-based hybrid analysis for achieving accurate, low-overhead, and behavior-aware runtime security in containerized environments, and they establish a practical foundation for developing adaptive and scalable detection mechanisms in modern cloud systems.
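The abstract's central claim is that flow metadata alone can leave two container classes tied while system-call sequences separate them, and that fusing the two views resolves the tie. The following Python block is an added illustration of that idea and is not code from the paper or its authors: the training data is constructed, the syscall trace format (one syscall name per event), the flow tuple `(dst_port, bytes, duration_s)`, the bigram and log-scaled flow features, the nearest-centroid classifier with cosine similarity, the class names and the `AMBIGUITY_MARGIN` threshold are all assumptions chosen for the example rather than the paper's feature set or models.

```python
"""Toy late-fusion classifier over syscall n-grams and flow metadata.

Constructed illustration (not the paper's code): a flow-only view leaves two
classes tied while the syscall view separates them, and summing the two
modalities' similarities gives an unambiguous verdict.
"""
import math
from collections import Counter

# Constructed training samples: per class, one syscall sequence as an eBPF
# tracer might emit it for a container, plus flows as (dst_port, bytes, duration_s).
TRAIN = {
    "benign_web": {
        "syscalls": ["accept4", "read", "openat", "read", "write", "close",
                     "accept4", "read", "write"],
        "flows": [(443, 5200, 0.3), (443, 4800, 0.2), (5432, 900, 0.05)],
    },
    "cryptominer": {
        "syscalls": ["connect", "sendto", "recvfrom", "sched_yield", "futex",
                     "sendto", "recvfrom", "futex"],
        "flows": [(3333, 400, 60.0), (3333, 420, 60.0)],
    },
    "botnet": {
        # Same long-lived, low-volume channel as the miner, but the host view
        # additionally shows file writes, a mode change and a new exec.
        "syscalls": ["connect", "sendto", "recvfrom", "openat", "write",
                     "chmod", "execve", "sendto"],
        "flows": [(3333, 380, 55.0), (3333, 410, 58.0)],
    },
}

AMBIGUITY_MARGIN = 0.05  # top-1 vs top-2 gap below which a modality is "unsure" (assumed)


def syscall_features(seq, n=2):
    """Bag of syscall n-grams, L1-normalised so trace length does not dominate."""
    grams = Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))
    total = sum(grams.values())
    return {g: c / total for g, c in grams.items()}


def flow_features(flows):
    """Summary statistics of flow metadata; log scale keeps bytes and seconds comparable."""
    n = len(flows)
    return {
        "log_bytes": math.log1p(sum(f[1] for f in flows) / n),
        "log_duration": math.log1p(sum(f[2] for f in flows) / n),
        "unique_dports": float(len({f[0] for f in flows})),
    }


def cosine(a, b):
    """Cosine similarity between two sparse dict vectors."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def build_centroids():
    """One reference vector per class and modality (nearest-centroid model)."""
    return {
        label: {"sys": syscall_features(s["syscalls"]), "flow": flow_features(s["flows"])}
        for label, s in TRAIN.items()
    }


def score_modality(vec, centroids, modality):
    """Similarity of one observation to every class under a single modality."""
    return {label: cosine(vec, c[modality]) for label, c in centroids.items()}


def verdict(scores):
    """Top label plus whether the decision is ambiguous (small top-2 margin)."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    margin = ranked[0][1] - ranked[1][1]
    return ranked[0][0], margin < AMBIGUITY_MARGIN


def classify(syscalls, flows, centroids):
    """Per-modality verdicts and the late-fusion (summed similarity) verdict."""
    sys_scores = score_modality(syscall_features(syscalls), centroids, "sys")
    flow_scores = score_modality(flow_features(flows), centroids, "flow")
    fused = {lab: sys_scores[lab] + flow_scores[lab] for lab in centroids}
    return {"host": verdict(sys_scores), "flow": verdict(flow_scores), "hybrid": verdict(fused)}


if __name__ == "__main__":
    model = build_centroids()
    # Constructed observation: miner-like traffic, bot-like host behaviour.
    result = classify(
        ["connect", "sendto", "recvfrom", "openat", "write", "chmod", "execve", "sendto", "recvfrom"],
        [(3333, 395, 57.0)],
        model,
    )
    for modality, (label, ambiguous) in result.items():
        print(f"{modality:6s} -> {label:12s} ambiguous={ambiguous}")
```

Running the block shows the pattern the abstract describes: the flow verdict is flagged ambiguous because the miner and bot centroids share almost identical traffic statistics, the host verdict picks the bot class with a clear margin on the basis of the `openat`/`write`/`chmod`/`execve` bigrams, and the fused score inherits that margin. A production pipeline would replace the hand-picked centroids with a trained multi-class model and derive the ambiguity threshold from validation data, but the fusion logic stays the same.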

Keywords

Container security; container anomaly detection; eBPF; system calls; network flow; machine learning