Saved in:
Bibliographic Details
Main Authors: Nousias, Akis, Katsaros, Efklidis, Syrmos, Evangelos, Radoglou-Grammatikis, Panagiotis, Lagkas, Thomas, Argyriou, Vasileios, Moscholios, Ioannis, Markakis, Evangelos, Goudos, Sotirios, Sarigiannidis, Panagiotis
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2504.03238
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909564923805696
author Nousias, Akis
Katsaros, Efklidis
Syrmos, Evangelos
Radoglou-Grammatikis, Panagiotis
Lagkas, Thomas
Argyriou, Vasileios
Moscholios, Ioannis
Markakis, Evangelos
Goudos, Sotirios
Sarigiannidis, Panagiotis
author_facet Nousias, Akis
Katsaros, Efklidis
Syrmos, Evangelos
Radoglou-Grammatikis, Panagiotis
Lagkas, Thomas
Argyriou, Vasileios
Moscholios, Ioannis
Markakis, Evangelos
Goudos, Sotirios
Sarigiannidis, Panagiotis
contents Malware detection is increasingly challenged by evolving techniques like obfuscation and polymorphism, limiting the effectiveness of traditional methods. Meanwhile, the widespread adoption of software containers has introduced new security challenges, including the growing threat of malicious software injection, where a container, once compromised, can serve as entry point for further cyberattacks. In this work, we address these security issues by introducing a method to identify compromised containers through machine learning analysis of their file systems. We cast the entire software containers into large RGB images via their tarball representations, and propose to use established Convolutional Neural Network architectures on a streaming, patch-based manner. To support our experiments, we release the COSOCO dataset--the first of its kind--containing 3364 large-scale RGB images of benign and compromised software containers at https://huggingface.co/datasets/k3ylabs/cosoco-image-dataset. Our method detects more malware and achieves higher F1 and Recall scores than all individual and ensembles of VirusTotal engines, demonstrating its effectiveness and setting a new standard for identifying malware-compromised software containers.
format Preprint
id arxiv_https___arxiv_org_abs_2504_03238
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Malware Detection in Docker Containers: An Image is Worth a Thousand Logs
Nousias, Akis
Katsaros, Efklidis
Syrmos, Evangelos
Radoglou-Grammatikis, Panagiotis
Lagkas, Thomas
Argyriou, Vasileios
Moscholios, Ioannis
Markakis, Evangelos
Goudos, Sotirios
Sarigiannidis, Panagiotis
Cryptography and Security
Artificial Intelligence
Computer Vision and Pattern Recognition
Malware detection is increasingly challenged by evolving techniques like obfuscation and polymorphism, limiting the effectiveness of traditional methods. Meanwhile, the widespread adoption of software containers has introduced new security challenges, including the growing threat of malicious software injection, where a container, once compromised, can serve as entry point for further cyberattacks. In this work, we address these security issues by introducing a method to identify compromised containers through machine learning analysis of their file systems. We cast the entire software containers into large RGB images via their tarball representations, and propose to use established Convolutional Neural Network architectures on a streaming, patch-based manner. To support our experiments, we release the COSOCO dataset--the first of its kind--containing 3364 large-scale RGB images of benign and compromised software containers at https://huggingface.co/datasets/k3ylabs/cosoco-image-dataset. Our method detects more malware and achieves higher F1 and Recall scores than all individual and ensembles of VirusTotal engines, demonstrating its effectiveness and setting a new standard for identifying malware-compromised software containers.
title Malware Detection in Docker Containers: An Image is Worth a Thousand Logs
topic Cryptography and Security
Artificial Intelligence
Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2504.03238