Real-time anomaly detection in docker containers: a continuous learning approach using SF-SOINN / Ejeh, D. G.; Foresti, G. L.; Miculan, M.; De Nardin, A. - 3962:(2025). (ITASEC & SERICS 2025 - Joint National Conference on Cybersecurity 2025 Bologna, Italy 03-08/02/2025).

Real-time anomaly detection in docker containers: a continuous learning approach using SF-SOINN

Ejeh D. G.; 2025

Abstract

As cyber threats become increasingly sophisticated due to the rapid expansion of internet-connected systems and the growing use of containerized environments, this paper presents the Soft-Forgetting Self-Organizing Incremental Neural Network (SF-SOINN), a novel approach to unsupervised anomaly detection in containerized platforms. Unlike traditional Intrusion Detection Systems (IDS), which rely on supervised learning and known attack signatures for training, SF-SOINN adopts a continuous learning approach that dynamically adapts to new data patterns, thereby eliminating the need for labeled datasets. This capability enables effective real-time detection of zero-day threats in dynamic environments. SF-SOINN demonstrated efficacy in identifying malicious attacks using the real-world NSL-KDD dataset, and its application was extended to containerized environments using the KubAnomaly framework. Benchmark results show that SF-SOINN outperforms traditional supervised models such as Support Vector Machines (SVM) and Convolutional Neural Networks (CNN), as well as the unsupervised KubAnomaly approach, particularly in scenarios involving complex attacks. The performance evaluation focused on optimizing the False Positive Rate (FPR), while balancing other key metrics such as accuracy, recall, and precision. This approach is expected to provide a strong foundation for developing robust anomaly-based IDSs in the future.
Keywords: Cybersecurity, Continuous learning, Anomaly detection, Docker containers, SFSOINN
Files in this item:
File: paper45.pdf
Access: open access
Description: Real-Time Anomaly Detection in Docker Containers: A Continuous Learning Approach Using SF-SOINN
Type: Publisher's version (PDF)
License: Creative Commons
Size: 322.71 kB
Format: Adobe PDF

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.11771/40818