
Advances, Systems and Applications

Fig. 5 | Journal of Cloud Computing

Fig. 5

From: Optimus: association-based dynamic system call filtering for container attack surface reduction

Process of how Optimus creates new profiles for containers. The profile generator derives valid candidate system calls by matching newly monitored system calls with candidates extracted through association analysis. Combining these valid candidates with previously allowed system calls results in a new set of allowed system calls. The essential system calls required for container initialization are added to this set, culminating in the creation of a new Seccomp profile tailored to the specific container’s needs
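The profile-generation flow in this caption, sketched as an added example that is not code from the paper or from Optimus. It assumes that "matching" means set intersection between monitored syscalls and association candidates, and that the output is the Docker/OCI seccomp JSON format; the function names, the `ESSENTIAL` set and the sample syscall sets are hypothetical and constructed for illustration.

```python
import json

# Constructed stand-in for "essential system calls required for container
# initialization"; the real set used by Optimus is not given in the caption.
ESSENTIAL = {"execve", "exit_group", "futex", "mmap", "rt_sigreturn"}


def valid_candidates(monitored, association_candidates):
    """Assumed matching rule: a candidate is valid only if it was also observed."""
    return set(monitored) & set(association_candidates)


def new_allowed_set(previously_allowed, monitored, association_candidates,
                    essential=ESSENTIAL):
    """Previously allowed + valid candidates + essential initialization syscalls."""
    valid = valid_candidates(monitored, association_candidates)
    return set(previously_allowed) | valid | set(essential)


def still_denied(monitored, allowed):
    """Monitored syscalls with no matching candidate stay outside the profile."""
    return set(monitored) - set(allowed)


def build_seccomp_profile(allowed):
    """Render a deny-by-default profile in Docker/OCI seccomp JSON layout."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


if __name__ == "__main__":
    # Constructed sample sets, not measurements from the paper.
    previously_allowed = {"read", "write", "openat"}
    monitored = {"socket", "connect", "ptrace"}
    candidates = {"socket", "connect", "bind"}

    allowed = new_allowed_set(previously_allowed, monitored, candidates)
    print("still denied:", sorted(still_denied(monitored, allowed)))
    print(json.dumps(build_seccomp_profile(allowed), indent=2))
```

Under this reading, a monitored syscall that no association candidate matches (here `ptrace`) and a candidate that was never observed (here `bind`) both stay denied.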
