US11860994B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11860994-B2 |
| Application number | US-201815733180-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 3, 2018 |
| Priority date | Dec 4, 2017 |
| Publication date | Jan 2, 2024 |
| Grant date | Jan 2, 2024 |
Official abstract text for this publication.
A computer implemented method to detect anomalous behavior of a software container having a software application executing therein, the method including receiving a sparse data representation of each of a: first set of container network traffic records; a first set of application traffic records; and a first set of container resource records, and training a hierarchical temporal memory (HTM) for each first set, wherein the container network traffic records correspond to network traffic communicated with the container, the application traffic records correspond to network traffic communicated with the software application, and the container resource records correspond to the use of computer resources by the container; receiving a sparse data representation of each of a: second set of container network traffic records; a second set of application traffic records; and a second set of container resource records; executing the trained HTMs based on each respective second set to determine a degree of recognition of each of the second sets; responsive to an identification of a coincidence of a degree of recognition of each of the second sets being below a threshold degree in each of the HTMs, identifying anomalous behavior of the software container.
Opening claim text (preview).
The invention claimed is:

1. A computer implemented method to detect anomalous behavior of a software container having a software application executing therein, the method comprising: receiving a sparse data representation of each of: a first set of container network traffic records, a first set of application traffic records, and a first set of container resource records, and training a first hierarchical temporal memory (HTM) for the first set of container network traffic records, a second HTM for the first set of application traffic records, and a third HTM for the first set of container resource records, wherein the first set of container network traffic records correspond to network traffic communicated with the software container, the first set of application traffic records correspond to network traffic communicated with the software application, and the first set of container resource records correspond to the use of computer resources by the software container; receiving a sparse data representation of each of: a second set of container network traffic records, a second set of application traffic records, and a second set of container resource records; executing the trained first HTM based on the second set of container network traffic records, the trained second HTM based on the second set of application traffic records, and the trained third HTM based on the second set of container resource records to determine a degree of recognition of each of the second set of container network traffic records, the second set of application traffic records, and the second set of container resource records; and responsive to an identification of a coincidence of a degree of recognition of each of the second set of container network traffic records, the second set of application traffic records, and the second set of container resource records being below a threshold degree in each of the trained first HTM, the trained second HTM, and the trained third HTM, identifying anomalous behavior of the software container.

2. The method of claim 1, wherein the software container is a software process executable in an operating system of a computer system in which operating system software processes are prevented from accessing resources of other second processes executing in the operating system.

3. The method of claim 1, wherein, in response to the identification of anomalous behavior, implementing a responsive measure to the anomalous behavior.

4. The method of claim 3, wherein the responsive measure includes one or more of: interrupting operation of the software container; identifying software components in communication with the application in the software container as potentially compromised; identifying a definition of the software container as anomalous; and effecting at least one of a redeployment, a reinstallation or a reconfiguration of the software container.

5. The method of claim 1, wherein, in the training mode of operation, each HTM evaluates an anomaly score for records in a respective first set of records and the HTM is trained until the anomaly score meets a predetermined threshold degree of anomaly.

6. The method of claim 1, wherein the coincidence occurs within a time window having a predetermined maximum duration.

7. A computer system comprising: a processor and memory storing computer program code for detecting anomalous behavior of a software container having a software application executing therein, by: receiving a sparse data representation of each of: a first set of container network traffic records, a first set of application traffic records, and a first set of container resource records, and training a first hierarchical temporal memory (HTM) for the first set of container network traffic records, a second HTM for the first set of application traffic records, and a third HTM for the first set of container resource records, wherein the first set of container network traffic records correspond to network traffic communicated with the software container, the first set of application traffic records correspond to network traffic communicated with the software application, and the first set of container resource records correspond to the use of computer resources by the software container; receiving a sparse data representation of each of: a second set of container network traffic records, a second set of application traffic records, and a second set of container resource records; executing the trained first HTM based on the second set of container network traffic records, the trained second HTM based on the second set of application traffic records, and the trained third HTM based on the second set of container resource records to determine a degree of recognition of each of the second set of container network traffic records, the second set of application traffic records, and the second set of container resource records; and responsive to an identification of a coincidence of a degree of recognition of each of the second set of container network traffic records, the second set of application traffic records, and the second set of container resource records being below a threshold degree in each of the trained first HTM, the trained second HTM, and the trained third HTM, identifying anomalous behavior of the software container.

8. A non-transitory computer readable storage element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer system to perform the method as claimed in claim 1.
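The coincidence test of claims 1 and 6, sketched as an added example that is not code from the patent or its applicant. It assumes each trained HTM already emits a degree of recognition between 0 and 1 per record (higher means better recognized); the HTMs themselves are not implemented, and the stream names, sample values, threshold and window are constructed for illustration.

```python
from typing import Dict, List, Tuple

Record = Tuple[float, float]  # (timestamp in seconds, degree of recognition 0..1)

# Constructed sample: per-record recognition as three trained HTMs might report it.
SAMPLE: Dict[str, List[Record]] = {
    "container_network":   [(0, 0.95), (10, 0.91), (20, 0.30),
                            (30, 0.88), (40, 0.25), (50, 0.20)],
    "application_traffic": [(0, 0.97), (10, 0.40), (20, 0.93),
                            (30, 0.90), (40, 0.92), (50, 0.35)],
    "container_resource":  [(0, 0.90), (10, 0.92), (20, 0.94),
                            (30, 0.89), (40, 0.30), (50, 0.28)],
}


def find_coincidences(streams: Dict[str, List[Record]],
                      threshold: float,
                      max_window: float) -> List[Tuple[float, float]]:
    """Return (start, end) spans in which every stream has a record whose
    degree of recognition is below `threshold`, all within `max_window` seconds."""
    # Flatten to time-ordered low-recognition events, tagged by stream.
    low = sorted((t, name) for name, recs in streams.items()
                 for t, score in recs if score < threshold)
    latest: Dict[str, float] = {}   # most recent low-recognition time per stream
    spans: List[Tuple[float, float]] = []
    for t, name in low:
        latest[name] = t
        if len(latest) < len(streams):
            continue                # at least one stream has not dipped yet
        start = min(latest.values())
        if t - start > max_window:
            continue                # dips are too far apart to count as coincident
        if spans and start <= spans[-1][1]:
            spans[-1] = (spans[-1][0], t)   # extend the alert already open
        else:
            spans.append((start, t))
    return spans


if __name__ == "__main__":
    # Isolated dips at t=10 (application) and t=20 (network) raise nothing;
    # only the span where all three streams are unrecognized is reported.
    print(find_coincidences(SAMPLE, threshold=0.5, max_window=15))
```

Requiring all three streams to dip together is what suppresses alerts on single-stream noise, so the window length directly trades detection latency against false positives.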
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title
involving long-term monitoring or reporting · CPC title
Inference or reasoning models · CPC title
Machine learning · CPC title