AI &amp; eBPF based performance anomaly detection system

Ben-Yair, Ido; Rogovoy, Pavel; Zaidenberg, Nezer Jacob

doi:10.1145/3319647.3325842

Cited by 7 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…String matching is handled by Snort using a combination of the Boyer-Moore (BM) [32] and Aho-Corasick (AC) [33] algorithms. [34] suggests using AI to identify performance irregularities using eBPF. eBPF is used in [35], [36] and also [37] in order to build countermeasures for DoS assaults.…”

Section: Related Workmentioning

confidence: 99%

High-performance Intrusion Detection Systemusing eBPF with Machine Learning algorithms

ANAND,

Aakula

2023

Preprint

View full text Add to dashboard Cite

Denial of Service (DoS) and Distributed DoS (DDoS) attacks are standard prob-lems organizations that rely on network services face. Detecting these attackspromptly and accurately is crucial to mitigating the damage caused. This paperproposes an Intrusion Detection System (IDS) that utilizes the extended Berke-ley Packet Filter (eBPF) with machine learning algorithms, namely Decision Tree(DT), Random Forest (RF), Support Vector Machine (SVM), and TwinSVM.eBPF is a bytecode-based virtual machine that runs programs without modifyingthe kernel source code. It can implement various services, such as observabil-ity, security, and networking. Socket filters are an eBPF program attached tothe socket in the Linux kernel that allows for efficient filtering and manip-ulation of network packets at the socket after packets are received from thenetwork stack. Packets that are filtered at the socket level before enteringthe user space. The steps involved in the proposed model are: a) collectingdata from famous repository, CIC-IDS-2017. b) Once the raw data is obtained,it undergoes preprocessing, which includes data transmission, cleaning, reduc-tion, and discretization. c) Following the preprocessing step, an ANOVA F-testextracts specific features from the preprocessed data. d) Lastly, the extractedfeatures are analyzed for intrusion detection using various ML algorithms:DT, RF, SVM, and TwinSVM. e) The eBPF program captures network traf-fic and utilizes trained model parameters to detect attacks within the kernel.Our experimental results show that the accuracy of our proposed ML algo-rithms, DT, RF, SVM, and TwinSVM, outperforms the existing related work:99.38, 99.44, 88.73, and 93.82, respectively. The experimental code available inhttps://github.com/NemalikantiAnand/Project.git

show abstract

Section: Related Workmentioning

confidence: 99%

High-performance Intrusion Detection Systemusing eBPF with Machine Learning algorithms

ANAND,

Aakula

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…For instance, in [11] authors use eBPF to efficiently replace iptables 4 , a well-known firewall and traffic management tool for Linux systems. Additional applications include safeguarding users privacy while using common domain resolution protocols [12], network congestion [13], [14] and fault [15] detection, network traffic mirroring [16], the deployment of mobile gateway for 5G networks [17], identification and performance tuning of a Redis database [18], Intrusion Detection and Prevention System [19], [20], and detection of specific cyberattacks, such as Distributed Denial of Service [21] or Water Torture [22].…”

Section: A Ebpf-based Applications and Approachesmentioning

confidence: 99%

A Control Plane Enabling Automated and Fully Adaptive Network Traffic Monitoring With eBPF

2022

View full text Add to dashboard Cite

The extended Berkeley Packet Filter (eBPF) enables the dynamic injection of user-defined processing logic at run-time in the Linux networking stack without disrupting any active monitoring process. This enables the selective extraction of only the traffic features that are needed in a given instant of time, which is what we define fully adaptive network traffic monitoring. However, eBPF programs require adhoc control plane routines for each specific scenario in order to orchestrate the underlying data plane and export the required metrics, resulting in potentially duplicated source codes to maintain, and creating the risk of deploying, at runtime, unverified user-defined code that controls the devices running the monitoring process. This paper presents a control plane that automatically adapts both its management tasks and data extraction methodologies based on the underlying data plane provided by the user, who can merely focus on the monitoring logic definition. The paper evaluates the performance of the control plane's modules and demonstrates the advantages, in terms of processing speed and memory consumption, of a fullyadaptive monitoring approach with respect to nProbe (a state-of-the-art solution), an adaptive and a nonadaptive methodology in eBPF. Experiments prove that the control plane monitoring functionalities do not significantly affect the underlying data plane (0.15% degraded throughput) and leverage the most efficient extraction primitives (20x faster execution time), and show that the fully-adaptive monitoring leads to a higher number of processed packets (10x) and significantly lower memory occupancy (10x) when extracting the smallest set of features.

show abstract

“…Some researcher have already investigated eBPF based IDSs or thought about using ML in eBPF. [2] propose to use AI for detecting performance anomalies with eBPF. However, they only propose a concept and do not provide an evaluation of the benefit of their approach.…”

Section: B Ebpf For a Machine Learning (Ml)-based Intrusion Detection...mentioning

confidence: 99%

A flow-based IDS using Machine Learning in eBPF

Bachl¹,

Fabini²,

Zseby³

2021

Preprint

View full text Add to dashboard Cite

eBPF is a new technology which allows dynamically loading pieces of code into the Linux kernel. It can greatly speed up networking since it enables the kernel to process certain packets without the involvement of a userspace program. So far eBPF has been used for simple packet filtering applications such as firewalls or Denial of Service protection. We show that it is possible to develop a flow based network intrusion detection system based on machine learning entirely in eBPF. Our solution uses a decision tree and decides for each packet whether it is malicious or not, considering the entire previous context of the network flow. We achieve a performance increase of over 20% compared to the same solution implemented as a userspace program.

show abstract

AI & eBPF based performance anomaly detection system

Cited by 7 publications

References 0 publications

High-performance Intrusion Detection Systemusing eBPF with Machine Learning algorithms

High-performance Intrusion Detection Systemusing eBPF with Machine Learning algorithms

A Control Plane Enabling Automated and Fully Adaptive Network Traffic Monitoring With eBPF

A flow-based IDS using Machine Learning in eBPF

Contact Info

Product

Resources

About