Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel

Wang, Shie-Yuan; Chang, Jen-Chieh

doi:10.1016/j.jnca.2021.103283

Cited by 16 publications

(6 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Recently, the authors in [22] used eBPF [23] in the Linux kernel to pre-drop the packets that need not be delivered to the Snort program for further checking, and achieved a speedup of 3 against the typical implementation of Snort under many evaluated cases. In that work, the authors evaluated the performance of their eBPF-based implementation of Snort on a server machine equipped with an 8-core 3.5 GHZ CPU.…”

Section: Discussionmentioning

confidence: 99%

Supporting Large Random Forests in the Pipelines of a Hardware Switch to Classify Packets at 100-Gbps Line Rate

Wang,

2023

IEEE Access

Self Cite

View full text Add to dashboard Cite

Packet classification is an essential function for many applications such as QoS provisioning and network intrusion detection. In this work, we perform random forest classification in the pipelines of a hardware switch to classify packets at 100 Gbps line rate. We design, implement, and evaluate the performance of our scheme in a P4 (Programming Protocol-independent Packet Processors) programmable hardware switch. Experimental results show that our scheme can: (1) support a random forest composed of more than 100 decision trees in the pipelines of a hardware switch, and (2) use such a large random forest to classify packets at 100 Gbps line rate. In this paper, we design the match-action rules that are required to implement such a random forest in a P4 hardware switch. Besides, we analytically derive the formulas that give the number of these rules.

show abstract

Section: Discussionmentioning

confidence: 99%

Supporting Large Random Forests in the Pipelines of a Hardware Switch to Classify Packets at 100-Gbps Line Rate

Wang,

2023

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

“…eBPF has been widely used to build fast and complex applications in several domains such as tactile [35], security [36], cloud computing [37] and network function virtualization [38]. In what follows, we limit our analysis to the limitations of the system and the relevant frameworks.…”

Section: Related Workmentioning

confidence: 99%

Composing eBPF Programs Made Easy With HIKe and eCLAT

Mayer,

Bracciale,

Lungaroni

et al. 2024

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

“…The paper [12] makes a suggestion for the design and implementation of an IDS that makes use of eBPF inside the Linux kernel. To begin, they suggested using a method based on eBPF to design and deploy IDS systems.…”

Section: Related Workmentioning

confidence: 99%

High-performance Intrusion Detection Systemusing eBPF with Machine Learning algorithms

ANAND,

Aakula

2023

Preprint

View full text Add to dashboard Cite

Denial of Service (DoS) and Distributed DoS (DDoS) attacks are standard prob-lems organizations that rely on network services face. Detecting these attackspromptly and accurately is crucial to mitigating the damage caused. This paperproposes an Intrusion Detection System (IDS) that utilizes the extended Berke-ley Packet Filter (eBPF) with machine learning algorithms, namely Decision Tree(DT), Random Forest (RF), Support Vector Machine (SVM), and TwinSVM.eBPF is a bytecode-based virtual machine that runs programs without modifyingthe kernel source code. It can implement various services, such as observabil-ity, security, and networking. Socket filters are an eBPF program attached tothe socket in the Linux kernel that allows for efficient filtering and manip-ulation of network packets at the socket after packets are received from thenetwork stack. Packets that are filtered at the socket level before enteringthe user space. The steps involved in the proposed model are: a) collectingdata from famous repository, CIC-IDS-2017. b) Once the raw data is obtained,it undergoes preprocessing, which includes data transmission, cleaning, reduc-tion, and discretization. c) Following the preprocessing step, an ANOVA F-testextracts specific features from the preprocessed data. d) Lastly, the extractedfeatures are analyzed for intrusion detection using various ML algorithms:DT, RF, SVM, and TwinSVM. e) The eBPF program captures network traf-fic and utilizes trained model parameters to detect attacks within the kernel.Our experimental results show that the accuracy of our proposed ML algo-rithms, DT, RF, SVM, and TwinSVM, outperforms the existing related work:99.38, 99.44, 88.73, and 93.82, respectively. The experimental code available inhttps://github.com/NemalikantiAnand/Project.git

show abstract

Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel

Cited by 16 publications

References 14 publications

Supporting Large Random Forests in the Pipelines of a Hardware Switch to Classify Packets at 100-Gbps Line Rate

Supporting Large Random Forests in the Pipelines of a Hardware Switch to Classify Packets at 100-Gbps Line Rate

Composing eBPF Programs Made Easy With HIKe and eCLAT

High-performance Intrusion Detection Systemusing eBPF with Machine Learning algorithms

Contact Info

Product

Resources

About