A flow-based IDS using Machine Learning in eBPF
Maximilian Bachl, Joachim Fabini, Tanja Zseby

TL;DR
This paper presents a novel flow-based network intrusion detection system implemented entirely in eBPF, leveraging machine learning to efficiently identify malicious traffic with significant performance gains.
Contribution
It introduces a machine learning-based IDS in eBPF, enabling real-time detection within the Linux kernel with improved performance over user-space solutions.
Findings
Over 20% performance increase compared to user-space implementation
Effective flow-based detection using decision trees in eBPF
Real-time malicious traffic identification within the kernel
Abstract
eBPF is a new technology which allows dynamically loading pieces of code into the Linux kernel. It can greatly speed up networking since it enables the kernel to process certain packets without the involvement of a userspace program. So far, eBPF has been used for simple packet filtering applications such as firewalls or Denial of Service protection. We show that it is possible to develop a flow-based network intrusion detection system based on machine learning entirely in eBPF. Our solution uses a decision tree and decides for each packet whether it is malicious or not, considering the entire previous context of the network flow. We achieve a performance increase of over 20% compared to the same solution implemented as a userspace program.
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
