Carleton University - School of Computer Science Honours Project
Winter 2020
Host-Based Anomaly Detection with Extended BPF
William Findlay
ABSTRACT
System introspection is becoming an increasingly attractive option for maintaining operating system stability and security. This is primarily due to the many recent advances in system introspection technology; in particular, the 2014 introduction of Extended Berkeley Packet Filter (eBPF) into the Linux Kernel along with the recent development of more usable interfaces such as the BPF Compiler Collection (bcc) have resulted in a rich, performant, and (perhaps most importantly) safe subsystem for both kernel and userland instrumentation. The scope, safety, and performance of eBPF system introspection has potentially powerful applications in the domain of computer security. In order to demonstrate this, I present ebpH, an eBPF implementation of Somayaji's Process Homeostasis (pH). ebpH is an intrusion detection system (IDS) that uses eBPF programs to instrument system calls and establish normal behavior for processes, building a profile for each executable on the system; subsequently, ebpH can warn the user when it detects process behavior that violates the established profiles. Experimental results show that ebpH can detect anomalies in process behavior with negligible overhead. Furthermore, ebpH's anomaly detection comes with minimal risk to the system thanks to the safety guarantees of eBPF, rendering it an ideal solution for monitoring production systems.

This thesis will discuss the design and implementation of ebpH along with the technical challenges which occurred along the way. It will then present experimental data and performance benchmarks that demonstrate ebpH's ability to monitor process behavior with minimal overhead. Finally, it will conclude with a discussion on the merits of eBPF IDS implementations and potential avenues for future work.

ebpH is licensed under GPLv2 and full source code is available at https://github.com/willfindlay/ebph.