Carleton University - School of Computer Science Honours Project
Winter 2020
Host-Based Anomaly Detection with Extended BPF

ABSTRACT
System introspection is becoming an increasingly attractive option for maintaining operating
system stability and security. This is primarily due to the many recent advances in system
introspection technology; in particular, the 2014 introduction of Extended Berkeley Packet
Filter (eBPF) into the Linux Kernel along with the recent development of more
usable interfaces such as the BPF Compiler Collection (bcc) have resulted in a rich,
performant, and (perhaps most importantly) safe subsystem for both kernel and userland
instrumentation.
The scope, safety, and performance of eBPF system introspection have potentially powerful
applications in the domain of computer security. In order to demonstrate this, I present
ebpH, an eBPF implementation of Somayaji's Process Homeostasis (pH). ebpH is an
intrusion detection system (IDS) that uses eBPF programs to instrument system calls and
establish normal behavior for processes, building a profile for each executable on the system;
subsequently, ebpH can warn the user when it detects process behavior that violates
the established profiles. Experimental results show that ebpH can detect anomalies in process
behavior with negligible overhead. Furthermore, ebpH's anomaly detection comes with
minimal risk to the system thanks to the safety guarantees of eBPF, rendering it an ideal
solution for monitoring production systems.
This thesis will discuss the design and implementation of ebpH along with the technical
challenges which occurred along the way. It will then present experimental data and performance
benchmarks that demonstrate ebpH's ability to monitor process behavior with
minimal overhead. Finally, it will conclude with a discussion on the merits of eBPF IDS
implementations and potential avenues for future work.
ebpH is licensed under GPLv2 and full source code is available at https://github.com/willfindlay/ebph.
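As an added illustration (this is not ebpH's own source code), the following Python models the profiling step the abstract describes: a per-executable profile of normal system-call behavior is learned from traces during training and later used to flag sequences that were never observed. The lookahead-pair representation is the one pH uses; the window size, the executable name and the system-call traces are constructed for this example.

```python
# Added example, not ebpH's code: a minimal pH-style profile keyed by
# executable. For every system call it records which calls preceded it at
# each distance 1..WINDOW (lookahead pairs). Training fills the sets;
# monitoring counts pairs that were never seen, which is the anomaly signal.
from collections import defaultdict

WINDOW = 8  # lookahead window; the value is assumed for this example


class Profile:
    """Normal-behavior profile for one executable (identified by comm)."""

    def __init__(self, comm):
        self.comm = comm
        # pairs[distance][current_syscall] -> set of syscalls seen that many
        # positions earlier during training
        self.pairs = defaultdict(lambda: defaultdict(set))

    def train(self, trace):
        """Record every (earlier call, distance, current call) in the trace."""
        for i, call in enumerate(trace):
            for d in range(1, WINDOW + 1):
                if i - d >= 0:
                    self.pairs[d][call].add(trace[i - d])

    def anomalies(self, trace):
        """Count lookahead pairs in the trace that training never produced."""
        count = 0
        for i, call in enumerate(trace):
            for d in range(1, WINDOW + 1):
                if i - d >= 0 and trace[i - d] not in self.pairs[d][call]:
                    count += 1
        return count


def demo():
    """Train on one constructed trace, then score a clean and a deviating run."""
    # Constructed x86-64 syscall numbers: execve, brk, mmap, openat, read,
    # close, write x3, close, exit_group
    normal = [59, 12, 9, 257, 0, 3, 1, 1, 1, 3, 231]
    profile = Profile("example-binary")
    profile.train(normal)
    # Same run with an unexpected execve (59) where a write (1) used to be
    suspect = [59, 12, 9, 257, 0, 3, 59, 1, 1, 3, 231]
    return profile.anomalies(normal), profile.anomalies(suspect)
```

In a real deployment the traces would be fed from the eBPF system-call instrumentation rather than constructed lists, and a profile would only move from training to monitoring after enough normal behavior has been observed.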