Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF

Lars Wüstrich, Markus Schacherbauer, Markus Budeus, Dominik Freiherr Von Künßberg, Sebastian Gallenmüller, Marc Oliver Pahl, Georg Carle

Publication type: Contribution to book/report/conference proceedings › Conference paper › Peer-reviewed

2 citations (Scopus)

Abstract

Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes with applications, which is challenging. We therefore introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation, we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.
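To make the idea of a network profile concrete, the following is an added illustration and not the authors' implementation or data. It assumes a stream of connection events as an eBPF hook on the kernel's connect path would emit them, each already annotated with the application that a process-to-application matcher resolved the process to (the `app` field); the `FlowEvent` type, the `BASELINE` and `SUSPECT` records, port numbers, process names and the 50% novelty threshold are all constructed for the example. It builds a per-application set of (protocol, destination port) pairs, then scores a process that claims to be `nginx` via its task name but was resolved to an unknown binary and talks to ports the real `nginx` never used:

```python
"""Toy network-profile matcher (added illustration, not the paper's code).

Each FlowEvent stands for one outbound connection an eBPF hook would report.
The 'app' field is assumed to come from a process-to-application matcher;
'comm' is the kernel task name, which a process can set freely (and which the
kernel truncates to 15 characters, hence "systemd-resolve" below).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEvent:
    pid: int
    comm: str       # task name as reported by the kernel (attacker-controlled)
    app: str        # application the (assumed) matcher resolved the process to
    proto: str      # "tcp" or "udp"
    dst_port: int


# Constructed baseline: a web server and a DNS stub resolver behaving normally.
BASELINE = [
    FlowEvent(1001, "nginx", "nginx", "tcp", 443),
    FlowEvent(1001, "nginx", "nginx", "tcp", 80),
    FlowEvent(1001, "nginx", "nginx", "tcp", 8080),    # upstream backend
    FlowEvent(1002, "nginx", "nginx", "tcp", 443),
    FlowEvent(2001, "systemd-resolve", "systemd-resolved", "udp", 53),
    FlowEvent(2001, "systemd-resolve", "systemd-resolved", "tcp", 53),
]

# Constructed observation: a process whose comm says "nginx", but which the
# matcher resolved to an unprofiled binary, opening IRC-style and SMTP flows.
SUSPECT = [
    FlowEvent(3001, "nginx", "/tmp/.x/bot", "tcp", 6667),
    FlowEvent(3001, "nginx", "/tmp/.x/bot", "tcp", 6667),
    FlowEvent(3001, "nginx", "/tmp/.x/bot", "tcp", 25),
    FlowEvent(3001, "nginx", "/tmp/.x/bot", "tcp", 443),
]


def build_profiles(events):
    """Map each application to the set of (proto, dst_port) pairs it used."""
    profiles = defaultdict(set)
    for ev in events:
        profiles[ev.app].add((ev.proto, ev.dst_port))
    return dict(profiles)


def match_against(profile, events):
    """Return (distinct novel flows, share of events outside the profile)."""
    keys = [(ev.proto, ev.dst_port) for ev in events]
    novel = [k for k in keys if k not in profile]
    ratio = len(novel) / len(keys) if keys else 0.0
    return sorted(set(novel)), ratio


def check_process(profiles, events, threshold=0.5):
    """Score one process's events against the profile of the app it belongs to.

    If the matcher resolved the process to an application we have no profile
    for, fall back to the profile of the application it *claims* to be via
    comm: that is exactly the case of a masquerading process.
    """
    comm, app = events[0].comm, events[0].app
    if app in profiles:
        profile, basis = profiles[app], f"resolved to profiled app '{app}'"
    else:
        profile = profiles.get(comm, set())
        basis = f"resolved to unprofiled '{app}', compared against claimed '{comm}'"
    novel, ratio = match_against(profile, events)
    verdict = "anomalous" if ratio >= threshold else "consistent"
    return verdict, novel, ratio, basis


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for name, events in (("baseline nginx", [e for e in BASELINE if e.pid == 1001]),
                         ("suspect", SUSPECT)):
        verdict, novel, ratio, basis = check_process(profiles, events)
        print(f"{name}: {verdict} ({ratio:.0%} novel flows {novel}; {basis})")
```

The point the example makes is the one the abstract raises: the decision has to be keyed on what the process actually is, not on its self-reported name, and the profile itself can stay small (a set of protocol/port pairs, or richer features such as peers and byte rates in a real deployment) once that association is reliable.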

Original language: English
Title: eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions
Publisher: Association for Computing Machinery, Inc
Pages: 8-14
Number of pages: 7
ISBN (electronic): 9798400702938
DOIs
Publication status: Published - 10 Sept 2023
Event: 1st Workshop on eBPF and Kernel Extensions, eBPF 2023 - New York, United States
Duration: 10 Sept 2023 → …

Publication series

Name: eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions

Conference

Conference: 1st Workshop on eBPF and Kernel Extensions, eBPF 2023
Country/Territory: United States
City: New York
Period: 10/09/23 → …
