TY - GEN
T1 - Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF
AU - Wüstrich, Lars
AU - Schacherbauer, Markus
AU - Budeus, Markus
AU - Freiherr Von Künßberg, Dominik
AU - Gallenmüller, Sebastian
AU - Pahl, Marc Oliver
AU - Carle, Georg
N1 - Publisher Copyright:
© 2023 ACM.
PY - 2023/9/10
Y1 - 2023/9/10
N2 - Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.
AB - Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.
KW - application profiling
KW - extended Berkeley packet filter (eBPF)
UR - http://www.scopus.com/inward/record.url?scp=85172862369&partnerID=8YFLogxK
U2 - 10.1145/3609021.3609294
DO - 10.1145/3609021.3609294
M3 - Conference contribution
AN - SCOPUS:85172862369
T3 - eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions
SP - 8
EP - 14
BT - eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions
PB - Association for Computing Machinery, Inc
T2 - 1st Workshop on eBPF and Kernel Extensions, eBPF 2023
Y2 - 10 September 2023
ER -