Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF

Lars Wüstrich, Markus Schacherbauer, Markus Budeus, Dominik Freiherr Von Künßberg, Sebastian Gallenmüller, Marc Oliver Pahl, Georg Carle

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

2 Scopus citations

Abstract

Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.

Original languageEnglish
Title of host publicationeBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions
PublisherAssociation for Computing Machinery, Inc
Pages8-14
Number of pages7
ISBN (Electronic)9798400702938
DOIs
StatePublished - 10 Sep 2023
Event1st Workshop on eBPF and Kernel Extensions, eBPF 2023 - New York, United States
Duration: 10 Sep 2023 → …

Publication series

NameeBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions

Conference

Conference1st Workshop on eBPF and Kernel Extensions, eBPF 2023
Country/TerritoryUnited States
CityNew York
Period10/09/23 → …

Keywords

  • application profiling
  • extended berkeley packet filter (eBPF)

Fingerprint

Dive into the research topics of 'Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF'. Together they form a unique fingerprint.

Cite this