Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF

Lars Wüstrich; Markus Schacherbauer; Markus Budeus; Dominik Freiherr Von Künßberg; Sebastian Gallenmüller; Marc Oliver Pahl; Georg Carle

doi:10.1145/3609021.3609294

Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF

Lars Wüstrich
, Markus Schacherbauer
, Markus Budeus
, Dominik Freiherr Von Künßberg
, Sebastian Gallenmüller
, Marc Oliver Pahl
, Georg Carle

Informatics 8 - Chair of Network Architectures and Services

Technical University of Munich
Technopôle Brest-Iroise

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

5 Scopus citations

Abstract

Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.

Original language	English
Title of host publication	eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions
Publisher	Association for Computing Machinery, Inc
Pages	8-14
Number of pages	7
ISBN (Electronic)	9798400702938
DOIs	https://doi.org/10.1145/3609021.3609294
State	Published - 10 Sep 2023
Event	1st Workshop on eBPF and Kernel Extensions, eBPF 2023, co-located with SIGCOMM 2023 - New York, United States Duration: 10 Sep 2023 → 10 Sep 2023

Publication series

Name	eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions

Conference

Conference	1st Workshop on eBPF and Kernel Extensions, eBPF 2023, co-located with SIGCOMM 2023
Country/Territory	United States
City	New York
Period	10/09/23 → 10/09/23

Keywords

application profiling
extended berkeley packet filter (eBPF)

Access to Document

10.1145/3609021.3609294

Cite this

Wüstrich, L., Schacherbauer, M., Budeus, M., Freiherr Von Künßberg, D., Gallenmüller, S., Pahl, M. O., & Carle, G. (2023). Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF. In eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions (pp. 8-14). (eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions). Association for Computing Machinery, Inc. https://doi.org/10.1145/3609021.3609294

Wüstrich, Lars ; Schacherbauer, Markus ; Budeus, Markus et al. / Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF. eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions. Association for Computing Machinery, Inc, 2023. pp. 8-14 (eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions).

@inproceedings{907cebccadac4fdcae8f7b4629f383ee,

title = "Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF",

abstract = "Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.",

keywords = "application profiling, extended berkeley packet filter (eBPF)",

author = "Lars W{\"u}strich and Markus Schacherbauer and Markus Budeus and \{Freiherr Von K{\"u}n{\ss}berg\}, Dominik and Sebastian Gallenm{\"u}ller and Pahl, \{Marc Oliver\} and Georg Carle",

note = "Publisher Copyright: {\textcopyright} 2023 ACM.; 1st Workshop on eBPF and Kernel Extensions, eBPF 2023, co-located with SIGCOMM 2023 ; Conference date: 10-09-2023 Through 10-09-2023",

year = "2023",

month = sep,

day = "10",

doi = "10.1145/3609021.3609294",

language = "English",

series = "eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions",

publisher = "Association for Computing Machinery, Inc",

pages = "8--14",

booktitle = "eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions",

}

Wüstrich, L, Schacherbauer, M, Budeus, M, Freiherr Von Künßberg, D, Gallenmüller, S, Pahl, MO & Carle, G 2023, Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF. in eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions. eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions, Association for Computing Machinery, Inc, pp. 8-14, 1st Workshop on eBPF and Kernel Extensions, eBPF 2023, co-located with SIGCOMM 2023, New York, United States, 10/09/23. https://doi.org/10.1145/3609021.3609294

Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF. / Wüstrich, Lars; Schacherbauer, Markus; Budeus, Markus et al.
eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions. Association for Computing Machinery, Inc, 2023. p. 8-14 (eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF

AU - Wüstrich, Lars

AU - Schacherbauer, Markus

AU - Budeus, Markus

AU - Freiherr Von Künßberg, Dominik

AU - Gallenmüller, Sebastian

AU - Pahl, Marc Oliver

AU - Carle, Georg

PY - 2023/9/10

Y1 - 2023/9/10

N2 - Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.

AB - Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process.

KW - application profiling

KW - extended berkeley packet filter (eBPF)

UR - https://www.scopus.com/pages/publications/85172862369

U2 - 10.1145/3609021.3609294

DO - 10.1145/3609021.3609294

M3 - Conference contribution

AN - SCOPUS:85172862369

T3 - eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions

SP - 8

EP - 14

BT - eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions

PB - Association for Computing Machinery, Inc

T2 - 1st Workshop on eBPF and Kernel Extensions, eBPF 2023, co-located with SIGCOMM 2023

Y2 - 10 September 2023 through 10 September 2023

ER -

Wüstrich L, Schacherbauer M, Budeus M, Freiherr Von Künßberg D, Gallenmüller S, Pahl MO et al. Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF. In eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions. Association for Computing Machinery, Inc. 2023. p. 8-14. (eBPF 2023 - Proceedings of the ACM SIGCOMM 2023 Workshop on eBPF and Kernel Extensions). doi: 10.1145/3609021.3609294

Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this