Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF

Wüstrich, Lars; Schacherbauer, Markus; Budeus, Markus; Freiherr von Künßberg, Dominik; Gallenmüller, Sebastian; Pahl, Marc-Oliver; Carle, Georg

doi:10.1145/3609021.3609294

2023

Back
Back to start of result list
Permanent link for displayed object

Document type:: Konferenzbeitrag
Author(s):: Wüstrich, Lars; Schacherbauer, Markus; Budeus, Markus; Freiherr von Künßberg, Dominik; Gallenmüller, Sebastian; Pahl, Marc-Oliver; Carle, Georg
Title:: Network Profiles for Detecting Application-Characteristic Behavior Using Linux eBPF
Abstract:: Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF allows us to efficiently collect the relevant data to build application profiles, addressing issues of other data collection approaches. We further evaluate our work by using a network profile to identify emulated botnet activity masqueraded as a benign process. «
Applications often show unique communication behavior. Knowledge about this behavior is beneficial in various use cases, such as anomaly or dependency detection. In this paper, we present network profiles that characterize typical application behavior. This requires a reliable and accurate association of processes and applications, which is challenging. We, therefore, introduce an eBPF-based matcher for this task that enables the creation of network profiles. In our evaluation we show that eBPF... »
Keywords:: application profiling, extended berkeley packet filter (eBPF)
Book / Congress title:: Proceedings of the 1st Workshop on eBPF and Kernel Extensions
Publisher:: Association for Computing Machinery
Publisher address:: New York, NY, USA
Year:: 2023
Month:: September
Pages:: 8–14
Print-ISBN:: 9798400702938
Bookseries title:: eBPF ’23
Fulltext / DOI:: doi:10.1145/3609021.3609294
WWW:: https://doi.org/10.1145/3609021.3609294
BibTeX

Occurrences:

mediaTUM Gesamtbestand Einrichtungen Schools TUM School of Computation, Information and Technology Departments Computer Engineering Informatik 8 - Lehrstuhl für Netzarchitekturen und Netzdienste (Prof. Carle)2023

mediaTUM Gesamtbestand Hochschulbibliographie 2023 Schools und Fakultäten TUM School of Computation, Information and Technology Informatik 8 - Lehrstuhl für Netzarchitekturen und Netzdienste (Prof. Carle)