Seminar - Niranjan B

Uploaded by navyaprasada2002

15 Dec 2022

Design & Implementation of an Intrusion Detection System by using eBPF in the Linux Kernel

Niranjan B (TKM19CS045)
Dept of Computer Science, TKM College of Engineering

1
TABLE OF CONTENTS

1. Introduction
2. Motivation
3. Objectives
4. Architecture
5. Methodology
6. Experimental Results
7. Performance Evaluation
8. Conclusion
9. Reference
2
Introduction
IDS - monitors network for malicious activity or policy violations

3
Key Terms
DPDK - Data Plane Development Kit.

1. Polling mode - More CPU Usage

4
Key Terms
XDP - Express Data Path

1. Closer to the network layer
2. Saves development time
3. High performance
4. Interrupt based

5
Motivation

Demand for a robust IDS over low throughput conventional IDS

Saving development time using XDP and eBPF

Utilize the advantage of both kernel and user space

6
Objectives

To develop a system to detect and eliminate malicious packets.

Apply Aho-Corasick Algorithm for faster pattern search.

To implement eBPF based data structures for packet filtering

7
Architecture

8
METHODOLOGY

1. Aho Corasick
2. Snort
3. Proposed Framework

9
METHODOLOGY 1
Aho Corasick

10
Objective

Locate occurrences of a finite number of keywords in a string of text.

Boyer Moore vs Aho Corasick

                 Boyer Moore             Aho Corasick
Patterns         Single pattern match    Multiple patterns, scanning the text only once
Complexity       O(Z * N + M)            O(N + M + Z)

N - length of text
M - length of pattern
Z - number of patterns
11
2 Phases

● Build a state machine from the search patterns
● Use the state machine to process the text string in a single pass

Aho Corasick Automaton

● Building a prefix tree (trie)
● Adding fail links
● State machine -> DFA

Pattern Matching

● Using the state machine, each character of the text is processed once.
12
Aho Corasick
Automaton

Patterns

● his
● hers
● she

13
Algorithm
Input: List of all patterns P
Output: A trie T

Build Trie

procedure BUILDTRIE( P )
    T.root ← newNode
    for each p in P do
        ADDWORDTOTRIE( p )

procedure ADDWORDTOTRIE( p )
    currentNode ← T.root
    for each character c in p do
        if currentNode.next[ c ] = NULL then
            currentNode.next[ c ] ← newNode
        currentNode ← currentNode.next[ c ]
    currentNode.output ← currentNode.output ∪ { p }      // record that pattern p ends at this node

14
Add fail links

15
Algorithm
Input: The trie T
Output: The state machine M with fail links

Add fail links

procedure AddFailLinks(T)
    T.root.fail ← T.root
    queue ← empty                         // FIFO: nodes are visited breadth-first, so every fail target (which is shallower) is finished first
    for each child in T.root.children do
        child.fail ← T.root
        queue.push(child)
    while queue ≠ empty do
        node ← queue.pop()
        FindFailLinkForNode(T, node)
        node.output ← node.output ∪ node.fail.output   // the fail node's string is a suffix of node's string, so its patterns match here too (e.g. "she" also reports "he")
        for each child in node.children do
            queue.push(child)

16
Algorithm
Input: The trie T
Output: The state machine M with fail links

Add fail links

procedure FindFailLinkForNode(T, node)
    node.fail ← NULL
    currentNode ← node.parent.fail
    c ← the character such that node.parent.next[c] = node
    while currentNode ≠ T.root do
        if currentNode.next[c] ≠ NULL then
            node.fail ← currentNode.next[c]     // longest proper suffix of node's string that is a trie prefix
            break
        currentNode ← currentNode.fail
    if node.fail = NULL then
        if T.root.next[c] ≠ NULL and T.root.next[c] ≠ node then
            node.fail ← T.root.next[c]          // suffix of length one (e.g. "sh" fails to "h")
        else
            node.fail ← T.root

17
Algorithm
Input: state machine M
Output: state machine M with all transitions determined

Compute DFA

procedure ComputeDFA(M)
    queue ← empty
    queue.push(M.root)
    while queue ≠ empty do
        node ← queue.pop()
        for each c ∈ [0, 255] do
            if node.next[c] = NULL then
                ComputeNextMove(M, node, c)
        for each child of node do            // trie children only, not the transitions just added
            queue.push(child)

18
Algorithm
Input: state machine M
Output: state machine M with all transitions determined

Compute DFA

procedure ComputeNextMove(M, node, c)
    currentNode ← node.fail
    while currentNode ≠ M.root do
        if currentNode.next[c] ≠ NULL then
            node.next[c] ← currentNode.next[c]
            break
        currentNode ← currentNode.fail
    if currentNode = M.root then
        if currentNode.next[c] ≠ NULL then
            node.next[c] ← currentNode.next[c]
        else
            node.next[c] ← M.root
19
Compute DFA

State   Transitions                      Matches
0       h→1  s→7  .→0
1       e→2  i→5  h→1  s→7  .→0
2       r→3  h→1  s→7  .→0              he
3       s→4  h→1  .→0
4       h→8  s→7  .→0                   hers
5       s→6  h→1  .→0
6       h→8  s→7  .→0                   his
7       h→8  s→7  .→0
8       e→9  i→5  h→1  s→7  .→0
9       r→3  h→1  s→7  .→0              she, he

(. denotes any other character)
20
Algorithm
Input: state machine M, the input string
Output: Patterns matched in the string.

Match patterns

procedure MatchPatterns(M, str)
    state ← M.root
    for each character c in str do
        state ← state.next[c]
        for each pattern matched in state do     // report after the move, so a pattern ending on the last character is not lost
            Output pattern

21
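The four algorithm slides above (build trie, add fail links, compute DFA, match patterns) carried through end to end in Python, as an added example that is not code from the deck or from the referenced paper. The names State, build_automaton, match and transition_table are this example's own. The deck's pattern list reads his, hers, she, but its state table also reports "he", so the constructed test set is the classic four patterns {he, she, his, hers}; transition_table numbers states in depth-first order, which reproduces the numbering of the state table slide (state 8 = "sh", state 9 = "she").

```python
from collections import deque


class State:
    """One trie node / automaton state (example code, not the deck's)."""

    def __init__(self, parent=None, byte=None):
        self.children = {}   # trie edges only: byte -> State
        self.goto = {}       # complete transition table after compute_dfa: byte -> State
        self.fail = None
        self.parent = parent
        self.byte = byte     # byte on the edge leading from parent to this state
        self.output = []     # patterns reported whenever this state is reached


def build_trie(patterns):
    root = State()
    for p in patterns:
        node = root
        for b in p.encode():
            if b not in node.children:
                node.children[b] = State(node, b)
            node = node.children[b]
        node.output.append(p)        # pattern p ends at this node
    return root


def find_fail_link(root, node):
    # fail(node) = longest proper suffix of node's string that is also a trie prefix.
    current = node.parent.fail
    while True:
        candidate = current.children.get(node.byte)
        if candidate is not None and candidate is not node:
            node.fail = candidate
            return
        if current is root:          # no shorter suffix exists: fall back to the root
            node.fail = root
            return
        current = current.fail


def add_fail_links(root):
    root.fail = root
    queue = deque(root.children.values())   # breadth-first: fail targets are shallower, so done first
    while queue:
        node = queue.popleft()
        find_fail_link(root, node)
        node.output = node.output + node.fail.output   # "she" must also report "he"
        queue.extend(node.children.values())


def compute_dfa(root):
    # Fill every state's 256-entry transition table so matching never follows fail links.
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for b in range(256):
            if b in node.children:
                node.goto[b] = node.children[b]
            elif node is root:
                node.goto[b] = root
            else:
                node.goto[b] = node.fail.goto[b]   # fail state is shallower, so its table is complete
        queue.extend(node.children.values())      # trie children only, not the added transitions


def build_automaton(patterns):
    root = build_trie(patterns)
    add_fail_links(root)
    compute_dfa(root)
    return root


def match(root, data):
    """Single pass over the bytes; returns (offset, pattern) for every occurrence."""
    state = root
    found = []
    for i, b in enumerate(data):
        state = state.goto[b]        # move first, then report, so a match on the last byte is kept
        for p in state.output:
            found.append((i - len(p) + 1, p))
    return found


def transition_table(root):
    """Number states depth-first (the deck's numbering) and list each state's
    non-root transitions and outputs, for comparison with the state table slide."""
    ids = {}

    def number(node):
        ids[node] = len(ids)
        for child in node.children.values():
            number(child)

    number(root)
    return {sid: ({chr(b): ids[t] for b, t in node.goto.items() if t is not root},
                  list(node.output))
            for node, sid in ids.items()}


if __name__ == "__main__":
    automaton = build_automaton(["he", "hers", "his", "she"])   # constructed test set
    for sid, (moves, outs) in transition_table(automaton).items():
        print(sid, moves, outs)
    print(match(automaton, b"ushers"))   # [(1, 'she'), (2, 'he'), (2, 'hers')]
```

The fail-link search checks the root's children as well (the deck's loop stops at the root), which is what makes "sh" fail to "h" and gives state 8 the i→5 transition shown on the slide; compute_dfa collapses the deck's fail-chain walk to a single lookup because breadth-first order guarantees the fail state's table is already complete.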
METHODOLOGY 2
SNORT

22
Snort

Open Source IDS

Architecture

23
Snort

Modes

Operation modes: Inline, Inline Test, Passive

Modes: Sniffer, Network IDS, Packet Logger

24
Snort
Rule Format

Packet dropped if rule is passed

25
Snort
Rule Format

Packet dropped if rule didn't pass

Rule set       Community (Default)   Registered   Emerging Threats
Total          3917                  50,979       27,982
Uncommented    1087                  12,630       18,493
Commented      2830                  38,349       9,489

26
Snort Options

All options must evaluate to true - logical AND

Actions     Alert, Log, Pass
Protocol    tcp, udp, icmp, ip
Content     Indicates the exact pattern to be matched
Message     Message to be logged when the rule is matched
Urilen      Length of the Uniform Resource Identifier
IsDataAt    Data at a location

27
Snort Detection Engine

FPM - Fast Pattern Matching

    alert tcp any any -> any any (content: "he"; content: "she";)
    alert tcp any any -> any any (content: "where"; content: "which";)
    alert tcp any any -> any any (content: "his"; fast_pattern; content: "which";)

Rule Tree Matching Engine

● To match all patterns in the rule

28
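The two-stage detection the slides describe (fast pattern match first, full rule-tree match only for rules whose fast pattern hit) shown on the three rules above, as an added example that is not Snort's code or the deck's. It assumes Snort's documented default that the longest content is the fast pattern unless a content carries the fast_pattern modifier; the parser handles only the content and fast_pattern options, and a plain substring scan stands in for the Aho-Corasick pass over all fast patterns. The function names parse_rule, select_fast_pattern, prefilter and evaluate are this example's own.

```python
import re

# Matches one content option and, optionally, a fast_pattern modifier directly after it.
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"\s*;(\s*fast_pattern\s*;)?')


def parse_rule(text):
    """Extract the content patterns of a Snort rule and note an explicit fast_pattern
    modifier. Only content/fast_pattern are parsed (example code, not Snort's parser)."""
    contents, explicit = [], None
    for m in CONTENT_RE.finditer(text):
        pattern = m.group(1).encode()
        contents.append(pattern)
        if m.group(2):
            explicit = pattern
    return {"rule": text, "contents": contents, "fast_pattern": explicit}


def select_fast_pattern(rule):
    """Explicit fast_pattern wins; otherwise the longest content (Snort's default).
    Ties keep the first content; Snort's own tie-breaking is not modelled here."""
    if rule["fast_pattern"] is not None:
        return rule["fast_pattern"]
    return max(rule["contents"], key=len)


def prefilter(rules, payload):
    """Stage 1 (the eBPF program's role): keep only rules whose fast pattern occurs.
    Everything else is dropped without ever reaching the full matcher."""
    return [r for r in rules if select_fast_pattern(r) in payload]


def full_match(rule, payload):
    """Stage 2 (the user-space rule tree's role): every content must match (logical AND)."""
    return all(c in payload for c in rule["contents"])


def evaluate(rules, payload):
    """Returns (number of rules that survived the prefilter, rules that fully matched)."""
    candidates = prefilter(rules, payload)
    alerts = [r["rule"] for r in candidates if full_match(r, payload)]
    return len(candidates), alerts


# The three rules from the slide (constructed rule set for the example).
RULES = [parse_rule(line) for line in [
    'alert tcp any any -> any any (content: "he"; content: "she";)',
    'alert tcp any any -> any any (content: "where"; content: "which";)',
    'alert tcp any any -> any any (content: "his"; fast_pattern; content: "which";)',
]]

if __name__ == "__main__":
    for r in RULES:
        print(select_fast_pattern(r), "<-", r["rule"])
    for payload in (b"ushers", b"which way", b"this is where"):
        print(payload, evaluate(RULES, payload))
```

The payload "which way" never reaches stage 2 even though it contains "which": the rule's fast pattern is "where", and since all contents are ANDed, a packet without the fast pattern cannot match the rule, so the early drop is safe. "this is where" shows the opposite case, where two fast patterns hit but the full match rejects both rules.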
Snort
Rule Tree

29
METHODOLOGY 3
Proposed Architecture

30
Architecture

31
eBPF Program
Flowchart

32
get_start_state()
Flowchart

33
ac_match()
Flowchart

34
eBPF Challenges

No loops, to prevent backward jumps:

    for (pos = 0; pos < pkt.len; ++pos) {
        // loop through each byte
    }

Bounded loops can be used instead:

    for (pos = 0; pos < MAX_SCAN_LEN; ++pos) {
        if (pos >= pkt.len)
            break;
        // loop through each byte
    }

35
eBPF Challenges

eBPF programs have only maps and the stack, and cannot dynamically allocate memory from a heap.

To overcome this restriction, instead of using a heap, place the dynamic data in eBPF maps.

36
eBPF Challenges

Copying data from kernel space to user space takes time.

Copy the packet only once, on the first match.

37
CAIDA Traffic Dataset -Generate Real Life Traffic

Experimental
Results

38
Parameters

ATTR - Alert Triggering Traffic Ratio (1%)
MPL - Maximum Packet Length (1520)
NR - Number of Rules (6000)

39
Algorithm
Input: ATTR, NR, MPL
Output: Maximum Throughput of IDS

Measure Throughput

procedure Measure(attr, nr, mpl)
    lower ← 0.0
    upper ← 10000.0
    while True do
        speed ← (lower + upper) / 2.0
        loss ← getLoss(speed, attr, nr, mpl)
        if loss ≤ 0.0 and upper − lower < 100 then
            break
        if loss ≤ 0.0 then
            lower ← speed
        else
            upper ← speed
    return speed
40
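The Measure procedure above as runnable Python, added here as an example rather than the deck's or the paper's measurement code. getLoss is a measurement against a real traffic generator, so the example substitutes a constructed loss model (synthetic_loss, with a made-up capacity) that accepts the same attr, nr, mpl arguments; the iteration cap and the resolution parameter are additions to the slide's procedure.

```python
def measure(get_loss, attr, nr, mpl, lower=0.0, upper=10000.0,
            resolution=100.0, max_iter=64):
    """Bisect for the highest offered rate at which the IDS drops nothing (the slide's
    Measure procedure). Stops once a lossless rate is found with the bracket narrower
    than `resolution`. The iteration cap is an addition: it guards against a get_loss
    that never reports zero loss anywhere in the bracket."""
    for _ in range(max_iter):
        speed = (lower + upper) / 2.0
        loss = get_loss(speed, attr, nr, mpl)
        if loss <= 0.0 and upper - lower < resolution:
            return speed
        if loss <= 0.0:
            lower = speed        # lossless: the maximum lies at or above this rate
        else:
            upper = speed        # loss seen: the maximum lies below this rate
    return lower                 # best lossless rate found within the iteration budget


SYNTHETIC_CAPACITY = 3000.0      # constructed stand-in, in the same units as speed


def synthetic_loss(speed, attr, nr, mpl):
    """Constructed loss model (not a measurement): the IDS keeps up until a capacity
    that shrinks with the alert-triggering ratio, then drops the excess. nr and mpl
    are accepted only so the signature matches getLoss on the slide."""
    capacity = SYNTHETIC_CAPACITY * (1.0 - attr)
    if speed <= 0.0:
        return 0.0
    return max(0.0, (speed - capacity) / speed)


if __name__ == "__main__":
    # Slide parameters: ATTR 1%, NR 6000, MPL 1520.
    print(measure(synthetic_loss, 0.01, 6000, 1520))
```

With the slide's bracket of 0 to 10000 and a 100-unit resolution the search needs about a dozen getLoss calls, each of which in the real setup is a full traffic run; the returned rate is always on the lossless side, within one resolution step of the true maximum.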
Performance Evaluation

CPU usage = system + user + softirq

● system usage: percentage of time spent in the kernel context
● user usage: percentage of time spent in the user context
● softirq usage: percentage of time spent in the softirq context

Packet Loss Rate

● percentage of packets that were dropped due to processing backlog when the IDS cannot keep up with the generated traffic load

Maximum Throughput

41
Performance
Evaluation
Snort

42
Performance
Evaluation
Proposed
Method

43
Conclusion

High-performance IDS working in the kernel and user layers

eBPF program: pre-checks and pre-drops a large portion of packets at an early stage - Fast Pattern Match

User program: Rule Tree Matching

44
References

1. Shie-Yuan Wang, Jen-Chieh Chang. Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel. Journal of Network and Computer Applications, Volume 198, 2022, 103283, ISSN 1084-8045. https://doi.org/10.1016/j.jnca.2021.103283

2. Aho, A.V., Corasick, M.J., 1975. Efficient string matching: An aid to bibliographic search. Commun. ACM 18 (6), 333–340. https://doi.org/10.1145/360825.360855

3. Marcos A. M. Vieira, Matheus S. Castanho, Racyus D. G. Pacífico, Elerson R. S. Santos, Eduardo P. M. Câmara Júnior, and Luiz F. M. Vieira. 2020. Fast Packet Processing with eBPF and XDP: Concepts, Code, Challenges, and Applications. ACM Comput. Surv. 53, 1, Article 16 (January 2021), 36 pages. https://doi.org/10.1145/3371038

45
Open for Q&A

Thank you for listening!

46
