A Cross-layer Approach to Intrusion Detection Integrating eBPF and Machine Learning
Abstract
The growing sophistication of multi-vector attacks challenges computer security and makes efficient correlation between network and system events on the same host a critical problem. This paper presents CrossLayerGuardian, a hybrid intrusion detection system (IDS) whose architecture is built on eBPF for efficient collection and cross-layer correlation. Unlike hybrid approaches that merely combine data sources, our cross-layer approach focuses on active, temporally aware correlation between network and system events in order to identify complex attacks within a single host. The solution integrates high-performance network processing (XDP) with fine-grained syscall monitoring, synchronized by kernel timestamps to guarantee causal ordering. Correlated events are analyzed by an adaptive machine-learning ensemble, with in-kernel pre-filtering to reduce overhead. The experimental evaluation showed a throughput of 850 Mbps with CPU overhead below 8%, comparable to state-of-the-art eBPF-based systems. CrossLayerGuardian achieved detection rates above 95% for network and multi-vector attacks, with false positives below 1.2%. The results confirm that the proposed architecture offers an efficient solution for cross-domain correlation on a single host, balancing performance and accuracy.
Keywords:
eBPF, IDS, Cross-layer, XDP, Machine Learning
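The abstract above describes the core mechanism: packet events from XDP and syscall events from tracepoints are stamped with the kernel clock, merged into one causally ordered stream, joined inside a time window, and the joined record is what the ML ensemble scores. The following Python is an added example, not the paper's code or the CrossLayerGuardian implementation: it shows the user-space side of that pipeline on a constructed pair of ring-buffer drains. The event field names, the 2-second window, the port-based join key and the fixed rule standing in for the ensemble are all assumptions of the example.

```python
"""Added example (not the paper's code): a user-space cross-layer correlator
that joins XDP packet events with syscall events by kernel timestamp.

Assumptions: event field names, the 2 s window and the rule-based scorer
are illustrative; the paper does not specify them."""
import heapq
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

WINDOW_NS = 2_000_000_000  # assumed 2 s correlation window
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}


@dataclass(order=True)
class Event:
    ts_ns: int     # bpf_ktime_get_ns() value stamped by the eBPF program
    seq: int       # per-buffer sequence number, breaks timestamp ties
    layer: str = field(compare=False)   # "net" (XDP) or "sys" (tracepoint)
    attrs: dict = field(compare=False, default_factory=dict)


def merge_streams(*buffers: List[Event]) -> List[Event]:
    """Merge events drained from several ring buffers into one stream ordered
    by kernel timestamp. The XDP and syscall buffers are polled independently
    and per-CPU buffers are not globally ordered, so each buffer is sorted and
    then k-way merged; this is what gives the join below a causal order."""
    return list(heapq.merge(*(sorted(b) for b in buffers)))


def correlate(events: List[Event], window_ns: int = WINDOW_NS) -> List[Dict]:
    """Sliding-window join over the merged stream.

    XDP runs before the socket lookup, so packet events carry a 4-tuple but no
    PID. The join key is therefore the local port: an accept() on port P is
    linked to the packets destined to P in the preceding window, and the
    accepting PID's later syscalls inside the window are attached to the same
    record. (Children created by fork/clone are not followed here.) Each
    record is the cross-layer feature vector handed to the classifier."""
    net_by_port = defaultdict(list)  # local port -> packets still in window
    open_records = {}                # pid -> record whose window is still open
    records = []
    for ev in events:
        if ev.layer == "net":
            port = ev.attrs["dport"]
            # expire packets older than the window, then add this one
            net_by_port[port] = [p for p in net_by_port[port]
                                 if ev.ts_ns - p.ts_ns <= window_ns] + [ev]
            continue
        pid, name = ev.attrs["pid"], ev.attrs["syscall"]
        if name == "accept":
            port = ev.attrs["lport"]
            pkts = [p for p in net_by_port[port] if ev.ts_ns - p.ts_ns <= window_ns]
            rec = {
                "pid": pid, "comm": ev.attrs["comm"], "lport": port,
                "remote": sorted({p.attrs["saddr"] for p in pkts}),
                "pkts_before_accept": len(pkts),
                "syn_before_accept": sum(1 for p in pkts if p.attrs.get("syn")),
                "accept_ts": ev.ts_ns,
                "syscalls_after": [], "exec_after": [],
            }
            open_records[pid] = rec
            records.append(rec)
        elif pid in open_records:
            rec = open_records[pid]
            if ev.ts_ns - rec["accept_ts"] > window_ns:
                del open_records[pid]  # window closed; later events are unrelated
                continue
            rec["syscalls_after"].append(name)
            if name == "execve":
                rec["exec_after"].append(ev.attrs["filename"])
    return records


def score(rec: Dict) -> bool:
    """Stand-in for the paper's ML ensemble (a fixed rule, not a trained
    model): a network service that execs a shell inside the window after
    accepting a connection is the classic multi-vector RCE pattern that
    neither layer alone reveals."""
    return any(f in SHELLS for f in rec["exec_after"])


# Constructed sample: what the two ring buffers might deliver. The XDP buffer
# is deliberately out of order (seq 2 arrived late from another CPU).
SAMPLE_NET = [
    Event(1_000_000_000, 0, "net", {"saddr": "203.0.113.7", "dport": 8080, "syn": True}),
    Event(1_300_000_000, 1, "net", {"saddr": "203.0.113.7", "dport": 8080, "syn": False}),
    Event(1_100_000_000, 2, "net", {"saddr": "203.0.113.7", "dport": 8080, "syn": False}),
    Event(5_000_000_000, 3, "net", {"saddr": "198.51.100.2", "dport": 22, "syn": True}),
]
SAMPLE_SYS = [
    Event(1_400_000_000, 0, "sys", {"pid": 4242, "comm": "webapp", "syscall": "accept", "lport": 8080}),
    Event(1_800_000_000, 1, "sys", {"pid": 4242, "comm": "webapp", "syscall": "openat", "filename": "/etc/passwd"}),
    Event(2_500_000_000, 2, "sys", {"pid": 4242, "comm": "webapp", "syscall": "execve", "filename": "/bin/sh"}),
    Event(5_002_000_000, 3, "sys", {"pid": 777, "comm": "sshd", "syscall": "accept", "lport": 22}),
    Event(5_100_000_000, 4, "sys", {"pid": 777, "comm": "sshd", "syscall": "openat", "filename": "/etc/ssh/sshd_config"}),
    # same PID, but 7.6 s after its accept: outside the window, must not attach
    Event(9_000_000_000, 5, "sys", {"pid": 4242, "comm": "webapp", "syscall": "execve", "filename": "/bin/sh"}),
]


def run_sample() -> List[Dict]:
    records = correlate(merge_streams(SAMPLE_NET, SAMPLE_SYS))
    for rec in records:
        rec["alert"] = score(rec)
    return records


if __name__ == "__main__":
    for rec in run_sample():
        print(rec)
```

Two points a practitioner should note. Sorting each buffer before the k-way merge is what makes the join correct when the XDP and syscall buffers are polled separately, since perf and ring buffers are not globally ordered across CPUs; without it the execve could be processed before the accept it follows. And because XDP sees packets before any socket lookup, correlation with a process has to go through a key both layers share, here the local port of the accept(), which is why the join is keyed that way rather than by PID.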
Published
19/05/2025
How to Cite
ARIOZA, Daniel; NOBRE, Jeferson Campos; GRANVILLE, Lisandro Zambenedetti. Abordagem Cross-layer para Detecção de Intrusão Integrando eBPF e Machine Learning. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 43., 2025, Natal/RN. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 29-42. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2025.5776.
