SAPO-BOI: Jumping over the Network Stack in the Development of a BPF/XDP-Based NIDS
Abstract
Network intrusion detection systems (NIDS) inspect different regions of a packet to detect the patterns of known attacks. The advent of XDP made it possible to implement a NIDS inside the Linux kernel's receive path, before a packet reaches the network stack. This work proposes SAPO-BOI, a NIDS composed of two modules: Suspicion (an XDP program that processes packets in parallel, discards those that are not suspicious and redirects the suspicious ones to user space for a decision) and Evaluation (a user-space process that locates, in constant time, the rule that analyses the suspicious packet and generates alerts). Using a modified subset of Snort rules, SAPO-BOI was compared against traditional and kernel-level NIDS and outperformed the state of the art.
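The two-stage split described above, as an added example that is not the authors' code: a user-space C model of the Suspicion and Evaluation modules. The suspicion stage is written the way an XDP program would be (bounds-checked header parsing against data/data_end, then a single map lookup, then a drop-or-redirect verdict); the evaluation stage finds the candidate rule by direct indexing on (protocol, destination port), i.e. in constant time, and only then runs the content match that produces the alert. The rule set and its SIDs, the packet builder, the bitmap standing in for a BPF map and the one-rule-per-port table are constructed assumptions for the example; nothing here loads into the kernel, and the verdict names stand in for XDP_DROP and XDP_REDIRECT.

```c
/* Two-stage classifier modelled on the SAPO-BOI split (added example, plain
 * user-space C). Stage 1 mirrors the shape of an XDP program; stage 2 models
 * the user-space evaluator. Rules, SIDs and packets are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP  0x0800
#define PROTO_TCP 6
#define PROTO_UDP 17

enum verdict { VERDICT_DROP, VERDICT_REDIRECT };      /* stands in for XDP_DROP / XDP_REDIRECT */
enum outcome { OUT_DROPPED, OUT_CLEARED, OUT_ALERT }; /* end-to-end result of both stages */

/* Constructed rules in the spirit of Snort's (proto, dport, content) triples; SIDs are made up. */
struct rule { const char *sid; uint8_t proto; uint16_t dport; const char *content; const char *msg; };
static const struct rule RULES[] = {
    { "1000001", PROTO_TCP, 80, "/etc/passwd",                 "WEB-ATTACK passwd access" },
    { "1000002", PROTO_UDP, 53, "\x07" "version" "\x04" "bind", "DNS version.bind query" },
};

/* Installed by the loader before attaching: a bitmap the suspicion stage consults
 * (stands in for a BPF map) and a direct-indexed table the evaluation stage reads.
 * Index 0 = TCP, 1 = UDP. One rule per (proto, dport) is a simplification of this
 * model; a real rule set would hang a bucket of rules off each slot. */
static uint8_t suspect_map[2][65536 / 8];
static const struct rule *rule_tab[2][65536];
static int loaded;

static void load_rules(void) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        int t = RULES[i].proto == PROTO_TCP ? 0 : 1;
        suspect_map[t][RULES[i].dport >> 3] |= (uint8_t)(1u << (RULES[i].dport & 7));
        rule_tab[t][RULES[i].dport] = &RULES[i];
    }
    loaded = 1;
}

struct pkt { int t; uint16_t dport; const uint8_t *payload; size_t payload_len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Header walk written the way the XDP verifier demands it: every read is preceded
 * by a check against data_end. Returns -1 for anything that is not IPv4 TCP/UDP. */
static int parse_packet(const uint8_t *data, const uint8_t *data_end, struct pkt *p) {
    if (data + 14 > data_end || rd16(data + 12) != ETH_P_IP) return -1;
    const uint8_t *ip = data + 14;
    if (ip + 20 > data_end) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ip + ihl > data_end) return -1;
    const uint8_t *l4 = ip + ihl;
    size_t l4len;
    if (ip[9] == PROTO_TCP) {
        if (l4 + 20 > data_end) return -1;
        l4len = (size_t)(l4[12] >> 4) * 4;            /* TCP data offset, in 32-bit words */
        if (l4len < 20) return -1;
        p->t = 0;
    } else if (ip[9] == PROTO_UDP) {
        l4len = 8;
        p->t = 1;
    } else return -1;
    if (l4 + l4len > data_end) return -1;
    p->dport = rd16(l4 + 2);
    p->payload = l4 + l4len;
    p->payload_len = (size_t)(data_end - p->payload);
    return 0;
}

/* Stage 1 (XDP side): cheap header checks plus one map lookup. Everything that
 * cannot match any rule is dropped here. */
static enum verdict suspicion(const uint8_t *data, const uint8_t *data_end) {
    struct pkt p;
    if (parse_packet(data, data_end, &p) < 0) return VERDICT_DROP;
    return (suspect_map[p.t][p.dport >> 3] >> (p.dport & 7)) & 1 ? VERDICT_REDIRECT : VERDICT_DROP;
}

static int contains(const uint8_t *h, size_t hl, const char *n) {
    size_t nl = strlen(n);
    for (size_t i = 0; nl <= hl && i + nl <= hl; i++)
        if (memcmp(h + i, n, nl) == 0) return 1;
    return 0;
}

/* Stage 2 (user-space side): the rule is found by direct indexing, i.e. in
 * constant time; only the content match is linear in the payload. */
static const struct rule *evaluation(const uint8_t *data, size_t len) {
    struct pkt p;
    if (parse_packet(data, data + len, &p) < 0) return NULL;
    const struct rule *r = rule_tab[p.t][p.dport];
    return (r && contains(p.payload, p.payload_len, r->content)) ? r : NULL;
}

/* Builds a constructed Ethernet/IPv4/{TCP,UDP} frame around `payload`; returns its length. */
static size_t build_packet(uint8_t *buf, uint8_t proto, uint16_t dport, const char *payload) {
    size_t plen = strlen(payload), l4len = proto == PROTO_TCP ? 20 : 8;
    memset(buf, 0, 14 + 20 + l4len);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[8] = 64; ip[9] = proto;           /* v4, IHL 5, TTL 64, protocol */
    uint16_t tot = (uint16_t)(20 + l4len + plen);
    ip[2] = (uint8_t)(tot >> 8); ip[3] = (uint8_t)tot;
    uint8_t *l4 = ip + 20;
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    if (proto == PROTO_TCP) l4[12] = 5 << 4;           /* data offset 5 words */
    else { l4[4] = (uint8_t)((8 + plen) >> 8); l4[5] = (uint8_t)(8 + plen); }
    memcpy(l4 + l4len, payload, plen);
    return 14 + 20 + l4len + plen;
}

/* Both stages over a constructed packet, optionally truncated to `keep` bytes
 * (0 = whole frame) to exercise the bounds checks. */
int classify_truncated(uint8_t proto, uint16_t dport, const char *payload, size_t keep) {
    uint8_t buf[512];
    if (!loaded) load_rules();
    size_t n = build_packet(buf, proto, dport, payload);
    if (keep && keep < n) n = keep;
    if (suspicion(buf, buf + n) == VERDICT_DROP) return OUT_DROPPED;
    return evaluation(buf, n) ? OUT_ALERT : OUT_CLEARED;
}
int classify(uint8_t proto, uint16_t dport, const char *payload) { return classify_truncated(proto, dport, payload, 0); }

/* SID of the rule that fired, or "" when the packet was dropped or cleared. */
const char *alert_sid(uint8_t proto, uint16_t dport, const char *payload) {
    uint8_t buf[512];
    if (!loaded) load_rules();
    size_t n = build_packet(buf, proto, dport, payload);
    const struct rule *r = suspicion(buf, buf + n) == VERDICT_REDIRECT ? evaluation(buf, n) : NULL;
    return r ? r->sid : "";
}

int main(void) {
    const char *req = "GET /etc/passwd HTTP/1.0\r\n";
    printf("outcome=%d sid=%s\n", classify(PROTO_TCP, 80, req), alert_sid(PROTO_TCP, 80, req));
    return 0;
}
```

Dropping everything the Suspicion stage cannot match is only safe because a NIDS sees a copy of the traffic (a mirror port or a dedicated capture interface); the same verdict in an inline IPS would cut connections. Truncated or non-IPv4 frames fall out at the parsing step rather than reaching the evaluator, which is the behaviour the XDP verifier forces on the kernel side anyway.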