SAPO-BOI: Jumping the Network Stack in the Development of a BPF/XDP-Based NIDS
Abstract
Network Intrusion Detection Systems (NIDS) inspect different regions of a packet to detect known attack patterns. The advent of XDP has made it possible to implement a NIDS inside the Linux kernel network stack itself. In this work we propose SAPO-BOI, a NIDS composed of two modules: the Suspicion module, an XDP program that processes packets in parallel, discarding non-suspicious ones and redirecting suspicious packets to user space for a decision, and the Evaluation module, a user-space process that locates, in constant time, the rule that applies to the suspicious packet and generates alerts. Using a modified subset of Snort rules, SAPO-BOI was compared with traditional and kernel-level NIDS, outperforming the state of the art.
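The two-stage split described in the abstract can be shown end to end in a small model. The following is an added example, not the paper's code: it reproduces the Suspicion stage as host-compilable C rather than real BPF C (no libbpf or kernel headers), keeping the discipline an XDP program needs (a bounds check before every header access, which the BPF verifier would otherwise reject, and an O(1) lookup of the (protocol, destination port) tuple in a hash table that stands in for a BPF_MAP_TYPE_HASH), and then runs the Evaluation stage over the redirected packet. The rule set, the table size and the frame builder are constructed for the illustration; in a real deployment the redirect would typically go through bpf_redirect_map to an AF_XDP socket or through a ring/perf buffer.

```c
/* Added illustration (not the paper's code): host-testable model of the
 * SAPO-BOI suspicion (kernel/XDP) and evaluation (user-space) stages. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN 14
#define ETH_P_IP 0x0800
#define RULE_BUCKETS 64          /* hypothetical table size, power of two */
#define NO_RULE (-1)

struct rule {
    uint8_t proto;               /* IP protocol number: 6 = TCP, 17 = UDP */
    uint16_t dport;              /* destination port the rule watches */
    const char *content;         /* payload substring (like Snort "content:") */
    const char *msg;             /* alert text (like Snort "msg:") */
};

/* Constructed rule set, modelled on Snort's header tuple + content/msg. */
static const struct rule rules[] = {
    { 6, 80, "/etc/passwd", "WEB path traversal attempt" },
    { 6, 23, "",            "Telnet session observed" },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Open-addressing hash keyed on (proto, dport); stands in for a BPF hash map. */
struct slot { uint32_t key; int rule; };            /* key 0 means empty */
static struct slot table[RULE_BUCKETS];

static uint32_t make_key(uint8_t proto, uint16_t dport) {
    return 0x01000000u | ((uint32_t)proto << 16) | dport;   /* never 0 */
}
static unsigned hash_key(uint32_t k) { return (k * 2654435761u) >> 26; } /* 0..63 */

static void build_rule_table(void) {
    memset(table, 0, sizeof table);
    for (size_t i = 0; i < NRULES; i++) {
        uint32_t k = make_key(rules[i].proto, rules[i].dport);
        unsigned h = hash_key(k);
        while (table[h].key != 0) h = (h + 1) % RULE_BUCKETS;  /* linear probe */
        table[h].key = k;
        table[h].rule = (int)i;
    }
}

static int lookup_rule(uint8_t proto, uint16_t dport) {
    uint32_t k = make_key(proto, dport);
    unsigned h = hash_key(k);
    for (unsigned probes = 0; probes < RULE_BUCKETS; probes++) {
        if (table[h].key == 0) return NO_RULE;
        if (table[h].key == k) return table[h].rule;
        h = (h + 1) % RULE_BUCKETS;
    }
    return NO_RULE;
}

/* Verdicts modelled on XDP return codes: PASS hands the frame to the stack
 * untouched, REDIRECT sends it (plus the rule id) to the user-space module. */
enum verdict { VERDICT_PASS = 0, VERDICT_REDIRECT = 1 };
struct meta { int rule; size_t payload_off; };

static enum verdict suspicion(const uint8_t *pkt, size_t len, struct meta *out) {
    /* Each read is preceded by a length check, as the BPF verifier demands. */
    if (len < ETH_HLEN + 20) return VERDICT_PASS;
    uint16_t ethertype = (uint16_t)(pkt[12] << 8 | pkt[13]);
    if (ethertype != ETH_P_IP) return VERDICT_PASS;         /* IPv4 only here */
    const uint8_t *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return VERDICT_PASS;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if (ihl < 20 || ETH_HLEN + ihl + 4 > len) return VERDICT_PASS;
    uint8_t proto = ip[9];
    const uint8_t *l4 = ip + ihl;
    uint16_t dport = (uint16_t)(l4[2] << 8 | l4[3]);        /* same offset TCP/UDP */
    size_t l4len;
    if (proto == 6) {                                       /* TCP: data offset */
        if (ETH_HLEN + ihl + 20 > len) return VERDICT_PASS;
        l4len = (l4[12] >> 4) * 4u;
    } else if (proto == 17) {
        l4len = 8;                                          /* UDP header */
    } else return VERDICT_PASS;
    if (l4len < 8 || ETH_HLEN + ihl + l4len > len) return VERDICT_PASS;
    int r = lookup_rule(proto, dport);
    if (r == NO_RULE) return VERDICT_PASS;                  /* not suspicious */
    out->rule = r;
    out->payload_off = ETH_HLEN + ihl + l4len;
    return VERDICT_REDIRECT;
}

/* User-space evaluation: the rule id arrives with the packet, so only that
 * rule's content check runs over the payload; returns 1 and fills alert on a hit. */
static int evaluate(const uint8_t *pkt, size_t len, const struct meta *m,
                    char *alert, size_t alen) {
    const struct rule *r = &rules[m->rule];
    const uint8_t *p = pkt + m->payload_off;
    size_t plen = len - m->payload_off, clen = strlen(r->content);
    int hit = (clen == 0);                 /* content-less rule: tuple alone matches */
    for (size_t i = 0; !hit && i + clen <= plen; i++)
        if (memcmp(p + i, r->content, clen) == 0) hit = 1;
    if (hit) snprintf(alert, alen, "ALERT [%s] proto=%u dport=%u", r->msg, r->proto, r->dport);
    return hit;
}

/* Runs both stages on one frame; returns 1 if an alert was generated. */
int sapo_boi_process(const uint8_t *pkt, size_t len, char *alert, size_t alen) {
    static int built = 0;
    if (!built) { build_rule_table(); built = 1; }
    struct meta m;
    if (suspicion(pkt, len, &m) == VERDICT_PASS) return 0;
    return evaluate(pkt, len, &m, alert, alen);
}

/* Constructed Ethernet/IPv4/TCP-or-UDP frame for testing; fields the model
 * does not inspect (addresses, checksums) are left zero. Returns frame length. */
size_t build_packet(uint8_t *buf, uint8_t proto, uint16_t dport, const char *payload) {
    size_t l4len = (proto == 6) ? 20 : 8, plen = strlen(payload);
    size_t len = ETH_HLEN + 20 + l4len + plen;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                            /* version 4, IHL 5 */
    buf[ETH_HLEN + 9] = proto;
    uint8_t *l4 = buf + ETH_HLEN + 20;
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    if (proto == 6) l4[12] = 0x50;                   /* TCP data offset = 5 words */
    memcpy(buf + ETH_HLEN + 20 + l4len, payload, plen);
    return len;
}

int main(void) {
    uint8_t buf[256]; char alert[128] = "";
    size_t n = build_packet(buf, 6, 80, "GET /etc/passwd HTTP/1.1");
    if (sapo_boi_process(buf, n, alert, sizeof alert)) puts(alert);
    n = build_packet(buf, 6, 443, "GET /etc/passwd");   /* no rule for 443: stays in kernel */
    printf("port 443 alert: %d\n", sapo_boi_process(buf, n, alert, sizeof alert));
    return 0;
}
```

The point the model makes concrete is where the work lands: a frame with no rule on its (protocol, port) tuple never leaves the XDP stage, and the payload scan, the expensive part, runs in user space only for frames the map lookup flagged, against a single rule found by id rather than by searching the rule set.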