DOI: 10.1145/3674213.3674219 (research article, open access)

Dynamic Fixed-point Values in eBPF: a Case for Fully In-kernel Anomaly Detection

Published: 09 August 2024

Abstract

eBPF and XDP are promising technologies that are capable of accelerating packet processing inside the Linux kernel. Despite these benefits, eBPF is constrained by a number of rigorous restrictions that are imposed to protect the kernel. One such restriction is the lack of support for floating-point values, which was introduced to achieve faster execution and avoid non-deterministic behavior. However, this has become a significant obstacle to expanding the functionality of eBPF programs with advanced algorithms. In this paper, we propose dynamic fixed-point as a solution to overcome this challenge within the restrictions of eBPF. Dynamic fixed-point values are an extension of traditional fixed-point values, with the bit allocation adjusted dynamically. The benefit of dynamic fixed-point is that the accuracy of calculations is improved, which addresses one of the critical shortcomings of fixed-point. To demonstrate the effectiveness of our approach, we have designed and implemented a prototype of an entropy-based traffic anomaly detection framework and have reported on its throughput and the detection accuracy. Our prototype, which employs dynamic fixed-point, has achieved an 18% improvement in throughput while also matching the detection accuracy of a similar system that employs floating-point values in user space.
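The abstract states the idea (a fixed-point value whose fractional bit count is chosen per value rather than fixed for the whole program) without showing the arithmetic, and the paper's own format is not on this page. The following is an added illustration of that idea applied to the entropy computation an anomaly detector needs, written for this page and not taken from the paper or its prototype: a static Q16 entropy beside a version in which each probability carries its own fractional bit count, both using only integer shifts, multiplies and divides. Everything here is an assumption of the example: the `dfx` struct, the helper names, the Q16/Q32 choices, the 40-bit mantissa trim, and the two sample histograms (packets per destination port, constructed). It is plain user-space C compiled with GCC or Clang (`__builtin_clzll`), not an eBPF program, so it does not address verifier constraints such as bounded loops.

```c
#include <stdint.h>
#include <stdio.h>

#define LOG_FRAC 16   /* fractional bits of every log2 result (Q16) */
#define OUT_FRAC 32   /* fractional bits of the returned entropy  (Q32) */

/* Truncated log2(x) with LOG_FRAC fractional bits, x > 0, computed with shifts
 * and multiplies only (repeated squaring of a Q31 mantissa). */
static uint64_t ilog2_q16(uint64_t x)
{
    int ip = 63 - __builtin_clzll(x);                        /* integer part */
    uint64_t m = ip <= 31 ? x << (31 - ip) : x >> (ip - 31); /* mantissa in [1,2) as Q31 */
    uint64_t r = (uint64_t)ip;
    for (int i = 0; i < LOG_FRAC; i++) {
        r <<= 1;
        m = (m * m) >> 31;          /* square the mantissa; result is still Q31 */
        if (m >= (1ULL << 32)) {    /* mantissa reached 2: emit a 1 bit and halve */
            m >>= 1;
            r |= 1;
        }
    }
    return r;
}

/* Static fixed-point: every probability is a Q16 value. A symbol rarer than
 * 1/65536 of the traffic rounds to p == 0 and drops out of the sum entirely. */
static uint64_t entropy_static_q32(const uint32_t *counts, int n, uint64_t total)
{
    uint64_t log_total = ilog2_q16(total), h = 0;
    for (int i = 0; i < n; i++) {
        if (counts[i] == 0)
            continue;
        uint64_t p = ((uint64_t)counts[i] << LOG_FRAC) / total;   /* Q16 */
        uint64_t neg_log_p = log_total - ilog2_q16(counts[i]);     /* Q16 */
        h += p * neg_log_p;                                        /* Q32 */
    }
    return h;
}

/* Dynamic fixed-point (example format): value = mant * 2^-frac, with frac
 * chosen per value so the mantissa keeps as many significant bits as possible. */
struct dfx { uint64_t mant; int frac; };

/* num/den as a dfx (0 < num < 2^63): shift num up to just below 2^63 first */
static struct dfx dfx_ratio(uint64_t num, uint64_t den)
{
    int shift = __builtin_clzll(num) - 1;
    struct dfx v = { (num << shift) / den, shift };
    return v;
}

/* Signed Q16 log2 of a dfx value: log2(mant) - frac */
static int64_t dfx_log2_q16(struct dfx v)
{
    return (int64_t)ilog2_q16(v.mant) - ((int64_t)v.frac << LOG_FRAC);
}

/* -p * log2(p) in Q32 for a dfx probability 0 < p <= 1 */
static uint64_t dfx_plogp_q32(struct dfx p)
{
    if (p.mant == 0)
        return 0;
    uint64_t neg_log = (uint64_t)(-dfx_log2_q16(p));   /* Q16, non-negative for p <= 1 */
    /* Re-balance the bit allocation before the multiply: trim the mantissa to
     * 40 bits so mant * neg_log (neg_log < 2^23) cannot overflow 64 bits. */
    int excess = (64 - __builtin_clzll(p.mant)) - 40;
    uint64_t mant = p.mant;
    int frac = p.frac;
    if (excess > 0) {
        mant >>= excess;
        frac -= excess;
    }
    uint64_t prod = mant * neg_log;            /* Q(frac + LOG_FRAC) */
    int shift = frac + LOG_FRAC - OUT_FRAC;    /* rescale to Q32 */
    return shift >= 0 ? prod >> shift : prod << -shift;
}

static uint64_t entropy_dynamic_q32(const uint32_t *counts, int n, uint64_t total)
{
    uint64_t h = 0;
    for (int i = 0; i < n; i++)
        if (counts[i] != 0)
            h += dfx_plogp_q32(dfx_ratio(counts[i], total));
    return h;
}

/* Constructed sample histograms (packets per destination port), not paper data */
static const uint32_t UNIFORM[4] = { 250, 250, 250, 250 };                  /* H = 2 bits */
static const uint32_t SKEWED[11] = { 999990, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; /* H ~ 2.14e-4 bits */

int main(void)
{
    printf("uniform (Q32, 2.0 bits = %llu): static %llu, dynamic %llu\n",
           2ULL << OUT_FRAC,
           (unsigned long long)entropy_static_q32(UNIFORM, 4, 1000),
           (unsigned long long)entropy_dynamic_q32(UNIFORM, 4, 1000));
    printf("skewed  (Q32, true value ~918000): static %llu, dynamic %llu\n",
           (unsigned long long)entropy_static_q32(SKEWED, 11, 1000000),
           (unsigned long long)entropy_dynamic_q32(SKEWED, 11, 1000000));
    return 0;
}
```

Both versions agree on the uniform histogram, where every probability is a power of two and Q16 loses nothing. On the skewed histogram the static version rounds each 1-in-a-million port to p = 0 and reports almost no entropy, while the dynamic version keeps 43 significant bits for those probabilities and lands within about half a percent of the true value; that residual error comes from the Q16 log2, not from the probability representation. In a detector that alarms when the entropy of destination ports drops, the static result would look like a collapse that never happened.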



Published In

AINTEC '24: Proceedings of the Asian Internet Engineering Conference 2024
August 2024
93 pages
ISBN:9798400709852
DOI:10.1145/3674213
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Anomaly Detection
  2. DDoS
  3. Dynamic Fixed-point
  4. XDP
  5. eBPF

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

AINTEC '24
AINTEC '24: Asian Internet Engineering Conference 2024
August 9, 2024
NSW, Sydney, Australia

Acceptance Rates

Overall Acceptance Rate 15 of 38 submissions, 39%
