Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel

Shie Yuan Wang*, Jen Chieh Chang

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

Abstract

An intrusion detection system (IDS) checks the content of headers and payload of packets to detect intrusions from the network. It is an essential function for network security. Traditionally, an IDS, such as Snort, which is a widely used open source IDS, is implemented as a program running in the user space on a hardware server. Recently, with the availability of Extended BPF (eBPF) in the Linux kernel, efficiently checking and filtering arriving packets directly in the kernel becomes feasible. In this work, we design and implement an IDS that has two parts working together. The first part runs in the Linux kernel. Its uses eBPF to perform fast patterns matching to pre-drop a very large portion of packets that have no chance to match any rule. The second part runs in the user space. It examines the packets left by the first part to find the rules that match them. Using a modified version of the registered ruleset of Snort, experimental results show that the maximum throughput of our IDS system can outperform that of Snort by a factor of 3 under many tested conditions.

Original languageEnglish
Article number103283
JournalJournal of Network and Computer Applications
Volume198
DOIs
StatePublished - Feb 2022

Keywords

  • eBPF
  • Intrusion detection system (IDS)
  • Snort

Fingerprint

Dive into the research topics of 'Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel'. Together they form a unique fingerprint.

Cite this