Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel

Shie Yuan Wang*, Jen Chieh Chang

*此作品的通信作者

研究成果: Article同行評審

14 引文 斯高帕斯(Scopus)

摘要

An intrusion detection system (IDS) checks the content of headers and payload of packets to detect intrusions from the network. It is an essential function for network security. Traditionally, an IDS, such as Snort, which is a widely used open source IDS, is implemented as a program running in the user space on a hardware server. Recently, with the availability of Extended BPF (eBPF) in the Linux kernel, efficiently checking and filtering arriving packets directly in the kernel becomes feasible. In this work, we design and implement an IDS that has two parts working together. The first part runs in the Linux kernel. Its uses eBPF to perform fast patterns matching to pre-drop a very large portion of packets that have no chance to match any rule. The second part runs in the user space. It examines the packets left by the first part to find the rules that match them. Using a modified version of the registered ruleset of Snort, experimental results show that the maximum throughput of our IDS system can outperform that of Snort by a factor of 3 under many tested conditions.

原文English
文章編號103283
期刊Journal of Network and Computer Applications
198
DOIs
出版狀態Published - 2月 2022

指紋

深入研究「Design and implementation of an intrusion detection system by using Extended BPF in the Linux kernel」主題。共同形成了獨特的指紋。

引用此