1. 3

Implementation: https://github.com/maxdml/Finelame

    1. 2

      This is an example of using Linux eBPF[1] hooks, to implement HIDS (Host Based intrusion detection) of Denial of service-like (resource exhaustion) attacks.

      Anomaly Detection is based on K-means clustering. Where each ‘dot’ in the cluster is a ‘fingerprint’ consisting of various observed parameters.

      The further a given observation from a ‘normal’ cluster, the more likelihood this is an attack (this is the essence of unsupervised learning by K-means clustering)

      The authors, also suggest that typical NIDS (network intrusion detection solutions) (I assume like Snort [2] ) – are not able to cope with the sophistication of the attacks.

      “ … Due to this increase in sophistication, existing defenses are becoming inadequate [10, 26–28, 31, 40, 54, 60–62]. Network-based defenses are generally ineffective against ADoS attacks because these attacks lack identifiable problematic patterns at the network level. To be successful, network tools would not only need to perform deep packet inspection, but would also need to be able to predict which requests will hog resources a priori—a challenge analogous to solving the halting problem.Similarly, existing application-level defenses are limited in their efficacy: since these attacks can target arbitrary resources and arbitrary components of the service, which may be written in different programming languages and contain multiple binary third-party packages whose source code is not available or with complex dependencies, manual instrumentation of the application is prohibitively difficult, expensive, and time-consuming. … “

      Their choice of probes is definitely language agnostic, but OS-specific (Linux in this case).

      I do not know if other Open source OSes implement BPF-like virtual machine (may be they do, just not aware of it)

      I am also assuming that future for the types of technologies is to continue incorporate both network and host based intrusion detection methods, that are ’orchestrated and configured by a smart, actively self-improving ‘control center’.

      [1] https://www.memsql.com/blog/bpf-linux-performance/

      [2] https://www.snort.org/#documents