In-Kernel Intrusion Detection Systems using eBPF/XDP

eBerkeley Packet Filter (eBPF) and eXpress Data Path (XDP) enable fast in-kernel packet processing without passing packets to the user space. Several studies pointed out the possibility of eBPF to realize intrusion detection systems (IDSs) empowered by simple machine learning (ML) algorithms, e.g., Decision Tree, in the kernel space. To ensure the kernel stability and safety, the eBPF constraints has strict constraints. e.g., violating the floating-point number, which makes it difficult to implement a neural network (NN), widely used in machine learning, in the kernel space. In this research, we aims at investigating the potential of eBPF/XDP-based packet processing empowered by the NN ¹². More specifically, we first train the floating-point NN and quantize it to the fixed-point NN with 8-bit integer values in the user space. We then implement the lightweight NN in the eBPF/XDP program, which is running on the kernel space. We aim at realizing a lightweight and fast in-kernel intrusion detection system based on integer-only-inference using eBPF.