https://github.com/cn-tu/machine-learning-in-ebpf

This repository contains the code for the paper "A flow-based IDS using Machine Learning in eBPF", Contact: Maximilian Bachl

Keywords

decision-trees ebpf linux machine-learning tree-based-methods
Basic Info
Statistics
  • Stars: 95
  • Watchers: 4
  • Forks: 6
  • Open Issues: 0
  • Releases: 0
Created about 5 years ago · Last pushed almost 2 years ago
Metadata Files: Readme, License

README.md

machine-learning-in-ebpf

Contact: Maximilian Bachl

This repository contains the code for the paper A flow-based IDS using Machine Learning in eBPF (arXiv).

Requires Linux kernel >= 5.3, because 5.3 adds support for loops in eBPF. All code was run on Debian Buster.

Tested with Python 3.7.9; Python 3.8 or newer does not seem to work. Requires py-virtnet 1.0.1 (install it with sudo pip3.7 install py-virtnet).

Compiled with g++ 10.2.1.

You'll need the bcc library, which can be installed with sudo apt install bcc on Debian.

Moreover, you need the bcc headers, which can be installed with sudo apt install libbpfcc-dev on Debian.

Also, some generic kernel headers might be needed. Install them with sudo apt install linux-headers-$(uname -r) on Debian.

If you encounter some problems, the resolution of this issue might help.

Run in userspace

Compile with -DUSERSPACE so the classifier runs as a normal userspace program instead of being loaded into the kernel:

g++ -DUSERSPACE -fpermissive -I/usr/include/bcc ebpf_wrapper.cc -lbcc -o ebpf_wrapper

sudo python3.7 test.py --run_scenario just_one_flow

Run as eBPF

g++ -fpermissive -I/usr/include/bcc ebpf_wrapper.cc -lbcc -o ebpf_wrapper

sudo python3.7 test.py --run_scenario just_one_flow

By default, packets are not dropped, for benchmarking reasons. If you want to actually drop packets, you have to make sure that the program returns 0 for "malicious" packets (see ebpf.c and search for a comment starting with "IMPORTANT").
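As an added illustration (not code from this repository or the paper), this is the shape a trained tree takes when it has to pass the eBPF verifier: flat node arrays walked by a loop with a constant depth bound, which is why the kernel 5.3 loop support matters, together with the return-0-to-drop convention described above. The tree, the feature names and the threshold values are constructed for the example and are not the paper's trained model.

```c
#include <stdint.h>

#define MAX_DEPTH  8   /* constant loop bound so the verifier can prove termination */
#define N_NODES    7
#define N_FEATURES 3

enum { FEAT_PKTS = 0, FEAT_MEAN_LEN = 1, FEAT_MEAN_IAT_US = 2 };

/* One node per array slot. Internal node: go left if feature <= value.
 * Leaf: feature = -1 and value is the class (0 = benign, 1 = malicious). */
struct dt_node { int16_t feature; uint32_t value; uint16_t left, right; };

/* Constructed toy tree (hypothetical thresholds, not the paper's model). */
static const struct dt_node tree[N_NODES] = {
    { FEAT_PKTS,        20,  1, 4 },  /* node 0: short flow? */
    { FEAT_MEAN_LEN,    64,  2, 3 },  /* node 1: ... with tiny packets? */
    { -1,                1,  0, 0 },  /* node 2: leaf, malicious (scan-like) */
    { -1,                0,  0, 0 },  /* node 3: leaf, benign */
    { FEAT_MEAN_IAT_US, 500, 5, 6 },  /* node 4: long flow with packets very close together? */
    { -1,                1,  0, 0 },  /* node 5: leaf, malicious (flood-like) */
    { -1,                0,  0, 0 },  /* node 6: leaf, benign */
};

/* Bounded walk from the root. Returns the leaf class, or -1 if the depth
 * bound or an out-of-range index is hit first; the explicit range checks
 * are the kind of bound the eBPF verifier requires before an array access. */
int dt_classify(const uint32_t features[N_FEATURES])
{
    uint16_t idx = 0;
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        if (idx >= N_NODES)
            return -1;
        const struct dt_node *n = &tree[idx];
        if (n->feature < 0)
            return (int)n->value;
        if (n->feature >= N_FEATURES)
            return -1;
        idx = (features[n->feature] <= n->value) ? n->left : n->right;
    }
    return -1;
}

/* Verdict in the convention the README describes: 0 drops the packet,
 * non-zero passes it; with drop_enabled == 0 (the benchmarking default)
 * every packet passes regardless of the class. */
int filter_verdict(const uint32_t features[N_FEATURES], int drop_enabled)
{
    return (drop_enabled && dt_classify(features) == 1) ? 0 : 1;
}
```

In a real eBPF program the feature vector would come from per-flow counters kept in a BPF map and updated on every packet; here it is passed in directly.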

Train a decision tree

To train a decision tree, check out the decision_tree branch of the adversarial-recurrent-ids repository and follow the instructions there to make it work. Train a decision tree like this:

./learn.py --dataroot flows.pickle --function train_dt

Your trained decision tree will be written to the runs folder. Change prefix_path in ebpf_wrapper.cc to point to the directory containing your new decision tree and recompile (see Run in userspace or Run as eBPF above).

Owner

  • Name: CN Group, Institute of Telecommunications, TU Wien
  • Login: CN-TU
  • Kind: organization
  • Location: Vienna, Austria

Communication Networks Group, TU Wien
