https://github.com/cn-tu/machine-learning-in-ebpf
This repository contains the code for the paper "A flow-based IDS using Machine Learning in eBPF", Contact: Maximilian Bachl
Basic Info
- Host: GitHub
- Owner: CN-TU
- License: gpl-2.0
- Language: C
- Default Branch: master
- Homepage: https://arxiv.org/abs/2102.09980
- Size: 542 KB
Statistics
- Stars: 95
- Watchers: 4
- Forks: 6
- Open Issues: 0
- Releases: 0
Metadata Files
README.md
machine-learning-in-ebpf
Contact: Maximilian Bachl
This repository contains the code for the paper A flow-based IDS using Machine Learning in eBPF (arXiv).
Requires Linux kernel >= 5.3 because 5.3 adds support for loops in eBPF. All code was run on Debian Buster.
Tested with Python 3.7.9; Python 3.8 or newer does not seem to work. Requires py-virtnet 1.0.1 (install it with sudo pip3.7 install py-virtnet).
Compiled with g++ 10.2.1.
You'll need the bcc library, which can be installed with sudo apt install bcc on Debian.
Moreover you need the bcc headers, which can be installed with sudo apt install libbpfcc-dev on Debian.
Also, some generic kernel headers might be needed. Install them with sudo apt install linux-headers-$(uname -r) on Debian.
If you encounter some problems, the resolution of this issue might help.
Run in userspace
g++ -DUSERSPACE -fpermissive -I/usr/include/bcc ebpf_wrapper.cc -lbcc -o ebpf_wrapper
sudo python3.7 test.py --run_scenario just_one_flow
Run as eBPF
g++ -fpermissive -I/usr/include/bcc ebpf_wrapper.cc -lbcc -o ebpf_wrapper
sudo python3.7 test.py --run_scenario just_one_flow
By default, packets are not dropped, for benchmarking reasons. If you want to actually drop packets, make sure the program returns 0 for "malicious" packets (see ebpf.c and search for the comment starting with "IMPORTANT").
Train a decision tree
To train a decision tree, check out the decision_tree branch of the adversarial-recurrent-ids repository and follow the instructions there to make it work. Train a decision tree like this:
./learn.py --dataroot flows.pickle --function train_dt
Your trained decision tree will be written to the runs folder. Change prefix_path in ebpf_wrapper.cc to point to the directory containing your new decision tree and recompile it (see "Run in userspace" or "Run as eBPF" above).
Owner
- Name: CN Group, Institute of Telecommunications, TU Wien
- Login: CN-TU
- Kind: organization
- Location: Vienna, Austria
- Repositories: 16
- Profile: https://github.com/CN-TU
Communication Networks Group, TU Wien
GitHub Events
Total
- Watch event: 18
- Fork event: 1
Last Year
- Watch event: 18
- Fork event: 1