
An eBPF-Based Threat Observability System for the Cloud

As the types of cloud threats and their attack paths grow more diverse, single-dimensional threat data can no longer accurately characterize complex and changing threat behavior. This paper proposes ETOS (eBPF-Based Threat Observability System), a threat observability system built on the extended Berkeley Packet Filter (eBPF). First, by assessing the danger level of each action within a threat behavior, observation points are set for the key actions in a hierarchical, categorized way, so that eBPF probes can be activated dynamically and on demand on the target machine to collect multi-dimensional structured threat behavior data; this represents threat behavior in cloud environments effectively and lowers the preprocessing cost of data analysis. Second, a generic eBPF probe template is designed so that the probe library can be extended automatically. Finally, 18 container escape Common Vulnerabilities and Exposures (CVE) entries were reproduced on a container cloud platform and their threat behavior was observed with ETOS. Experimental results show that ETOS can observe threat behavior at multiple levels and output multi-dimensional structured threat data, while the overall overhead introduced on the system and on the network is below 2% in both cases, satisfying the operating requirements of a cloud platform.
An eBPF-Based Threat Observability System for Cloud-Oriented Environment
As the types of threats in the cloud and the diversity of attack vectors increase, single-dimensional threat data struggles to accurately portray complex and ever-changing threat behaviors. This paper proposes ETOS (eBPF-based threat observability system), a multi-level threat observation system tailored for cloud environments. By assessing the risk of each action within threat behaviors, ETOS strategically sets up observation points for the hierarchical classification of critical actions, dynamically activates eBPF probes as needed on the target machines, and thus acquires multi-dimensional structured threat behavior data. This approach effectively represents threat behaviors in cloud environments and significantly reduces the preprocessing cost of data analysis. We also designed a generic eBPF threat probe template to automate the expansion of the probe library. ETOS was evaluated on a container cloud platform by reproducing 18 container escape CVEs and observing their threat behaviors. The experimental results show that ETOS is capable of observing threat behaviors on multiple levels and collecting multi-dimensional structured threat data. The overhead introduced on the system and the network remains below 2%, meeting the operational requirements of cloud platforms.

Keywords: threat observability; eBPF observability; cloud computing security; data acquisition

Authors: 刘斯诺 (Liu Sinuo), 阮树骅 (Ruan Shuhua), 陈兴蜀 (Chen Xingshu), 郑涛 (Zheng Tao)


School of Cyber Science and Engineering, Sichuan University, Chengdu 610065

Cyber Science Research Institute, Sichuan University, Chengdu 610065

Keywords (Chinese): threat observation; eBPF observability; cloud computing security; data acquisition

Funding (funder, grant number, paired in the order listed on the page):

- National Natural Science Foundation of China (U19A2081)
- Fundamental Research Funds for the Central Universities (SCU2023D008)
- Fundamental Research Funds for the Central Universities (2023SCU12129)
- Sichuan University Science and Engineering Development Program (2020SCUNG129)

2024

Journal: Netinfo Security (信息网络安全)
Sponsors: The Third Research Institute of the Ministry of Public Security; Computer Security Professional Committee of the China Computer Federation (CCF)


Indexed in: CSTPCD; CHSSCD; Peking University Core Journals (北大核心)
Impact factor: 0.814
ISSN: 1671-1122
Year, volume (issue): 2024, 24(4)
  • 28