Netinfo Security (信息网络安全), 2024, Vol. 24, Issue 4: 534-544. DOI: 10.3969/j.issn.1671-1122.2024.04.004

An eBPF-Based Threat Observability System for Cloud-Oriented Environment

刘斯诺 阮树骅 陈兴蜀 郑涛

Author information

  • 1. School of Cyber Science and Engineering, Sichuan University, Chengdu 610065; Institute of Cyber Science and Technology, Sichuan University, Chengdu 610065

Abstract (translated from the Chinese)

As the types of cloud threats and their attack paths become more diverse, single-dimensional threat data can hardly characterize complex and changing threat behaviors accurately. This paper proposes ETOS (eBPF-Based Threat Observability System), a threat observation system built on the extended Berkeley Packet Filter (eBPF). First, by assessing the risk level of each action within a threat behavior, observation points are set for key actions in a layered and classified manner, so that eBPF probes can be activated on demand on the target machine to obtain multi-dimensional structured threat behavior data; this data effectively expresses threat behaviors in cloud environments and lowers the preprocessing cost of data analysis. Second, a generic eBPF probe template is designed to automate the extension of the probe library. Finally, 18 container escape CVEs (Common Vulnerabilities and Exposures) are reproduced on a container cloud platform and their threat behaviors are observed with ETOS. Experimental results show that ETOS can observe threat behaviors at multiple levels and output multi-dimensional structured threat data, with a total system and network overhead below 2%, meeting the operating requirements of cloud platforms.

Abstract (original English)

As the types of threats in the cloud and the diversity of attack vectors increase, single-dimensional threat data struggles to accurately portray complex and ever-changing threat behaviors. This paper proposes ETOS (eBPF-based threat observability system), a multi-level threat observation system tailored for cloud environments. By assessing the risk of each action within threat behaviors, ETOS sets up observation points for the hierarchical classification of critical actions and dynamically activates eBPF probes as needed on the target machines, thus acquiring multi-dimensional structured threat behavior data. This approach effectively represents threat behaviors in cloud environments and significantly reduces the preprocessing cost for data analysis. We also designed a generic eBPF threat probe template to automate the expansion of the probe library. ETOS was evaluated on a container cloud platform by reproducing 18 container escape CVEs and observing their threat behaviors. The experimental results show that ETOS is capable of observing threat behaviors on multiple levels and collecting multi-dimensional structured threat data. The introduced overhead on the system and network remains below 2%, meeting the operational requirements of cloud platforms.

Keywords

threat observability / eBPF observability / cloud computing security / data acquisition

Funding

National Natural Science Foundation of China (U19A2081)

Fundamental Research Funds for the Central Universities (SCU2023D008)

Fundamental Research Funds for the Central Universities (2023SCU12129)

Sichuan University Science and Engineering Development Program (2020SCUNG129)

Year of publication

2024

Journal: Netinfo Security (信息网络安全)
Sponsors: The Third Research Institute of the Ministry of Public Security; Computer Security Professional Committee of the China Computer Federation

Indexed in: CSTPCD, CHSSCD, Peking University Core Journals
Impact factor: 0.814
ISSN: 1671-1122
Number of references: 28