ebpH

Description

ebpH stands for Extended BPF Process Homeostasis.

ebpH is a modern host-based intrusion detection system for Linux 5.8+ that leverages the power of Extended BPF (eBPF) to monitor processes and detect anomalous behavior. This effectively constitutes an eBPF implementation of pH (Process Homeostasis).

Disclaimer

This product comes with no warranty, and is built as a research system. It should be perfectly safe to run on your system due to the safety guarantees of eBPF, but we make no claims about functionality.

Papers

ebpH

• My thesis

pH

• My supervisor's original dissertation on pH
• A Sense of Self for UNIX Processes
• Lightweight Intrustion Detection for Networked Operating Systems
• Lookahead Pairs and Full Sequences: A Tale of Two Anomaly Detection Methods

Prerequisites

1. Linux 5.8+ compiled with at least CONFIG_BPF=y, CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y, CONFIG_TRACEPOINTS=y, CONFIG_BPF_LSM=y, CONFIG_DEBUG_INFO=y, CONFIG_DEBUG_INFO_BTF=y, CONFIG_LSM="bpf". pahole >= 0.16 must be installed for the kernel to be built with BTF info.
2. Either the latest version of bcc from https://github.com/iovisor/bcc or bcc version 0.16+.
   • If building from source, be sure to include -DPYTHON_CMD=python3 in your the cmake flags
3. Python 3.8+

Installation

1. Install the prerequisites (see above).
2. git clone https://github.com/willfindlay/ebpH
3. cd ebpH && make install (You will be asked for your password)
4. To install the systemd unit: make systemd (You will be asked for your password)

How to Use / Examples

1. Run $ sudo ebphd start to start the daemon.
2. Run $ sudo ebph admin status to check daemon status.
3. Run $ sudo ebph ps to check monitored processes.
4. Run $ sudo ebph ps -p to list all active profiles.

Or, with systemd:

1. Run $ sudo systemctl start ebphd to start the daemon if not already running.