Peer-Review Record

iKern: Advanced Intrusion Detection and Prevention at the Kernel Level Using eBPF

Technologies 2024, 12(8), 122; https://doi.org/10.3390/technologies12080122
by Hassan Jalil Hadi 1,*,†, Mubashir Adnan 2,*,†, Yue Cao 1,†, Faisal Bashir Hussain 2,†, Naveed Ahmad 3, Mohammed Ali Alshara 3,4 and Yasir Javed 3
Reviewer 1: Anonymous
Submission received: 2 July 2024 / Revised: 25 July 2024 / Accepted: 26 July 2024 / Published: 30 July 2024

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The authors of this paper focused on intrusion detection and prevention systems at the network level and the overheads they introduce due to their signature-based structure. Instead, the authors propose a novel solution, namely iKern, which combines Extended Berkeley Packet Filter (eBPF) with Virtual Network Functions (VNF) to examine and filter network packets at the kernel level before forwarding them to the user space. The solution is tested experimentally.

This is a very interesting paper. However, there are a few issues that the reviewer would like to raise with the authors.

The contributions are inflated. They should be summarised in the inception of the proposed solution, the creation of the testbed and its evaluation.

Related work might have omitted some recent approaches such as https://doi.org/10.1145/3452296.3472929 from their sources. Additionally, a summary table with tick boxes would be beneficial to pronounce the novelties of the proposed solution against the literature.

It would be beneficial for the authors to provide more information about the technical and software characteristics of their testbed (RAM, CPU, Hypervisor, etc.). This would assist in the replicability of the results.

All the plots are very clear and informative. However, it would be beneficial to directly compare the proposed solution against the traditional IDSPS solutions, in terms of efficiency and overhead to prove the superiority of the proposed solution.

Comments on the Quality of English Language

No major issues. Another round of proofreading would be enough.

Author Response

Response to the Comments of Reviewer 1

The authors of this paper focused on intrusion detection and prevention systems at the network level and the overheads they introduce due to their signature-based structure. Instead, the authors propose a novel solution, namely iKern, which combines Extended Berkeley Packet Filter (eBPF) with Virtual Network Functions (VNF) to examine and filter network packets at the kernel level before forwarding them to the user space. The solution is tested experimentally. This is a very interesting paper. However, there are a few issues that the reviewer would like to raise with the authors.

Response:

We appreciate your dedicated efforts in reviewing our manuscript and commend your positive feedback.

Comment 1:

The contributions are inflated. They should be summarized in the inception of the proposed solution, the creation of the testbed and its evaluation.

Response to Comment 1:

Thank you for your feedback. More summarized contributions are added below:

This study offers several significant contributions, including the following.

  • An innovative detection and mitigation framework iKern is designed to intercept and analyse high-throughput network traffic up to 1 Gbps using eBPF for dynamic packet filtering at the kernel level, substantially reducing the overhead associated with traditional user-space systems.
  • The development of an optimized data acquisition module that employs PF_RING and eBPF to distribute network load across multiple processor cores efficiently, minimizing CPU overhead and enhancing throughput, ensuring robust real-time processing under heavy network loads.
  • Extensive testing and evaluation of the iKern system demonstrated its effectiveness in improving detection rates and overall system performance, particularly in mitigating volumetric and multi-vector attacks, thus establishing a new standard for intrusion detection and prevention technologies in terms of efficiency and scalability.

Comment 2:

Related work might have omitted some recent approaches such as https://doi.org/10.1145/3452296.3472929 from their sources. Additionally, a summary table with tick boxes would be beneficial to pronounce the novelties of the proposed solution against the literature.

Response to Comment 2:

Thank you for highlighting the omission of recent sources such as the one mentioned. We will address this gap in our revision. Additionally, incorporating a summary table with tick boxes to clearly delineate the novelties of our proposed solution compared to existing literature is a valuable suggestion.

Moreover, Xu et al. explored the optimization of eBPF bytecode through the development of K2, a specialized compiler for program synthesis that enhances eBPF bytecode. Their findings reveal significant improvements, including bytecode size reductions between 6% and 26%, an increase in packet processing throughput by up to 4.75% per core, and reductions in average packet-processing latency ranging from 1.36% to 55.03%. K2 operates independently from the eBPF static verifier, utilizing dual sets of checks. It generates multiple versions of bytecode, which are then submitted to the eBPF verifier. Versions not approved by the verifier are discarded, and the performance of the remaining ones is analyzed to assess differences in latency, size, and throughput. However, one limitation of K2 is that it does not integrate directly with the eBPF runtime optimizations, which can limit its applicability in dynamic network environments. This is a gap that my research addresses by proposing a more integrated and context-aware optimization approach.

Additionally, it has been observed that KDMs significantly outperform UDMs in terms of volumetric attack detection accuracy, packet reception rate, packet drop rate, and CPU utilization. However, UDM systems demonstrate better accuracy on average-sized networks while CPU overhead and packet drop rates increase on larger networks. Detection engines operating in user space require more processing power compared to VNFs running within kernel space. Packets received by the network card are copied to the kernel where attacks are detected before the flow is forwarded to other userland applications, thereby reducing CPU overhead. A comparison of related work based on threat detection accuracy, data acquisition methods, and network throughput achieved is shown in Table 1.

Comment 3:

It would be beneficial for the authors to provide more information about the technical and software characteristics of their testbed (RAM, CPU, Hypervisor, etc.). This would assist in the replicability of the results.

Response to Comment 3:

Thank you for suggesting the inclusion of detailed technical and software characteristics of our testbed. Providing such information will indeed aid in the replicability of our results.

Also, the characteristics of the testbed environment are presented in Table 2.

 

Comment 4:

All the plots are very clear and informative. However, it would be beneficial to directly compare the proposed solution against the traditional IDSPS solutions, in terms of efficiency and overhead to prove the superiority of the proposed solution.

Response to Comment 4:

Thank you for your positive feedback on the clarity and informativeness of the plots. We appreciate your suggestion to directly compare the proposed solution with traditional IDPS solutions in terms of efficiency and overhead. This comparison will indeed highlight the superiority of our proposed solution.

iKern vs eBPF-Based VNF and IDPS

In the comparative analysis of iKern versus eBPF and IDPS, the iKern detection engine demonstrated a 98.84% accuracy in detecting volumetric and multi-vector floods. These floods were generated at a data rate of 1 Gbps using a network card that supports 1 Gbps. There was a 0% drop rate on all three cores used for acquiring the large floods, successfully forwarding all packets to the iKern detection engine. All three cores utilized up to 97% of the average CPU at 1 Gbps throughput. The iKern detection module, using eBPF and Streamed Data Acquisition, also showed 98.84% accuracy in detecting and mitigating the attacks.

Related work on eBPF-based Virtual Network Functions [13], [25], [14], [15], [18], [29], [31] used the afpacket module for capturing network packets, which performs acquisition using a ring buffer created inside the Linux kernel's default network stack. With afpacket, a packet reception rate of 420 Mbps was achieved for the launched volumetric and multi-vector floods. Detection performed using VNF within the kernel showed a 98.76% accuracy. Conversely, iKern achieved a throughput of 1000 Mbps using the pf_ring kernel socket under similar attack conditions. The IDA exhibited a 98.84% detection accuracy. iKern outperformed the related work in terms of acquisition of volumetric and multi-vector floods at high throughput, achieving a 0% packet drop rate and 100% packet reception at 1000 Mbps. The IDA excelled in the detection of floods, maintaining 98.84% accuracy. A load-balancing technique applied to the iKern DM distributed the load evenly among the three iKern instances.

Furthermore, IDPS data shows no throughput or CPU usage reported, indicating that these systems might not have been deployed in a comparable environment or with similar metrics. Table 6 presents a comparative analysis of iKern and related work based on achieved throughput and detection accuracy of attacks, including the performance impact on traditional IDPS where applicable.

Author Response File: Author Response.docx

Reviewer 2 Report

Comments and Suggestions for Authors

Congratulations on the paper. The approach using monitoring control of large data flows seems very interesting, and its implementation cost does not seem high. The ratios shown in the paper are very useful to analyze the balancing with the use of different cores. Using the iKern tool to detect and eliminate malicious traffic, preventing it from accessing user space, has been very interesting to me.

Author Response

Response to the Comments of Reviewer 2

Congratulations on the paper. The approach using monitoring control of large data flows seems very interesting, and its implementation cost does not seem high. The ratios shown in the paper are very useful to analyze the balancing with the use of different cores. Using the iKern tool to detect and eliminate malicious traffic, preventing it from accessing user space, has been very interesting to me.

Response:

Thank you for your kind feedback and appreciation of our work with the iKern tool.

Author Response File: Author Response.docx

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

The authors have addressed all of the reviewer's comments.
