An eBPF-Based Threat Observability System for Cloud-Oriented Environment


Authors: LIU Sinuo (刘斯诺); RUAN Shuhua (阮树骅); CHEN Xingshu (陈兴蜀); ZHENG Tao (郑涛) (School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China; Cyber Science Research Institute, Sichuan University, Chengdu 610065, China)

Affiliations: [1] School of Cyber Science and Engineering, Sichuan University, Chengdu 610065; [2] Cyber Science Research Institute, Sichuan University, Chengdu 610065

Source: Netinfo Security (《信息网络安全》), 2024, No. 4, pp. 534-544 (11 pages)

Funding: National Natural Science Foundation of China [U19A2081]; Fundamental Research Funds for the Central Universities [SCU2023D008, 2023SCU12129]; Sichuan University Science and Engineering Development Program [2020SCUNG129].

Abstract (translated from the Chinese): As the types of threats in the cloud and their attack paths become more diverse, single-dimensional threat data can no longer accurately characterize complex and changing threat behaviors. This paper proposes ETOS (eBPF-Based Threat Observability System), a threat observation system built on the extended Berkeley Packet Filter (eBPF). First, by assessing the risk level of each action within a threat behavior, observation points are set up for key actions in a layered and classified manner, so that eBPF probes can be activated on demand on the target machine to obtain multi-dimensional, structured threat behavior data; this data expresses threat behaviors in the cloud environment effectively and reduces the preprocessing cost of data analysis. Second, a generic eBPF probe template is designed to allow the probe library to be extended automatically. Finally, 18 container escape vulnerabilities (Common Vulnerabilities and Exposures, CVE) are reproduced on a container cloud platform and their threat behaviors are observed with ETOS. The experimental results show that ETOS can observe threat behaviors at multiple levels and output multi-dimensional structured threat data, while the overall overhead introduced on the system and the network is below 2%, meeting the operational requirements of a cloud platform.

Abstract (authors' English version): As the types of threats in the cloud and the diversity of attack vectors increase, single-dimensional threat data struggles to accurately portray complex and ever-changing threat behaviors. This paper proposes ETOS (eBPF-based threat observability system), a multi-level threat observation system tailored for cloud environments. By assessing the risk of each action within threat behaviors, ETOS strategically sets up observation points for hierarchical classification of critical actions, dynamically activates eBPF probes as needed on the target machines, and thus acquires multi-dimensional structured threat behavior data. This approach effectively represents threat behaviors in cloud environments and significantly reduces the preprocessing cost for data analysis. We also designed a generic eBPF threat probe template to automate the expansion of the probe library. ETOS was examined on a container cloud platform by reproducing 18 container escape CVEs and observing their threat behaviors. The experimental results show that ETOS is capable of observing threat behaviors on multiple levels and collecting multi-dimensional structured threat data. The introduced overhead on the system and network remains below 2%, meeting the operational requirements of cloud platforms.

Keywords: threat observation; eBPF observability; cloud computing security; data collection

Classification: TP309 [Automation and Computer Technology / Computer System Architecture]
