Back to overview

Download research

* required

By downloading you indicate that you have taken note of our privacy Statement.

Leveraging eBPF to Build Effective High-Interaction Honeypots

In current times, people and businesses make great use of interconnected information systems (the Internet). This is not without risk, however, as a large portion of individuals and organizations are affected by cyberattacks yearly. Securing an information system depends to a great extent on understanding existing and emerging threats. To achieve this, collecting information about malicious activities is crucial. Honeypots are tools designed to collect such information by intentionally being compromised by attackers and logging their actions, providing insight into attackers’ behavior and motives. The strength of honeypots lies in their ability to collect information not only about known attacks but also about previously unknown zero-day attacks.

There are different types of honeypots, including those that allow minimal interaction with attackers and those that enable high levels of interaction. This research focused on high-interaction honeypots. One method for creating high-interaction honeypots involves using an entire system as the honeypot and leveraging the system’s kernel to monitor the attacker’s activities after a compromise. In the past, kernel modules were commonly used to achieve this. More recently, a new technology called eBPF (extended Berkeley Packet Filter) has been used to extend the Linux kernel’s capabilities.

Building effective high-interaction honeypots

eBPF enables sandboxed programs to run in the privileged context of the kernel, allowing them to extend its functionality without being directly tied to the kernel version. This design reduces the risk of kernel corruption compared to traditional kernel modules. This research focused on utilizing eBPF to build effective high-interaction honeypots and used a gray literature analysis to explore eBPF’s capabilities for system observability, honeypot concealment, and secure log retrieval. This analysis included research on open-source eBPF projects, such as intrusion detection and malware analysis projects, as these contain techniques applicable to honeypots.

Additionally, a proof-of-concept eBPF honeypot was constructed to demonstrate the practical applicability of techniques identified during the literature analysis. However, due to practical constraints, it was deemed infeasible to test all possible techniques. Consequently, the proof-of-concept honeypot implemented only a single method for system observation, one technique for hiding the honeypot, and one approach for log recovery.

To answer the final subquestion, detection methods used against kernel-module-based honeypots, specifically Sebek, were tested on the proof-of-concept honeypot to determine whether eBPF inherently mitigates these detection techniques.

Stay up to date
By signing up for our newsletter you indicate that you have taken note of our privacy statement.
Table of contents
Michael Veentjer

Let's talk!

info@sue.nl +31 345 656 666

* required

By sending this form you indicate that you have taken note of our privacy Statement.

Related resources

Evaluation of current TCP Prague implementation

*Collaboration with the University of Amsterdam* | We have evaluated the different implementations of TCP Prague to ensure fairness of internet usage, addressing the coexistence problem between scalable and non-scalable TCP traffic and between scalable CC implementations, ensuring equal access to the internet for everyone.

Published

10.07.2021

Utilising eBPF for Malware Analysis

*Collaboration the with University of Amsterdam* | An exciting, new feature of the Linux kernel is eBPF. It allows users to to hook programs to many places in the Linux kernel at run-time. In order to evaluate this program suite, we created a framework that executes the emulated malware programs while the eBPF programs are hooked in the system.

Published

22.06.2023

Collaborative Edge-Cloud Computing for Efficient Resource Utilisation

*Collaboration with the University of Amsterdam* | Nowadays, the computing requirements for running different applications keep increasing. When setting up a system to run these apps, there are multiple possibilities to take into account.

Published

09.01.2025

Privacy Overview
This website uses cookies. We use cookies to ensure the proper functioning of our website and services, to analyze how visitors interact with us, and to improve our products and marketing strategies. For more information, please consult our privacy- en cookiebeleid.