Leveraging eBPF to Build Effective High-Interaction Honeypots

Today, people and businesses make heavy use of interconnected information systems (the Internet). This is not without risk, as a large portion of people and businesses are affected by cyber attacks every year. Securing an information system depends to a great extent on understanding existing and emerging threats, so collecting information about malicious activities is of great importance. Honeypots are a tool that enables the collection of such information: they let themselves be compromised by an attacker and log the attacker's actions, giving insight into the attacker's behaviour and motives. The strength of honeypots is that they allow the collection of information not only about known attacks, but also about previously unknown zero-day attacks. There are different types of honeypots: ones that allow the attacker little interaction with the honeypot and ones that allow a high amount of interaction. This research focuses on high-interaction honeypots. There are several ways of building a high-interaction honeypot; one of them is to use an entire system as the honeypot and use the kernel of that system to capture the activities of the attacker once the system is compromised. In the past, kernel modules have been used to build such honeypots. Nowadays there is another technology that allows the Linux kernel to be extended: eBPF. eBPF allows sandboxed programs to run in the privileged context of the kernel, where they can extend its capabilities. The advantage of eBPF over kernel modules is that eBPF programs are not directly dependent on the kernel version and that eBPF is designed to reduce the risk of kernel corruption. In this research we focus on the use of eBPF to build effective high-interaction honeypots by answering the following research question:

How can eBPF be leveraged to build effective high-interaction honeypots? To help answer this question, we formulate the following subquestions:

  • What capabilities does eBPF provide for system observability?
  • How can the capabilities of eBPF be used to hide the presence of the honeypot from adversaries?
  • How can logs captured by an eBPF honeypot be recovered without detection?
  • Does the mere use of eBPF prevent any of the detection methods found for kernel-based honeypots?
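The observability capability the first subquestion asks about rests on a kernel-side eBPF probe emitting events and a userspace collector turning them into a record of what the attacker did. The block below is an added illustration of that collector side, not code from the thesis or from any eBPF project: it assumes a packed record layout (pid, ppid, uid, comm, filename) that a probe on the process-exec tracepoint would push into a ring buffer, parses a batch of such records, and groups them into login sessions by following the pid/ppid chain from the shell that the login daemon spawned. The sample buffer is constructed inline; the kernel-side program is not shown.

```python
"""Userspace collector for exec events emitted by a kernel-side eBPF honeypot probe.

Added illustration, not the thesis's own code. The record layout is an
assumption about what an eBPF program on the process-exec tracepoint would
write into a BPF ring buffer; the kernel side is not part of this example.
"""
import struct
from dataclasses import dataclass

# Assumed packed record layout written by the eBPF program (little-endian):
#   u32 pid, u32 ppid, u32 uid, char comm[16], char filename[64]
EVENT_FMT = "<III16s64s"
EVENT_SIZE = struct.calcsize(EVENT_FMT)  # 92 bytes per record


@dataclass
class ExecEvent:
    pid: int
    ppid: int
    uid: int
    comm: str
    filename: str


def _cstr(raw: bytes) -> str:
    """Decode a NUL-terminated fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_events(buf: bytes) -> list:
    """Parse a batch of raw records read from the ring buffer."""
    if len(buf) % EVENT_SIZE:
        raise ValueError(f"buffer length {len(buf)} is not a multiple of {EVENT_SIZE}")
    events = []
    for off in range(0, len(buf), EVENT_SIZE):
        pid, ppid, uid, comm, filename = struct.unpack_from(EVENT_FMT, buf, off)
        events.append(ExecEvent(pid, ppid, uid, _cstr(comm), _cstr(filename)))
    return events


def build_sessions(events: list, login_comm: str = "sshd") -> dict:
    """Group exec events into attacker sessions.

    A session starts with the first non-login-daemon process spawned by the
    login daemon (typically the login shell); every descendant of that shell
    is attributed to the same session via the pid -> ppid chain. Processes
    with no such ancestor are background noise and are dropped.
    """
    login_pids = set()      # pids whose comm is the login daemon
    session_of = {}         # pid -> session root pid
    sessions = {}           # session root pid -> executed programs, in order
    for ev in events:
        if ev.comm == login_comm:
            login_pids.add(ev.pid)
            continue
        if ev.ppid in login_pids:
            root = ev.pid
            sessions[root] = []
        elif ev.ppid in session_of:
            root = session_of[ev.ppid]
        else:
            continue
        session_of[ev.pid] = root
        sessions[root].append(ev.filename)
    return sessions


def _rec(pid: int, ppid: int, uid: int, comm: str, filename: str) -> bytes:
    """Pack one record exactly as the assumed kernel-side probe would."""
    return struct.pack(EVENT_FMT, pid, ppid, uid, comm.encode(), filename.encode())


# Constructed sample ring-buffer contents: the daemon, one login, the programs
# run inside that login shell, and an unrelated cron job that must be ignored.
SAMPLE_BUFFER = b"".join([
    _rec(700, 1, 0, "sshd", "/usr/sbin/sshd"),
    _rec(1501, 700, 0, "sshd", "/usr/sbin/sshd"),
    _rec(1502, 1501, 1000, "bash", "/bin/bash"),
    _rec(1503, 1502, 1000, "uname", "/usr/bin/uname"),
    _rec(1504, 1502, 1000, "wget", "/usr/bin/wget"),
    _rec(1505, 1502, 1000, "sh", "/bin/sh"),
    _rec(1506, 1505, 1000, "chmod", "/bin/chmod"),
    _rec(1600, 900, 0, "run-parts", "/usr/bin/run-parts"),
])

if __name__ == "__main__":
    for root, programs in build_sessions(parse_events(SAMPLE_BUFFER)).items():
        print(f"session rooted at pid {root}: {' -> '.join(programs)}")
```

The session grouping is the part a honeypot operator actually reads: a flat exec log mixes the attacker's commands with system noise, while following the ppid chain from the login shell yields one ordered command sequence per intrusion. A real collector would read the records from the ring buffer with libbpf or bcc instead of the constructed byte string.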
Dainara Datadin