Using eBPF to build effective high-interaction honeypots
Nowadays, people and organizations make intensive use of interconnected information systems (the internet). However, this entails risks, as a large proportion of individuals and organizations are affected by cyber attacks every year. Securing an information system depends to a large extent on understanding existing and emerging threats, so collecting information about malicious activities is crucial. Honeypots are tools designed specifically to collect this information: they deliberately allow themselves to be compromised and log the attackers' actions, providing valuable insight into the behavior and motives of attackers. The power of honeypots lies in their ability to detect not only known attacks but also previously unknown zero-day attacks.
High-interaction honeypots and eBPF
There are different types of honeypots, ranging from systems with minimal interaction to honeypots that allow a high degree of interaction with attackers. This research focuses specifically on high-interaction honeypots. A commonly used method for implementing such honeypots is to deploy an entire system as a honeypot and use the kernel to monitor an attacker's activities after a compromise. In the past, this was often achieved with kernel modules. However, recent developments show that eBPF (extended Berkeley Packet Filter) is increasingly being used to extend the functionality of the Linux kernel.
Building effective high-interaction honeypots
eBPF makes it possible to run sandboxed programs within the privileged context of the kernel without being directly dependent on a specific kernel version. Because the kernel verifies each eBPF program before loading it, this design reduces the risk of kernel corruption compared to traditional kernel modules. The research focused on leveraging eBPF to build effective high-interaction honeypots and used a gray-literature analysis to explore the capabilities of eBPF in three areas: system observability, honeypot concealment, and secure log retrieval. This analysis included open-source eBPF projects, such as intrusion detection and malware analysis tools, in which techniques relevant to honeypots are applied.
Proof of concept and detection tests
In addition, a proof-of-concept eBPF honeypot was developed to demonstrate the practical applicability of the identified techniques. Due to practical limitations, however, it was not feasible to implement and test every possible technique, so the proof of concept included only one method for system observation, one technique for hiding the honeypot, and one approach for log retrieval.
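As an added illustration of the system-observation side described above (example code, not the thesis' proof of concept), the following bpftrace script shows what an eBPF observation hook for a high-interaction honeypot looks like: it logs the programs executed, files opened for writing, and outbound IPv4 connections made by one login session. It assumes a constructed bait account with UID 1000 and that the host has BTF so that kernel structs resolve.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not the thesis' proof of concept: an eBPF observation hook
// for a high-interaction honeypot, written as a bpftrace script.
// Assumption (constructed value): the bait account the attacker logs into
// has UID 1000; only that session's activity is logged.
// Run as root on the honeypot host: sudo bpftrace honeypot-observe.bt

BEGIN
{
  @bait_uid = 1000;    // constructed: UID of the honeypot's bait account
  printf("%-8s %-6s %-6s %-16s %s\n", "TIME", "PID", "PPID", "COMM", "EVENT");
}

// Every program the attacker executes, with its full argument vector.
tracepoint:syscalls:sys_enter_execve
/uid == @bait_uid/
{
  printf("%-8s %-6d %-6d %-16s exec ", strftime("%H:%M:%S", nsecs), pid,
         curtask->real_parent->pid, comm);
  join(args->argv);                  // prints argv joined by spaces, then newline
}

// Files opened for writing (O_WRONLY=1, O_RDWR=2): dropped tools, edited
// configs, truncated logs.
tracepoint:syscalls:sys_enter_openat
/uid == @bait_uid && (args->flags & 3) != 0/
{
  printf("%-8s %-6d %-6d %-16s write-open %s\n", strftime("%H:%M:%S", nsecs), pid,
         curtask->real_parent->pid, comm, str(args->filename));
}

// Outbound IPv4 connections (downloads, command-and-control, lateral movement).
tracepoint:syscalls:sys_enter_connect
/uid == @bait_uid/
{
  $sa = (struct sockaddr_in *)args->uservaddr;
  if ($sa->sin_family == AF_INET) {
    // sin_port is stored big-endian; swap the two bytes for printing
    $port = (($sa->sin_port & 0xff) << 8) | ($sa->sin_port >> 8);
    printf("%-8s %-6d %-6d %-16s connect %s:%d\n", strftime("%H:%M:%S", nsecs), pid,
           curtask->real_parent->pid, comm, ntop(AF_INET, $sa->sin_addr.s_addr), $port);
  }
}
```

In a deployed honeypot the output would be shipped off the host rather than written locally, which is the log-retrieval problem the abstract names as a separate area.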
To answer the last subquestion, detection methods traditionally used against kernel-module-based honeypots, specifically Sebek, were tested against the proof-of-concept honeypot to determine whether eBPF inherently mitigates these detection techniques.