Utilizing eBPF for Malware Analysis
Cybercrime poses a huge financial problem for organizations worldwide. In 2021, the financial damage caused by cybercrime was estimated at up to 6 trillion dollars. Cybercriminals use malware to steal sensitive data, hold data hostage, and perform other malicious activities. Many types of malware are highly specialized for specific targets. To protect against these threats, it is essential to understand how the malware works.
Malware analysis is the practice of determining the purpose and functionality of a piece of malware. One method is static analysis, where the sample is examined without executing it. However, malware is often obfuscated, which makes static analysis difficult. In such cases, researchers turn to dynamic malware analysis, where the sample is executed and its behavior is observed. To prevent the malware from causing real harm, it is executed in a sandboxed environment. However, cybercriminals have adapted their malware to detect such environments and the tools that monitor them; a sample that notices it is being analyzed typically hides its real behavior or terminates, so the analysis records nothing of interest.
Advanced Tracing and Monitoring with eBPF
eBPF is a Linux kernel feature (the bpf() system call has been in the mainline kernel since version 3.18) that allows small, sandboxed programs to run inside the kernel, enabling extensive tracing and monitoring of kernel events. It is widely regarded as a safer way to add programmability to the kernel than loadable kernel modules: a faulty module can crash the kernel, whereas every eBPF program is checked by the in-kernel verifier before it is loaded, which rejects programs that could read or write memory out of bounds, loop without bound, or otherwise leave the kernel in an unsafe state or consume excessive resources. eBPF programs can attach to predefined tracepoints in the kernel, including the system-call entry and exit tracepoints, to arbitrary kernel functions through kprobes, and to userspace functions through uprobes. Additionally, with the eXpress Data Path (XDP), eBPF packet-processing programs run at the network driver, enabling advanced network monitoring and filtering. For malware analysis, the important property is that the monitoring happens inside the kernel: unlike ptrace-based tracers, which a sample can spot through the TracerPid field in /proc/self/status, or LD_PRELOAD hooks, which are visible in its own environment and memory mappings, an eBPF probe leaves no trace in the monitored process, and an unprivileged sample cannot list or unload the loaded programs.
This research investigated the effectiveness of using eBPF’s observability features to analyze malware targeting Linux systems. The research involved studying how Linux-based malware typically behaves and developing several programs, each simulating one aspect of Linux malware. A proof-of-concept suite of eBPF programs was then implemented and evaluated for its effectiveness in classifying the behavior of each malware-emulating program.
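The following is an added example, not code from the research described on this page. It shows the userspace half of such a suite: a classifier that correlates the system-call events an eBPF program attached to the raw_syscalls:sys_enter and sys_exit tracepoints could export through a ring buffer, and labels each process with the malware behaviors it exhibits. The event shape (pid, syscall name, decoded arguments, return value) is an assumption, and the sample trace is constructed by hand in that shape, with one process per emulated behavior (reverse shell, cron persistence, credential exfiltration, ptrace injection) plus one benign editor.

```python
"""Classify eBPF syscall events into Linux-malware behaviours.

Added example for this page, not code from the research it describes. It
assumes an eBPF program on the raw_syscalls:sys_enter / sys_exit tracepoints
has already exported one record per syscall (pid, syscall name, decoded
arguments, return value) through a ring buffer; the trace below is
constructed by hand in that assumed shape.
"""
from collections import defaultdict

O_ACCMODE = 0o3                         # low two bits of open(2) flags: RDONLY/WRONLY/RDWR
PTRACE_POKETEXT, PTRACE_ATTACH = 4, 16  # ptrace(2) request numbers on Linux
SENSITIVE_PREFIXES = ("/etc/shadow", "/root/.ssh/", "/etc/ssh/ssh_host_")
PERSISTENCE_PREFIXES = ("/etc/cron", "/var/spool/cron", "/etc/systemd/system/",
                        "/etc/rc.local", "/etc/ld.so.preload")
PERSISTENCE_SUFFIXES = ("/.bashrc", "/.profile", "/.ssh/authorized_keys")

# Constructed sample trace: four malicious processes and one benign editor.
SAMPLE_TRACE = [
    # pid 101: reverse shell - socket, connect, dup2 onto stdin/stdout/stderr, exec a shell
    {"pid": 101, "syscall": "socket",  "args": {"domain": 2, "type": 1}, "ret": 3},
    {"pid": 101, "syscall": "connect", "args": {"fd": 3, "addr": "198.51.100.7:4444"}, "ret": 0},
    {"pid": 101, "syscall": "dup2",    "args": {"oldfd": 3, "newfd": 0}, "ret": 0},
    {"pid": 101, "syscall": "dup2",    "args": {"oldfd": 3, "newfd": 1}, "ret": 1},
    {"pid": 101, "syscall": "dup2",    "args": {"oldfd": 3, "newfd": 2}, "ret": 2},
    {"pid": 101, "syscall": "execve",  "args": {"filename": "/bin/sh"}, "ret": 0},
    # pid 202: persistence - create a cron job
    {"pid": 202, "syscall": "openat",  "args": {"filename": "/etc/cron.d/update", "flags": 0o1101}, "ret": 4},
    {"pid": 202, "syscall": "write",   "args": {"fd": 4, "count": 58}, "ret": 58},
    # pid 303: credential theft - read /etc/shadow, then ship it over a TCP connection
    {"pid": 303, "syscall": "openat",  "args": {"filename": "/etc/shadow", "flags": 0}, "ret": 5},
    {"pid": 303, "syscall": "read",    "args": {"fd": 5, "count": 4096}, "ret": 1200},
    {"pid": 303, "syscall": "socket",  "args": {"domain": 2, "type": 1}, "ret": 6},
    {"pid": 303, "syscall": "connect", "args": {"fd": 6, "addr": "203.0.113.9:443"}, "ret": 0},
    {"pid": 303, "syscall": "sendto",  "args": {"fd": 6, "count": 1200}, "ret": 1200},
    # pid 404: process injection - attach to another process and write into its text
    {"pid": 404, "syscall": "ptrace",  "args": {"request": PTRACE_ATTACH, "pid": 999}, "ret": 0},
    {"pid": 404, "syscall": "ptrace",  "args": {"request": PTRACE_POKETEXT, "pid": 999}, "ret": 0},
    # pid 505: benign - an editor saving a file under $HOME
    {"pid": 505, "syscall": "openat",  "args": {"filename": "/home/u/notes.txt", "flags": 0o1101}, "ret": 3},
    {"pid": 505, "syscall": "write",   "args": {"fd": 3, "count": 20}, "ret": 20},
]


def classify(trace):
    """Return {pid: sorted list of behaviour labels} for every pid in the trace.

    Every rule correlates several syscalls of one process, so a lone openat,
    connect or ptrace never produces a label by itself.
    """
    state = defaultdict(lambda: {
        "sockets": set(), "connected": set(), "std_on_socket": set(),
        "sensitive_fds": set(), "read_sensitive": False,
        "traced": set(), "labels": set(),
    })
    for ev in trace:
        st, name, a, ret = state[ev["pid"]], ev["syscall"], ev["args"], ev["ret"]
        if ret < 0:                      # a failed syscall grants no capability
            continue
        if name == "socket":
            st["sockets"].add(ret)
        elif name == "connect" and a["fd"] in st["sockets"]:
            st["connected"].add(a["fd"])
        elif name == "dup2" and a["oldfd"] in st["connected"] and a["newfd"] in (0, 1, 2):
            st["std_on_socket"].add(a["newfd"])
        elif name == "execve" and {0, 1} <= st["std_on_socket"]:
            st["labels"].add("reverse_shell")   # new image inherits a remote peer as stdio
        elif name == "openat":
            path = a["filename"]
            writing = (a["flags"] & O_ACCMODE) != 0
            if writing and (path.startswith(PERSISTENCE_PREFIXES)
                            or path.endswith(PERSISTENCE_SUFFIXES)):
                st["labels"].add("persistence")
            if path.startswith(SENSITIVE_PREFIXES):
                st["sensitive_fds"].add(ret)
        elif name == "read" and a["fd"] in st["sensitive_fds"]:
            st["read_sensitive"] = True
        elif name in ("write", "sendto") and a["fd"] in st["connected"] and st["read_sensitive"]:
            st["labels"].add("exfiltration")   # secret was read, then bytes left over a socket
        elif name == "ptrace" and a["request"] == PTRACE_ATTACH:
            st["traced"].add(a["pid"])
        elif name == "ptrace" and a["request"] == PTRACE_POKETEXT and a["pid"] in st["traced"]:
            st["labels"].add("process_injection")
    return {pid: sorted(st["labels"]) for pid, st in state.items()}


if __name__ == "__main__":
    for pid, labels in classify(SAMPLE_TRACE).items():
        print(pid, labels or ["benign"])
```

Each rule is a small per-process state machine rather than a single-syscall signature: a connect() on its own is what every network client does, and only the later dup2() of that socket onto fd 0 and 1 followed by execve() distinguishes a reverse shell. The same structure carries over to a real deployment, where the dictionaries would be filled from the ring-buffer records instead of the constructed list.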