Intrusion detection on network devices with the Berkeley Packet Filter

Bibliographic details
Year of defense: 2023
Main author: Carvalho, Diego Couto de
Advisor: Not provided by the institution
Examining committee: Not provided by the institution
Document type: Dissertation (master's thesis)
Access type: Open access
Language: por
Defending institution: Universidade Federal de Santa Maria
Brazil
Computer Science
UFSM
Graduate Program in Computer Science
Technology Center
Graduate program: Not provided by the institution
Department: Not provided by the institution
Country: Not provided by the institution
Keywords in Portuguese:
Access link: http://repositorio.ufsm.br/handle/1/30182
Abstract: Modern intrusion detection systems are commonly built with machine learning (ML) algorithms and feature selection. However, the computational cost of these algorithms limits the ability to respond to intrusions immediately, because they are typically run on controllers: centralized devices that process information received from probes on the network in order to obtain a classification result for the analyzed traffic. As a result, threat identification may be delayed, and the centralized device may be overloaded if attacks occur on multiple devices simultaneously. In this work, an architecture for real-time intrusion detection on eBPF-compatible network devices is proposed, using ML models optimized asynchronously through a feature selection strategy. Such optimization is necessary to cope with the constraints that eBPF imposes when executed on network devices, which limit the generated programs in terms of memory, available helper functions, and program size. The architecture aims to configure a classifier that can be deployed on network devices such as switches, so that classification is performed directly on these devices and probes that send information to controllers are no longer needed. As a proof of concept, a model is constructed starting from a computer that evaluates and configures a classifier compatible with eBPF devices in the Linux kernel. The results show that the proposed solution can detect and prevent intrusions in real time with low overhead for the evaluated scenarios.