Karma IDS

A Linux based real-time Network Intrusion Detection System which uses eBPF for live packet capturing and LSTM for a threat classification model.

Created on 20th April 2024

The problem Karma IDS solves

Traditional security methods might not catch an attack until after the damage has been done. eBPF's real-time monitoring allows for quicker detection and response, minimizing the impact of an attack and keeping the target safer.
Cyberattacks often target specific organizations, but successful attacks can have ripple effects. By strengthening overall cybersecurity, eBPF helps protect the interconnected systems that society relies on, from online banking to medical records.
Improved Cybersecurity: Our project offers a more robust intrusion detection and prevention system, leading to better protection against cyberattacks. This translates to greater security for individuals and society, as cyberattacks can target critical infrastructure and personal data. Early detection of threats can prevent data breaches. Financial losses, identity theft, and reputational damage are all potential outcomes of a data breach. Our project helps to mitigate these risks.
More Efficient Use of Security Resources: By minimizing false positives and negatives using machine learning, our system allows security teams to focus on real threats, optimizing their time and resources.
Scalability for Growing Needs: The ability to adapt to increasing traffic and new threats is crucial in the face of constantly evolving cyber threats. Our project's scalability helps to ensure that it remains effective over time. The user-friendly interface gives security professionals the tools to analyze network activity and act against threats effectively. This can lead to more secure systems and networks for everyone.

Challenges we ran into

The challenges started with learning about the low-level programming of the eBPF technology. We encountered issues with probing and the implementation of the count feature for the captured packets, and with figuring out where exactly in the network stack we should attach the BPF probe. We encountered many, many errors along the way. Some were solvable, like some segmentation faults and key errors, while others, like the bit-field requested errors for the C program, were something we had to work our way around. eBPF is a sandboxed technology, and the JIT compiler means that there are certain limitations to what we can access. The integration of the eBPF technology with the AI model was fraught with challenges, as we had to figure out the best way to integrate it so that the security risks are minimized. The time for which each program had to run and the order had to be figured out.
There were also challenges we faced in the LSTM modelling part. The dataset itself that we used had great differences in the categorization of the attacks. We had to figure out which loss function would minimize this and increase the accuracy to a good percentage.
There were, of course, a lot of dimensional errors and runtime errors that we figured out along the way.
Kernel programs are extremely hard to debug so it was challenging to identify each problem and debug at a kernel/OS level as we have limited prior experience.

Tracks Applied (2)

AI-ML

A major part of our project was to build an AI based LSTM Model to classify threats for the detection of malicious netwo...

Open Innovation

Our project is building upon a number of research papers as well as some problems that we noticed in traditional Network...
