Contact: Maximilian Bachl

This repository contains the code for the paper A flow-based IDS using Machine Learning in eBPF (arXiv).

Requires Linux kernel >= 5.3 because 5.3 adds limited support for loops in eBPF. All code was run on Debian Buster.

Tested with Python 3.7.9; Python 3.8 or newer does not seem to work. Requires py-virtnet 1.0.1 (Install with sudo pip3.7 install py-virtnet).

Compiled with g++ 10.2.1.

You'll need the bcc library, which can be installed with sudo apt install bcc on Debian.

Moreover you need the bcc headers, which can be installed with sudo apt install libbpfcc-dev on Debian.

Also, some generic kernel headers might be needed. Install them with sudo apt install linux-headers-$(uname -r) on Debian.

If you encounter some problems, the resolution of this issue might help.

g++ -DUSERSPACE -fpermissive -I/usr/include/bcc ebpf_wrapper.cc -lbcc -o ebpf_wrapper

sudo python3.7 test.py --run_scenario just_one_flow

g++ -fpermissive -I/usr/include/bcc ebpf_wrapper.cc -lbcc -o ebpf_wrapper

sudo python3.7 test.py --run_scenario just_one_flow

To train a decision tree, check out the decision_tree branch of the adversarial-recurrent-ids repository and follow the instructions there to make it work. Train a decision tree like this:

./learn.py --dataroot flows.pickle --function train_dt

Your trained decision tree will be output in the runs folder. Change the prefix_path in ebpf_wrapper.cc to point to the directory containing your new decision tree and recompile it (see above (Run in userspace) or (Run as eBPF)).