In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
October 2016
Brenden Blanco, PLUMgrid
Ali Khayam, PLUMgrid
Thank You to Sponsoring Members
IO Visor Project, What is in it?
• A set of development tools, IO Visor Dev Tools
• A set of IO Visor Tools for management and operations of the IO Visor Engine
• A set of Applications, Tools and open IO Modules built on top of the IO Visor framework
• A set of possible use cases & applications like Networking, Security, Tracing & others
The promise of Microservices: Better cloud app lifecycle
… but what about security?
• Shared kernel: larger attack surface?
• Self service: developer = security expert?
• Shared infrastructure: insider threats?
• Fast development & iteration: compromised zero trust?
Where should microservices security be implemented?
All layers… but from the app cloud provider's perspective: best to trust what you build/operate/control
=> "Security-as-a-Service" in the cloud infrastructure
[Figure: layered diagram showing the Infrastructure Operator below the Application Developer]
An ideal Security-as-a-Service offering
• Transparent: Application shouldn't be aware of this layer; no new software installation/configuration
• Generically applicable: Should be able to characterize microservice security profiles for diverse applications, without having visibility into service behavior
• Efficient: No compromises on performance or scalability
What features can characterize a Microservice Security Profile?
• API: API call, payload length
• Traffic: bytes tx/rx, packets tx/rx
• Disk I/O: disk I/O rx/tx
• Tenants: # of active tenants
… how to get these features without compromising transparency and efficiency?
How to extract features for Microservice Security Profiles?
Objectives: Transparency, Seamlessness, Efficiency
IO Visor instrumented infra to extract features for service security profiles:
▪ already present in Linux kernels
▪ capture API calls and resource usage
▪ system-call level insight
▪ real-time monitoring
▪ without efficiency degradation
[Figure: IOVisor framework diagram connecting Developers, Automation / Operations and Infrastructure with Advanced Monitoring, Security and Machine Learning (Monitor, Ops/Automation, Maintain)]
Plugging features into an ML model to learn Microservice security profiles
[Figure: Compute Node split into Kernel Space and User Space; API / Traffic Data and Disk/Memory Data from each Microservice flow to a Collector, where Machine Learning over API Traffic (Ingress / Egress) produces Microservice Security Profiles]
IO Visor Code Snippet (Userspace)
IO Visor Code Snippet (Kernel)
www.iovisor.org
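The two "Code Snippet" slides were images and did not survive extraction. What follows is an added example, not the deck's own snippet and not code from the IO Visor project: a bcc program in the shape the deck describes (a per-PID BPF_HASH for vfs_read and one for vfs_write, each holding a call count and the aggregate size, polled from userspace and cleared after every poll so the maps cannot grow). The probe function names, the map names `reads`/`writes`, the `io_stat` struct and the helper names are assumptions; the 60-second interval is the deck's. The userspace functions are pure Python so they run without bcc installed.

```python
"""Per-PID vfs_read/vfs_write counting with bcc and the poll-and-reset loop.

Added example modelled on the deck's description; names are assumptions.
"""
import time

# bcc is only needed to load and attach the probe.  The feature-extraction
# helpers below are pure Python so this file also runs where bcc is absent.
try:
    from bcc import BPF
except ImportError:  # e.g. running the helpers on a workstation
    BPF = None

# Kernel side: one hash map per hooked function, keyed by tgid ("pid" to
# userspace), value = {number of calls, aggregate bytes requested}.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/fs.h>

struct io_stat {
    u64 calls;   // number of vfs_read / vfs_write invocations
    u64 bytes;   // aggregate size requested across those calls
};

BPF_HASH(reads, u32, struct io_stat);
BPF_HASH(writes, u32, struct io_stat);

// vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
int trace_vfs_read(struct pt_regs *ctx, struct file *file, char *buf, size_t count) {
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct io_stat zero = {};
    struct io_stat *s = reads.lookup_or_try_init(&pid, &zero);
    if (s) { s->calls++; s->bytes += count; }
    return 0;
}

// vfs_write(struct file *file, const char __user *buf, size_t count, loff_t *pos)
int trace_vfs_write(struct pt_regs *ctx, struct file *file, const char *buf, size_t count) {
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct io_stat zero = {};
    struct io_stat *s = writes.lookup_or_try_init(&pid, &zero);
    if (s) { s->calls++; s->bytes += count; }
    return 0;
}
"""


def snapshot_and_reset(table):
    """Copy a map into {pid: (calls, bytes)} and clear it.

    Accepts a bcc Table (keys expose .value, values expose .calls/.bytes) or,
    for offline use, a plain dict of pid -> (calls, bytes).  Clearing after
    every poll is what bounds the kernel-side memory: nothing accumulates
    across polling intervals.
    """
    rows = {}
    for k, v in table.items():
        pid = getattr(k, "value", k)
        if hasattr(v, "calls"):
            rows[int(pid)] = (int(v.calls), int(v.bytes))
        else:
            rows[int(pid)] = (int(v[0]), int(v[1]))
    table.clear()
    return rows


def feature_vector(reads, writes):
    """Merge the two per-PID views into one feature row per PID:
    (read_calls, read_bytes, write_calls, write_bytes)."""
    pids = set(reads) | set(writes)
    return {pid: reads.get(pid, (0, 0)) + writes.get(pid, (0, 0)) for pid in pids}


def map_cells(active_pids):
    """Size bound from the deck: each active PID occupies key + two values."""
    return active_pids * 3


def run(interval_s=60):
    """Attach both kprobes and emit one feature row per PID every interval."""
    if BPF is None:
        raise SystemExit("bcc is required to attach the probes")
    b = BPF(text=BPF_PROGRAM)
    b.attach_kprobe(event="vfs_read", fn_name="trace_vfs_read")
    b.attach_kprobe(event="vfs_write", fn_name="trace_vfs_write")
    while True:
        time.sleep(interval_s)
        reads = snapshot_and_reset(b["reads"])
        writes = snapshot_and_reset(b["writes"])
        for pid, row in sorted(feature_vector(reads, writes).items()):
            # In the deck these rows are exported to the collector node.
            print(pid, *row)


if __name__ == "__main__":
    run()
```

Run as root on a kernel with eBPF and bcc installed; the map reset after each `snapshot_and_reset` is what keeps the per-compute-node memory cost at `map_cells(N)` entries regardless of how long the probe stays attached.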
Preliminary Evaluation
1) OpenStack Controller Services as Microservices
OpenStack Controller Services as Microservices
• IO Visor instrumentation is used to build security profiles of all controller services
  ▪ nova, neutron, keystone, cinder, etc.
• API calls learned as they arrive on the services' veth interface
  ▪ no pre-training of API calls
• IO Visor hooks to monitor vfs_{read/write} accesses from each service
  ▪ separated based on PIDs for each container
• ML algorithm builds security profiles based on initial (training) data
  ▪ then security profile deviations are used for attack detection on run-time data
Attack: Brute-force password cracking on keystone
• Lots of background (benign) traffic:
  ▪ Continuous CRUD APIs from a real-world app cloud use case
  ▪ All API calls (incl. service-to-service) must get auth_token from keystone first
• Attack traffic:
  ▪ 2-4 password attempts per second
  ▪ Attack continued for a sustained period of time
Results of brute-force password attack on keystone
Attack Detection Rate: 97%
False Positive Rate: 0%
• Results obtained from an ROC curve by tuning the detection threshold
• API and Traffic features are the main contributors to these results
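The deck describes the detection step only in outline: a profile is learned from benign training windows, deviations from it are scored at run time, and the detection threshold is chosen from an ROC curve. The following is an added example, not the deck's model (the deck does not say which algorithm was used): a deliberately simple per-feature z-score profile over the per-minute feature rows the instrumentation produces, with the threshold sweep that yields the ROC points. The feature names, the training and run-time rows and the thresholds are all constructed for this example.

```python
"""Profile learning, deviation scoring and ROC threshold sweep.

Added example; the z-score profile is a stand-in for the deck's unnamed ML
model, and all rows below are constructed sample data.
"""
from statistics import mean, pstdev

# One row per one-minute polling window: (api_calls, bytes_rx, vfs_read_calls).
FEATURES = ("api_calls", "bytes_rx", "read_calls")

# Constructed benign training windows (steady CRUD load against keystone).
TRAIN = [
    (600, 48000, 300), (620, 49600, 310), (590, 47200, 295),
    (610, 48800, 305), (605, 48400, 302), (595, 47600, 298),
]
# Constructed run-time windows: benign load, and windows that also carry
# a few password attempts per second (hundreds of extra calls per minute).
RUNTIME_BENIGN = [(602, 48160, 301), (612, 48960, 306)]
RUNTIME_ATTACK = [(780, 62400, 320), (840, 67200, 330)]


def learn_profile(rows):
    """Security profile = per-feature (mean, std) over benign windows.
    A zero std is replaced by 1.0 so a constant feature cannot divide by 0."""
    profile = {}
    for i, name in enumerate(FEATURES):
        column = [r[i] for r in rows]
        sd = pstdev(column)
        profile[name] = (mean(column), sd if sd > 0 else 1.0)
    return profile


def deviation(profile, row):
    """Deviation score = largest absolute z-score across the features."""
    return max(abs(row[i] - profile[n][0]) / profile[n][1]
               for i, n in enumerate(FEATURES))


def classify(profile, rows, threshold):
    """True where the window deviates from the profile by more than threshold."""
    return [deviation(profile, r) > threshold for r in rows]


def rates(profile, benign, attack, threshold):
    """(detection rate, false-positive rate) at one threshold."""
    tpr = sum(classify(profile, attack, threshold)) / len(attack)
    fpr = sum(classify(profile, benign, threshold)) / len(benign)
    return tpr, fpr


def roc(profile, benign, attack, thresholds):
    """ROC points (threshold, tpr, fpr); the operator picks the threshold
    with the best trade-off, as the deck's results slides describe."""
    return [(t,) + rates(profile, benign, attack, t) for t in thresholds]


if __name__ == "__main__":
    prof = learn_profile(TRAIN)
    for t, tpr, fpr in roc(prof, RUNTIME_BENIGN, RUNTIME_ATTACK, (0.5, 1, 2, 3, 5)):
        print(f"threshold={t:<4} detection={tpr:.2f} false_positive={fpr:.2f}")
```

With the constructed rows, thresholds at or above 2 standard deviations detect both attack windows with no false positives, while a threshold of 0.5 already flags one benign window: that trade-off is exactly what the ROC sweep on the results slides makes visible.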
Preliminary Evaluation
2) Database container using MySQL
MySQL Microservice instrumentation
• MySQL Docker image (MySQL version 5.7, docker 1.12)
• SQL queries (TCP packets) intercepted by IOVisor hooks on veth pairs
  ▪ handshakes, teardown and acks ignored
• IOVisor hooks for vfs_{read/write} for queries into a large DB (180Mb)
  ▪ separated on PID and TID for docker
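The slide states the packet-selection rule (count SQL query segments, ignore handshakes, teardown and pure ACKs) and the deck's traffic map is keyed by a 5-tuple flow id with packet and byte counters. As an added example, not the deck's eBPF program, here is the same classification and per-flow accounting written in userspace Python over constructed IPv4/TCP packets, so the rule can be checked offline; in the deck the equivalent logic runs in the kernel on the veth pair. The packet builder, addresses and payloads are all constructed for this example.

```python
"""5-tuple flow accounting that ignores handshake, teardown and pure ACKs.

Added example; userspace re-statement of the kernel-side rule the deck
describes.  All packets below are constructed (no Ethernet header, zero
checksums) so the parser can be exercised without a capture.
"""
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
IPPROTO_TCP = 6


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4 + TCP packet (20-byte headers, no options)."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def parse(pkt):
    """Return (five_tuple, tcp_flags, payload_len), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    data_offset = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    payload_len = total_len - ihl - data_offset
    return (src, dst, sport, dport, IPPROTO_TCP), flags, payload_len


def is_query_segment(flags, payload_len):
    """Deck rule: drop handshake (SYN), teardown (FIN/RST) and pure ACKs;
    only segments that carry application data count as queries/responses."""
    if flags & (TCP_SYN | TCP_FIN | TCP_RST):
        return False
    return payload_len > 0


def account(packets):
    """Per-5-tuple (packets, bytes) over the data-carrying segments only,
    mirroring the traffic map's key and two values."""
    flows = defaultdict(lambda: [0, 0])
    for pkt in packets:
        parsed = parse(pkt)
        if parsed is None:
            continue
        key, flags, plen = parsed
        if not is_query_segment(flags, plen):
            continue
        flows[key][0] += 1
        flows[key][1] += plen
    return {k: tuple(v) for k, v in flows.items()}


# Constructed exchange: handshake, one query, one response, teardown.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
SAMPLE = [
    build_packet(CLIENT, SERVER, 40000, 3306, TCP_SYN),
    build_packet(SERVER, CLIENT, 3306, 40000, TCP_SYN | TCP_ACK),
    build_packet(CLIENT, SERVER, 40000, 3306, TCP_ACK),
    build_packet(CLIENT, SERVER, 40000, 3306, TCP_ACK | TCP_PSH,
                 b"SELECT * FROM users WHERE id=1"),
    build_packet(SERVER, CLIENT, 3306, 40000, TCP_ACK),
    build_packet(SERVER, CLIENT, 3306, 40000, TCP_ACK | TCP_PSH, b"\x01" * 120),
    build_packet(CLIENT, SERVER, 40000, 3306, TCP_FIN | TCP_ACK),
]

if __name__ == "__main__":
    for flow, (pkts, nbytes) in account(SAMPLE).items():
        print(flow, pkts, nbytes)
```

Of the seven constructed segments only the two data-carrying ones are counted, one per direction; the response flow's byte count is what grows when a query pulls large segments of the database, which is the traffic signal the SQL-injection slides correlate with disk access.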
Attack: First-order SQL injection
• Benign traffic consisted of simulated SQL queries
  ▪ Generated randomly and continuously
• Attack results in extracting large segments of the DB
  ▪ Segment size varying
  ▪ In parallel to benign traffic on the microservice
Results of brute-force password attack on keystone
Attack Detection Rate: 93.5%
False Positive Rate: 3.5%
• Results obtained from an ROC curve by tuning the detection threshold
• Correlating Traffic and disk access was essential for detection
Dashboard
Conclusion: Meeting the requirements of an ideal Security-as-a-Service offering
Transparency
Application shouldn't be aware of this layer
• IO Visor works on eBPF constructs that are present in >4.x upstream kernels
• IO Visor instrumentation runs in kernel and is not visible to the developer
• The only non-standard dependency is the github.com/iovisor/bcc python library
Generic Applicability
Should be able to characterize microservice security profiles for diverse applications, without having visibility into service behavior
• Trained/Tested on SQL
• Trained/Tested on OpenStack services
• Future Work:
  ▪ Train/Test for DNS attacks
  ▪ Train/Test for ransomware attacks
Efficiency
No compromises on performance or scalability
• eBPF counting is done inside the kernel with little or no overhead
• Main overhead is kernel to userspace interaction
  ▪ Data polled by userspace every 1 minute
  ▪ All data structures are reset after polling; data cannot grow indefinitely
• Data is exported by the userspace application to a collector node
  ▪ Machine learning and classification is applied on the collector node, i.e. no impact to performance on computes
Efficiency
No compromises on performance or scalability
Data structures have low overhead:
• vfs_read (BPF_HASH): size at time ti = Ni x 3, where Ni = # of processes performing reads at ti; the map has {key: pid, value1: # of reads, value2: aggregate size of all reads}
• vfs_write (BPF_HASH): has the same structure as vfs_read
• traffic (BPF_HASH): size at time ti = Fi x 7, where Fi = # of active TCP flows at ti; the map's key is a 5-tuple flow id, and the values are the same as for vfs_{read/write}
• http_traffic (BPF_HISTOGRAM): size at time ti = Si x LSi x 7, where the key is a 5-tuple flow id of HTTP packets, Si = # of active HTTP sessions at ti, and LSi = # of HTTP packets with unique lengths received on session Si
How to Contribute
• github.com/akhayam/conmon (this presentation)
• www.iovisor.org
• github.com/iovisor
• #iovisor at irc.oftc.net
• lists.iovisor.org/mailman/listinfo/iovisor-dev
Questions?

Más contenido relacionado

La actualidad más candente

Crossing the river by feeling the stones from legacy to cloud native applica...
Crossing the river by feeling the stones  from legacy to cloud native applica...Crossing the river by feeling the stones  from legacy to cloud native applica...
Crossing the river by feeling the stones from legacy to cloud native applica...
OPNFV
 
Naveen nimmu sdn future of networking
Naveen nimmu sdn   future of networkingNaveen nimmu sdn   future of networking
Naveen nimmu sdn future of networking
suniltomar04
 

La actualidad más candente (20)

SDN Scale-out Testing at OpenStack Innovation Center (OSIC)
SDN Scale-out Testing at OpenStack Innovation Center (OSIC)SDN Scale-out Testing at OpenStack Innovation Center (OSIC)
SDN Scale-out Testing at OpenStack Innovation Center (OSIC)
 
Crossing the river by feeling the stones from legacy to cloud native applica...
Crossing the river by feeling the stones  from legacy to cloud native applica...Crossing the river by feeling the stones  from legacy to cloud native applica...
Crossing the river by feeling the stones from legacy to cloud native applica...
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
 
DPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii TkachukDPDK IPSec performance benchmark ~ Georgii Tkachuk
DPDK IPSec performance benchmark ~ Georgii Tkachuk
 
Opensource approach to design and deployment of Microservices based VNF
Opensource approach to design and deployment of Microservices based VNFOpensource approach to design and deployment of Microservices based VNF
Opensource approach to design and deployment of Microservices based VNF
 
OpenStack & OpenContrail in Production
OpenStack & OpenContrail in ProductionOpenStack & OpenContrail in Production
OpenStack & OpenContrail in Production
 
LF_DPDK17_Abstract APIs for DPDK and ODP
LF_DPDK17_Abstract APIs for DPDK and ODPLF_DPDK17_Abstract APIs for DPDK and ODP
LF_DPDK17_Abstract APIs for DPDK and ODP
 
Platform Independent Packet Processing with ODL
Platform Independent Packet Processing with ODLPlatform Independent Packet Processing with ODL
Platform Independent Packet Processing with ODL
 
Deployment of Juniper Contrail in AVG Technologies
Deployment of Juniper Contrail in AVG TechnologiesDeployment of Juniper Contrail in AVG Technologies
Deployment of Juniper Contrail in AVG Technologies
 
Summit 16: Service Function Chaining: Demo and Usage
Summit 16: Service Function Chaining: Demo and UsageSummit 16: Service Function Chaining: Demo and Usage
Summit 16: Service Function Chaining: Demo and Usage
 
NFV & Openstack
NFV & OpenstackNFV & Openstack
NFV & Openstack
 
Delivering Composable NFV Services for Business, Residential and Mobile Edge
Delivering Composable NFV Services for Business, Residential and Mobile EdgeDelivering Composable NFV Services for Business, Residential and Mobile Edge
Delivering Composable NFV Services for Business, Residential and Mobile Edge
 
Summit 16: Deploying Virtualized Mobile Infrastructures on Openstack
Summit 16: Deploying Virtualized Mobile Infrastructures on OpenstackSummit 16: Deploying Virtualized Mobile Infrastructures on Openstack
Summit 16: Deploying Virtualized Mobile Infrastructures on Openstack
 
Summit 16: OPNFV on ARM - Hardware Freedom of Choice Has Arrived!
Summit 16: OPNFV on ARM - Hardware Freedom of Choice Has Arrived!Summit 16: OPNFV on ARM - Hardware Freedom of Choice Has Arrived!
Summit 16: OPNFV on ARM - Hardware Freedom of Choice Has Arrived!
 
Scaling the Container Dataplane
Scaling the Container Dataplane Scaling the Container Dataplane
Scaling the Container Dataplane
 
OpenContrail SDN for Kubernetes
OpenContrail SDN for KubernetesOpenContrail SDN for Kubernetes
OpenContrail SDN for Kubernetes
 
Dpdk Validation - Liu, Yong
Dpdk Validation - Liu, YongDpdk Validation - Liu, Yong
Dpdk Validation - Liu, Yong
 
Naveen nimmu sdn future of networking
Naveen nimmu sdn   future of networkingNaveen nimmu sdn   future of networking
Naveen nimmu sdn future of networking
 
如何用k8s打造國產5G NFV平臺? 剖析經濟部5G核網技術的關鍵
如何用k8s打造國產5G NFV平臺?剖析經濟部5G核網技術的關鍵如何用k8s打造國產5G NFV平臺?剖析經濟部5G核網技術的關鍵
如何用k8s打造國產5G NFV平臺? 剖析經濟部5G核網技術的關鍵
 
OPNFV: Road to Next-Generation Network
OPNFV: Road to Next-Generation NetworkOPNFV: Road to Next-Generation Network
OPNFV: Road to Next-Generation Network
 

Destacado

BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
P4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC OffloadP4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC Offload
Open-NFP
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016]
IO Visor Project
 

Destacado (20)

EBPF and Linux Networking
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
 
Lying, Cheating, and Winning with Containers in Networking
Lying, Cheating, and Winning with Containers in NetworkingLying, Cheating, and Winning with Containers in Networking
Lying, Cheating, and Winning with Containers in Networking
 
Linux BPF Superpowers
Linux BPF SuperpowersLinux BPF Superpowers
Linux BPF Superpowers
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
 
Evolving Virtual Networking with IO Visor [OpenStack Summit Austin | April 2016]
Evolving Virtual Networking with IO Visor [OpenStack Summit Austin | April 2016]Evolving Virtual Networking with IO Visor [OpenStack Summit Austin | April 2016]
Evolving Virtual Networking with IO Visor [OpenStack Summit Austin | April 2016]
 
P4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC OffloadP4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC Offload
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable Datapath
 
Cilium - BPF & XDP for containers
 Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016]
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
Linux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene PirogovLinux Tracing Superpowers by Eugene Pirogov
Linux Tracing Superpowers by Eugene Pirogov
 
Implementing vCPE with OpenStack and Software Defined Networks
Implementing vCPE with OpenStack and Software Defined NetworksImplementing vCPE with OpenStack and Software Defined Networks
Implementing vCPE with OpenStack and Software Defined Networks
 
Monitoring and observability
Monitoring and observabilityMonitoring and observability
Monitoring and observability
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
 
OpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgridOpenStack networking - Neutron deep dive with PLUMgrid
OpenStack networking - Neutron deep dive with PLUMgrid
 
NFV management and orchestration framework architecture
NFV management and orchestration framework architectureNFV management and orchestration framework architecture
NFV management and orchestration framework architecture
 

Similar a In-kernel Analytics and Tracing with eBPF for OpenStack Clouds

Trend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationTrend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning Presentation
Graeme Wood
 

Similar a In-kernel Analytics and Tracing with eBPF for OpenStack Clouds (20)

Trend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationTrend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning Presentation
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
 
Using Modern Tools and Technologies to Improve Your Software Architecture
Using Modern Tools and Technologies to Improve Your Software ArchitectureUsing Modern Tools and Technologies to Improve Your Software Architecture
Using Modern Tools and Technologies to Improve Your Software Architecture
 
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated DesignCisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
What are the best tools used in cybersecurity in 2023.pdf
What are the best tools used in cybersecurity in 2023.pdfWhat are the best tools used in cybersecurity in 2023.pdf
What are the best tools used in cybersecurity in 2023.pdf
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
 
Web Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery PipelinesWeb Application Security for Continuous Delivery Pipelines
Web Application Security for Continuous Delivery Pipelines
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV Deployments
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New Reality
 
Cloud-Native Security
Cloud-Native SecurityCloud-Native Security
Cloud-Native Security
 
The Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating SystemThe Future of Embedded and IoT Security: Kaspersky Operating System
The Future of Embedded and IoT Security: Kaspersky Operating System
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
Web applications security conference slides
Web applications security  conference slidesWeb applications security  conference slides
Web applications security conference slides
 
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
 

Más de PLUMgrid

Más de PLUMgrid (20)

Monitoring Security Policies for Container and OpenStack Clouds
Monitoring Security Policies for Container and OpenStack CloudsMonitoring Security Policies for Container and OpenStack Clouds
Monitoring Security Policies for Container and OpenStack Clouds
 
Service Discovery and Registration in a Microservices Architecture
Service Discovery and Registration in a Microservices ArchitectureService Discovery and Registration in a Microservices Architecture
Service Discovery and Registration in a Microservices Architecture
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use Cases
 
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | WebinarHow to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
 
OpenStack and Application Delivery: Joy and Pain of an Intricate Relationship
OpenStack and Application Delivery: Joy and Pain of an Intricate RelationshipOpenStack and Application Delivery: Joy and Pain of an Intricate Relationship
OpenStack and Application Delivery: Joy and Pain of an Intricate Relationship
 
You Can Build Your OpenStack and Consume it Too
You Can Build Your OpenStack and Consume it TooYou Can Build Your OpenStack and Consume it Too
You Can Build Your OpenStack and Consume it Too
 
You Can Build Your OpenStack and Consume it Too
You Can Build Your OpenStack and Consume it TooYou Can Build Your OpenStack and Consume it Too
You Can Build Your OpenStack and Consume it Too
 
See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...
See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...
See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...
 
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron IntegrationNetworking For Nested Containers: Magnum, Kuryr, Neutron Integration
Networking For Nested Containers: Magnum, Kuryr, Neutron Integration
 
Hands-on Lab: Test Drive Your OpenStack Network
Hands-on Lab: Test Drive Your OpenStack NetworkHands-on Lab: Test Drive Your OpenStack Network
Hands-on Lab: Test Drive Your OpenStack Network
 
Securing Micro Services in Cloud Foundry
Securing Micro Services in Cloud FoundrySecuring Micro Services in Cloud Foundry
Securing Micro Services in Cloud Foundry
 
Docker Networking in Swarm, Mesos and Kubernetes [Docker Meetup Santa Clara |...
Docker Networking in Swarm, Mesos and Kubernetes [Docker Meetup Santa Clara |...Docker Networking in Swarm, Mesos and Kubernetes [Docker Meetup Santa Clara |...
Docker Networking in Swarm, Mesos and Kubernetes [Docker Meetup Santa Clara |...
 
Unified Underlay and Overlay SDNs for OpenStack Clouds
Unified Underlay and Overlay SDNs for OpenStack CloudsUnified Underlay and Overlay SDNs for OpenStack Clouds
Unified Underlay and Overlay SDNs for OpenStack Clouds
 
Building a Scalable Federated Hybrid Cloud
Building a Scalable Federated Hybrid CloudBuilding a Scalable Federated Hybrid Cloud
Building a Scalable Federated Hybrid Cloud
 
Managing Multi-hypervisor OpenStack Cloud with Single Virtual Network
Managing Multi-hypervisor OpenStack Cloud with Single Virtual NetworkManaging Multi-hypervisor OpenStack Cloud with Single Virtual Network
Managing Multi-hypervisor OpenStack Cloud with Single Virtual Network
 
Revolutionizing IT and Telecom Industry with OpenStack, SDN and NFV
Revolutionizing IT and Telecom Industry with OpenStack, SDN and NFVRevolutionizing IT and Telecom Industry with OpenStack, SDN and NFV
Revolutionizing IT and Telecom Industry with OpenStack, SDN and NFV
 
See Your OpenStack Network Like Never Before
See Your OpenStack Network Like Never BeforeSee Your OpenStack Network Like Never Before
See Your OpenStack Network Like Never Before
 
Federation manager demo
Federation manager demoFederation manager demo
Federation manager demo
 
Network Monitoring and Analytics
Network Monitoring and AnalyticsNetwork Monitoring and Analytics
Network Monitoring and Analytics
 
Navigating OpenStack Networking
Navigating OpenStack NetworkingNavigating OpenStack Networking
Navigating OpenStack Networking
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

In-kernel Analytics and Tracing with eBPF for OpenStack Clouds

  • 1. In-kernel Analytics and Tracing with eBPF for OpenStack Clouds October 2016 Brenden Blanco PLUMgrid Ali Khayam PLUMgrid
  • 2. Thank You to Sponsoring Members 2
  • 3. IO Visor Project, What is in it? • A set of development tools, IO Visor Dev Tools • A set of IO Visor Tools for management and operations of the IO Visor Engine • A set of Applications, Tools and open IO Modules build on top of the IO Visor framework • A set of possible use cases & applications like Networking, Security, Tracing & others 3
  • 4. The promise of Microservices: Better cloud app lifecycle …… but what about security? 4 Shared kernel Larger attack surface? Self service Developer = Security Expert? Shared Infrastructure Insider threats? Fast Development & Iteration Compromised zero trust?
  • 5. Where should microservices security be implemented? All layers…. but from the app cloud provider’s perspective: best to trust what you build/operate/control => “Security-as-a-Service” in the cloud infrastructure Infrastructure Operator Application Developer
  • 6. An ideal Security-as-a-Service offering Transparent: Application shouldn’t be aware of this layer No new software installation/configuration Generically applicable: Should be able to characterize microservice security profiles for diverse applications, without having visibility into service behavior Efficient: No compromises on performance or scalability
  • 7. What features can characterize a Microservice Security Profile? API API call, payload len Traffic bytes tx/rx, packets rx/rx Disk I/O Disk I/O rx/tx Tenants # of active tenants …. how to get these features without compromising transparency and efficiency
  • 8. How to extract features for Microservice Security Profiles? Objectives: Transparency, Seamlessness, Efficiency IO Visor instrumented infra to extract features for service security profiles: ▪ already present in Linux kernels ▪ capture API calls and resource usage ▪ system-call level insight ▪ real-time monitoring ▪ without efficiency degradation 8 Automation Developers IOVisor framework Advanced Monitoring Security Automation / Operations Machine Learning Infrastructure Monitor Ops/Automation Maintain
  • 9. Plugging features into an ML model to learn Microservice security profiles 9 ComputeNode UserSpaceKernelSpace API / Traffic Data Disk/Memory Data Microservice Collector Machine Learning API Traffic (Ingress / Egress) Microservice Security Profiles
  • 10. IO Visor Code Snippet (Userspace)
  • 11. IO Visor Code Snippet (Kernel) www.iovisor.org
  • 12. Preliminary Evaluation 1) OpenStack Controller Services as Microservices 12
  • 13. OpenStack Controller Services as Microservices IO Visor instrumentation is used to build security profiles of all controller services nova, neutron, keystone, cinder, etc. API calls learned as they arrive on the services’ veth interface no pre-training of API calls IO Visor hooks to monitor vfs_{read/write} accesses from each service separated based on PIDs for each container ML algorithm builds security profiles based on initial (training) data then security profile deviations are used for attack detection on run-time data
• 14. Attack: Brute-force password cracking on keystone
  ▪ Background (benign) traffic: continuous CRUD API calls from a real-world app-cloud use case; all API calls (including service-to-service) must first obtain an auth_token from keystone
  ▪ Attack traffic: 2-4 password attempts per second, sustained over a long period
• 15. Results of brute-force password attack on keystone
  Attack detection rate: 97%; false positive rate: 0%
  ▪ Results obtained from an ROC curve by tuning the detection threshold
  ▪ API and traffic features are the main contributors to these results
• 16. Preliminary Evaluation 2) Database container using MySQL
• 17. MySQL Microservice instrumentation
  ▪ MySQL Docker image (MySQL 5.7, Docker 1.12)
  ▪ SQL queries (TCP packets) intercepted by IOVisor hooks on the veth pairs; handshakes, teardown and ACKs ignored
  ▪ IOVisor hooks on vfs_{read,write} for queries into a large DB (180 MB), separated by PID and TID for Docker
• 18. Attack: First-order SQL injection
  ▪ Benign traffic: simulated SQL queries, generated randomly and continuously
  ▪ The attack extracts large segments of the DB, with varying segment size, in parallel with the benign traffic on the microservice
• 19. Results of first-order SQL injection attack on MySQL
  Attack detection rate: 93.5%; false positive rate: 3.5%
  ▪ Results obtained from an ROC curve by tuning the detection threshold
  ▪ Correlating traffic and disk access was essential for detection
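As an added example for this transcript (not the deck's model, whose ML algorithm the slides do not specify, and not its measurements), the profile-then-deviation detection used in both evaluations written out for one-minute feature windows: the baseline is the per-feature mean and standard deviation over benign training windows, a window's deviation is its largest per-feature z-score, and the ROC sweep tunes the threshold on labelled run-time windows. The windows are constructed: a keystone-style brute force (2-4 auth attempts per second) moves the API-call and bytes-received features, while the SQL-injection shape keeps the query count normal and moves bytes-sent and vfs_read counts, which is the traffic-plus-disk-access correlation slide 19 notes. Feature names and per-request sizes are assumptions.

```python
"""Security-profile deviation scoring and the ROC threshold sweep that the
two results slides refer to.  Added example for this transcript: the data
below is constructed, the scoring rule (largest per-feature z-score against
a benign baseline) is this example's choice, and the numbers it produces are
not the deck's 97%/0% or 93.5%/3.5% figures.  Feature names are assumptions
standing in for the deck's API / traffic / disk I/O counters, taken per
one-minute window as the Efficiency slides describe."""
import math

FEATURES = ("api_calls", "bytes_rx", "bytes_tx", "reads")


def benign_window(i):
    """Constructed benign minute: steady CRUD background load with jitter."""
    j = (i * 7) % 11 - 5                       # deterministic jitter in [-5, 5]
    return {"api_calls": 300 + j, "bytes_rx": 180000 + 600 * j,
            "bytes_tx": 420000 + 900 * j, "reads": 1200 + 4 * j}


def bruteforce_window(i, attempts_per_sec):
    """Constructed keystone brute-force minute: benign load plus
    attempts_per_sec failed token requests per second (deck: 2-4/s).
    Per-request sizes are assumptions; local disk reads are left unchanged."""
    w = benign_window(i)
    n = attempts_per_sec * 60
    w["api_calls"] += n
    w["bytes_rx"] += 600 * n       # POST /v3/auth/tokens request (assumed size)
    w["bytes_tx"] += 350 * n       # 401 response (assumed size)
    return w


def sqli_window(i, rows_dumped):
    """Constructed MySQL SQL-injection minute: the query count stays normal,
    but one injected query streams rows_dumped rows back (assumed ~200 B
    each) and pulls them off disk (assumed ~4 rows per vfs_read)."""
    w = benign_window(i)
    w["bytes_tx"] += 200 * rows_dumped
    w["reads"] += rows_dumped // 4
    return w


def fit_profile(windows):
    """Per-feature (mean, stddev) over benign training windows."""
    prof = {}
    for f in FEATURES:
        xs = [w[f] for w in windows]
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        prof[f] = (mean, max(math.sqrt(var), 1e-9))   # guard constant features
    return prof


def deviation(profile, window):
    """Deviation of one window from the profile: the largest |z-score| across
    features, plus the feature that produced it (the 'main contributor')."""
    best = (0.0, None)
    for f in FEATURES:
        mean, std = profile[f]
        z = abs(window[f] - mean) / std
        if z > best[0]:
            best = (z, f)
    return best


def roc(profile, labelled):
    """Sweep the threshold over every observed score; return
    [(threshold, detection_rate, false_positive_rate)], highest threshold
    first.  labelled must contain both benign and attack windows."""
    scored = [(deviation(profile, w)[0], attack) for w, attack in labelled]
    pos = sum(1 for _, a in scored if a)
    neg = len(scored) - pos
    points = []
    for thr in sorted({s for s, _ in scored}, reverse=True):
        tp = sum(1 for s, a in scored if a and s >= thr)
        fp = sum(1 for s, a in scored if not a and s >= thr)
        points.append((thr, tp / pos, fp / neg))
    return points


def pick_threshold(points, max_fpr=0.0):
    """Operating point: best detection rate whose false-positive rate is
    within budget (raises ValueError if no point satisfies the budget)."""
    return max((p for p in points if p[2] <= max_fpr), key=lambda p: p[1])


TRAIN = [benign_window(i) for i in range(30)]
PROFILE = fit_profile(TRAIN)
RUNTIME = ([(benign_window(i), False) for i in range(30, 50)]
           + [(bruteforce_window(i, 2 + i % 3), True) for i in range(50, 60)]
           + [(sqli_window(i, 500 * (1 + i % 4)), True) for i in range(60, 70)])

if __name__ == "__main__":
    for thr, tpr, fpr in roc(PROFILE, RUNTIME):
        print("threshold %7.2f  detection %.3f  false positives %.3f" % (thr, tpr, fpr))
    print("chosen operating point:", pick_threshold(roc(PROFILE, RUNTIME)))
```

Running it prints the ROC points; the operating point is chosen as the highest detection rate within a false-positive budget, which is the threshold tuning both results slides describe. The toy fits one shared baseline; in practice fit one profile per container (keystone, MySQL, and so on), since the deck separates features by PID.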
• 21. Conclusion: Meeting the requirements of an ideal Security-as-a-Service offering
• 22. Transparency: the application should not be aware of this layer
  ▪ IO Visor works on eBPF constructs that are present in 4.x and later upstream kernels
  ▪ IO Visor instrumentation runs in the kernel and is not visible to the developer
  ▪ The only non-standard dependency is the github.com/iovisor/bcc Python library
• 23. Generic applicability: should be able to characterize microservice security profiles for diverse applications, without visibility into service behavior
  ▪ Trained/tested on SQL
  ▪ Trained/tested on OpenStack services
  ▪ Future work: train/test for DNS attacks; train/test for ransomware attacks
• 24. Efficiency: no compromises on performance or scalability
  ▪ eBPF counting is done inside the kernel with little or no overhead; the main overhead is the kernel-to-userspace interaction
  ▪ Data is polled by userspace every 1 minute; all data structures are reset after polling, so data cannot grow indefinitely
  ▪ Data is exported by the userspace application to a collector node; machine learning and classification run on the collector node, i.e. no performance impact on the compute nodes
• 25. Efficiency: no compromises on performance or scalability
  Data structures have low overhead:
  ▪ vfs_read (BPF_HASH): size at time t_i = N_i × 3, where N_i = number of processes that performed reads at t_i; the map has {key: pid, value1: number of reads, value2: aggregate size of all reads}
  ▪ vfs_write (BPF_HASH): same structure as vfs_read
  ▪ traffic (BPF_HASH): size at time t_i = F_i × 7, where F_i = number of active TCP flows at t_i; the map's key is a 5-tuple flow id, and the values are the same as for vfs_{read,write}
  ▪ http_traffic (BPF_HISTOGRAM): size at time t_i = S_i × LS_i × 7, where the key is the 5-tuple flow id of the HTTP packets, S_i = number of active HTTP sessions at t_i, and LS_i = number of distinct HTTP packet lengths received on session S_i
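The following is an added example for this transcript, not the code from the "IO Visor Code Snippet" slides or from the conmon repository: a bcc program implementing the vfs_read / vfs_write maps of slide 25 (key = PID, values = call count and aggregate size) together with the poll-every-minute-then-reset loop of slide 24, with the per-PID counters folded into per-container features. It assumes bcc (github.com/iovisor/bcc) is installed and that it runs as root on a 4.x or newer kernel; the map, struct and function names, the 60-second interval constant and the Docker cgroup path pattern are this example's own choices.

```python
"""Per-PID vfs_read / vfs_write accounting with bcc, plus the poll-and-reset
userspace loop from the Efficiency slides.

Added example for this transcript, not the deck's own snippet and not the
conmon code.  Assumes bcc (github.com/iovisor/bcc) is installed and that the
script runs as root on a 4.x or newer kernel with kprobes.  Map, struct and
function names (io_stats, reads, writes, ret_read, ret_write, POLL_SECONDS)
and the cgroup path regex are this example's own choices.
"""
import json
import re
import time

# Kernel side (bcc's C dialect).  Key = tgid, i.e. the process id, so all
# threads of one service process aggregate into one entry; value = {count,
# bytes}.  That is the three-field {pid, #reads, aggregate size} layout the
# Efficiency slide gives for the vfs_read / vfs_write BPF_HASH maps.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>

struct io_stats {
    u64 count;   // completed vfs_read / vfs_write calls
    u64 bytes;   // bytes actually transferred (sum of return values)
};

BPF_HASH(reads, u32, struct io_stats);
BPF_HASH(writes, u32, struct io_stats);

// kretprobes rather than kprobes: the return value is the real byte count
// (or a negative errno), whereas the kprobe argument is only the request.
int ret_read(struct pt_regs *ctx) {
    long ret = PT_REGS_RC(ctx);
    if (ret < 0)
        return 0;
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct io_stats zero = {};
    struct io_stats *s = reads.lookup_or_try_init(&pid, &zero);
    if (!s)
        return 0;
    __sync_fetch_and_add(&s->count, 1);
    __sync_fetch_and_add(&s->bytes, ret);
    return 0;
}

int ret_write(struct pt_regs *ctx) {
    long ret = PT_REGS_RC(ctx);
    if (ret < 0)
        return 0;
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct io_stats zero = {};
    struct io_stats *s = writes.lookup_or_try_init(&pid, &zero);
    if (!s)
        return 0;
    __sync_fetch_and_add(&s->count, 1);
    __sync_fetch_and_add(&s->bytes, ret);
    return 0;
}
"""

POLL_SECONDS = 60   # the deck polls once a minute, then resets the maps
# Matches both cgroupfs (/docker/<id>) and systemd (docker-<id>.scope) layouts.
DOCKER_CGROUP = re.compile(r"docker[-/]([0-9a-f]{64})")


def container_of(pid, cgroup_text=None):
    """Resolve a PID to its Docker container (12-hex short id) via
    /proc/<pid>/cgroup, or None for host processes.  cgroup_text can be
    passed in so the parser runs without /proc."""
    if cgroup_text is None:
        try:
            with open("/proc/%d/cgroup" % pid) as fh:
                cgroup_text = fh.read()
        except OSError:          # process exited between snapshot and lookup
            return None
    m = DOCKER_CGROUP.search(cgroup_text)
    return m.group(1)[:12] if m else None


def drain(table):
    """Copy a bcc hash map into {pid: (count, bytes)} and clear it, so the
    kernel-side structure never holds more than one interval's PIDs.
    Events landing between items() and clear() are lost; acceptable at
    one-minute granularity, so no locking is attempted."""
    raw = {k.value: (v.count, v.bytes) for k, v in table.items()}
    table.clear()
    return raw


def aggregate(raw, resolve=container_of):
    """Fold per-PID counters into per-container counters; PIDs outside any
    container stay keyed by PID."""
    out = {}
    for pid, (count, nbytes) in raw.items():
        owner = resolve(pid) or pid
        c, b = out.get(owner, (0, 0))
        out[owner] = (c + count, b + nbytes)
    return out


def feature_rows(reads, writes, ts):
    """One flat record per owner: the shape shipped to the collector node."""
    rows = []
    for owner in sorted(set(reads) | set(writes), key=str):
        rc, rb = reads.get(owner, (0, 0))
        wc, wb = writes.get(owner, (0, 0))
        rows.append({"ts": ts, "owner": str(owner), "reads": rc, "read_bytes": rb,
                     "writes": wc, "write_bytes": wb})
    return rows


def main():
    from bcc import BPF   # imported here so the pure helpers work without bcc
    b = BPF(text=BPF_PROGRAM)
    b.attach_kretprobe(event="vfs_read", fn_name="ret_read")
    b.attach_kretprobe(event="vfs_write", fn_name="ret_write")
    while True:
        time.sleep(POLL_SECONDS)
        ts = int(time.time())
        rows = feature_rows(aggregate(drain(b["reads"])),
                            aggregate(drain(b["writes"])), ts)
        for row in rows:
            print(json.dumps(row))   # stdout stands in for export to the collector


if __name__ == "__main__":
    main()
```

The pure helpers (container_of, aggregate, feature_rows) do not need bcc, so the userspace half can be tested offline; the only kernel-visible state is the two hash maps, which hold at most one entry per PID that did I/O in the current interval, and clear() after every poll is what keeps that bound. The kretprobe choice matters for the "aggregate size" value: the kprobe argument to vfs_read is the requested size, while the return value is what was actually transferred.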
• 26. How to Contribute
  ▪ github.com/akhayam/conmon (this presentation)
  ▪ www.iovisor.org
  ▪ github.com/iovisor
  ▪ #iovisor at irc.oftc.net
  ▪ lists.iovisor.org/mailman/listinfo/iovisor-dev