The latest articles on DEV Community by Daniel Seo (@younggi). https://dev.to/younggi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3845481%2Fef0b7654-c98a-4508-b914-7ad9dc8ab3ee.jpeg https://dev.to/younggi en Daniel Seo Wed, 22 Apr 2026 02:00:00 +0000 https://dev.to/younggi/ebpf-dsa-security-monitoring-framework-5gin https://dev.to/younggi/ebpf-dsa-security-monitoring-framework-5gin <h2> Introduction </h2> <p><em>Real-time security monitoring architecture combining eBPF kernel observability and Data Structures &amp; Algorithms (DSA) for scalable threat detection.</em></p> <h2> Overview </h2> <p>This project presents a next-generation security monitoring framework designed for modern systems such as AI-driven applications, cloud infrastructure, and distributed environments.</p> <h2> The architecture integrates: </h2> <p>eBPF (Extended Berkeley Packet Filter) for kernel-level telemetry collection Data Structures &amp; Algorithms (DSA) for scalable and deterministic analysis</p> <p>Unlike traditional security systems that rely on static logs or rule-based detection, this framework transforms security into a data-driven, algorithmic problem.</p> <ul> <li> <strong>Kernel Event Capture (eBPF Instrumentation)</strong>: Use the eBPF program to intercept bot-related events (e.g., network connections, authentication calls, etc.) in real time at the kernel level. For example, <code>tracepoint:syscalls:sys_enter_connect</code> or <code>kprobe/tcp_connect</code> to monitor connection attempts to the bot server, and send events to user space via <code>BPF_PERF_OUTPUT</code> <a href="https://medium.com/@swabhimankhadka2001/ebpf-and-security-watching-over-the-kernel-9e8c24e7dac5#:~:text=Here%20are%20a%20few%20ways,being%20used%20for%20Linux%20security" rel="noopener noreferrer">1</a> <a href="https://medium.com/@swabhimankhadka2001/ebpf-and-security-watching-over-the-kernel-9e8c24e7dac5#:~:text=sudo%20bpftrace%20,%E2%80%99" rel="noopener noreferrer">2</a>. Use a <code>BPF_HASH</code> map inside the kernel to store session information by PID, You can accumulate the number of authentication attempts. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="c1">// trace_connect.c (eBPF): Detecting connect() calls and sending events to userspace</span> <span class="cp">#include</span> <span class="cpf">&lt;uapi/linux/ptrace.h&gt;</span><span class="cp"> </span><span class="n">BPF_PERF_OUTPUT</span><span class="p">(</span><span class="n">events</span><span class="p">);</span> <span class="k">struct</span> <span class="n">data_t</span> <span class="p">{</span> <span class="n">u32</span> <span class="n">pid</span><span class="p">;</span> <span class="n">u64</span> <span class="n">ts</span><span class="p">;</span> <span class="p">};</span> <span class="kt">int</span> <span class="nf">trace_connect</span><span class="p">(</span><span class="k">struct</span> <span class="n">pt_regs</span> <span class="o">*</span><span class="n">ctx</span><span class="p">)</span> <span class="p">{</span> <span class="k">struct</span> <span class="n">data_t</span> <span class="n">evt</span> <span class="o">=</span> <span class="p">{};</span> <span class="n">evt</span><span class="p">.</span><span class="n">pid</span> <span class="o">=</span> <span class="n">bpf_get_current_pid_tgid</span><span class="p">();</span> <span class="n">evt</span><span class="p">.</span><span class="n">ts</span> <span class="o">=</span> <span class="n">bpf_ktime_get_ns</span><span class="p">();</span> <span class="n">events</span><span class="p">.</span><span class="n">perf_submit</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">evt</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">evt</span><span class="p">));</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>User space detection (DSA-based analysis):</strong> Listen to events sent from the kernel using BCC/PyBPF, etc. In user space, track session status (e.g., the number of authentication failures by PID) with <strong>a hash map</strong>, and detect repeated attempts over a short period of time with <strong>a sliding window</strong>. For example, if a session has more than 5 connection attempts within 10 seconds, it can trigger an alert. By introducing <strong>a graph data structure</strong>, you can model the client-server-API flow as nodes/trunks and detect abnormal paths (bypass, lateral movement). In addition, <strong>the State Machine</strong> can define the "before/after" state to block access to key functions without authentication, and implement allow and block logic according to the type of request with <strong>a simple rule engine</strong>. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">bcc</span> <span class="kn">import</span> <span class="n">BPF</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="c1"># Load eBPF C code into Python BCC </span><span class="n">bpf_text</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">trace_connect.c</span><span class="sh">"</span><span class="p">).</span><span class="nf">read</span><span class="p">()</span> <span class="n">b</span> <span class="o">=</span> <span class="nc">BPF</span><span class="p">(</span><span class="n">text</span><span class="o">=</span><span class="n">bpf_text</span><span class="p">)</span> <span class="n">b</span><span class="p">.</span><span class="nf">attach_kprobe</span><span class="p">(</span><span class="n">event</span><span class="o">=</span><span class="sh">"</span><span class="s">__arm64_sys_connect</span><span class="sh">"</span><span class="p">,</span> <span class="n">fn_name</span><span class="o">=</span><span class="sh">"</span><span class="s">trace_connect</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># __arm64_sys_connect can be altered by __x64_sys_connect </span> <span class="c1"># sessions = {} # {pid: [timestamp_list]} </span><span class="n">sessions</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">list</span><span class="p">)</span> <span class="c1"># Hash Map (key: pid, value: timestamp list) </span> <span class="k">def</span> <span class="nf">handle_event</span><span class="p">(</span><span class="n">cpu</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="n">size</span><span class="p">):</span> <span class="n">evt</span> <span class="o">=</span> <span class="n">b</span><span class="p">[</span><span class="sh">"</span><span class="s">events</span><span class="sh">"</span><span class="p">].</span><span class="nf">event</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">pid</span> <span class="o">=</span> <span class="n">evt</span><span class="p">.</span><span class="n">pid</span><span class="p">;</span> <span class="n">ts</span> <span class="o">=</span> <span class="n">evt</span><span class="p">.</span><span class="n">ts</span> <span class="o">/</span> <span class="mf">1e9</span> <span class="c1"># ns -&gt; s </span> <span class="n">sessions</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="n">pid</span><span class="p">,</span> <span class="p">[]).</span><span class="nf">append</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="c1"># Warning for 5 attempts within 10 seconds </span> <span class="n">window</span> <span class="o">=</span> <span class="p">[</span><span class="n">t</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">sessions</span><span class="p">[</span><span class="n">pid</span><span class="p">]</span> <span class="k">if</span> <span class="n">ts</span> <span class="o">-</span> <span class="n">t</span> <span class="o">&lt;</span> <span class="mi">10</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">window</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">5</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">!! Detect duplicate connections : PID=</span><span class="si">{</span><span class="n">pid</span><span class="si">}</span><span class="s">, Count=</span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">window</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">b</span><span class="p">[</span><span class="sh">"</span><span class="s">events</span><span class="sh">"</span><span class="p">].</span><span class="nf">open_perf_buffer</span><span class="p">(</span><span class="n">handle_event</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">b</span><span class="p">.</span><span class="nf">kprobe_poll</span><span class="p">()</span> </code></pre> </div> <ul> <li> <strong>Linked design:</strong> eBPF is responsible for <strong>real-time data collection with low overhead</strong>, while DSA (Data Structure and Algorithm) <strong>efficiently analyzes</strong> the collected data. For example, by quickly processing kernel events obtained by eBPF with in-memory hashmaps and sliding windows, it can detect anomalies (abnormal authentication, suspicious network flows) of bots with ultra-low latency [1]. This combination enables the implementation of a comprehensive security monitoring system that spans from the kernel/network level to application logic.</li> </ul> <blockquote> <p>[1] [2] Security monitoring case using eBPF<br> <u>________________________________________</u><br> [1] [2] eBPF and Security — Watching Over the Kernel | by Samiksha Khadka | Medium<br> <a href="https://medium.com/@swabhimankhadka2001/ebpf-and-security-watching-over-the-kernel-9e8c24e7dac5" rel="noopener noreferrer">https://medium.com/@swabhimankhadka2001/ebpf-and-security-watching-over-the-kernel-9e8c24e7dac5</a></p> </blockquote> python c datastructures ai