Quinci, A., Belocchi, G., Quaglia, F., Bianchi, G. (2025). Stateful Handling of Critical Events: Leveraging eBPF to Realize eXtended Finite State Machine Abstractions. In CEUR Workshop Proceedings. CEUR-WS.
Stateful Handling of Critical Events: Leveraging eBPF to Realize eXtended Finite State Machine Abstractions
Quinci, A.; Belocchi, G.; Quaglia, F.; Bianchi, G.
2025-01-01
Abstract
As modern security threats evolve, purely stateless defenses cannot capture the progressive nature of malicious behaviors. To address this limitation, we propose to track potentially malicious actions via stateful abstractions based on the eXtended Finite-State Machine (XFSM) paradigm, enabling not only the modeling of process evolution but also the management of system components, including physical ones like RAM frames, within the operating system kernel. By leveraging extended Berkeley Packet Filter (eBPF) technology, our approach ensures minimal performance overhead while facilitating flexible, real-time detection of complex attack patterns. We demonstrate its effectiveness through functional evaluations on real-world scenarios and confirm its practical feasibility via comprehensive performance assessments. Our solution delivers a powerful yet user-friendly defense mechanism, balancing kernel-level complexity with adaptability to contemporary security challenges.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.