Detecting unusual processes on your servers without writing a single rule
A new system for detecting unusual processes on servers has been developed, eliminating the need for predefined rules. This system utilizes eBPF to capture kernel-level events and represent them as vectors for analysis. By learning what is considered 'normal' automatically, it can identify deviations without prior configuration.
- Traditional security tools rely on predefined rules to identify threats, which can miss novel attacks.
- The new system captures process execution events at the kernel level using eBPF, allowing for real-time monitoring.
- Each process execution is transformed into a fixed-length vector for comparison, enabling the detection of unusual behavior.
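As an added illustration of the "vectorize, then learn normal" idea (example code written for this page, not code from the article or its author): each exec event is feature-hashed into a fixed-length vector, a window of observed events defines the baseline, and an event is flagged when it sits farther from every baseline event than baseline events sit from each other. The event fields, the hashing scheme and the nearest-neighbour threshold are assumptions of this sketch; the sample events are constructed inline, and the eBPF capture itself is out of scope.

```python
import hashlib
import math
DIM = 4096  # fixed vector length; large so hash collisions stay rare in this toy

def _bucket(token):
    # Stable hash: a token lands in the same slot on every run and host
    return int(hashlib.sha256(token.encode()).hexdigest(), 16) % DIM

def featurize(event):
    """Map one exec event to a unit-length vector of DIM hashed feature counts."""
    tokens = ["comm=" + event["comm"], "parent=" + event["parent"], "uid=%d" % event["uid"]]
    tokens += ["arg=" + a for a in event["argv"][1:]]  # argv[0] is already comm
    vec = [0.0] * DIM
    for t in tokens:  # feature hashing: any argv length still yields DIM slots
        vec[_bucket(t)] += 1.0
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class Baseline:
    """Learns 'normal' from a window of observed events; no rules are written."""
    def __init__(self, events, margin=0.1):
        self.vectors = [featurize(e) for e in events]
        # Largest leave-one-out nearest-neighbour distance inside the baseline:
        # how far a known-good event may sit from its closest sibling.
        loo = [min((_dist(v, w) for j, w in enumerate(self.vectors) if j != i), default=0.0)
               for i, v in enumerate(self.vectors)]
        self.threshold = max(loo, default=0.0) + margin

    def score(self, event):
        # Distance to the closest baseline event; 0.0 means seen before
        return min((_dist(featurize(event), w) for w in self.vectors), default=math.inf)

    def is_unusual(self, event):
        return self.score(event) > self.threshold

# Constructed sample exec events (comm, parent comm, uid, argv), not real telemetry;
# repeated entries stand in for the many identical forks and logins a real window has.
BASELINE = [
    {"comm": "sh", "parent": "cron", "uid": 0, "argv": ["sh", "-c", "/usr/sbin/logrotate"]},
    {"comm": "sh", "parent": "cron", "uid": 0, "argv": ["sh", "-c", "/usr/bin/run-parts"]},
    {"comm": "nginx", "parent": "nginx", "uid": 33, "argv": ["nginx", "-g", "daemon off;"]},
    {"comm": "nginx", "parent": "nginx", "uid": 33, "argv": ["nginx", "-g", "daemon off;"]},
    {"comm": "bash", "parent": "sshd", "uid": 1000, "argv": ["bash"]},
    {"comm": "bash", "parent": "sshd", "uid": 1000, "argv": ["bash"]},
    {"comm": "ls", "parent": "bash", "uid": 1000, "argv": ["ls", "-la"]},
    {"comm": "ls", "parent": "bash", "uid": 1000, "argv": ["ls", "-l", "/var/log"]},
]
```

With this baseline, a new cron job with an unseen script path still scores below the threshold (most of its features match the existing cron entries), while a web-server worker spawning an interactive shell shares almost nothing with any baseline event and is flagged; the margin and window size are the knobs that trade false positives against missed novelty.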
Opening excerpt (first ~120 words)
Gretl, posted on May 24: Detecting unusual processes on your servers without writing a single rule (#linux #machinelearning #monitoring #security)

Most security tooling works by asking you to define what "bad" looks like upfront. Falco gives you YAML rules. OSSEC has signatures. Wazuh has a 5,000-line ruleset that ships with the product and still misses half of what matters in your specific environment.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).