Evaluating eBPF as an Alternative to Virtual Machine Introspection for High-Interaction Honeypot Implementation
摘要
Virtual machine introspection (VMI) has been widely used for stealthy monitoring of guest systems. However, context switching between monitoring system and monitored target introduces considerable overhead, especially for tracing common system calls, and deployment of VMI-based setups is complex. This work investigates whether extended Berkeley Packet Filter (eBPF) based tracing, a low-overhead kernel-level monitoring technique, can serve as an alternative. We compare the two paradigms in terms of performance, stealthiness, and practical applicability. Using micro-benchmarks and a prototype high-interaction SSH honeypot, we evaluate the capabilities and limitations of eBPF-based monitoring in adversarial settings. Our results highlight advantages and limitations of both, providing insights for the design of future security monitoring systems.