IEEE Access (Jan 2025)

ESX: A Self-Generated Control Policy for Remote Access With SSH Based on eBPF

  • Yuan Zhong,
  • Pengfei Chen,
  • Huxing Zhang

DOI: https://doi.org/10.1109/access.2024.3450496
Journal volume & issue: Vol. 13, pp. 6487–6506

Abstract

Cloud systems that provide remote data and computational access over networks face significant security challenges. Secure Shell (SSH) is one of the most popular methods for remote access, but leakage of login credentials presents a substantial security threat, enabling attackers to assume legitimate identities and disrupt systems. Consequently, ensuring robust security in cloud-system operations is paramount. Access control, a crucial security mechanism in operating systems, is becoming increasingly complex due to the intricate nature of control mechanisms and the difficulty of writing precise Access Control Lists (ACLs). Traditional ACLs require extensive effort for each user or role, struggle in complex scenarios, and expose the system to risk by granting excessive privileges. To mitigate these issues, we introduce Extend Security boX (ESX), a novel solution that combines a lightweight system call restriction system with a machine learning method. ESX applies rule learning through itemset mining to analyze user behavior and generate system call control lists, thereby significantly reducing the system's attack surface. By employing extended Berkeley Packet Filter (eBPF) program hooks, ESX audits and restricts remote user behavior at the system call level. Our results show that ESX's rule-mining algorithm achieves over 99% accuracy in generating access control policies while using only 40% of the log entries for mining. Additionally, ESX incurs lower overhead than established security solutions such as AppArmor, enhancing overall operating system security.
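To make the mining-then-enforcement idea concrete, the following added example (written for this page, not the authors' ESX code) sketches the policy-generation half: per-session sets of observed system calls for one SSH user are mined with a simple support-threshold itemset miner, the frequent syscalls become that user's allowlist, and held-out sessions are audited against it to measure how much legitimate activity the policy would block. The session data, the single-item support rule, the `min_support` threshold and the accuracy metric are all assumptions for illustration; the paper's mining algorithm and its eBPF enforcement hooks are not reproduced here.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed sample data (not from the paper): for one SSH user, each
# session is the set of distinct syscalls an audit hook observed.
SESSIONS: List[Set[str]] = [
    {"read", "write", "openat", "close", "execve", "stat"},
    {"read", "write", "openat", "close", "execve", "getdents64"},
    {"read", "write", "openat", "close", "execve", "stat"},
    {"read", "write", "openat", "close", "execve", "stat", "getdents64"},
    {"read", "write", "openat", "close", "execve", "stat"},
    {"read", "write", "openat", "close", "execve", "ptrace"},   # rare
    {"read", "write", "openat", "close", "execve", "getdents64"},
    {"read", "write", "openat", "close", "execve", "stat"},
    {"read", "write", "openat", "close", "execve", "stat"},
    {"read", "write", "openat", "close", "execve", "mmap"},     # rare
]


def item_support(sessions: Iterable[Set[str]]) -> Dict[str, float]:
    """Support of each syscall: the fraction of sessions it appears in."""
    sessions = list(sessions)
    counts = Counter(s for sess in sessions for s in sess)
    return {s: c / len(sessions) for s, c in counts.items()}


def mine_allowlist(sessions: Iterable[Set[str]], min_support: float) -> Set[str]:
    """Frequent single-item rules (hypothetical miner): syscalls whose
    support is at least min_support form the user's allowlist; anything
    else is denied by the generated policy."""
    return {s for s, sup in item_support(sessions).items() if sup >= min_support}


def audit_session(allowlist: Set[str], session: Set[str]) -> Set[str]:
    """Syscalls in one session that the policy would flag or block."""
    return session - allowlist


def evaluate(sessions: List[Set[str]], train_fraction: float, min_support: float) -> dict:
    """Mine on the first train_fraction of sessions, then audit the rest.
    Accuracy here is the fraction of held-out syscall events the policy
    allows, i.e. how little legitimate activity it would disrupt."""
    n_train = max(1, int(len(sessions) * train_fraction))
    policy = mine_allowlist(sessions[:n_train], min_support)
    held_out = sessions[n_train:]
    total = sum(len(s) for s in held_out)
    blocked = sum(len(audit_session(policy, s)) for s in held_out)
    return {
        "allowlist": policy,
        "events": total,
        "blocked": blocked,
        "accuracy": (total - blocked) / total if total else 1.0,
    }


if __name__ == "__main__":
    # Mine on 40% of the sessions (mirroring the paper's 40% log budget)
    # and report what the resulting allowlist does to the remaining 60%.
    result = evaluate(SESSIONS, train_fraction=0.4, min_support=0.5)
    print("allowlist:", sorted(result["allowlist"]))
    print("held-out events:", result["events"], "blocked:", result["blocked"])
    print("accuracy: %.3f" % result["accuracy"])
    for i, sess in enumerate(SESSIONS[4:], start=5):
        flagged = audit_session(result["allowlist"], sess)
        if flagged:
            print("session %d would be flagged for: %s" % (i, sorted(flagged)))
```

The `min_support` threshold is the knob a defender tunes: lowering it admits rarer but legitimate calls (fewer false blocks), raising it tightens the policy toward the user's habitual behaviour so that one-off calls such as `ptrace` or `mmap` in the constructed data are surfaced for review rather than silently permitted.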

Keywords