Sapo-boi: Bypassing Linux Kernel Network Stack in the Implementation of an XDP-based NIDS
DOI: https://doi.org/10.5753/jbcs.2026.5551
Keywords: Network Intrusion Detection Systems, BPF, XDP, XDP sockets, AF_XDP
Abstract
Network intrusion detection systems (NIDS) must inspect multiple parts of a packet to detect patterns of known attacks. With the advent of XDP, it has become feasible to implement such a system within the kernel's own network stack for the evaluation of ingress traffic. In this work, we propose Sapo-boi, an NIDS solution consisting of two modules: (i) the Suspicion Module, an XDP program capable of processing packets in parallel, discarding packets considered safe, and redirecting suspicious packets for a verdict in user space through XDP sockets (AF_XDP); and (ii) the Evaluation Module, a user-level process capable of finding, in constant time, the rule against which a suspicious packet should be analyzed, and of triggering notifications if the suspicion is confirmed. The system demonstrated superior results in terms of packet analysis rates and CPU usage compared to traditional NIDS alternatives (Snort and Suricata).
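The following user-space C simulation is an added illustration of the two-stage pipeline the abstract describes; it is not code from the Sapo-boi project. It assumes a hypothetical rule table indexed directly by TCP destination port (giving the constant-time lookup), bounds-checked header parsing in the style the kernel verifier demands of XDP code, and a naive payload scan standing in for whatever matcher the authors use; the verdict values are the real XDP action codes, but the enum and all function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Verdicts reuse the XDP action values (XDP_DROP=1, XDP_PASS=2, XDP_REDIRECT=4). */
enum verdict { V_DROP = 1, V_PASS = 2, V_REDIRECT = 4 };
/* Constructed rule table indexed by TCP destination port, so a lookup is O(1). */
struct rule { const char *pattern; size_t plen; };
static struct rule rules[65536];
void add_rule(uint16_t port, const char *p) { rules[port].pattern = p; rules[port].plen = strlen(p); }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Suspicion Module stand-in: every access is bounds-checked against len, as the
   kernel verifier requires of real XDP code. Ports without a rule stay on the
   normal kernel path (PASS); matches would be redirected to an AF_XDP socket. */
static int suspect(const uint8_t *d, size_t len, uint16_t *dport, size_t *off) {
    if (len < 34 || be16(d + 12) != 0x0800) return V_PASS;           /* not IPv4 */
    size_t ihl = (d[14] & 0x0f) * 4u;
    if (ihl < 20 || len < 14 + ihl + 20 || d[23] != 6) return V_PASS; /* not TCP */
    const uint8_t *tcp = d + 14 + ihl;
    size_t doff = (tcp[12] >> 4) * 4u;
    if (doff < 20 || len < 14 + ihl + doff) return V_DROP;           /* malformed */
    *dport = be16(tcp + 2);
    *off = 14 + ihl + doff;
    return rules[*dport].pattern ? V_REDIRECT : V_PASS;
}
/* Evaluation Module stand-in: O(1) rule fetch, then a payload scan for its pattern. */
static int evaluate(const uint8_t *d, size_t len, uint16_t dport, size_t off) {
    const struct rule *r = &rules[dport];
    if (!r->pattern || off + r->plen > len) return 0;
    for (size_t i = off; i + r->plen <= len; i++)
        if (memcmp(d + i, r->pattern, r->plen) == 0) return 1;
    return 0;
}
/* Builds a constructed Ethernet/IPv4/TCP frame (IHL 5, data offset 5) into b. */
static size_t build_frame(uint8_t *b, uint16_t port, const char *payload) {
    size_t n = strlen(payload);
    memset(b, 0, 54 + n);
    b[12] = 0x08; b[14] = 0x45; b[23] = 6;                 /* IPv4, IHL=5, TCP */
    b[36] = (uint8_t)(port >> 8); b[37] = (uint8_t)port;   /* TCP dst port */
    b[46] = 0x50;                                          /* data offset 5 */
    memcpy(b + 54, payload, n);
    return 54 + n;
}
/* Runs both modules on one constructed frame (payload under 200 bytes). Returns the
   Suspicion verdict when not redirected, else 10 + alert (10 = cleared, 11 = alert). */
int check(uint16_t port, const char *payload) {
    static uint8_t buf[256];
    uint16_t dport; size_t off, len = build_frame(buf, port, payload);
    int v = suspect(buf, len, &dport, &off);
    return v == V_REDIRECT ? 10 + evaluate(buf, len, dport, off) : v;
}
```

Traffic to a port with no rule never leaves the kernel path, which is the property that lets the user-space module see only the suspicious minority of packets.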
License
Copyright (c) 2026 Raphael Kaviak Machnicki, João Ribeiro Andreotti, Ulisses Penteado, Jorge Pires Correia, Vinicius Fulber-Garcia, André Grégio

This work is licensed under a Creative Commons Attribution 4.0 International License.