Floragasse 7 – 5th floor, 1040 Vienna

SOC_Datenvolumen

Sovereign Security Operations Center with innovative eBPF

Security Operations Centers are required to persist data over long timescales and across system layers so that an attack can be forensically triaged later. This prevailing “collect-everything” paradigm leads to excessive costs, low signal-to-noise ratios, and analyst alert fatigue.

We propose a novel, digitally sovereign, kernel-level anomaly-based approach realised with eBPF and signed behavioral profiles (“Software Bill of Behavior”, SBoB). Our prototype continuously monitors system calls, network traffic, and file operations, detects significant deviations in real time, and triggers event-driven, forensic-grade data capture.

Diagram

A key research question is how to measure the reduction in resulting data volume while preserving detection quality. We therefore compare several approaches to tuning false positives. Additionally, we provide a Kubernetes-based testbed for scalable evaluation against known attack patterns (mapped to MITRE ATT&CK). The project contributes to more efficient cyber defense and strengthens digital sovereignty by shifting from passive, large-scale data collection to active, context-aware analysis.
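As an added illustration (not code from the project), the following Python sketches the userspace side of the approach described above: a signed behavioral profile is verified before use, each kernel event is checked against it, and only the deviating event plus a short window after it is persisted, which is where the data-volume reduction comes from. The profile fields, the HMAC-SHA256 stand-in for a real signature, and the event stream are constructed assumptions.

```python
import hmac, hashlib, json
# Constructed demo key; HMAC-SHA256 stands in for the asymmetric signature a real SBoB would carry.
PROFILE_KEY = b"constructed-demo-key"
def sign_profile(profile: dict, key: bytes = PROFILE_KEY) -> dict:
    body = json.dumps(profile, sort_keys=True).encode()
    return {"profile": profile, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}
def verify_profile(signed: dict, key: bytes = PROFILE_KEY) -> dict:
    """Refuse a profile whose signature does not match (tampered or unsigned)."""
    body = json.dumps(signed["profile"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), signed["sig"]):
        raise ValueError("profile signature invalid")
    return signed["profile"]

# Constructed behavioral profile for one workload (field names are assumptions).
SBOB = sign_profile({
    "binary": "/usr/sbin/nginx",
    "syscalls": ["accept4", "read", "write", "openat", "close", "epoll_wait"],
    "files": ["/etc/nginx/", "/var/www/", "/var/log/nginx/"],
    "net_ports": [80, 443],
})
def deviates(profile: dict, event: tuple):
    """Return a reason if a (kind, value) event falls outside the profile, else None."""
    kind, value = event
    if kind == "syscall" and value not in profile["syscalls"]:
        return f"unexpected syscall {value}"
    if kind == "file" and not any(value.startswith(p) for p in profile["files"]):
        return f"file access outside profile: {value}"
    if kind == "net" and value not in profile["net_ports"]:
        return f"unexpected destination port {value}"
    return None

def triage(signed_profile: dict, events: list, capture_window: int = 2):
    """Event-driven capture: keep a deviating event plus the next capture_window events."""
    profile = verify_profile(signed_profile)  # never trust an unverified profile
    alerts, captured, remaining = [], [], 0
    for ev in events:
        reason = deviates(profile, ev)
        if reason:
            alerts.append(reason)
            captured.append(ev)
            remaining = capture_window
        elif remaining > 0:
            captured.append(ev)
            remaining -= 1
    return alerts, captured

# Constructed event stream in the order the eBPF probes would report it to userspace.
EVENTS = [("syscall", "accept4"), ("file", "/var/www/index.html"), ("syscall", "read"), ("net", 443),
          ("syscall", "execve"), ("file", "/tmp/unknown.bin"), ("syscall", "write"), ("net", 9001),
          ("syscall", "close"), ("syscall", "epoll_wait"), ("syscall", "read")]
```

With the constructed stream, `triage(SBOB, EVENTS)` raises three alerts and persists 6 of 11 events; everything that matched the profile and lay outside a capture window is never written to storage.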

Our long-term vision is to use this technology as the basis for a nationwide, scalable defense of all Linux systems that make up our country's critical infrastructure.