Purdue University Graduate School

X-IDS and R-XIDS: An eBPF-based solution for security attacks in IoT environments

thesis
posted on 2025-05-04, 17:25 authored by Surya Lakshmi Narayanan

The rise of Internet of Things (IoT) devices including smart thermostats, industrial sensors, and medical wearables has transformed automation and connectivity across various domains. However, these devices are often resource-constrained and lack robust security mechanisms, exposing them to threats such as Distributed Denial of Service (DDoS) and routing-based attacks. Traditional user-space security systems are often too resource-intensive or static to defend against these evolving threats effectively.

This thesis investigates using the Extended Berkeley Packet Filter (eBPF) as a lightweight, kernel-level framework to enhance security in constrained IoT environments. Two Intrusion Detection Systems (IDS) are proposed and evaluated: X-IDS, which targets high-volume network-based attacks such as DDoS using eBPF and eXpress Data Path (XDP), and R-XIDS, which focuses on detecting sophisticated routing anomalies through MAC entropy, Time-To-Live (TTL) variance, and route path deviations. The study aims to answer the following questions: How can eBPF enhance security in resource-constrained systems, such as the Internet of Things (IoT)? What specific eBPF capabilities enable efficient defense against DDoS and routing attacks? And what implementation challenges arise during real-world deployment?

Experimental evaluations are conducted on both IDS systems. X-IDS demonstrated a substantial reduction in CPU usage (stabilizing around 30-36% under load) and very low processing latencies (approximately 4 μs), while dropping up to 40% of attack traffic before it reached the host stack. R-XIDS, in contrast, proved effective in detecting and mitigating route manipulation attempts, with selective packet drops triggered by MAC rotation and TTL heuristics. Notably, both systems showed minimal overhead and strong responsiveness, with real-time packet filtering and adaptive mitigation based on eBPF maps.
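The abstract names three decision signals but gives no code: a volumetric threshold that lets X-IDS drop flood traffic in XDP, and the MAC entropy and TTL variance heuristics that trigger R-XIDS's selective drops. The following Python is an added illustration, not the thesis's code: it models, in user space, the per-source state an eBPF hash map would hold and applies those heuristics to constructed packet records, returning an XDP-style PASS/DROP verdict. The window sizes, thresholds, field names and sample traffic are all assumptions; route path deviation, which the abstract mentions but does not detail, is not modelled.

```python
"""User-space model of the X-IDS / R-XIDS decision logic (constructed example).

The real systems run inside the kernel as eBPF/XDP programs. This model only
mirrors the per-packet decisions so the heuristics can be exercised offline.
"""
import math
import statistics
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

PASS, DROP = "PASS", "DROP"

# Assumed tunables (not taken from the thesis).
RATE_WINDOW_NS = 1_000_000_000   # 1 s window for the volumetric check
RATE_LIMIT = 1000                # packets per window per source before dropping
HISTORY = 64                     # per-source sample window for routing heuristics
MAC_ENTROPY_MAX = 1.0            # bits; a stable source sits near 0
TTL_VARIANCE_MAX = 4.0           # a stable route keeps TTL almost constant
MIN_SAMPLES = 8                  # do not judge a source on fewer samples


@dataclass
class SourceState:
    """What a BPF map value keyed by source IP would carry (assumed layout)."""
    window_start: int = 0
    count: int = 0
    macs: deque = field(default_factory=lambda: deque(maxlen=HISTORY))
    ttls: deque = field(default_factory=lambda: deque(maxlen=HISTORY))


def shannon_entropy(items) -> float:
    """Entropy in bits of the value distribution in `items`."""
    n = len(items)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(items).values())


class ModelIDS:
    def __init__(self):
        # Stands in for a BPF hash map: source IP -> SourceState.
        self.table = defaultdict(SourceState)

    def volumetric_check(self, st: SourceState, ts_ns: int) -> str:
        """X-IDS style: count packets per source in a fixed window, drop past the limit."""
        if ts_ns - st.window_start >= RATE_WINDOW_NS:
            st.window_start, st.count = ts_ns, 0
        st.count += 1
        return DROP if st.count > RATE_LIMIT else PASS

    def routing_check(self, st: SourceState, src_mac: str, ttl: int):
        """R-XIDS style: flag MAC rotation (high entropy) or TTL jitter (high variance)."""
        st.macs.append(src_mac)
        st.ttls.append(ttl)
        if len(st.ttls) < MIN_SAMPLES:
            return PASS, {}
        ent = shannon_entropy(list(st.macs))
        var = statistics.pvariance(list(st.ttls))
        verdict = DROP if ent > MAC_ENTROPY_MAX or var > TTL_VARIANCE_MAX else PASS
        return verdict, {"mac_entropy": ent, "ttl_variance": var}

    def handle(self, pkt: dict):
        """Per-packet verdict; the cheap volumetric check runs first, as XDP would."""
        st = self.table[pkt["src_ip"]]
        if self.volumetric_check(st, pkt["ts_ns"]) == DROP:
            return DROP, "rate"
        verdict, metrics = self.routing_check(st, pkt["src_mac"], pkt["ttl"])
        return verdict, ("routing" if verdict == DROP else "ok")


def simulate(packets):
    """Run constructed packets through one model instance; return the drop count."""
    ids = ModelIDS()
    return sum(1 for p in packets if ids.handle(p)[0] == DROP)


def demo():
    """Four constructed traffic samples; returns drops per scenario."""
    def pkt(ip, mac, ttl, i):
        return {"src_ip": ip, "src_mac": mac, "ttl": ttl, "ts_ns": i * 100}

    flood = [pkt("10.0.0.5", "02:00:00:00:00:01", 64, i) for i in range(1500)]
    rotating = [pkt("10.0.0.6", f"02:00:00:00:00:{i % 4:02x}", 64, i) for i in range(16)]
    jitter = [pkt("10.0.0.7", "02:00:00:00:00:01", 64 if i % 2 else 50, i) for i in range(16)]
    benign = [pkt("10.0.0.8", "02:00:00:00:00:01", 64, i) for i in range(16)]
    return {
        "flood_drops": simulate(flood),          # packets 1001..1500 exceed the window limit
        "mac_rotation_drops": simulate(rotating),  # 4 MACs evenly -> 2.0 bits, flagged from sample 8
        "ttl_jitter_drops": simulate(jitter),      # TTL 64/50 alternating -> variance 49
        "benign_drops": simulate(benign),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in `handle` mirrors why the abstract pairs the two systems: the volumetric count is a single map update and is evaluated first, so flood packets never reach the costlier entropy and variance computation, while a low-rate source that rotates MACs or whose TTL jumps around is still caught by the routing heuristics.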

The results validate that eBPF-based IDS solutions can offer high-speed, low-latency, and dynamic protection tailored for IoT devices. X-IDS provides a scalable defense against volumetric attacks, and R-XIDS complements this by addressing stealthier routing-layer threats. Together, they form a comprehensive strategy to enhance security in future IoT deployments in diverse and resource-sensitive environments.

History

Degree Type

  • Master of Science

Department

  • Computer and Information Technology

Campus location

  • West Lafayette

Advisor/Supervisor/Committee Chair

Smriti Bhatt

Advisor/Supervisor/Committee co-chair

Deepak Nadig

Additional Committee Member 2

Wenhai Sun
