Inspiration

In recent years, eBPF-based backdoor attacks have increased dramatically worldwide. These implants attach kernel packet filters (classic BPF) to raw sockets so they can receive trigger packets without opening a listening port, which lets them bypass firewall rules and maintain stealthy persistence.

According to Cybersecurity Ventures, worldwide cybercrime damage is projected to grow from $3 trillion in 2015 to over $10.5 trillion USD by 2025, making proactive detection critical.

Moreover, threat intelligence firms such as Trend Micro have reported BPFdoor activity across Korea, Hong Kong, Myanmar, Malaysia, and Egypt, showing that the threat is global rather than regional and that it exposes the personal information of millions of the victims' customers.

These real incidents motivated us to design a system that detects kernel-level backdoor behavior in real time inside Kubernetes clusters and responds automatically before data is exfiltrated.

What it does

Using Tetragon (eBPF-powered runtime security), it monitors suspicious behaviors such as:

Raw-socket-based TCP communication patterns (BPFdoor signatures)

Untrusted or unexpected binary executions

Processes running from temporary or suspicious file paths

Potential malware behavior inside containers or pods

It automatically isolates the compromised pod using Kubernetes NetworkPolicies.

Blocks further incoming/outgoing malicious communication.

Sends immediate Slack notifications for human awareness and incident response.

Streams all security events into Grafana for real-time dashboards and visualization.

How we built it

We deployed KubeSentry on a vanilla Kubernetes cluster running on headless servers. Our architecture includes:

Tetragon for eBPF-based runtime event monitoring

Custom detection policies for BPFdoor-like behavior

Prometheus + ServiceMonitor for metric scraping

Grafana dashboards for visualizing security events

Slack Alertmanager integration for instant notifications

Automated isolation controller implemented in Python

Simulated attacker pods to validate real-world BPFdoor scenarios
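The detection-to-isolation path described under "What it does" and "How we built it", as an added example that is not KubeSentry's own controller code: it reads Tetragon events as JSON lines (for instance from `tetra getevents -o json`), classifies BPFdoor-like behaviour (raw/packet socket creation, execution from temporary paths, untrusted binaries), and emits the pod label patch and deny-all NetworkPolicy needed to quarantine the pod. The Tetragon event field layout, the `security_socket_create` hook name, the `kubesentry.io/quarantine` label and the path lists are assumptions; the sample events are constructed, not real captures.

```python
"""Isolation-controller example (added here, not the project's own code).

Reads Tetragon JSON-lines events, matches BPFdoor-like behaviour, and returns the
Kubernetes objects needed to quarantine the offending pod. Event field layout follows
Tetragon's JSON export as understood here; hook, label and path lists are assumptions.
"""
import json
import sys

# Assumed quarantine label: the controller patches it onto the pod and a deny-all
# NetworkPolicy selects on it (pod names are not labels, so no policy can select by name).
QUARANTINE_LABEL = "kubesentry.io/quarantine"

# Linux socket constants from <sys/socket.h>; the mask strips flags such as SOCK_NONBLOCK.
AF_PACKET = 17
SOCK_RAW = 3
SOCK_TYPE_MASK = 0xF

SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/lib/")


def classify(event):
    """Return a detection name for one Tetragon event, or None if it looks benign."""
    if "process_exec" in event:
        binary = event["process_exec"]["process"].get("binary", "")
        if binary.startswith(SUSPICIOUS_PREFIXES):
            return "exec_from_temp_path"
        if not binary.startswith(TRUSTED_PREFIXES):
            return "untrusted_binary_exec"
    kprobe = event.get("process_kprobe")
    if kprobe and kprobe.get("function_name") == "security_socket_create":
        # security_socket_create(family, type, protocol, kern). BPFdoor opens a packet or
        # raw socket and attaches a classic BPF filter so it can receive its trigger packet
        # with no listening port, below the firewall's view.
        args = [a["int_arg"] for a in kprobe.get("args", []) if "int_arg" in a]
        if len(args) >= 2 and (args[0] == AF_PACKET or (args[1] & SOCK_TYPE_MASK) == SOCK_RAW):
            return "raw_socket_listener"
    return None


def pod_of(event):
    """(namespace, pod name) of the event's process, or None for host processes."""
    body = event.get("process_exec") or event.get("process_kprobe") or {}
    pod = body.get("process", {}).get("pod")
    return (pod["namespace"], pod["name"]) if pod else None


def quarantine_patch():
    """JSON merge patch that marks a pod as quarantined."""
    return {"metadata": {"labels": {QUARANTINE_LABEL: "true"}}}


def isolation_policy(namespace):
    """Deny-all NetworkPolicy for every quarantined pod in the namespace.
    Both policyTypes with empty rule lists: select the pod, allow nothing (DNS egress included)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "kubesentry-quarantine", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {QUARANTINE_LABEL: "true"}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [],
            "egress": [],
        },
    }


def process_stream(lines):
    """Consume JSON-lines events; return one isolation action per detection inside a pod."""
    actions = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        detection, target = classify(event), pod_of(event)
        if detection and target:
            namespace, name = target
            actions.append({"namespace": namespace, "pod": name, "detection": detection,
                            "patch": quarantine_patch(), "policy": isolation_policy(namespace)})
    return actions


# Constructed sample events modelled on Tetragon's JSON export (not real captures).
SAMPLE_EVENTS = [
    json.dumps({"process_exec": {"process": {"binary": "/usr/bin/curl",
                "pod": {"namespace": "shop", "name": "web-7d9f"}}}}),
    json.dumps({"process_exec": {"process": {"binary": "/dev/shm/kdmtmpflush",
                "pod": {"namespace": "shop", "name": "web-7d9f"}}}}),
    json.dumps({"process_kprobe": {"function_name": "security_socket_create",
                "args": [{"int_arg": 17}, {"int_arg": 3}, {"int_arg": 768}],
                "process": {"binary": "/dev/shm/kdmtmpflush",
                            "pod": {"namespace": "shop", "name": "web-7d9f"}}}}),
    json.dumps({"process_kprobe": {"function_name": "security_socket_create",
                "args": [{"int_arg": 2}, {"int_arg": 1}, {"int_arg": 6}],
                "process": {"binary": "/usr/sbin/sshd"}}}),  # host process, no pod: ignored
]

if __name__ == "__main__":
    source = SAMPLE_EVENTS if sys.stdin.isatty() else sys.stdin
    for action in process_stream(source):
        print(json.dumps(action))
```

The returned `patch` is what you would send as a merge patch to the pod and the `policy` is what you would create once per namespace (with `kubectl apply -f -` or the Kubernetes client); the controller only has to label further pods after that. Kubernetes NetworkPolicies are additive, so quarantine holds only if no higher-precedence policy layer (for example a Calico policy with a lower order value) still allows the pod's traffic, which is the Calico interaction noted under Challenges.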

We built everything without cloud-managed services; everything ran on bare Kubernetes nodes.

Challenges we ran into

1. The worker nodes in the configured cluster were not able to pull images from the container registry because of a network policy I had created, so I had to find a different environment to develop the project.

2. Tetragon pods repeatedly crash-looped due to BTF issues.

3. Alertmanager template rendering errors caused Slack notifications to fail, so Slack could not show messages from the container.

4. Loki log integration issues prevented Grafana queries from loading (PromQL and LogQL issues).

5. The automated isolation controller did not start due to environment mismatches.

6. NetworkPolicy conflicts with Calico's standard security layers.

7. Prometheus did not scrape custom Tetragon metrics due to ServiceMonitor misconfigurations.

These issues required deep debugging of Kubernetes networking, CNI plugins, eBPF behavior, and the entire Prometheus alerting stack.

Accomplishments that we're proud of

Despite major errors and issues, we successfully:

1. Built a fully automated eBPF-powered detection and isolation pipeline

2. Simulated real-world BPFdoor attacks and confirmed successful detection

3. Created visual dashboards showing threat flows inside the cluster

4. Got a working Slack-based alerting system sending real-time security notifications

5. Made sure the system proactively protects sensitive data in Kubernetes workloads

Even though it took me most of the holidays with barely any sleep, we are proud that we were able to fix the issues and errors by checking, googling, asking, and reading through a bunch of logs, and finally built a fully functioning system.

The system can also realistically serve as a cornerstone for protecting personal data and enterprise systems from kernel-level threats, which are currently ongoing.

What we learned

Through this project, we learned:

1. How useful, powerful, and complex eBPF-based observability and security can be.

2. How to integrate multiple open-source components (Tetragon, Prometheus, Grafana) into one pipeline.

3. How to design automated response systems inside Kubernetes.

4. How to balance runtime performance with deep visibility into system calls and network events.

5. AI is really not good at designing network and security architectures.

This project gave us not only an understanding of system design and development skills, but also the confidence to pursue future projects and careers.

What's next for Kubesentry

Improve security features: incorporate additional attack patterns such as ICMP-based C2, DNS tunneling, and privilege escalation, and add new Tetragon rules for malware families beyond BPFdoor.

Enhance visualization: build a more advanced Grafana security dashboard including heatmaps, timelines, and cluster-wide threat topology (geo mapping).
