Comparative Analysis of eBPF-Based Runtime Security Monitoring Tools in Monitoring and Threat Detection on Kubernetes
Aldien Asy Syairozi, Arizal
2025
Abstract
The rapid adoption of Kubernetes for managing cloud-native applications has increased the importance of runtime security. Extended Berkeley Packet Filter (eBPF)-based monitoring tools, such as Falco, Tetragon, and Tracee, offer real-time visibility and effective threat detection. This study evaluates and compares the Key Performance Indicators (KPIs) and efficiency of these tools in addressing Container Escape, Denial of Service (DoS), and Cloud Cryptomining attacks drawn from the OWASP Kubernetes Top 10. Evaluation metrics include Mean Time to Detect (MTTD), Detection Rate (DR), False Positive Rate (FPR), as well as CPU and memory usage. The results show that Tetragon excels in detection time for Container Escape and Cryptomining threats, Falco excels in detecting DoS attacks, while Tracee has a relatively lower detection speed. All three tools detected every attack with full accuracy and no false positives. Resource usage analysis revealed minimal differences between baseline and attack conditions, indicating that detection activity did not significantly increase system load. Among the tools, Tetragon was the most efficient in CPU usage, Falco in memory consumption, while Tracee offered balanced resource utilization.
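As an added illustration of the three detection metrics the abstract names, and not code from the paper, the following Python computes MTTD, DR and FPR for one tool from constructed attack-injection and alert timestamps. The matching window, the alert/attack categories, and the FPR definition (unmatched alerts over all alerts) are assumptions, not the study's methodology.

```python
"""Compute MTTD, DR and FPR from constructed runtime-security alert data.

Assumptions (not taken from the paper): each attack is injected at a known
time, each tool emits alerts tagged with an attack category, and an alert is
a true positive if it fires within `window` seconds after an injected attack
of the same category. All data below is constructed sample input.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    category: str    # "container_escape", "dos" or "cryptomining"
    t_inject: float  # seconds since experiment start


@dataclass(frozen=True)
class Alert:
    category: str
    t_alert: float


def evaluate(attacks, alerts, window=60.0):
    """Return (MTTD in seconds, DR, FPR) for one tool's alert stream.

    MTTD: mean delay between injection and the first matching alert,
          averaged over detected attacks (inf if nothing was detected).
    DR:   detected attacks / injected attacks.
    FPR:  alerts that match no injected attack / total alerts.
    """
    delays, matched = [], set()
    for atk in attacks:
        hits = [(i, a) for i, a in enumerate(alerts)
                if a.category == atk.category
                and atk.t_inject <= a.t_alert <= atk.t_inject + window]
        if not hits:
            continue  # missed attack: counts against DR, not MTTD
        first = min(a.t_alert for _, a in hits)
        delays.append(first - atk.t_inject)
        matched.update(i for i, _ in hits)
    dr = len(delays) / len(attacks) if attacks else 0.0
    mttd = sum(delays) / len(delays) if delays else float("inf")
    fpr = (len(alerts) - len(matched)) / len(alerts) if alerts else 0.0
    return mttd, dr, fpr


# Constructed scenario: three injected attacks, two hypothetical tools.
ATTACKS = [Attack("container_escape", 100.0), Attack("dos", 300.0),
           Attack("cryptomining", 500.0)]
TOOL_A = [Alert("container_escape", 101.5), Alert("container_escape", 102.0),
          Alert("dos", 303.0), Alert("cryptomining", 502.5)]
TOOL_B = [Alert("container_escape", 104.0), Alert("dos", 290.0),
          Alert("cryptomining", 508.0), Alert("dos", 900.0)]

if __name__ == "__main__":
    for name, alerts in (("tool_a", TOOL_A), ("tool_b", TOOL_B)):
        mttd, dr, fpr = evaluate(ATTACKS, alerts)
        print(f"{name}: MTTD={mttd:.2f}s DR={dr:.2f} FPR={fpr:.2f}")
```

Tool B's alert at t=290 precedes the DoS injection and the one at t=900 falls outside the window, so both count as false positives and the DoS attack as missed.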
Paper Citation
in Harvard Style
Syairozi A. and Arizal. (2025). Comparative Analysis of eBPF-Based Runtime Security Monitoring Tools in Monitoring and Threat Detection on Kubernetes. In Proceedings of the 1st International Conference on Research and Innovations in Information and Engineering Technology - Volume 1: RITECH; ISBN 978-989-758-784-9, SciTePress, pages 136-141. DOI: 10.5220/0014272700004928
in Bibtex Style
@conference{ritech25,
author={Aldien Asy Syairozi and Arizal},
title={Comparative Analysis of eBPF-Based Runtime Security Monitoring Tools in Monitoring and Threat Detection on Kubernetes},
booktitle={Proceedings of the 1st International Conference on Research and Innovations in Information and Engineering Technology - Volume 1: RITECH},
year={2025},
pages={136-141},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0014272700004928},
isbn={978-989-758-784-9},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 1st International Conference on Research and Innovations in Information and Engineering Technology - Volume 1: RITECH
TI - Comparative Analysis of eBPF-Based Runtime Security Monitoring Tools in Monitoring and Threat Detection on Kubernetes
SN - 978-989-758-784-9
AU - Syairozi A.
AU - Arizal.
PY - 2025
SP - 136
EP - 141
DO - 10.5220/0014272700004928
PB - SciTePress