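% Journal article on kernel-level monitoring and control of container
% activity with eBPF and LSM, including Kubernetes policy scoping by
% namespace, pod, and label (as described in the abstract below).
% Authors are separated with " and " and written "Last, First" so that
% BibTeX parses six distinct names instead of one malformed name.
@article{M25399162,
  author   = {Ko, Yejune and Kim, Hyeonseok and Jeong, Mingyu and Lee, Changhyun and Lim, Harksu and Jeon, Sunghyun},
  title    = {Monitoring and Controlling Internal Container Activity Using {LSM} + {eBPF} in a Multi-Container Environment},
  journal  = {Journal of KIISE, JOK},
  year     = {2026},
  issn     = {2383-630X},
  doi      = {10.5626/JOK.2026.53.1.1},
  keywords = {eBPF, LSM, container, system-security},
  abstract = {This paper explores real-time monitoring and control techniques utilizing an eBPF (extended Berkeley Packet Filter) and the LSM (Linux Security Module) in multi-container environments and Kubernetes-based orchestration systems. Traditional security methods struggle to maintain consistent policies due to the dynamic nature of container creation and termination, limiting fine-grained control at the individual container level. In this study, we employ eBPF to monitor system calls, network activities, and file accesses at the kernel level, while also implementing mechanisms to restrict specific container behaviors. Furthermore, we assess the feasibility of applying consistent security policies in Kubernetes environments, experimentally validating policy management and monitoring techniques at the namespace, pod, and label levels. Our experimental results indicate that eBPF-based monitoring and control functions efficiently in multi-container environments with minimal performance overhead, allowing for flexible and scalable security policy enforcement in orchestration systems like Kubernetes. This research advances the development of cloud-native security solutions that leverage eBPF.},
}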