TY - JOUR
T1 - Monitoring and Controlling Internal Container Activity Using LSM + eBPF in a Multi-Container Environment
AU - Ko, Yejune
AU - Kim, Hyeonseok
AU - Jeong, Mingyu
AU - Lee, Changhyun
AU - Lim, Harksu
AU - Jeon, Sunghyun
JO - Journal of KIISE, JOK
PY - 2026
DA - 2026/1/14
DO - 10.5626/JOK.2026.53.1.1
KW - eBPF
KW - LSM
KW - container
KW - system-security
AB - This paper explores real-time monitoring and control techniques utilizing eBPF (extended Berkeley Packet Filter) and the LSM (Linux Security Module) framework in multi-container environments and Kubernetes-based orchestration systems. Traditional security methods struggle to maintain consistent policies due to the dynamic nature of container creation and termination, limiting fine-grained control at the individual container level. In this study, we employ eBPF to monitor system calls, network activities, and file accesses at the kernel level, while also implementing mechanisms to restrict specific container behaviors. Furthermore, we assess the feasibility of applying consistent security policies in Kubernetes environments, experimentally validating policy management and monitoring techniques at the namespace, pod, and label levels. Our experimental results indicate that eBPF-based monitoring and control functions efficiently in multi-container environments with minimal performance overhead, allowing for flexible and scalable security policy enforcement in orchestration systems like Kubernetes. This research advances the development of cloud-native security solutions that leverage eBPF.