in

A Cloud-Native Host-Based Intrusion Detection solution project to provide next-generation Threat Detection


(Originated from AgentSmith-HIDS, but now it’s not just HIDS)

English | 简体中文

Elkeid is a support cloud-native and base linux host security(Intrusion detection and risk identification) solution.

Elkeid Architecture

Elkeid Host Ability

  • Elkeid Agent Linux userspace agent,responsible for managing various plugin,communication with Elkeid Server.
  • Elkeid Driver Driver can collect data on Linux Kernel, support container environment, communication with Elkeid Driver Plugin.
  • Elkeid RASP Support CPython、Golang、JVM、NodeJS runtime data probe, supports dynamic injection into the runtime.
  • Elkeid Agent Plugin List
    • Driver Plugin: Responsible for managing Elkeid Driver, and process the driver data.
    • Collector Plugin: Responsible for the collection of assets/log information on the Linux System, such as user list, crontab, package information, etc.
    • Journal Watcher: Responsible for monitoring systemd logs, currently supports ssh related log collection and reporting.
    • Scanner Plugin: Responsible for static detection of malicious files on the host, currently supports yara.
    • RASP Plugin: Responsible for managing RASP components and processing data collected from RASP, not open source yet.

The above components can provide these data:

  • Elkeid AgentCenter Responsible for communicating with the Agent, collecting Agent data and simply processing it and then summing it into the MQ, is also responsible for the management of the Agent, including Agent upgrade, configuration modification, task distribution, etc.
  • Elkeid ServiceDiscovery Each component in the background needs to register and synchronize service information with the component regularly, so as to ensure that the instances in each service module are visible to each other and facilitate direct communication.
  • Elkeid Manager Responsible for the management of the entire backend, and provide related query and management API.

Elkeid Advantage

The current open source module lacks a rule engine and detection rule, and cannot provide intrusion detection capabilities. However, the current open source part can be easily integrated with other HIDS/NIDS/XDR solutions, or you can perform data processing on the collected data to meet your own needs. Elkeid has the following main advantages:

  • Excellent Performance: With the help of Elkeid Driver and many custom developments, the end-to-end capability is excellent
  • Born For Intrusion Detection: Data collection is based on high-intensity confrontation, and targeted data collection is available for many advanced confrontation scenarios such as Kernel Rootkit, privilege escalation, and fileless attacks.
  • Support Cloud Native: Cloud native environment is supported from end-to-end capabilities to back-end deployment.
  • One-million-level Production Environment Verification: The whole has been internally verified at a million-level, and the stability and performance have been tested from end to server. Elkeid is not just a PoC, it is production-level; the open source version is the internal Release Version.
  • Secondary Development Friendly: Elkeid facilitates secondary development and increased demand for customization.

Quick Start

Contact us && Cooperation

Lark Group

License

  • Elkeid Driver: GPLv2
  • Elkeid RASP: Apache-2.0
  • Elkeid Agent: Apache-2.0
  • Elkeid Server: Apache-2.0

404StarLink 2.0 – Galaxy

Elkeid has joined 404Team 404StarLink 2.0 – Galaxy

GitHub

https://github.com/bytedance/Elkeid




Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

GIPHY App Key not set. Please check settings

Nehera Spring 2022 Ready-to-Wear thumbnail

Nehera Spring 2022 Ready-to-Wear

GOLI LYRICS – Gur Sidhu, Deepak Dhillon