AccuKnox Patent for In-Kernel Instrumentation of Kernel-Level Processes
AccuKnox has been granted a new patent for a computer-implemented system, method, and program that facilitates robust in-kernel instrumentation and monitoring of kernel-level processes.
About Patent
The patent, titled “COMPUTER-IMPLEMENTED SYSTEM AND METHOD FOR PERFORMING IN-KERNEL INSTRUMENTATION OF KERNEL-LEVEL EVENTS”, was filed with the USPTO on September 9, 2022 and was granted on March 14, 2024. It builds upon AccuKnox’s growing portfolio of more than 10 patents across domains such as cloud computing, network security, application security, endpoint security, and enterprise software risk assessment and remediation.
How does it work
The increasing sophistication of malware and other cyber threats requires security solutions that can operate seamlessly within the kernel to detect and mitigate attacks.
Our patented in-kernel instrumentation technology represents a breakthrough in delivering high-performance, real-time security monitoring capabilities to our enterprise customers.
Rahul Jadhav, CTO & Co-founder, AccuKnox
- The patented technology, invented by a team of AccuKnox’s top researchers and engineers including Rahul Jadhav, Goyang Nam, Seungsoo Lee, and Dong-Gu, addresses a critical gap in conventional user-space-based security monitoring tools.
- The solution implements an extended Berkeley Packet Filter (eBPF) kernel module within the kernel space, allowing for the creation of sophisticated eBPF maps to track key kernel-level events and process information.
Features of the patented technology
- Virtual memory is divided into separate kernel and user areas.
- An eBPF kernel module generates maps for monitoring namespaces, instrumentation probes, events, and process IDs.
- Kernel-level event data is assessed entirely within kernel space by comparing it against predetermined rules.
- Context switching between the user and kernel domains is avoided, eliminating the associated performance overhead.
- Processes are identified and classified as harmful or legitimate in real time.
The computer-implemented system, method, and product enable in-kernel instrumentation of kernel-level processes. Its main novelty is that it has no dependence on, or contact with, user space: all instrumentation and monitoring are performed exclusively within the kernel area. To achieve this, an extended Berkeley Packet Filter (eBPF) kernel module is implemented in kernel space, and custom eBPF maps are created through that module.
These maps hold important data about kernel operations, including process IDs, namespaces, context, arguments, and references to directives. Because the instrumentation logic and the data it processes stay inside the kernel space, the system avoids expensive context switches between the kernel and user regions. Unlike user-space-based methods, this enables effective real-time monitoring and instrumentation of kernel-level operations without compromising speed.
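To make the design concrete, here is an added example written for this article; it is not taken from AccuKnox's patent or products. It is a small C model of the in-kernel decision path, not an eBPF program: it reproduces natively the structures an eBPF implementation would keep in maps (a rules map keyed by PID namespace and syscall, and a ring buffer that carries only selected events to user space) so the lookup and precedence logic can be read and tested without a kernel. Every name, syscall number, namespace inode value and path in it is a constructed assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed C model of the in-kernel decision path (not an eBPF program and
 * not AccuKnox's code). In a real deployment these tables would be eBPF maps
 * and evaluate_event() would run inside a kprobe/tracepoint program. */

enum verdict { ALLOW = 0, DENY = 1, AUDIT = 2 };

#define ANY_NS      0u      /* wildcard key: the rule applies in every namespace */
#define MAX_RULES   16
#define RB_CAPACITY 64

/* Assumed syscall numbers (x86_64) used by the constructed events below. */
#define SYS_EXECVE  59u
#define SYS_OPENAT  257u

/* What a probe observes about one kernel-level event. */
struct kevent {
    uint32_t pid;
    uint32_t pidns;        /* PID namespace inode: identifies the container */
    uint32_t syscall_id;
    char     arg0[64];     /* first argument, e.g. the path handed to execve */
};

/* Rules map: (pidns, syscall) -> verdict plus an optional argument prefix. */
struct rule_key { uint32_t pidns; uint32_t syscall_id; };
struct rule_val { enum verdict verdict; char arg_prefix[32]; };
struct rule_map { struct rule_key keys[MAX_RULES]; struct rule_val vals[MAX_RULES]; int n; };

/* Stand-in for the ring buffer that carries only decided events to user space. */
struct ringbuf { struct kevent ev[RB_CAPACITY]; int n; };

static int map_update(struct rule_map *m, uint32_t ns, uint32_t sc,
                      enum verdict v, const char *prefix) {
    if (m->n >= MAX_RULES) return -1;
    m->keys[m->n].pidns = ns;
    m->keys[m->n].syscall_id = sc;
    m->vals[m->n].verdict = v;
    snprintf(m->vals[m->n].arg_prefix, sizeof m->vals[m->n].arg_prefix, "%s", prefix);
    m->n++;
    return 0;
}

static const struct rule_val *map_lookup(const struct rule_map *m, uint32_t ns, uint32_t sc) {
    for (int i = 0; i < m->n; i++)
        if (m->keys[i].pidns == ns && m->keys[i].syscall_id == sc)
            return &m->vals[i];
    return NULL;
}

/* Namespace-specific rules are tried first, then the ANY_NS wildcard. A rule
 * with a non-empty prefix matches only if the event's argument starts with it. */
static const struct rule_val *match_rule(const struct rule_map *rules, const struct kevent *ev) {
    const uint32_t ns_keys[2] = { ev->pidns, ANY_NS };
    for (int i = 0; i < 2; i++) {
        const struct rule_val *r = map_lookup(rules, ns_keys[i], ev->syscall_id);
        if (!r) continue;
        size_t plen = strlen(r->arg_prefix);
        if (plen == 0 || strncmp(ev->arg0, r->arg_prefix, plen) == 0)
            return r;
    }
    return NULL;
}

/* The hot path: decide entirely "in kernel". Events with no matching rule are
 * allowed and never copied out, so user space only sees what policy selects. */
static enum verdict evaluate_event(const struct rule_map *rules, const struct kevent *ev,
                                   struct ringbuf *rb) {
    const struct rule_val *r = match_rule(rules, ev);
    if (!r) return ALLOW;
    if (rb->n < RB_CAPACITY) rb->ev[rb->n++] = *ev;
    return r->verdict;
}

/* Builds a constructed policy and four constructed events; fills verdicts[4]
 * and returns how many events were emitted to user space. */
static int run_demo(struct ringbuf *rb, enum verdict verdicts[4]) {
    const uint32_t CONTAINER_NS = 0xA1B2u, OTHER_NS = 0xC3D4u;  /* assumed inode values */
    struct rule_map rules = { .n = 0 };
    map_update(&rules, ANY_NS, SYS_EXECVE, AUDIT, "");                 /* audit every exec */
    map_update(&rules, CONTAINER_NS, SYS_EXECVE, DENY, "/usr/bin/apt"); /* no package manager in this container */

    const struct kevent events[4] = {
        { .pid = 1201, .pidns = CONTAINER_NS, .syscall_id = SYS_EXECVE, .arg0 = "/usr/bin/apt" },
        { .pid = 1202, .pidns = CONTAINER_NS, .syscall_id = SYS_EXECVE, .arg0 = "/usr/bin/python3" },
        { .pid = 2301, .pidns = OTHER_NS,     .syscall_id = SYS_OPENAT, .arg0 = "/etc/hostname" },
        { .pid = 2302, .pidns = OTHER_NS,     .syscall_id = SYS_EXECVE, .arg0 = "/usr/bin/apt" },
    };
    rb->n = 0;
    for (int i = 0; i < 4; i++)
        verdicts[i] = evaluate_event(&rules, &events[i], rb);
    return rb->n;
}

int main(void) {
    struct ringbuf rb;
    enum verdict v[4];
    int emitted = run_demo(&rb, v);
    static const char *names[] = { "ALLOW", "DENY", "AUDIT" };
    for (int i = 0; i < 4; i++) printf("event %d -> %s\n", i + 1, names[v[i]]);
    printf("%d of 4 events crossed to user space\n", emitted);
    return 0;
}
```

The model makes two design points visible. First, keying the rules map by PID namespace lets one policy table hold per-container rules and a wildcard default, with the specific rule consulted before the wildcard (the container's DENY on apt does not suppress the global AUDIT for its other execs). Second, the openat event that matches no rule is never copied out, so only three of the four events cross to user space; in a real eBPF deployment that is where the savings in context switches described above come from.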