How PacketScope Combines eBPF and LLMs for Real‑Time Kernel‑Level Attack Defense
PacketScope leverages eBPF to trace every packet inside the TCP/IP stack, visualizes protocol interactions, and uses large language models to automatically detect and block sophisticated network attacks with zero delay, addressing the growing $10.5 trillion cyber‑crime threat projected for 2025.
PacketScope is a generic defense framework for TCP/IP stacks built on eBPF, which dynamically observes each packet’s processing path, visualizes protocol interactions, and leverages large language models (LLMs) for security analysis and zero‑latency defense.
According to Cybercrime Magazine, cyber‑crime losses could reach US$10.5 trillion by 2025, highlighting the urgent need for effective network‑attack mitigation.
The main challenges are (1) difficulty in detecting sophisticated, multi‑protocol attacks that require long‑context semantic reasoning, and (2) difficulty in intercepting attacks because manual rule creation is complex and time‑consuming.
PacketScope’s Guarder module fuses LLM‑driven long‑context inference with eBPF/XDP kernel‑level programmability to achieve intelligent detection and automatic in‑stack blocking of hidden attacks.
LLM‑Enabled Kernel‑Level Defense Workflow
Guarder attaches an eBPF program to the XDP hook on the NIC, capturing packets before they enter the main protocol stack with near‑zero overhead.
The captured metadata (TCP/UDP, ICMP, etc.) is passed to user space via BPF maps.
An AI analysis module structures the real‑time traffic data and sends it to a configurable LLM (e.g., ChatGPT, DeepSeek, TrafficLLM, or self‑hosted vLLM/Ollama).
The LLM evaluates the traffic, identifies malicious behavior, and generates one or more eBPF filter rules for blocking.
The generated rules are immediately loaded into the XDP hook, discarding malicious packets before they consume system resources.
Version 1.1 of PacketScope has been tested on Ubuntu 24.04 (Linux 6.8) and can automatically recognize and block common attack patterns such as ICMP ping flooding.
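To make the last two steps concrete, here is the verdict logic such a rule-loaded XDP filter evaluates on every inbound frame, written as an added example rather than PacketScope's own code. It parses Ethernet + IPv4 from a plain byte buffer with the same bounds checks the BPF verifier demands, then matches against a rule table of the kind user space would install after the analysis flags an ICMP ping flood; the names (`filter_rule`, `xdp_verdict`, the constructed address 10.0.0.5) are assumptions, and in a real XDP program the buffer is `ctx->data`/`data_end` and the rules live in a BPF map.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return values mirror the XDP action codes (XDP_DROP = 1, XDP_PASS = 2). */
enum { VERDICT_DROP = 1, VERDICT_PASS = 2 };
/* One blocking rule as user space would write it into a BPF map: IPv4 protocol
 * number plus an optional source address (0 = match any source). Assumed layout. */
struct filter_rule { uint8_t ip_proto; uint32_t src_ip; };

/* Pack four octets exactly as they sit on the wire, so no byte-order conversion is needed. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    uint8_t o[4] = { a, b, c, d }; uint32_t v; memcpy(&v, o, 4); return v;
}

/* Ethernet + IPv4 parse with the explicit bounds checks the BPF verifier insists on,
 * then first-match over the rule table. Non-IPv4 and malformed frames go to the stack. */
int xdp_verdict(const uint8_t *data, size_t len, const struct filter_rule *rules, size_t nrules) {
    const uint8_t *end = data + len, *p = data;
    if (len < 14 || p[12] != 0x08 || p[13] != 0x00) return VERDICT_PASS; /* not IPv4 */
    p += 14;
    if (end - p < 20 || (p[0] >> 4) != 4) return VERDICT_PASS;         /* truncated/invalid IPv4 */
    uint32_t src; memcpy(&src, p + 12, 4);
    for (size_t i = 0; i < nrules; i++)
        if (rules[i].ip_proto == p[9] && (rules[i].src_ip == 0 || rules[i].src_ip == src))
            return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Constructed 34-byte frame: Ethernet(IPv4) + minimal IPv4 header, no payload. */
static size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t src) {
    memset(buf, 0, 34);
    buf[12] = 0x08; buf[13] = 0x00;  /* EtherType IPv4 */
    buf[14] = 0x45; buf[17] = 20;    /* version 4, IHL 5, total length 20 */
    buf[23] = proto; memcpy(buf + 26, &src, 4);
    return 34;
}

/* Verdict for one constructed frame under a rule dropping ICMP from 10.0.0.5 (the kind of
 * rule the analysis step would emit for a ping flood); `len` truncates the frame to test bounds. */
int verdict_sample(uint8_t proto, uint32_t src, size_t len) {
    struct filter_rule rules[1] = { { 1 /* ICMP */, ip4(10, 0, 0, 5) } };
    uint8_t frame[34];
    size_t n = build_frame(frame, proto, src);
    return xdp_verdict(frame, len < n ? len : n, rules, 1);
}

int main(void) {
    const char *name[] = { "", "DROP", "PASS" };
    printf("ICMP from 10.0.0.5: %s\n", name[verdict_sample(1, ip4(10, 0, 0, 5), 34)]);
    printf("TCP  from 10.0.0.5: %s\n", name[verdict_sample(6, ip4(10, 0, 0, 5), 34)]);
    printf("ICMP from 10.0.0.9: %s\n", name[verdict_sample(1, ip4(10, 0, 0, 9), 34)]);
    return 0;
}
```

Only the ICMP frame from the listed source is dropped; a TCP frame from the same host, an ICMP frame from another host, and a frame too short to hold an IPv4 header all pass through to the stack unchanged.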
Future Outlook
Future work will extend to application‑layer protocol tracing, distributed cross‑host analysis, and more flexible programming interfaces for custom observation points.
This article has been distilled and summarized from source material, then republished for learning and reference.
Deepin Linux
Research areas: Windows & Linux platforms, C/C++ backend development, embedded systems and Linux kernel, etc.