Description
You’ve probably heard of traditional Linux security tools: intrusion detection systems, antivirus agents, log monitors. They sit on top of the OS, scanning files, parsing logs, and raising alerts. Useful, but often late to the party. By the time they notice something, the attack has already happened. Now imagine moving one layer deeper, right into the Linux kernel itself. With technologies like eBPF, Ubuntu can watch processes, system calls, and network activity in real time, at the point of execution. Instead of scraping logs after the fact, you get live telemetry from the kernel that shows you exactly what’s happening as it happens.
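To make "telemetry at the point of execution" concrete, here is a small bpftrace script added as an illustration for this page; it is not code from the talk or its speaker. It attaches to the execve() syscall tracepoint and prints each new process as the kernel is about to run it, with the parent PID and UID a defender needs for correlation. It assumes bpftrace is installed (`apt install bpftrace` on Ubuntu), root privileges, and a kernel with BTF, which Ubuntu's generic kernels provide.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not from the talk: live process-execution telemetry from the kernel.
// Run as root: sudo bpftrace ./exectrace.bt
// Assumes a BTF-enabled Ubuntu kernel so that curtask->parent can be dereferenced.

BEGIN
{
  printf("%-19s %-8s %-8s %-6s %-16s %s\n",
         "TIME", "PID", "PPID", "UID", "PARENT_COMM", "FILENAME");
}

// Fires when any process enters execve(), i.e. before the new program runs.
tracepoint:syscalls:sys_enter_execve
{
  // comm here is still the *parent* image name (e.g. bash), which is exactly
  // the lineage information log scraping tends to lose.
  printf("%-19s %-8d %-8d %-6d %-16s %s\n",
         strftime("%Y-%m-%d %H:%M:%S", nsecs),
         pid, curtask->parent->pid, uid, comm, str(args->filename));
}
```

Because the probe runs inside the kernel's tracepoint path, the event is observed even if the process exits immediately or deletes its own binary afterwards; the output is a stream you can pipe into whatever alerting or pattern-matching logic you already use. On bpftrace 0.21 and newer, `args.filename` is the preferred spelling and `args->filename` is kept for compatibility.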
But what does “kernel-level detection” actually mean in practice? How do you collect useful data without slowing everything down? How do you separate normal activity from malicious patterns? And what tools exist today on Ubuntu that make this more approachable for developers, sysadmins, and security teams?
This talk will map out the current landscape of kernel-level threat detection on Ubuntu. We’ll explore eBPF-based approaches, integration with Ubuntu’s security stack (AppArmor, auditd, systemd tools), and emerging projects that bring visibility directly into the kernel. We’ll see how the different methods compare in their tradeoffs between performance, usability, and detection accuracy.
Most importantly, we’ll show what all this means for you as an Ubuntu user. Whether you’re running a laptop, a fleet of servers, or Kubernetes clusters, kernel-level detection is changing how we think about defense. By the end of the session, you’ll walk away with a clear sense of what’s possible today, what’s experimental, and how you can start using Ubuntu itself as a first-class security observability platform.