🔐 Combined
Jibril combines two powerful monitoring capabilities - file access and execution - to create a comprehensive security solution. This integrated approach tracks both how processes interact with the filesystem and which programs are being executed, providing complete visibility into system activity.
🔗 Correlation Unlocks Detection Power
By correlating file access with program execution, Jibril detects sophisticated attacks invisible to single-vector monitoring. When a process accesses sensitive files after executing from an unusual location, that's actionable intelligence.
⚙️ How Combined Monitoring Works
📁 File Operation Tracking
Jibril intercepts and logs every file operation in the system, including opens, reads, writes, modifications, deletions, and permission changes. For each operation, it records:
- The exact file path and name
- Timestamp of the access
- Process ID and name that performed the operation
- User context under which the access occurred
- Type of operation performed
- Amount of data read or written
🚀 Binary Execution Tracking
Simultaneously, Jibril continuously monitors all program executions on the system, capturing detailed information about every binary that runs. This includes system utilities, user applications, scripts, and other executable content.
📝 Argument Pattern Analysis
When programs execute, Jibril captures and analyzes their command-line arguments. Certain argument patterns can indicate malicious intent: for example, unusual flag combinations, obfuscated commands, or attempts to exploit parameter vulnerabilities.
🎯 Execution Context Evaluation
Jibril examines the conditions surrounding program execution, including:
- The user context (particularly privilege level and whether elevation occurred)
- Timing patterns (executions during unusual hours)
- Parent-child process relationships
- Directory location of execution (e.g., from temporary folders)
- Environment variables and system state
🧩 Correlation Engine
By combining file access and execution data, Jibril can establish powerful correlations between:
- 🔄 Process-File Relationships: which processes are accessing which files
- ⏱️ Temporal Sequences: the sequence of file operations relative to program executions
- 🔍 Behavioral Patterns: patterns of file access that precede or follow specific program executions
- ⚠️ Anomaly Detection: unusual combinations of file access and program execution indicating malicious activity
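The following is an added illustration of the correlation idea described above (process-file relationships, temporal sequences, and the parent-child and execution-location context from the previous section). It is not Jibril's code: the event format (newline-delimited JSON with `exec` and `open` records), the list of unusual execution directories, the list of sensitive paths, and the 5-second window are all assumptions made for the example. It joins execution events with file-open events on PID and raises an alert only when a process launched from an unusual location (or a child of one) reads a sensitive file shortly after starting, which is the combined signal that neither event stream shows on its own.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for this example; a real deployment would tune them.
UNUSUAL_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh/")
WINDOW_SECONDS = 5.0  # how soon after exec a read counts as "immediately after"


@dataclass
class Proc:
    """What the correlator remembers about a process it has seen exec."""
    pid: int
    ppid: int
    exe: str
    uid: int
    exec_ts: float
    reason: Optional[str]  # why the process is considered suspicious, if it is


@dataclass
class Alert:
    pid: int
    exe: str
    path: str
    delta: float  # seconds between exec and the sensitive file access
    reason: str


class Correlator:
    """Joins exec and file-open events on PID, in arrival order."""

    def __init__(self) -> None:
        self.procs: dict = {}
        self.alerts: list = []

    def on_exec(self, ev: dict) -> None:
        exe = ev["exe"]
        parent = self.procs.get(ev["ppid"])
        reason = None
        if exe.startswith(UNUSUAL_EXEC_DIRS):
            reason = f"executed from unusual location {exe}"
        elif parent is not None and parent.reason is not None:
            # Parent-child relationship: a helper such as /usr/bin/cat spawned
            # by a process from /tmp inherits that process's suspicion.
            reason = f"child of pid {parent.pid} ({parent.reason})"
        self.procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], exe, ev["uid"], ev["ts"], reason)

    def on_open(self, ev: dict) -> None:
        proc = self.procs.get(ev["pid"])
        if proc is None or proc.reason is None:
            return  # unknown process, or nothing unusual about how it started
        if not ev["path"].startswith(SENSITIVE_PATHS):
            return
        delta = ev["ts"] - proc.exec_ts
        # Temporal sequence: only a read soon after exec is correlated.
        if 0.0 <= delta <= WINDOW_SECONDS:
            self.alerts.append(Alert(proc.pid, proc.exe, ev["path"], delta, proc.reason))

    def feed(self, ev: dict) -> None:
        if ev["type"] == "exec":
            self.on_exec(ev)
        elif ev["type"] == "open":
            self.on_open(ev)


def correlate(jsonl: str) -> list:
    """Run the correlator over newline-delimited JSON events and return alerts."""
    c = Correlator()
    for line in jsonl.splitlines():
        if line.strip():
            c.feed(json.loads(line))
    return c.alerts


# Constructed sample events (not real telemetry), in time order.
EVENTS = """
{"type":"exec","ts":100.0,"pid":4001,"ppid":1,"uid":1000,"exe":"/usr/bin/bash"}
{"type":"open","ts":100.5,"pid":4001,"uid":1000,"path":"/home/alice/.bashrc"}
{"type":"exec","ts":101.0,"pid":4002,"ppid":4001,"uid":1000,"exe":"/tmp/.x/update"}
{"type":"open","ts":101.2,"pid":4002,"uid":1000,"path":"/etc/shadow"}
{"type":"exec","ts":102.0,"pid":4003,"ppid":4002,"uid":1000,"exe":"/usr/bin/cat"}
{"type":"open","ts":102.1,"pid":4003,"uid":1000,"path":"/root/.ssh/id_rsa"}
{"type":"open","ts":150.0,"pid":4002,"uid":1000,"path":"/etc/sudoers"}
{"type":"exec","ts":200.0,"pid":4010,"ppid":1,"uid":0,"exe":"/usr/sbin/sshd"}
{"type":"open","ts":200.3,"pid":4010,"uid":0,"path":"/etc/shadow"}
"""

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"pid={a.pid} exe={a.exe} read {a.path} {a.delta:.1f}s after exec: {a.reason}")
```

Running the sample yields two alerts: pid 4002 (launched from /tmp) reading /etc/shadow, and its child pid 4003 reading /root/.ssh/id_rsa. The /etc/sudoers read by pid 4002 falls outside the window and is not correlated, and sshd reading /etc/shadow from /usr/sbin produces nothing, which is the false-positive reduction that the extra execution context buys.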
⚡ eBPF-powered Implementation
Using eBPF technology, Jibril attaches to kernel functions responsible for both file operations and process execution, allowing it to:
- Monitor system activity with minimal performance impact
- Operate without modifying the kernel or requiring special modules
- Maintain visibility even into privileged processes
- Store and correlate data efficiently in kernel space
📍 Where Combined Monitoring Operates
Jibril's monitoring capabilities operate at multiple levels within the system:
🔧 Kernel Space
eBPF hooks intercept both file-related and execution-related syscalls directly in the kernel
🗄️ VFS Layer
File monitoring at the Virtual File System layer provides visibility across all filesystem types
🌱 Process Creation Points
Execution monitoring occurs at the precise moment when new processes are spawned
📦 Binary Loading Phase
Interception during the ELF loader process provides early detection opportunities
🌐 System-wide Coverage
All file operations and execution events across the entire system are captured, regardless of which user initiated them
✨ Why Combined Monitoring Is Important
🛡️ Comprehensive Attack Coverage
By monitoring both file access and execution, Jibril covers the two most fundamental aspects of system operation: how processes interact with data and what code is running. Most attack vectors involve one or both of these activities.
🔬 Advanced Correlation Capabilities
The combination of file access and execution data enables sophisticated pattern detection that would be impossible with either capability alone. For example, Jibril can identify when a process accesses sensitive files immediately after being executed from an unusual location.
⚡ Early Detection
By monitoring at both the file and execution levels, threats can be identified at their initial stages before they achieve persistence or lateral movement.
✅ Reduced False Positives
The rich contextual information from both monitoring systems allows for more accurate threat determination compared to single-vector detection approaches.
🔬 Forensic Value
The detailed historical record of both file operations and program executions provides invaluable evidence for incident response, allowing security teams to reconstruct attack timelines and understand breach methodologies.