FedMon: Federated eBPF Monitoring for Distributed Anomaly Detection in Multi-Cluster Cloud Environments
Sehar Zehra, Hassan Jamil Syed, Ummay Faseeha
TL;DR
Kubernetes multi-cluster environments face privacy, bandwidth, and heterogeneity challenges for anomaly detection. FedMon merges in-kernel telemetry via eBPF with federated learning and a hybrid detector (VAE plus Isolation Forest) to enable privacy-preserving, cross-cluster anomaly detection without sharing raw data. The approach yields strong detection performance (F1 ≈ 0.92; precision ≈ 0.94; recall ≈ 0.91) and substantial bandwidth savings (>60%) while maintaining low runtime overhead and providing Byzantine-robust aggregation. This work advances practical cloud-native security by demonstrating collaborative, kernel-level anomaly detection across clusters with real-time, risk-aware enforcement and optional differential privacy features.
Abstract
Kubernetes multi-cluster deployments demand scalable and privacy-preserving anomaly detection. Existing eBPF-based monitors provide low-overhead system and network visibility but are limited to single clusters, while centralized approaches incur bandwidth, privacy, and heterogeneity challenges. We propose FedMon, a federated eBPF framework that unifies kernel-level telemetry with federated learning (FL) for cross-cluster anomaly detection. Lightweight eBPF agents capture syscalls and network events, extract local statistical and sequence features, and share only model updates with a global server. A hybrid detection engine combining Variational Autoencoders (VAEs) with Isolation Forests enables both temporal pattern modeling and outlier detection. Deployed across three Kubernetes clusters, FedMon achieves 94% precision, 91% recall, and an F1-score of 0.92, while cutting bandwidth usage by 60% relative to centralized baselines. Results demonstrate that FedMon enhances accuracy, scalability, and privacy, providing an effective defense for large-scale, multi-tenant cloud-native environments.
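The abstract describes the federated loop at a high level: each cluster extracts features locally from kernel telemetry, ships only a model update, and the server combines the updates robustly. The following is an added example (not the paper's code) that simulates that loop offline in plain Python so the privacy, bandwidth and Byzantine-robustness claims can be seen concretely. It assumes a constructed syscall-frequency feature space, a simple mean-of-features baseline standing in for the VAE plus Isolation Forest engine, and coordinate-wise median as one possible Byzantine-robust aggregator; the paper does not state which aggregator it uses, so treat that choice as an assumption. The event streams and the poisoned update are constructed inputs.

```python
import json
import statistics
from collections import Counter

# Assumed syscall vocabulary for the toy feature space (constructed, not the paper's).
SYSCALLS = ["openat", "read", "write", "connect", "execve", "ptrace"]


def make_events(pattern, n):
    """Constructed eBPF-like event stream: `pattern` is cycled n times."""
    return [{"pid": 1000 + i, "syscall": pattern[i % len(pattern)]} for i in range(n)]


# Constructed benign traffic for three clusters (stands in for real eBPF captures).
CLUSTER_EVENTS = [
    make_events(["openat", "read", "read", "write", "connect"], 200),
    make_events(["openat", "read", "write", "write", "connect"], 200),
    make_events(["read", "read", "write", "openat", "connect"], 200),
]


def extract_features(events):
    """Local feature extraction: relative frequency of each syscall in the window."""
    counts = Counter(e["syscall"] for e in events)
    total = max(len(events), 1)
    return [counts[s] / total for s in SYSCALLS]


def local_update(events, global_model, lr=0.5):
    """Client side: a model delta pulling the global baseline toward the local
    feature mean. Only this delta leaves the cluster, never the raw events."""
    local_mean = extract_features(events)
    return [lr * (l - g) for l, g in zip(local_mean, global_model)]


def mean_aggregate(updates):
    """Plain averaging: one poisoned client can drag every coordinate."""
    return [statistics.fmean(col) for col in zip(*updates)]


def robust_aggregate(updates):
    """Coordinate-wise median (assumed Byzantine-robust aggregator): a single
    outlier client cannot move any coordinate past the honest majority."""
    return [statistics.median(col) for col in zip(*updates)]


def train_global(client_events, rounds=5, aggregate=robust_aggregate):
    """Federated rounds: clients compute updates, the server aggregates and applies."""
    model = [0.0] * len(SYSCALLS)
    for _ in range(rounds):
        updates = [local_update(ev, model) for ev in client_events]
        agg = aggregate(updates)
        model = [g + a for g, a in zip(model, agg)]
    return model


def anomaly_score(events, global_model):
    """Distance of a window's feature vector from the global baseline; larger means
    more unusual. A threshold (not set here) would turn this into an alert."""
    f = extract_features(events)
    return sum((a - b) ** 2 for a, b in zip(f, global_model)) ** 0.5


def byzantine_round(honest_events, poisoned_update, aggregate):
    """One round in which an extra client sends a fabricated update (constructed)."""
    model = [0.0] * len(SYSCALLS)
    updates = [local_update(ev, model) for ev in honest_events] + [poisoned_update]
    return aggregate(updates)


def payload_bytes(obj):
    """Size on the wire if `obj` were JSON-encoded (raw events vs. model update)."""
    return len(json.dumps(obj).encode())


if __name__ == "__main__":
    model = train_global(CLUSTER_EVENTS)
    benign = make_events(["openat", "read", "read", "write", "connect"], 40)
    suspicious = make_events(["execve", "ptrace", "connect", "execve"], 40)
    print("benign score    :", round(anomaly_score(benign, model), 3))
    print("suspicious score:", round(anomaly_score(suspicious, model), 3))
    poisoned = [10.0] * len(SYSCALLS)  # constructed Byzantine update
    print("mean agg   :", byzantine_round(CLUSTER_EVENTS, poisoned, mean_aggregate))
    print("median agg :", byzantine_round(CLUSTER_EVENTS, poisoned, robust_aggregate))
    print("raw bytes  :", payload_bytes(CLUSTER_EVENTS[0]))
    print("update bytes:", payload_bytes(local_update(CLUSTER_EVENTS[0], model)))
```

The median aggregator keeps the poisoned client's contribution bounded by the honest clusters' updates, while the averaging baseline is pulled far from any benign profile; comparing `payload_bytes` of a raw window against its update illustrates why sharing model deltas instead of telemetry cuts cross-cluster bandwidth. In a real deployment the feature extraction would run in the eBPF agent and the model would be the paper's VAE plus Isolation Forest detector rather than this frequency baseline.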
