Kubernetes multi-cluster deployments demand scalable and privacy-preserving anomaly detection. Existing eBPF-based monitors provide low-overhead system and network visibility but are limited to single clusters, while centralized approaches incur bandwidth, privacy, and heterogeneity challenges. We propose FedMon, a federated eBPF framework that unifies kernel-level telemetry with federated learning (FL) for cross-cluster anomaly detection. Lightweight eBPF agents capture syscalls and network events, extract local statistical and sequence features, and share only model updates with a global server. A hybrid detection engine combining Variational Autoencoders (VAEs) with Isolation Forests enables both temporal pattern modeling and outlier detection. Deployed across three Kubernetes clusters, FedMon achieves 94% precision, 91% recall, and an F1-score of 0.92, while cutting bandwidth usage by 60% relative to centralized baselines. Results demonstrate that FedMon enhances accuracy, scalability, and privacy, providing an effective defense for large-scale, multi-tenant cloud-native environments.
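The pipeline the abstract describes (local feature extraction from kernel telemetry, only model updates leaving each cluster, server-side aggregation, global scoring) can be shown end to end in a small simulation. The following is an added example, not FedMon's code: three simulated clusters hold constructed syscall windows, each fits a local model and sends just its parameters, and the server combines them with a FedAvg-style weighted average. The VAE/Isolation Forest engine of the paper is replaced here by a per-feature Gaussian model scored with a diagonal Mahalanobis distance so the example runs on the standard library alone; the syscall list, the `execve_then_connect` sequence feature, the cluster names and all telemetry are assumptions made for illustration.

```python
"""Federated anomaly detection over syscall telemetry (illustrative, not FedMon)."""
import json
import math
from collections import Counter

# Syscalls the toy agent tracks (constructed list; a real eBPF probe would attach
# to sys_enter tracepoints and emit these names together with pod metadata).
SYSCALLS = ["read", "write", "openat", "connect", "execve", "ptrace"]
# Feature vector: per-syscall frequency in the window (statistical features)
# plus the rate of the execve->connect bigram (a crude sequence feature).
FEATURE_NAMES = SYSCALLS + ["execve_then_connect"]


def extract_features(window):
    """Turn one pod's syscall window (list of names) into a feature vector."""
    n = len(window)
    if n == 0:
        return [0.0] * len(FEATURE_NAMES)
    counts = Counter(window)
    feats = [counts[s] / n for s in SYSCALLS]
    bigrams = sum(1 for a, b in zip(window, window[1:]) if a == "execve" and b == "connect")
    feats.append(bigrams / max(n - 1, 1))
    return feats


def fit_local(windows):
    """Local model: per-feature mean and variance over this cluster's windows.
    Only the returned dict leaves the cluster; the raw windows never do."""
    X = [extract_features(w) for w in windows]
    n, dim = len(X), len(FEATURE_NAMES)
    mean = [sum(x[j] for x in X) / n for j in range(dim)]
    # 1e-6 floor keeps syscalls never seen in training from yielding a zero variance
    var = [sum((x[j] - mean[j]) ** 2 for x in X) / n + 1e-6 for j in range(dim)]
    return {"n": n, "mean": mean, "var": var}


def fed_average(updates):
    """FedAvg-style aggregation weighted by each cluster's sample count.
    Pooling adds the spread of the local means, so the result equals the model
    that centralised training on all windows would have produced."""
    total = sum(u["n"] for u in updates)
    dim = len(updates[0]["mean"])
    mean = [sum(u["n"] * u["mean"][j] for u in updates) / total for j in range(dim)]
    var = [
        sum(u["n"] * (u["var"][j] + (u["mean"][j] - mean[j]) ** 2) for u in updates) / total
        for j in range(dim)
    ]
    return {"n": total, "mean": mean, "var": var}


def anomaly_score(model, window):
    """Diagonal Mahalanobis distance of a window from the global model."""
    feats = extract_features(window)
    return math.sqrt(sum((f - m) ** 2 / v for f, m, v in zip(feats, model["mean"], model["var"])))


def payload_bytes(obj):
    """Size of a JSON-encoded payload, to compare raw telemetry with a model update."""
    return len(json.dumps(obj).encode())


# Constructed benign telemetry for three clusters: read/write-heavy pods with
# occasional openat/connect and no execve or ptrace at all.
CLUSTER_WINDOWS = {
    "cluster-a": [
        ["read", "write", "read", "openat", "read", "write", "read", "read"],
        ["read", "read", "write", "openat", "read", "connect", "write", "read", "read", "read"],
        ["write", "read", "read", "read", "openat", "openat", "read", "write", "read"],
    ],
    "cluster-b": [
        ["read", "read", "read", "write", "openat", "read", "connect", "read"],
        ["read", "write", "read", "read", "read", "write", "read", "openat", "read", "read"],
    ],
    "cluster-c": [
        ["openat", "read", "write", "read", "read", "read", "write", "read"],
        ["read", "read", "read", "read", "write", "connect", "read", "write"],
        ["read", "write", "read", "openat", "read", "read", "read", "read", "write", "read"],
        ["read", "read", "write", "read", "read", "openat", "read"],
    ],
}
# Constructed suspicious window: a pod spawning processes that immediately dial
# out, then attaching to another process with ptrace.
SUSPICIOUS_WINDOW = ["openat", "read", "execve", "connect", "ptrace", "write", "execve", "connect"]


def run_round(cluster_windows=CLUSTER_WINDOWS):
    """One federated round: local fits -> server aggregation -> global model."""
    updates = [fit_local(w) for w in cluster_windows.values()]
    return fed_average(updates), updates


if __name__ == "__main__":
    global_model, updates = run_round()
    for name, windows in CLUSTER_WINDOWS.items():
        print(f"{name}: raw telemetry {payload_bytes(windows)} B, "
              f"model update {payload_bytes(fit_local(windows))} B")
        for w in windows:
            print(f"  benign window score {anomaly_score(global_model, w):.2f}")
    print(f"suspicious window score {anomaly_score(global_model, SUSPICIOUS_WINDOW):.2f}")
```

Two properties worth noting when reading the output: a model update has a fixed size (one mean and one variance per feature plus a sample count) no matter how many events the cluster saw, which is where the bandwidth and privacy gains come from; and because every benign window helped define the global mean and variance, its score is bounded (Samuelson's inequality gives at most sqrt(N-1) per feature), while the suspicious window lands far outside on the execve, ptrace and sequence features that benign traffic never exercised.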