- The paper presents AgentSight, a framework that leverages eBPF to correlate AI agents' semantic intents with their system actions.
- It uses boundary tracing and dual probes on network and kernel levels to detect prompt injection and reasoning loops with minimal overhead (<3%).
- The hybrid correlation engine combines real-time heuristic linking with LLM-based semantic analysis to effectively monitor and mitigate security risks.
AgentSight: System-Level Observability for AI Agents Using eBPF
The paper "AgentSight: System-Level Observability for AI Agents Using eBPF" explores the complexities posed by the integration of AI agents in modern software infrastructures and the challenges in monitoring these agents. The paper proposes a novel framework, AgentSight, which leverages eBPF for bridging the gap between high-level semantic intents of AI agents and their low-level system actions.
Introduction to AgentSight
AgentSight addresses the fundamental challenge of effectively monitoring AI agents, which are characterized by their use of LLMs and their ability to interact directly with the system. Unlike deterministic software, AI agents use LLMs to dynamically generate executable code, which can have consequences for system security and performance. These characteristics make it difficult for conventional monitoring systems to correlate an agent's intent with its operational actions, leaving vulnerabilities such as malicious prompt injection undetected. AgentSight adopts boundary tracing, an approach that observes agents at stable interfaces (system boundaries) and so removes the need to instrument the rapidly changing agent code directly.
Figure 1: Agent Framework Overview
System Architecture and Design
The AgentSight architecture is composed of eBPF probes that monitor system interactions at two critical boundaries: the network boundary, where traffic between the agent and the LLM is intercepted, and the kernel boundary, where system calls and process events are observed. This setup allows comprehensive monitoring without touching the application code. A correlation engine links the intents seen on the network with the actions seen at the kernel, bridging the semantic gap between the two. Its core mechanisms are process lineage tracking and temporal proximity correlation, supplemented by LLM-based semantic analysis for robust threat detection.
Figure 2: AgentSight System Architecture.
Implementation Details
AgentSight is implemented in Rust for high-performance eBPF orchestration and TypeScript for the frontend. The eBPF probes are configured to intercept decrypted data streams from network operations and to track the syscalls relevant to system actions. At the core of the implementation is a hybrid correlation engine, which employs real-time heuristic linking and a structured logging approach to prepare data for semantic analysis by a secondary LLM.
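To make the heuristic half of the correlation engine concrete, here is an added example (not AgentSight's own code) of the two mechanisms the architecture and implementation sections describe: process lineage tracking and temporal proximity correlation. It takes intent events observed at the network boundary and process/syscall events observed at the kernel boundary, attributes each system action to the most recent intent emitted by any process in its ancestry within a time window, and marks actions with no such intent as unlinked, which is the signal a defender would escalate. The event shapes, the 2-second window and the sample events are all assumptions constructed for the example.

```rust
// Added example: a toy version of the heuristic linking step (process
// lineage + temporal proximity). Event shapes, window size and sample
// data are assumptions, not AgentSight's real data model.
use std::collections::HashMap;

/// An LLM response observed at the network boundary (assumed shape).
#[derive(Debug, Clone)]
pub struct IntentEvent {
    pub pid: u32,        // agent process that received the response
    pub ts_ms: u64,      // monotonic timestamp in milliseconds
    pub intent: String,  // e.g. the tool call the model asked for
}

/// A process or syscall event observed at the kernel boundary (assumed shape).
#[derive(Debug, Clone)]
pub struct SysEvent {
    pub pid: u32,
    pub ppid: u32,
    pub ts_ms: u64,
    pub action: String,  // e.g. "execve git status"
}

/// Result of linking one system action back to an intent.
#[derive(Debug, PartialEq)]
pub enum Link {
    Linked { intent_pid: u32, intent: String },
    Unlinked, // no intent in the lineage within the window: worth an alert
}

/// Build a child -> parent map from the observed process events so that a
/// helper process's actions can be attributed to the agent that spawned it.
pub fn lineage(events: &[SysEvent]) -> HashMap<u32, u32> {
    events.iter().map(|e| (e.pid, e.ppid)).collect()
}

/// Walk up the process tree from `pid`, returning pid followed by its ancestors.
pub fn ancestors(pid: u32, parents: &HashMap<u32, u32>) -> Vec<u32> {
    let mut chain = vec![pid];
    let mut cur = pid;
    while let Some(&p) = parents.get(&cur) {
        // Stop at pid 0, self-parenting, or a cycle in malformed data.
        if p == 0 || p == cur || chain.contains(&p) { break; }
        chain.push(p);
        cur = p;
    }
    chain
}

/// Link each system action to the most recent intent emitted by any process
/// in its lineage at most `window_ms` before the action.
pub fn correlate(intents: &[IntentEvent], actions: &[SysEvent], window_ms: u64) -> Vec<(SysEvent, Link)> {
    let parents = lineage(actions);
    actions.iter().map(|a| {
        let chain = ancestors(a.pid, &parents);
        let best = intents.iter()
            .filter(|i| chain.contains(&i.pid))
            // Short-circuit keeps the subtraction from underflowing.
            .filter(|i| i.ts_ms <= a.ts_ms && a.ts_ms - i.ts_ms <= window_ms)
            .max_by_key(|i| i.ts_ms);
        let link = match best {
            Some(i) => Link::Linked { intent_pid: i.pid, intent: i.intent.clone() },
            None => Link::Unlinked,
        };
        (a.clone(), link)
    }).collect()
}

fn main() {
    // Constructed sample: agent pid 100 asks for `git status` and spawns
    // child 200 to run it; much later child 300 runs a command no intent
    // asked for, which the heuristic reports as Unlinked.
    let intents = vec![IntentEvent { pid: 100, ts_ms: 1_000, intent: "run_shell: git status".into() }];
    let actions = vec![
        SysEvent { pid: 200, ppid: 100, ts_ms: 1_050, action: "execve git status".into() },
        SysEvent { pid: 300, ppid: 100, ts_ms: 9_000, action: "execve curl example.invalid".into() },
    ];
    for (a, l) in correlate(&intents, &actions, 2_000) {
        println!("{} -> {:?}", a.action, l);
    }
}
```

An unlinked action is only a heuristic signal; in the paper's design the structured log of such links is what gets handed to the secondary LLM for semantic analysis, so the heuristic stage should favour recall and leave the final judgement to that stage.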
Evaluation and Numerical Results
The evaluation of AgentSight was conducted on an Ubuntu server using AI agents such as Claude Code. The results demonstrate AgentSight's capability to detect prompt injection attacks and reasoning loops while maintaining sub-3% overhead. Performance benchmarks reveal minimal impact on system efficiency across tested workflows, highlighting the framework's practicality for large-scale deployments.
Case Studies
- Prompt Injection Detection: AgentSight detects indirect prompt injection attacks by correlating LLM-generated intents with system-level actions, revealing inconsistencies between the operations the agent intended and those it actually executed.
- Reasoning Loop Detection: The framework identifies agents stuck in infinite reasoning loops by observing repetitive tool invocation sequences, enabling timely corrective intervention.
- Multi-Agent Coordination: By monitoring multiple agents, AgentSight provides insights into coordination failures and optimizes task distribution, exposing system bottlenecks that are not typically visible through application-level monitoring.
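The reasoning loop case study says loops are recognised from repetitive tool invocation sequences but does not spell out the check. The following added example (not AgentSight's code) is one way to implement it: it looks for the shortest cycle that the tail of an agent's tool-call stream repeats back-to-back at least a threshold number of times. Checking only the tail means an agent that repeated something earlier and then moved on is not flagged. The `ToolCall` shape, the argument digest, and the thresholds are assumptions.

```rust
// Added example: a toy detector for the "reasoning loop" pattern. It is
// flagged when the tail of the agent's tool-invocation stream repeats a
// fixed cycle. Shapes and thresholds are assumptions, not AgentSight's.

/// One tool call as reconstructed from the boundary traces (assumed shape):
/// the tool name plus a digest of its arguments, so that read_file(a.txt)
/// and read_file(b.txt) count as different steps.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct ToolCall {
    pub tool: String,
    pub arg_digest: String,
}

impl ToolCall {
    pub fn new(tool: &str, arg_digest: &str) -> Self {
        ToolCall { tool: tool.into(), arg_digest: arg_digest.into() }
    }
}

/// A detected loop: the cycle length and how many times the tail repeated it.
#[derive(Debug, PartialEq)]
pub struct LoopReport {
    pub period: usize,
    pub repeats: usize,
}

/// Find the shortest cycle of length 1..=max_period that the end of the
/// trace repeats at least `min_repeats` times consecutively.
pub fn detect_loop(trace: &[ToolCall], max_period: usize, min_repeats: usize) -> Option<LoopReport> {
    let n = trace.len();
    for period in 1..=max_period {
        // A longer period can only need more calls, so stop here.
        if period * min_repeats > n { break; }
        let latest = &trace[n - period..];
        // Walk backwards one whole cycle at a time while it still matches.
        let mut repeats = 1;
        while (repeats + 1) * period <= n {
            let earlier = &trace[n - (repeats + 1) * period..n - repeats * period];
            if latest != earlier { break; }
            repeats += 1;
        }
        if repeats >= min_repeats {
            return Some(LoopReport { period, repeats });
        }
    }
    None
}

fn main() {
    // Constructed sample: three productive steps, then the agent alternates
    // between the same read and grep four times.
    let mut trace = vec![
        ToolCall::new("list_dir", "src"),
        ToolCall::new("read_file", "src/main.rs"),
        ToolCall::new("edit_file", "src/main.rs#1"),
    ];
    for _ in 0..4 {
        trace.push(ToolCall::new("read_file", "src/lib.rs"));
        trace.push(ToolCall::new("grep", "TODO"));
    }
    match detect_loop(&trace, 5, 3) {
        Some(r) => println!("loop: period {} repeated {} times", r.period, r.repeats),
        None => println!("no loop"),
    }
}
```

In a deployment the trace would be the tool-call sequence reconstructed per agent process from the correlated events, and the thresholds would be tuned against normal workflows so that legitimate retries (two or three attempts) stay below the alert line.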
Conclusion
AgentSight introduces a robust method for AI agent observability by leveraging boundary tracing and eBPF technology. This framework significantly advances the ability to correlate semantic intents with system actions, thus providing a comprehensive approach to monitor and mitigate risks associated with AI agents in production environments.
The research underscores the importance of a system-level observability approach in AI agent deployment, paving the way for future enhancements in security and reliability of autonomous tools.