Function classify_ebpf_map 

pub fn classify_ebpf_map(map_type: u32, name: &str, _value_size: u32) -> bool

Classify whether an eBPF map is suspicious.

Flags high-risk map types (perf_event_array=3, ringbuf=26) and maps whose names match known rootkit patterns.
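
A sketch of the heuristic described above, added here as an illustration and not the crate's own implementation. The name fragments and the helper names `classify_map_sketch`, `flagged` and `sample_inventory` are assumptions; the type IDs are used exactly as the description gives them.

```rust
// Type IDs as written in the description above. Upstream linux/bpf.h numbers
// BPF_MAP_TYPE_PERF_EVENT_ARRAY as 4 and BPF_MAP_TYPE_RINGBUF as 27, so
// confirm which numbering the caller passes in.
const HIGH_RISK_TYPES: [u32; 2] = [3, 26];

// Hypothetical name fragments (constructed placeholders, not a real indicator
// list). Kernel map names are capped at 15 bytes (BPF_OBJ_NAME_LEN is 16 with
// the NUL), so fragments are short and matched as substrings to survive
// truncation.
const NAME_FRAGMENTS: [&str; 3] = ["rootkit", "hide_pid", "backdoor"];

/// Same signature as the documented function; the leading underscore there
/// marks the value size as unused.
pub fn classify_map_sketch(map_type: u32, name: &str, _value_size: u32) -> bool {
    if HIGH_RISK_TYPES.contains(&map_type) {
        return true;
    }
    let lowered = name.to_ascii_lowercase();
    NAME_FRAGMENTS.iter().any(|frag| lowered.contains(frag))
}

/// Triage helper: names of the maps in an inventory that get flagged.
pub fn flagged<'a>(maps: &[(u32, &'a str, u32)]) -> Vec<&'a str> {
    maps.iter()
        .filter(|(ty, name, size)| classify_map_sketch(*ty, name, *size))
        .map(|(_, name, _)| *name)
        .collect()
}

/// Constructed inventory: (map_type, name, value_size).
pub fn sample_inventory() -> Vec<(u32, &'static str, u32)> {
    vec![
        (1, "conn_table", 16),     // benign type and name
        (3, "events", 4),          // flagged on type alone
        (26, "telemetry_rb", 0),   // flagged on type alone
        (1, "Hide_PID_list", 4),   // flagged on name, case-insensitive
        (2, "rootkit_cfg_tru", 8), // 15-byte truncated name still matches
        (2, "", 8),                // unnamed map, not flagged
    ]
}

fn main() {
    for name in flagged(&sample_inventory()) {
        println!("suspicious map: {:?}", name);
    }
}
```

Perf event arrays and ring buffers are also the usual event channels for ordinary tracing and monitoring agents, so a type-only match is a triage lead that needs the owning process checked before it means anything.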