@Skip06 Skip06 commented Dec 21, 2025

KernelTrace AI: Real-time eBPF Anomaly Detection

KernelTrace AI is a professional-grade security monitor that bridges the gap between low-level Linux kernel tracing and high-level machine learning. It uses eBPF to capture system calls in real-time and a Scikit-Learn AI model to detect suspicious patterns without relying on traditional virus signatures.

Architecture & Stack

This project implements a full-stack security pipeline:

  • Kernel Layer (C/eBPF): High-performance tracepoints hooked into sys_enter_openat to monitor file access.
  • AI Brain (Python): An unsupervised Isolation Forest model that detects anomalies in process behavior.
  • Middleware (Unix Pipe): Zero-latency data transfer between the C loader and the Python detector.
  • Dashboard (Bun/TS): A real-time web interface that streams alerts via WebSockets.

The AI Intelligence (Sliding Window & Normalization)

To handle "noisy" applications like Spotify or Zen Browser, the AI uses two advanced techniques:

  1. Path Normalization: Uses regex to strip random hashes and hex strings from filenames (e.g., .sqlite-wal or cache blobs), allowing the AI to learn structural patterns instead of specific files.
  2. Adaptive Sliding Window: The model maintains a memory of the last 2,000 events and retrains itself every 300 events. This allows the "Safe Zone" to evolve as you open or close different applications.

Getting Started

Prerequisites

  • OS: Fedora/Linux (Kernel 5.8+ recommended for Ring Buffer)
  • Tools: LLVM, Clang, libbpf-devel, Python 3.10+, and Bun

Installation & Run

  1. Build the Kernel Component:

       make

  2. Start the Engine:

       # Runs the C spy, pipes to Python AI (-u for unbuffered), and then to the Bun Dashboard
       sudo ./spy | python3 -u brain.py | bun run server.ts

  3. View Dashboard: open http://localhost:3000 in your browser.

Security Simulation (The Red Team Test)

The effectiveness of the detector was verified by simulating a "zero-day" attack:

  • Baseline: Normal system usage (Browsing, Music, Coding).
  • Attack: A script creating deep, hidden directory structures (e.g., ~/.vault/hidden/keys/v1/) and performing rapid file touches.
  • Result: The AI successfully ignored thousands of Spotify cache updates but instantly flagged the deep-directory attack with an anomaly score below -0.05.

Project Structure

  • spy.bpf.c: The eBPF C code that runs in the kernel.
  • spy.c: The user-space loader that reads from the Ring Buffer.
  • brain.py: The Scikit-Learn Isolation Forest implementation.
  • server.ts: The Bun/TypeScript WebSocket server.
  • index.html: The real-time "Matrix-style" dashboard UI.

License

MIT License - Created for educational and security research purposes.
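A runnable sketch of the detector logic described under "The AI Intelligence" and exercised in "Security Simulation", added here as an example; it is not the project's brain.py and not the author's code. It swaps in a compact re-implementation of the Isolation Forest algorithm for scikit-learn so it runs with the standard library only, but keeps scikit-learn's decision_function sign convention (negative is anomalous, so the "-0.05" figure above is comparable). The feature set is an assumption of this example: path depth, number of hidden (dot-prefixed) components, log of the template's count in the 2,000-event window, and its count among the last 100 events. The regex, the window and retrain sizes, the baseline traffic mix and the attack paths are constructed for the demo, not captured from a real system.

```python
# Added example, not the project's brain.py: compact Isolation Forest (scikit-learn's
# decision_function sign), normalising feature extractor, sliding-window retraining.
import functools, itertools, math, random, re
from collections import Counter, deque

HEX_RE = re.compile(r'(?<![0-9A-Za-z])[0-9A-Fa-f]{8,}(?![0-9A-Za-z])')  # cache blob ids
NUM_RE = re.compile(r'\d+')                                              # versions, counters

def normalize_path(path):
    """Collapse per-file randomness into one structural template."""
    return NUM_RE.sub('<n>', HEX_RE.sub('<hex>', path))

def features(template, history, burst):  # assumed feature set, see lead-in
    """[depth, hidden components, log(1 + events in window), events in last 100]."""
    parts = [p for p in template.split('/') if p]
    hidden = sum(p.startswith('.') for p in parts)
    return [float(len(parts)), float(hidden), math.log1p(history), float(burst)]

def _c(n):  # expected unsuccessful-search path length in a BST of n points
    if n <= 2:
        return float(max(n - 1, 0))
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _grow(X, depth, limit, rng):  # random non-constant feature, random cut, recurse
    if depth >= limit or len(X) <= 1:
        return ('leaf', len(X))
    spans = [(min(x[f] for x in X), max(x[f] for x in X)) for f in range(len(X[0]))]
    usable = [f for f, (lo, hi) in enumerate(spans) if lo < hi]
    if not usable:
        return ('leaf', len(X))
    f = rng.choice(usable)
    cut = rng.uniform(*spans[f])
    left, right = [x for x in X if x[f] < cut], [x for x in X if x[f] >= cut]
    return ('node', f, cut, _grow(left, depth + 1, limit, rng),
            _grow(right, depth + 1, limit, rng))

def _path_length(tree, x, depth=0):  # tree is ('leaf', n) or ('node', f, cut, left, right)
    if tree[0] == 'leaf':
        return depth + _c(tree[1])
    return _path_length(tree[3] if x[tree[1]] < tree[2] else tree[4], x, depth + 1)

class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.rng = n_trees, sample_size, random.Random(seed)
    def fit(self, X):
        self.n = min(self.sample_size, len(X))
        self.trees = [_grow(self.rng.sample(X, self.n), 0, math.ceil(math.log2(self.n)),
                            self.rng) for _ in range(self.n_trees)]
        return self
    def decision(self, x):  # negative = anomalous, the sign scikit-learn uses
        h = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 0.5 - 2.0 ** (-h / _c(self.n))

class Brain:
    WINDOW, RETRAIN_EVERY, RECENT, WARMUP = 2000, 300, 100, 100
    def __init__(self, seed=0):
        self.window, self.counts, self.forest = deque(maxlen=self.WINDOW), Counter(), None
        self.seen, self.seed = 0, seed
    def _burst(self, template):  # occurrences of this template among the last RECENT events
        return sum(t == template for t in itertools.islice(reversed(self.window), self.RECENT))
    def _retrain(self):  # the "safe zone": a forest fitted on the current window only
        burst = {t: self._burst(t) for t in set(self.window)}
        X = [features(t, self.counts[t], burst[t]) for t in self.window]
        self.forest = IsolationForest(seed=self.seed).fit(X)
    def observe(self, path):  # one openat() path in, its score out (None while warming up)
        template = normalize_path(path)
        if len(self.window) == self.window.maxlen:
            self.counts[self.window[0]] -= 1   # oldest event leaves the window
        self.window.append(template)
        self.counts[template] += 1
        self.seen += 1
        if self.seen < self.WARMUP:
            return None
        if self.forest is None or self.seen % self.RETRAIN_EVERY == 0:
            self._retrain()
        return self.forest.decision(
            features(template, self.counts[template], self._burst(template)))

WORDS = 'usr share doc tmp build log etc opt var run lib bin src test cfg'.split()

@functools.lru_cache(maxsize=None)
def run_simulation(seed=7):  # constructed traffic, not a real capture
    rng, home = random.Random(seed), '/home/alice'
    def baseline_event():
        r = rng.random()
        if r < 0.40:   # Spotify cache blob, a fresh hash every time
            return f'{home}/.cache/spotify/Data/{rng.getrandbits(64):016x}.file'
        if r < 0.60:   # browser cache entry
            return f'{home}/.cache/zen/cache2/{rng.getrandbits(64):016X}'
        if r < 0.90:
            return f'{home}/.zen/profile.default/places.sqlite-wal'
        parts = [('.' if rng.random() < 0.1 else '') + rng.choice(WORDS)
                 for _ in range(rng.randint(2, 8))]   # one-off file somewhere random
        return '/' + '/'.join(parts)
    brain = Brain()
    baseline = [s for s in (brain.observe(baseline_event()) for _ in range(1500)) if s is not None]
    # the page's red-team test: rapid touches under a new hidden directory tree
    attack = [brain.observe(f'{home}/.vault/hidden/keys/v1/k_{i:04d}') for i in range(1, 31)]
    return sum(baseline) / len(baseline), sum(attack) / len(attack), tuple(attack)
```

Two things the simulation makes visible that the summary above does not. Scores sit near zero for the high-frequency templates (every Spotify blob collapses to one template, so thousands of cache writes are one dense cluster) and go negative for the attack, but a one-off file also scores negative on its first touch, since at that moment it looks exactly like any other new path; it is the burst count on the repeated touches that separates the attack from ordinary novelty, so a fixed -0.05 cut-off should be read as "new and repeated", not as "malicious". And because the safe zone is rebuilt from the window every 300 events, an attacker who keeps touching the same tree is absorbed into the baseline after a few retrains; keep the first-seen time of each template (or a longer-lived reference model) next to the sliding forest. The normalizer also only collapses hex and digit runs, so base64 or random alphanumeric names stay distinct templates and will be scored as one-offs.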
