KernelTrace AI is a proactive security agent that monitors system calls directly from the Linux kernel and uses machine learning to identify suspicious process behavior.

[Skip06]

KernelTrace AI: Real-time eBPF Anomaly Detection

KernelTrace AI is a professional-grade security monitor that bridges the gap between low-level Linux kernel tracing and high-level machine learning. It uses eBPF to capture system calls in real-time and a Scikit-Learn AI model to detect suspicious patterns without relying on traditional virus signatures.

Architecture & Stack

This project implements a full-stack security pipeline:

• Kernel Layer (C/eBPF): High-performance tracepoints hooked into sys_enter_openat to monitor file access.
• AI Brain (Python): An unsupervised Isolation Forest model that detects anomalies in process behavior.
• Middleware (Unix Pipe): Zero-latency data transfer between the C loader and the Python detector.
• Dashboard (Bun/TS): A real-time web interface that streams alerts via WebSockets.

---

The AI Intelligence (Sliding Window & Normalization)

To handle "noisy" applications like Spotify or Zen Browser, the AI uses two advanced techniques:

1. Path Normalization: Uses regex to strip random hashes and hex strings from filenames (e.g., .sqlite-wal or cache blobs), allowing the AI to learn structural patterns instead of specific files.
2. Adaptive Sliding Window: The model maintains a memory of the last 2,000 events and retrains itself every 300 events. This allows the "Safe Zone" to evolve as you open or close different applications.

---

Getting Started

Prerequisites

• OS: Fedora/Linux (Kernel 5.8+ recommended for Ring Buffer)
• Tools: LLVM, Clang, libbpf-devel, Python 3.10+, and Bun

Installation & Run

1. Build the Kernel Component:

   make

2. Start the Engine:

   # Runs the C spy, pipes to Python AI (-u for unbuffered), and then to the Bun Dashboard
   sudo ./spy | python3 -u brain.py | bun run server.ts

3. View Dashboard:
   Open http://localhost:3000 in your browser.

---

Security Simulation (The Red Team Test)

The effectiveness of the detector was verified by simulating a "zero-day" attack:

• Baseline: Normal system usage (Browsing, Music, Coding).
• Attack: A script creating deep, hidden directory structures (e.g., ~/.vault/hidden/keys/v1/) and performing rapid file touches.
• Result: The AI successfully ignored thousands of Spotify cache updates but instantly flagged the deep-directory attack with an anomaly score below -0.05.

---

Project Structure

• spy.bpf.c: The eBPF C code that runs in the kernel.
• spy.c: The user-space loader that reads from the Ring Buffer.
• brain.py: The Scikit-Learn Isolation Forest implementation.
• server.ts: The Bun/TypeScript WebSocket server.
• index.html: The real-time "Matrix-style" dashboard UI.

---

License

MIT License - Created for educational and security research purposes.

[anakryiko]

@Skip06 libbpf-bootstrap is meant as a collection of minimal and simple examples to get people started, it's not really a repository of tools. Looking at BPF bits, it's not that much different from bootstrap example, so I don't think we should land it.