Key points:
- Polls /proc for new processes (works on any Linux kernel 2.6+)
- Random Forest model trained on EMBER 2018 dataset (2.3M samples)
- Heuristic rules for crypto miners, ransomware, rootkits
- ~20MB RAM, <1% CPU, sub-millisecond scan latency
- Pure C, zero runtime dependencies
- Model embedded directly in binary (50KB)
Why I built this: Existing solutions either require modern kernels (eBPF) or are heavy/proprietary. I wanted something lightweight that works everywhere - servers, containers, old distros.
Detection approach: Extract features from executables (entropy, imports, sections), run ML prediction, apply heuristic rules, combine scores. If above threshold, kill the process.
Happy to discuss implementation details or Linux security in general.