A Linux kernel module for real-time anomaly detection of CPU processes.
sequint/kernel-anomaly-detector
Kernel Anomaly Detector

About

A Linux kernel module for real-time anomaly detection of processes. The module monitors CPU time, memory usage, and network send/receive bandwidth for all running processes and flags anomalies when configurable thresholds are exceeded.

Key features:

  • Dynamic thresholds: thresholds update automatically based on historical averages.
  • Manual override: administrators can update thresholds at runtime via sysfs.
  • Threaded monitoring: lightweight kernel thread checks every 30 seconds.
  • Structured logging: anomalies are timestamped and logged to dmesg.

This project demonstrates system-level programming, concurrency control (mutex, RCU), and integration of monitoring directly in the Linux kernel.

Installation

Note: These instructions assume you’re running on a Linux system with kernel headers installed.

  1. Clone the repo into a local project directory.
  2. Open a bash terminal and run the following commands to install the Linux kernel headers:
    sudo apt update
    sudo apt install gcc make linux-headers-$(uname -r)

VSCode c_cpp properties

A c_cpp_properties.json file is included for use with the VSCode IDE. If you are not using Code for development, delete this directory. If you are using Code, run 'uname -r' in a Bash shell after installing the packages above, copy the result, and replace the <uname -r> portions of the JSON file with that value so IntelliSense can find the headers.

Build and Run

# Navigate to the directory you cloned the module into
cd ~/module_dir_path

# Compile the kernel module
make

# If the system boots with Secure Boot (Safe Mode) enabled, create a kernel key pair, then sign the module with the script below
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
  ~/kernel-keys/MOK.priv ~/kernel-keys/MOK.der kernel_module.ko


# Load the module (ensure the .ko file was generated by the make build first)
sudo insmod kernel_module.ko

# Check to see if the module loaded
lsmod | grep kernel_module

# Open and view the anomaly logs in real time
sudo dmesg -w | grep "ANOMALY MONITOR"

# Unload the module
sudo rmmod kernel_module

# Confirm that the module was removed
sudo dmesg | tail -1
lsmod | grep kernel_module

# Clear make files (optional)
make clean

Sysfs Interface (runtime threshold updates)

Once the module is loaded, you can update thresholds at runtime:

# Update thresholds: CPU MEM SEND RECV
echo "90 200000 15 60" | sudo tee /sys/anomaly_module/thresholds

# Reset thresholds back to automatic (adaptive) mode
echo 1 | sudo tee /sys/anomaly_module/reset_thresholds
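The dynamic thresholds, the sysfs override and the reset described above, modelled in user-space C as an added example (not the module's own code). The 1.5x-of-running-mean policy, the metric units and the warm-up behaviour are assumptions, and the kernel version would wrap this state in the mutex the About section mentions.

```c
/* Added example, not the project's code: a user-space model of the README's threshold
 * logic (adaptive limits from a running mean, sysfs override, reset). The 1.5x policy,
 * the metric units and the warm-up rule are assumptions, not taken from the module. */
#include <stdlib.h>
#include <string.h>
#define NMETRICS 4                 /* order matches the sysfs write: CPU MEM SEND RECV */
struct thresholds {
    unsigned long limit[NMETRICS]; /* limit currently used to flag anomalies */
    unsigned long sum[NMETRICS];   /* running sum of observed values */
    unsigned long samples;         /* number of 30-second samples seen */
    int manual;                    /* set by a sysfs write, cleared by reset */
};
/* Parse one write to /sys/anomaly_module/thresholds ("90 200000 15 60"). Returns -1 (the
 * kernel store would return -EINVAL) on fewer than four numbers or trailing non-blank text. */
int thresholds_store(struct thresholds *t, const char *buf)
{
    unsigned long v[NMETRICS];
    char *end;
    for (int i = 0; i < NMETRICS; i++) {
        v[i] = strtoul(buf, &end, 10);
        if (end == buf) return -1;
        buf = end;
    }
    if (buf[strspn(buf, " \t\n")] != '\0') return -1;
    memcpy(t->limit, v, sizeof v);  /* applied only once all four values parsed */
    t->manual = 1;
    return 0;
}
static void adapt(struct thresholds *t)  /* assumed policy: 1.5x the running mean */
{
    for (int i = 0; t->samples && i < NMETRICS; i++)
        t->limit[i] = (t->sum[i] / t->samples) * 3 / 2;
}
/* Record one 30-second sample; a manual override freezes the limits until reset. */
void thresholds_sample(struct thresholds *t, const unsigned long obs[NMETRICS])
{
    t->samples++;
    for (int i = 0; i < NMETRICS; i++) t->sum[i] += obs[i];
    if (!t->manual) adapt(t);
}
/* Equivalent of "echo 1 > reset_thresholds": drop the override and re-derive limits. */
void thresholds_reset(struct thresholds *t) { t->manual = 0; adapt(t); }
/* Bitmask (bit i = metric i) of metrics above their limit; with no baseline yet, none. */
unsigned thresholds_check(const struct thresholds *t, const unsigned long obs[NMETRICS])
{
    unsigned mask = 0;
    if (!t->manual && t->samples == 0) return 0;
    for (int i = 0; i < NMETRICS; i++) if (obs[i] > t->limit[i]) mask |= 1u << i;
    return mask;
}
```

Note that a manual write pins all four limits at once, so a partial line such as "90 200000 15" is rejected rather than leaving some metrics adaptive and others fixed.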

Future Integrations

  1. Add persistent logging to /var/log/anomaly_monitor.log.
  2. Explore fault-tolerance mechanisms for noisy or unreliable environments.
  3. Extend module for domain-specific use cases (e.g., critical infrastructure, embedded radiation monitoring).
