A kernel-level runtime defense framework for Linux. KB detects, classifies, and contains anomalous process behavior at Ring 0 — using eBPF instrumentation, a Behavioral Scoring Engine, and an optional multi-agent AI coordination layer (AADS).
Modern Linux systems underpin critical infrastructure ranging from cloud servers to containerized microservices. Existing defense mechanisms share a fundamental blind spot: they cannot see behavioral transitions — only individual events in isolation.
KB was designed to close that gap by observing and enforcing behavior at its source — inside the kernel — without requiring intrusive kernel modifications or custom modules.
Signature-based tools (antivirus, IDS/IPS) are reactive by design and fail against novel or obfuscated zero-day attacks that have no known signature.
Policy-based LSMs (SELinux, AppArmor) enforce static administrator-defined rules that cannot adapt when a legitimate binary is hijacked or an attacker operates entirely within permitted syscalls.
Userland monitoring (audit daemons, SIEM agents) lacks the vantage point for true behavioral analysis — a sufficiently privileged attacker can silence userland observers without touching the kernel log.
Kernel rootkits operate beneath every userland control plane, manipulating the very data structures defenders rely upon.
An execve following a privilege escalation inside an unexpected process lineage after a burst of mmap calls is an attack. The same execve in isolation is not.
KB evaluates behavioral transitions over time across six weighted dimensions — enabling detection of sophisticated multi-stage attacks that appear innocuous at each individual step.
The system simultaneously functions as a production-grade runtime defense platform and a research instrument for studying post-exploitation process behavior under live attack conditions.
Each layer communicates only with its immediate neighbors, limiting blast radius in the event of component failure. The AADS layer is optional and advisory — enforcement continues without it.
kbctl CLI exposes the full gRPC API for scripted management. kb-tui provides SSH-accessible terminal interface via Bubble Tea + Wish.BTF relocations let a single compiled kb-core.o load correctly across kernel versions at boot — no per-kernel rebuilds, no DKMS, no header matching at deploy time.
Every process is continuously assigned to one of three execution zones based on its smoothed Behavioral Risk Score St. Zone transition is the unit of analysis — not individual syscalls.
Passive observation. The process exhibits normal behavioral patterns within expected bounds. No enforcement action is taken.
Elevated risk detected. Network syscalls blocked via seccomp filter. Increased monitoring frequency. Alerting raised to AADS layer.
Critical behavioral anomaly. Process is isolated using Linux namespaces and cgroup v2 throttling. Termination is available as a final enforcement step.
Optional. Strictly advisory. No enforcement action ever occurs on an agent's word alone — the Control Plane always has final authority. Disable AADS entirely and deterministic enforcement keeps running.
Consumes the KB event stream and correlates behavioral patterns across time windows, producing structured alerts with confidence scores.
Cross-validates Judge alerts against historical process profiles, suppresses known false positives, and produces validated decision records.
Translates validated decisions into Control Plane API calls within its scoped capability token — and nothing outside it.
JJE doesn't act alone. Each decision is carried out by a swarm of scoped sub-agents, coordinating over Kafka and ZeroMQ.
Continuous behavioral surveillance across the live process tree.
Actively tracks flagged processes — lineage, lateral movement, escalation.
Remediation and recovery — restores Safe-zone state once a threat clears.
Executes isolation — namespaces, cgroup throttling, the physical perimeter.
Carries telemetry and consensus messages across the swarm mesh.
Every hop between layers is a named, typed pipeline — never a shared file, never a polling loop.
Each subsystem owns a complete vertical slice of the stack. No shared mutable state across boundaries. Full contributor workflow in docs/.
eBPF programs loaded at Ring 0 — six hook points capturing the full behavioral surface of every running process. Perf ring buffer transport, CO-RE / BTF relocations, compiled once and deployed anywhere Linux 5.8+ runs.
The kbd daemon — Consumes ring buffer events, manages a dual-tiered state topology (L1 lock-free Go heap cache backed by an asynchronous L2 embedded SQLite WAL data engine), evaluates YAML-defined operator policies, and exposes a gRPC-over-UDS API. All enforcement actions are authorized and executed exclusively through this layer. To mitigate ephemeral eBPF ring buffer volatility on boot, a cold-start initialization routine synchronizes current state by direct scraping of the /proc file system. Validated audit logs are committed out-of-band to an immutable, append-only SHA-256 chained JSON ledger within the L2 persistent layer.
Behavioral reasoning and multi-agent coordination — Judge, Jury, Executor over a decentralized, brokerless ZeroMQ mesh utilizing native Unix Domain Sockets with protobuf serialization. Optional and advisory: no enforcement occurs on agent recommendation alone. MARL infrastructure, QLoRA fine-tuning, Ray RLlib.
React + TypeScript operator dashboard. Real-time zone distribution, per-process behavioral scores, and swarm topology as a live D3.js force graph over WebSockets. The primary human-in-the-loop interface for live defense operations.
SSH-accessible terminal operator interface built with Bubble Tea and Wish. No browser required — full system visibility and control from any machine that can reach port 2222. Designed for headless server environments and rapid incident response.
Rust-native static analysis and safety verification engine. Pre-execution script analysis, policy constraint checking, and enforcement gate validation — ensuring no action violates the operator-defined safety boundary before it reaches the Control Plane.
Technical architecture notes, installation guides, hook point references, contributor workflows, and project whitepapers. Read in order: README → installation → requirements → hookpoints → kb-team.
Installation utilities, test orchestration, CI helpers, and attack-lab tooling for controlled adversarial simulation. Everything needed to bring up the full KB stack on a fresh Ubuntu 22 or 24.04 LTS machine.
Three surfaces for watching and overriding the system. Each built for a different context — browser, shell, or headless server. The system never stops if one is absent.
Real-time zone distribution, per-process behavioral scores, and the swarm as a living D3 force graph — nodes shifting, edges tightening, threat state made visible. Everything over a persistent WebSocket. No polling. No stale state.
The full Control Plane gRPC API from the shell. Policy reload, manual zone override, process isolation, audit export. Designed for scripted playbooks, CI pipelines, and rapid incident automation — every operation is a typed protobuf call.
SSH into a live operator terminal from any machine, on port 2222. No browser. No agent install. Full visibility and control rendered in a Bubble Tea TUI, served over Wish — the Charm SSH server. Built for headless environments and zero-overhead incident response.
Four engineers working across Linux kernel development, eBPF, AI/MARL, distributed systems, security research, and frontend engineering. Full ownership breakdown lives in docs/kb-team.md.
Systems Architecture · Linux Kernel · eBPF · Rust
AI & Agentic Systems · MARL · Offensive Security
Control Plane · Defensive Security · TUI · Go
Dashboard · Frontend Engineering · UI/UX · CLI
Complete installation instructions, architecture docs, and development workflow live in docs/. Start here, read in order.
Requires: Linux 5.8+ · BTF support · Ubuntu 22/24.04 LTS recommended