This script monitors processes on a system, extracts behavioral features, and uses machine learning (an Isolation Forest) to detect anomalous or potentially malicious behavior. When an anomaly is detected, it can take actions such as suspending or terminating the process.

The behavioral features extracted for each process are:

- CPU usage
- Memory usage
- I/O operations (read/write counts)
- Thread and file descriptor counts
- Network connections

All of these are collected via `psutil`.
Storage and detection:

- Stores extracted features in an SQLite database (`behavior.db`)
- Maintains a rolling history of process features for training
- Uses `IsolationForest` from scikit-learn to detect anomalous processes
- Retrains periodically using recent data
- Supports synthetic augmentation for training
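As an added illustration (not the script's own code), the storage side described above as a stand-alone module: one `psutil` feature vector per process, an SQLite table that is trimmed back to a rolling maximum after every insert, a minimum-sample gate before retraining, and jitter-based synthetic padding when too few real rows exist. The column names, the `open_store` / `store_features` / `training_set` helpers, and reading "safe augmentation" as clamped proportional jitter are my assumptions, not the script's; the sample rows in the usage are constructed.

```python
import random
import sqlite3
import time
from typing import List, Optional, Sequence

# One column per behavioural signal the monitor collects (names are assumed, not the script's).
FEATURE_COLUMNS = ("cpu_percent", "rss_mb", "read_count", "write_count",
                   "num_threads", "num_fds", "net_connections")
_COLS = ", ".join(FEATURE_COLUMNS)


def extract_features(proc) -> List[float]:
    """Build one feature vector from a psutil.Process (psutil itself is not imported here,
    so the rest of the module runs without it). num_fds() and io_counters() are POSIX/Linux
    specific; callers should catch psutil.AccessDenied / psutil.NoSuchProcess, which are
    routine for privileged or short-lived processes."""
    with proc.oneshot():                       # batch the per-process reads
        io = proc.io_counters()
        conns = proc.net_connections() if hasattr(proc, "net_connections") else proc.connections()
        return [float(proc.cpu_percent(interval=None)), proc.memory_info().rss / 2 ** 20,
                float(io.read_count), float(io.write_count), float(proc.num_threads()),
                float(proc.num_fds()), float(len(conns))]


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open the feature database and make sure the table exists (idempotent)."""
    conn = sqlite3.connect(path)
    cols = ", ".join(f"{c} REAL NOT NULL" for c in FEATURE_COLUMNS)
    conn.execute("CREATE TABLE IF NOT EXISTS features (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 f"pid INTEGER NOT NULL, ts REAL NOT NULL, {cols})")
    conn.commit()
    return conn


def store_features(conn: sqlite3.Connection, pid: int, vector: Sequence[float],
                   max_rows: int, ts: Optional[float] = None) -> int:
    """Append one row, then drop everything older than the newest max_rows rows
    (the rolling window). Returns the row count after trimming."""
    marks = ", ".join("?" for _ in FEATURE_COLUMNS)
    conn.execute(f"INSERT INTO features (pid, ts, {_COLS}) VALUES (?, ?, {marks})",
                 (pid, time.time() if ts is None else ts, *vector))
    conn.execute("DELETE FROM features WHERE id NOT IN "
                 "(SELECT id FROM features ORDER BY id DESC LIMIT ?)", (max_rows,))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM features").fetchone()[0]


def recent_features(conn: sqlite3.Connection, limit: int) -> List[List[float]]:
    """Newest `limit` feature vectors, newest first."""
    rows = conn.execute(f"SELECT {_COLS} FROM features ORDER BY id DESC LIMIT ?", (limit,)).fetchall()
    return [list(r) for r in rows]


def augment(samples: List[List[float]], target_size: int, jitter: float = 0.05,
            seed: int = 0) -> List[List[float]]:
    """Synthetic padding (an assumed reading of 'safe augmentation'): copies of real rows with
    small proportional Gaussian jitter, clamped at zero so counts never go negative.
    Only ever grows the set; the real rows are kept unchanged."""
    rng = random.Random(seed)
    out = [list(s) for s in samples]
    while len(out) < target_size:
        base = rng.choice(samples)
        out.append([max(0.0, v + rng.gauss(0.0, jitter * abs(v))) for v in base])
    return out


def training_set(conn: sqlite3.Connection, min_samples: int, limit: int) -> Optional[List[List[float]]]:
    """Rows for the next retrain: the newest `limit` real rows, padded synthetically when fewer
    than min_samples exist. None when the table is empty, i.e. nothing to learn from yet."""
    rows = recent_features(conn, limit)
    if not rows:
        return None
    if len(rows) < min_samples:
        rows = augment(rows, min_samples)
    return rows


if __name__ == "__main__":
    db = open_store()
    for i in range(120):   # constructed, identical vectors; real input comes from extract_features()
        kept = store_features(db, 1000 + i, [1.0, 50.0, 10.0, 5.0, 4.0, 12.0, 1.0], max_rows=100, ts=float(i))
    print("rows kept:", kept, "training rows:", len(training_set(db, min_samples=150, limit=100)))
```

Two points worth noting in the design: the trim runs inside the same commit as the insert, so a crash between the two cannot leave the table over its cap, and the padding is derived only from rows that were actually observed, so the retrain cannot be pushed toward behaviour the host never exhibited.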
- Configurable actions on anomaly detection:
  - `"suspend"`: temporarily stop the process
  - `"kill"`: terminate the process
  - `"log"`: record the anomaly only
- Suspends processes immediately if `SUSPEND_ON_ANOMALY` is enabled
- Can create a snapshot of the process's metadata for quarantining
Configurable settings:

- Paths for the database and the ML model
- Retrain interval (`RETRAIN_INTERVAL_SEC`)
- Minimum number of samples required before training
- Maximum number of rows kept in the database (a rolling window, so the table cannot grow without bound)
- Contamination level for the IsolationForest (`CONTAMINATION`)
- Uses threading (`Thread`) to run the monitoring and retraining loops; `Lock` and `Event` objects ensure safe access to the ML model and a clean shutdown
Runtime workflow:

- Ensure the database table exists
- Load or initialize the machine learning model
- Periodically scan all running processes
- Extract behavioral features
- Save features to SQLite
- Predict whether each process's behavior is anomalous
- If anomalous, take the configured action (`suspend`, `kill`, or `log`)
- Periodically retrain the Isolation Forest on recent feature data
- Apply safe synthetic augmentation if needed
- Save the updated model
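Added example, not the script's code, covering the detection and response steps of the workflow above together with the suspend/kill/log actions: a small pure-Python isolation forest stands in for scikit-learn's `IsolationForest` (same algorithm and anomaly score, so the block runs without that dependency), the contamination setting becomes a score threshold, and a `respond()` helper applies the configured action but refuses to touch the monitor's own pid or any pid at or below 1 and defaults to dry-run. `MiniIsolationForest`, `respond`, `scan`, and the baseline and outlier vectors are all my constructions, not identifiers from the script.

```python
import math
import os
import random
import signal
from typing import Dict, List, Sequence, Tuple

EULER_GAMMA = 0.5772156649015329


def _c(n: int) -> float:
    """Average path length of an unsuccessful BST search over n points (Liu et al. 2008);
    normalises depths so scores are comparable across sample sizes."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _grow(rows: List[List[float]], depth: int, max_depth: int, rng: random.Random):
    """Isolation tree: split on a random feature at a random point between its min and max."""
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return ("leaf", len(rows))
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[f] < split]
    right = [r for r in rows if r[f] >= split]
    return ("node", f, split, _grow(left, depth + 1, max_depth, rng),
            _grow(right, depth + 1, max_depth, rng))


def _path(tree, x: Sequence[float], depth: int = 0) -> float:
    if tree[0] == "leaf":
        return depth + _c(tree[1])        # unfinished leaves get their expected remaining depth
    _, f, split, left, right = tree
    return _path(left if x[f] < split else right, x, depth + 1)


class MiniIsolationForest:
    """Pure-Python stand-in for sklearn.ensemble.IsolationForest (assumed, simplified API)."""

    def __init__(self, n_trees: int = 100, sample_size: int = 256,
                 contamination: float = 0.05, seed: int = 0):
        self.n_trees, self.sample_size, self.contamination, self.seed = n_trees, sample_size, contamination, seed
        self.trees, self.n, self.threshold = [], 0, 1.0

    def fit(self, rows: List[List[float]]) -> "MiniIsolationForest":
        if len(rows) < 2:
            raise ValueError("need at least two samples to fit")
        rng = random.Random(self.seed)
        self.n = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(max(self.n, 2)))
        self.trees = [_grow(rng.sample(rows, self.n), 0, max_depth, rng) for _ in range(self.n_trees)]
        # Contamination fixes the cut-off: the top `contamination` share of training scores is anomalous.
        scores = sorted(self.score(r) for r in rows)
        self.threshold = scores[min(int(len(scores) * (1 - self.contamination)), len(scores) - 1)]
        return self

    def score(self, x: Sequence[float]) -> float:
        """0..1; close to 1 means the point is isolated in very few splits, i.e. anomalous."""
        avg = sum(_path(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / _c(self.n))

    def is_anomaly(self, x: Sequence[float]) -> bool:
        return self.score(x) > self.threshold


# SIGSTOP/SIGKILL are POSIX-only; getattr keeps the module importable elsewhere (actions then fail loudly).
ACTIONS = {"suspend": getattr(signal, "SIGSTOP", None), "kill": getattr(signal, "SIGKILL", None), "log": None}


def respond(pid: int, action: str, protected: Sequence[int] = (), dry_run: bool = True, log=print) -> str:
    """Apply the configured action to one pid and report what happened. pid <= 1 (init, or a
    process group when negative), the monitor itself and caller-supplied pids are never signalled;
    dry_run (the default) only logs, the right setting until the model is validated on the host."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if pid <= 1 or pid == os.getpid() or pid in protected:
        log(f"refusing to act on protected pid {pid}")
        return "skipped"
    if action == "log" or dry_run:
        log(f"anomaly pid={pid} action={action} dry_run={dry_run}")
        return "logged"
    try:
        os.kill(pid, ACTIONS[action])    # SIGSTOP suspends (resume with SIGCONT), SIGKILL terminates
    except ProcessLookupError:
        return "gone"
    return "suspended" if action == "suspend" else "killed"


def scan(forest: MiniIsolationForest, observations: List[Tuple[int, List[float]]], action: str, **kw) -> Dict[int, str]:
    """One pass of the monitoring loop over (pid, feature vector) pairs; outcome per anomalous pid."""
    return {pid: respond(pid, action, **kw) for pid, vec in observations if forest.is_anomaly(vec)}


def constructed_baseline(n: int = 40, seed: int = 1) -> List[List[float]]:
    """Constructed sample of ordinary behaviour (not real telemetry): low CPU, modest RSS, few fds."""
    rng = random.Random(seed)
    return [[rng.uniform(0, 5), rng.uniform(20, 80), rng.uniform(0, 200), rng.uniform(0, 100),
             float(rng.randint(1, 8)), float(rng.randint(3, 30)), float(rng.randint(0, 3))] for _ in range(n)]


OUTLIER = [95.0, 2048.0, 50000.0, 50000.0, 400.0, 900.0, 300.0]   # constructed: CPU-bound, huge RSS, many fds


if __name__ == "__main__":
    forest = MiniIsolationForest(contamination=0.05).fit(constructed_baseline())
    print(scan(forest, [(4242, OUTLIER), (4243, constructed_baseline()[0])], "suspend"))
```

Because the threshold is taken from the training scores, `CONTAMINATION` is effectively a false-positive budget: at 5 percent, roughly one in twenty ordinary processes will score above it after each retrain, which is why the response defaults to logging and why the `kill` path should be protected by an allowlist of pids the host cannot afford to lose.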
This script acts as a self-updating, process-level anomaly detector capable of automatically containing malware or suspicious behavior.