Sentinel Sandbox
// Project Overview
Section titled “// Project Overview”Sentinel Sandbox is a research-oriented runtime analysis system designed to study program behavior at the Linux kernel level using system call (syscall) monitoring and lightweight machine learning.
Unlike traditional antivirus software that relies on static file signatures (hashes), Sentinel observes how a program behaves at runtime by intercepting its interactions with the Linux kernel.
The system focuses on behavioral anomaly detection, rather than signature matching or static analysis.
// Core Hypothesis
Section titled “// Core Hypothesis”“Malicious behavior is better characterized by how a program interacts with the kernel than by how its code appears on disk.”
All programs—benign or malicious—must request services from the kernel using system calls (e.g., open, read, write, execve).
By modeling patterns of syscall usage, it is possible to distinguish normal behavior from anomalous or suspicious execution.
// Why System Calls?
Section titled “// Why System Calls?”- Syscalls represent ground-truth behavior
- They cannot be obfuscated away
- Even packed or encrypted malware must interact with the kernel
- Behavioral patterns remain observable even when code changes
Sentinel treats syscall activity as a behavioral signal, not a signature.
// Technology Stack
Section titled “// Technology Stack”| Component | Technology | Purpose |
|---|---|---|
| Interceptor | C / ptrace | Attaches to processes and intercepts system calls at syscall entry points |
| Behavior Bridge | Python 3 | Converts syscall streams into structured, binary representations |
| Detection Engine | Weightless Neural Network (DWN/WiSARD) | Learns statistical patterns of normal behavior using lookup-table-based learning |
| Execution Model | Bare Metal (User Space) | No kernel modules, no virtualization, minimal system interference |
Note: The current implementation operates on the host system using
ptrace. Containerization and isolation are considered future extensions.
// Research Goals
Section titled “// Research Goals”-
Behavioral Detection:
Detect anomalous program execution based on syscall behavior rather than file signatures. -
Lightweight ML:
Explore Weightless Neural Networks as an alternative to deep learning for runtime security tasks. -
CPU-Only Operation:
Design a system that functions without GPUs or hardware acceleration. -
Kernel-Level Fidelity:
Preserve accurate syscall semantics while minimizing analysis overhead.
// Research Status
Section titled “// Research Status”- ✔ Syscall interception validated on real Linux programs
- ✔ End-to-end pipeline from kernel tracing to ML training completed
- ✔ Differentiable Weightless Neural Network (DWN) integrated
- 🔜 Anomaly scoring and evaluation experiments in progress
// Scope & Intent
Section titled “// Scope & Intent”Sentinel Sandbox is a research and learning platform, not a production malware sandbox.
Its primary purpose is to:
- understand low-level program behavior
- study lightweight ML techniques
- explore the intersection of systems security and machine learning
// Experimental Finding: Temporal Structure Matters
Section titled “// Experimental Finding: Temporal Structure Matters”Initial experiments using syscall frequency histograms showed limited separation between benign and abnormal executions. While syscall counts capture what operations occur, they fail to capture when they occur.
To address this, Sentinel introduced temporal bucketing, where each syscall window is divided into ordered segments and processed independently.
This change significantly improved anomaly score separation without modifying the underlying Weightless Neural Network.
Implication:
Effective syscall-based detection depends more on behavioral representation than on model complexity.