Phase 1 Summary
Research Period: Days 1–15
Status: ✅ Completed
Focus: Linux Kernel Hardening, Anomaly Detection Theory, and Prototype v0.7.
This phase focused on establishing the “ground truth” for the Sentinel environment: before we can detect anomalies, we must first define, mathematically, what a “normal” Linux process looks like.
Key Achievements
1. The Interceptor Prototype (v0.7)
We successfully engineered a raw C interceptor using ptrace that demonstrates Active Defense:
- Mechanism: PTRACE_SYSCALL loop.
- Detection: Identified mkdir syscalls (ID 83).
- Response: Neutralized the call by rewriting the RAX register to -1 (Operation not permitted).
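As an added illustration (not the v0.7 prototype's own source, which lives in the repository), the following Linux/x86_64 program shows the PTRACE_SYSCALL loop described above: it runs a child under the tracer, stops at every syscall entry and exit, and neutralizes mkdir. One design note on the "rewrite RAX" step: at the syscall-entry stop the kernel dispatches on the syscall number held in orig_rax, so this example overwrites that number with -1 (an invalid number, which makes the kernel perform no operation) and then writes -EPERM into rax at the exit stop, which is what the caller sees as "Operation not permitted". The syscall number 83 and the -1/EPERM result are from the page; the function names, the log message and the exit handling are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall number for mkdir(2) on x86_64 (ID 83, as stated on the page). */
#define SYSCALL_MKDIR 83L

/* Policy hook: which syscall numbers the interceptor neutralizes.
 * Returns 1 when `nr` must be blocked, 0 otherwise. */
int is_blocked_syscall(long nr)
{
    return nr == SYSCALL_MKDIR;
}

/* Value written into the child's return register.  The kernel reports errors
 * as -errno, so -EPERM (-1 on Linux) is what the caller sees as
 * "Operation not permitted". */
long denied_return_value(void)
{
    return -EPERM;
}

#if defined(__linux__) && defined(__x86_64__)
#include <sys/ptrace.h>
#include <sys/user.h>

/* Run argv[0] under PTRACE_SYSCALL and neutralize every blocked syscall.
 * Returns the number of calls blocked, or -1 on a ptrace/wait failure. */
int run_interceptor(char *const argv[])
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);              /* let the parent set options before exec */
        execvp(argv[0], argv);
        _exit(127);
    }

    int status, blocked = 0, in_syscall = 0, skipped = 0;
    if (waitpid(child, &status, 0) < 0)
        return -1;
    /* TRACESYSGOOD marks syscall stops with SIGTRAP|0x80 so they are not
     * confused with ordinary SIGTRAP deliveries (e.g. the post-exec trap). */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD);

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) < 0)
            return -1;
        if (waitpid(child, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                /* not a syscall stop: keep stepping */

        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) < 0)
            return -1;

        if (!in_syscall) {           /* syscall-entry stop: orig_rax = number */
            in_syscall = 1;
            long nr = (long)regs.orig_rax;
            skipped = is_blocked_syscall(nr);
            if (skipped) {
                /* Invalid syscall number: the kernel performs no operation. */
                regs.orig_rax = (unsigned long long)-1;
                ptrace(PTRACE_SETREGS, child, NULL, &regs);
                fprintf(stderr, "[sentinel] blocked syscall %ld in pid %d\n",
                        nr, (int)child);
            }
        } else {                     /* syscall-exit stop: rax = return value */
            in_syscall = 0;
            if (skipped) {
                regs.rax = (unsigned long long)denied_return_value();
                ptrace(PTRACE_SETREGS, child, NULL, &regs);
                blocked++;
            }
        }
    }
    return blocked;
}

/* Usage: ./interceptor mkdir /tmp/sentinel_test  (the mkdir fails with EPERM) */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]);
        return 2;
    }
    int n = run_interceptor(argv + 1);
    printf("blocked syscalls: %d\n", n);
    return n < 0 ? 1 : 0;
}
#else
int main(void)
{
    fputs("this example requires Linux on x86_64\n", stderr);
    return 1;
}
#endif
```

The entry/exit toggle relies on every syscall stop arriving in pairs for a single-threaded child; a multi-threaded or forking target would need PTRACE_O_TRACECLONE/TRACEFORK handling and per-thread state, which the prototype summary does not cover.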
2. The “Brain” Architecture
We moved away from standard Random Forests and implemented a Weightless Neural Network (WiSARD) approach:
- Why: Traditional neural networks are too slow for runtime interception.
- Method: Boolean RAM-based learning (One-Shot Learning).
- Metric: Hamming Distance for anomaly scoring.
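The following is an added example (not the Brain's own implementation) of the three points above in C: a single WiSARD discriminator whose RAM nodes are Boolean bitmasks, one-shot training that sets one cell per node, and an anomaly score computed as the number of nodes that never saw the input's tuple address, which is the Hamming distance between the input's address pattern and the learned memory taken node by node. The 16-bit input vector, the sample profiles and the use of the identity bit mapping (classic WiSARD uses a random permutation) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Input: a 16-bit Boolean feature vector (constructed for this example:
 * bit i = 1 when syscall class i was observed in a process's window). */
#define INPUT_BITS   16
#define TUPLE_BITS   4                         /* address width per RAM node */
#define RAM_NODES    (INPUT_BITS / TUPLE_BITS) /* 4 RAM nodes */
#define RAM_ENTRIES  (1u << TUPLE_BITS)        /* 16 one-bit cells per node */

/* One discriminator: each RAM node is a bitmask over its 2^TUPLE_BITS cells.
 * A set bit means "this tuple address was seen during training". */
typedef struct {
    uint16_t ram[RAM_NODES];
} wisard_t;

void wisard_init(wisard_t *w)
{
    for (int i = 0; i < RAM_NODES; i++)
        w->ram[i] = 0;
}

/* Tuple i addresses its RAM with input bits [4i, 4i+3].  Classic WiSARD uses
 * a random bit permutation here; the identity mapping is an assumption made
 * to keep the example deterministic. */
static unsigned tuple_address(uint16_t input, int node)
{
    return (input >> (node * TUPLE_BITS)) & (RAM_ENTRIES - 1);
}

/* One-shot learning: a single pass sets one cell per RAM node.  There are no
 * weights to adjust, so adding a new "normal" sample costs one pass. */
void wisard_train(wisard_t *w, uint16_t input)
{
    for (int i = 0; i < RAM_NODES; i++)
        w->ram[i] |= (uint16_t)(1u << tuple_address(input, i));
}

/* Anomaly score: number of RAM nodes that never saw this input's address,
 * i.e. the node-wise Hamming distance between the input's tuple-address
 * pattern and the learned memory (0 = fully known, RAM_NODES = fully unknown). */
int wisard_anomaly(const wisard_t *w, uint16_t input)
{
    int misses = 0;
    for (int i = 0; i < RAM_NODES; i++)
        if (!(w->ram[i] & (1u << tuple_address(input, i))))
            misses++;
    return misses;
}

/* Decision rule with a tunable threshold on the Hamming-distance score. */
int wisard_is_anomalous(const wisard_t *w, uint16_t input, int threshold)
{
    return wisard_anomaly(w, input) >= threshold;
}

int main(void)
{
    wisard_t w;
    wisard_init(&w);
    /* Constructed "normal" profiles: two observed windows of a benign process. */
    wisard_train(&w, 0xAC35);
    wisard_train(&w, 0xAC3F);

    uint16_t probes[] = { 0xAC35, 0xAC37, 0xAF35, 0x0000 };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++)
        printf("input 0x%04X -> anomaly score %d/%d%s\n", probes[k],
               wisard_anomaly(&w, probes[k]), RAM_NODES,
               wisard_is_anomalous(&w, probes[k], 2) ? " (ANOMALY)" : "");
    return 0;
}
```

A probe that differs from every training sample in one tuple scores 1 (close to normal), while a vector the discriminator has never seen in any tuple scores the full RAM_NODES; the threshold is what trades false positives against missed detections.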
3. Environment Hardening
To ensure the researcher (us) is safe while handling malware, the lab was hardened:
- Network: UFW Firewall automation.
- Access: SSH Key-only auth + Fail2Ban IPS.
- Integrity: SHA-256 File Integrity Monitoring (FIM).
Raw Logs
For the daily experimental logs and source code, refer to the Systems Security Foundations Repository.