Skip to content

rootali-dev/AI-IDA

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

14 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ›‘οΈ AI-IDA β€” Intelligent Defense Architecture

Asynchronous, AI-driven, kernel-space packet filtering for the Linux network stack

Kernel Core Control Plane ML Status


AI-IDA (Intelligent Defense Architecture) is an ultra-high-performance, programmable Linux kernel firewall subsystem engineered to neutralize volumetric and structural cyberattacks β€” DDoS floods, port scans, protocol amplification β€” directly at line rate, before they ever touch host CPU cycles.

It fuses XDP (eXpress Data Path) interception via Rust/Aya at the NIC driver layer with a non-blocking Go control plane driven by a matrix-free, compiled machine learning pipeline. Malicious traffic is dropped in nanoseconds, leaving host resources β€” even on budget hardware (Intel Core i3 class) β€” completely untouched.

Core Engineering Philosophy β€” Decouple Computation from the Data Path. Traditional firewalls degrade under high PPS due to sk_buff allocation overhead and context-switch cost in the Linux network stack. AI-IDA bypasses this entirely via an asynchronous, three-tier architecture: deterministic kernel-space enforcement, lockless telemetry transport, and out-of-band user-space inference.


🧬 Architecture Overview

graph TD
    NIC["🏁 PACKET INGRESS (NIC)"]
    
    subgraph KernelSpace["πŸ”Ή KERNEL SPACE (Rust / XDP Driver Layer - Aya)"]
        LP["1. Token-Bucket Rate Limiter (PERCPU_HASH)"]
        PG["2. Static L4 Port Gate (O(1) Lookup)"]
        RM["3. Reputation & Signature Match (LPM_TRIE)"]
        
        LP --> PG --> RM
        
        RM -->|MATCH| D["❌ XDP_DROP / XDP_TX (Reflective RST)"]
        RM -->|MISS| P["βœ… XDP_PASS (To Network Stack)"]
        RM -->|DISTRIBUTE| R["πŸ”€ XDP_REDIRECT (RSS-aware steering)"]
    end

    subgraph UserSpace["πŸ”Έ USER SPACE (Go Runtime Control Plane)"]
        BC["1. Lockless Ring Buffer Consumer (Zero-copy)"]
        FA["2. Flow Aggregator (Time-Window 100ms IAT)"]
        IE["3. Concurrent Inference Engine (Worker Pool)"]
        ML{"Compiled ML Model <br> P(malicious) > 0.85"}
        SE["4. Structural Pattern Extraction & Signature Synthesis"]
        
        BC --> FA --> IE --> ML
        ML -->|True| SE
    end

    NIC --> LP
    P -->|Lockless Ring Buffer: 24B Metadata| BC
    SE -->|eBPF Map Updates| RM

    %% Styling
    style NIC fill:#2f3640,stroke:#f5f6fa,stroke-width:2px,color:#fff
    style KernelSpace fill:#1e272e,stroke:#34e7e4,stroke-width:2px,color:#fff
    style UserSpace fill:#1e272e,stroke:#ffdd59,stroke-width:2px,color:#fff
    style D fill:#eb4d4b,stroke:#ff7675,stroke-width:1px,color:#fff
    style P fill:#4cd137,stroke:#44bd32,stroke-width:1px,color:#fff
    style R fill:#eccc68,stroke:#ffa502,stroke-width:1px,color:#000
Loading

⚑ Core Engineering Features

1. In-Driver Ingress Filtering (Rust / eBPF)

  • Zero-Allocation Dropping β€” malicious packets are destroyed via XDP_DROP before the kernel allocates an sk_buff, eliminating allocator pressure under flood conditions.
  • Stateless Token-Bucket Limiting β€” implemented natively in eBPF context using BPF_MAP_TYPE_PERCPU_HASH, regulating per-flow burst rates with $O(1)$ lookup and no cross-CPU synchronization.
  • Static L4 Port Gating β€” instantly drops traffic targeting unmapped endpoints, shielding internal OS routines from exposure.
  • Reflective Mitigation (XDP_TX) β€” synthesizes TCP RST packets in-driver for stateless connection termination without round-tripping to user space.
  • Multi-Queue Steering (XDP_REDIRECT) β€” redistributes ingress load across CPU queues/NICs for RSS-aware scaling.

2. High-Throughput Control Plane (Go)

  • Asynchronous Telemetry Layer β€” consumes a lockless eBPF Ring Buffer carrying a compact 24-byte structured metadata schema per flow, minimizing cross-boundary memory bandwidth.
  • Native Concurrency Engine β€” a dedicated Goroutine worker pool handles flow aggregation and inference dispatch in parallel, preventing pipeline stalls under burst telemetry load.
  • Time-Window Flow Aggregator β€” evaluates rolling 100ms windows rather than per-packet classification, enabling detection of distributed/IP-rotated botnet behavior.

3. Native Matrix-Free ML Inference

  • Zero Runtime Overhead β€” LightGBM gradient-boosted trees are trained offline on CIC-IDS intrusion datasets, then compiled directly into native Go if/else conditional trees via a modified m2cgen pipeline.
  • Microsecond Execution Boundaries β€” eliminates the Python interpreter from the production path entirely; inference cost is reduced to branch evaluation, not floating-point matrix multiplication.
  • Closed-Loop Signature Synthesis β€” detected anomalies trigger structural pattern extraction, feeding new entries back into the kernel-space LPM_TRIE reputation map.

πŸ”¬ Mathematical Feature Engineering

AI-IDA classifies flows, not individual packets, via a dynamic Time-Window Flow Aggregator (100ms intervals) β€” neutralizing botnets that rely on IP rotation or spoofing to evade per-packet heuristics.

Packet Inter-Arrival Time Standard Deviation ($IAT_{std}$)

$$\sigma = \sqrt{\frac{1}{N}\sum_{i=1}^{N}(t_i - \mu)^2}$$

Human traffic exhibits natural high variance ($IAT_{std} &gt; 50\text{ms}$); automated script/botnet engines emit tight, mechanical microsecond-precision patterns ($\sigma \approx 0$).

Asymmetric Flow Density ($Ratio_{flow}$)

$$Ratio_{flow} = \frac{Packets_{Inbound}}{Packets_{Outbound}}$$

Measures TCP handshake state compliance. Volumetric floods exhibit structural divergence ($Ratio_{flow} \gg 100$).

Shannon Entropy of Destination Ports ($Entropy_{port}$)

$$H(P) = -\sum_{i=1}^{n} P(p_i)\log_2 P(p_i)$$

Sharp entropy expansion on a single source IP signals systematic port enumeration (scanning behavior) rather than organic application traffic.


🎯 Production Mitigation Matrix

Target Vector Detection Metric Mitigating Kernel Action
SYN Flood / Botnets Asymmetric ingress $Ratio_{flow}$ + fixed TCP window anomalies Dynamic signature β†’ signature_map injection, XDP_DROP
TCP Port Scanning Sharp $Entropy_{port}$ expansion on a single source IP Source IP blocked globally via reputation_map (LPM_TRIE)
DNS / NTP Amplification Surge in $Payload_{mean}$ originating from port 53/123 Structural match on IP packet identification fields, XDP_DROP

πŸ›£οΈ Roadmap & Implementation Milestones

Phase 1 β€” Zero-Feature Ingress Pipeline βœ… Completed

  • Cross-compilation toolchain: bpf-linker + Rust compiler target
  • Minimal XDP driver (Aya) β€” generic pass-through (XDP_PASS)
  • Raw telemetry line via lockless eBPF Ring Buffer β†’ Go agent

Phase 2 β€” Protocol Parsing & Static Controls πŸ”„ In Progress

  • Robust L3/L4 header parsing in Rust driver space, verifier-safe
  • $O(1)$ hash map configuration for port gating + static thresholds
  • Kernel-level token-bucket primitives for stateless rate limiting

Phase 3 β€” ML Integration & Structural Matching 🎯 Target: Late Summer 2026

  • Finalize offline Python training pipeline on non-linear behavioral profiles
  • Implement m2cgen code-generation pipe β†’ native Go logic blocks
  • Deploy automated pattern extraction: user-space AI insight β†’ kernel-level eBPF signature constraints

Performance Verification Target Maximum Processing Latency (kernel-space match): < 10 ns Target Line-Rate Capacity: 10 Gbps (14.8M PPS) sustained on budget processor layouts (Intel Core i3 class)


High-performance network security research project β€” convergence of low-level kernel subsystems and real-time behavioral AI.

About

Asynchronous, AI-driven, kernel-space packet filtering for the Linux network stack

Topics

Resources

License

Stars

1 star

Watchers

1 watching

Forks

Contributors

Languages