iampratt/rGus

rGus - Advanced Host Intrusion Detection System

rGus is an advanced Host Intrusion Detection System (HIDS) that uses machine learning to detect intrusions through system call monitoring. It features a modern CLI interface and can automatically respond to detected intrusions by locking down the system and capturing images of potential intruders.

Features

  • Real-time system call monitoring
  • Ensemble machine learning models for intrusion detection
  • Automatic system lockdown on intrusion detection
  • Intruder image capture
  • Modern CLI interface with real-time monitoring
  • System resource usage tracking
  • Detailed logging and history
  • Docker containerization support

Installation

Option 1: Direct Installation

  1. Clone the repository:
     git clone https://github.com/yourusername/rGus.git
     cd rGus
  2. Install dependencies:
     pip install -r requirements.txt
  3. Make the scripts executable:
     chmod +x rgus.py ids_core.py cli.py

Option 2: Docker Installation

  1. Clone the repository:
     git clone https://github.com/yourusername/rGus.git
     cd rGus
  2. Build and start the Docker container:
     docker-compose up -d
  3. To stop the container:
     docker-compose down

Usage

Direct Usage

rGus provides a command-line interface with the following commands:

Start the IDS

python cli.py start

Stop the IDS

python cli.py stop

Check Status

python cli.py status

View History

python cli.py history

Real-time Monitoring

python cli.py monitor

Docker Usage

Start the IDS

docker-compose up -d

Stop the IDS

docker-compose down

Check Status

docker exec -it rgus-ids python cli.py status

View History

docker exec -it rgus-ids python cli.py history

Real-time Monitoring

docker exec -it rgus-ids python cli.py monitor

Configuration

The system uses models from the models directory. Make sure your trained models are placed in this directory with the .joblib extension.

Logs

  • System logs: logs/rgus.log
  • Core IDS logs: logs/ids_core.log
  • Incident logs: logs/incidents.log
  • Intruder images: intruder_images/ directory
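The README says the detector is an ensemble of models loaded from models/*.joblib and that verdicts land in logs/incidents.log, but it does not show how a syscall stream is scored. The block below is an added illustration, not code from the rGus repository: it replaces the joblib files with three small standard-library detectors (NgramModel, FrequencyModel and UnknownSyscallModel are assumed names), combines them by majority vote over a sliding window of syscalls, and formats an incident record in the spirit of logs/incidents.log (the record layout is an assumption). The benign training trace and the suspicious window are constructed for the example.

```python
"""Sliding-window syscall ensemble detector (added example, not rGus code).

Three in-memory detectors stand in for rGus's .joblib models so that the
example runs with the standard library only.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Set, Tuple

# Constructed training trace standing in for a recorded benign syscall stream.
BENIGN_TRACE: List[str] = (
    "read write read write poll read write poll "
    "mmap read write poll read close open read write"
).split()

# Constructed window typical of a process being tampered with (for the demo only).
SUSPICIOUS_WINDOW: List[str] = (
    "read write execve ptrace connect write execve ptrace".split()
)


def ngrams(seq: Sequence[str], n: int):
    """Yield consecutive n-grams of a syscall sequence."""
    return zip(*(seq[i:] for i in range(n)))


@dataclass
class NgramModel:
    """Votes 'intrusion' when more than half of the window's n-grams are unseen."""
    n: int = 3
    known: Set[Tuple[str, ...]] = field(default_factory=set)

    def fit(self, trace: Sequence[str]) -> "NgramModel":
        self.known = set(ngrams(trace, self.n))
        return self

    def predict(self, window: Sequence[str]) -> int:
        grams = list(ngrams(window, self.n))
        if not grams:
            return 0
        novel = sum(1 for g in grams if g not in self.known)
        return int(novel / len(grams) > 0.5)


@dataclass
class FrequencyModel:
    """Votes when the window's syscall histogram drifts far from training.

    Distance is total variation between the two normalised histograms."""
    threshold: float = 0.4
    dist: Dict[str, float] = field(default_factory=dict)

    def fit(self, trace: Sequence[str]) -> "FrequencyModel":
        counts = Counter(trace)
        self.dist = {k: v / len(trace) for k, v in counts.items()}
        return self

    def predict(self, window: Sequence[str]) -> int:
        counts = Counter(window)
        q = {k: v / len(window) for k, v in counts.items()}
        keys = set(self.dist) | set(q)
        tv = 0.5 * sum(abs(self.dist.get(k, 0.0) - q.get(k, 0.0)) for k in keys)
        return int(tv > self.threshold)


@dataclass
class UnknownSyscallModel:
    """Votes on any syscall that never appeared in the training vocabulary."""
    vocab: Set[str] = field(default_factory=set)

    def fit(self, trace: Sequence[str]) -> "UnknownSyscallModel":
        self.vocab = set(trace)
        return self

    def predict(self, window: Sequence[str]) -> int:
        return int(any(s not in self.vocab for s in window))


def build_ensemble(trace: Sequence[str] = BENIGN_TRACE) -> list:
    """Train all three detectors on one benign trace."""
    return [NgramModel().fit(trace), FrequencyModel().fit(trace),
            UnknownSyscallModel().fit(trace)]


def ensemble_vote(models: list, window: Sequence[str]) -> Tuple[int, int]:
    """Majority vote across detectors; returns (votes_for_intrusion, verdict)."""
    votes = sum(m.predict(window) for m in models)
    return votes, int(votes * 2 > len(models))


def scan(trace: Sequence[str], models: list, window_size: int = 8, step: int = 4):
    """Slide over a live trace; returns (offset, votes, verdict) for each window."""
    results = []
    for off in range(0, max(1, len(trace) - window_size + 1), step):
        votes, verdict = ensemble_vote(models, trace[off:off + window_size])
        results.append((off, votes, verdict))
    return results


def incident_line(pid: int, offset: int, votes: int, n_models: int, when=None) -> str:
    """Format one incident record; the layout is assumed, not rGus's own."""
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} INTRUSION pid={pid} window_offset={offset} votes={votes}/{n_models}"


if __name__ == "__main__":
    ens = build_ensemble()
    for off, votes, verdict in scan(BENIGN_TRACE + SUSPICIOUS_WINDOW, ens):
        if verdict:
            print(incident_line(1234, off, votes, len(ens)))
```

The point of the vote is visible when the detectors disagree: a benign window with one unfamiliar syscall trips UnknownSyscallModel alone and is outvoted, while the constructed tampering window trips all three. Thresholds (0.5 novel n-grams, 0.4 total variation) are illustrative and would be tuned against a real training trace.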

Security Considerations

  • The system requires root privileges to monitor system calls and perform lockdown actions
  • Make sure to properly secure the intruder images and logs
  • Regularly update the machine learning models for better detection accuracy
  • When using Docker, ensure proper security configurations are in place

Docker-Specific Notes

  1. The container requires access to the host's webcam for intruder image capture
  2. System call monitoring requires elevated privileges (SYS_ADMIN capability)
  3. Volumes are mounted to persist data between container restarts
  4. The container runs as a non-root user for security

License

MIT License

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.
