This document explains how to use the two main components of MalwareWatch: the process anomaly detection engine (defense.py) and the monitoring dashboard (dashboard.py).
defense.py

Purpose: Monitors system processes, extracts behavioral features, and detects anomalous or potentially malicious activity using an Isolation Forest model. Can suspend, kill, or log suspicious processes.

Running the detection engine:

    python3 defense.py

Configuration options:

- SUSPEND_ON_ANOMALY: If True, suspicious processes will be suspended automatically.
- RETRAIN_INTERVAL_SEC: Interval (in seconds) for retraining the ML model on recent data.
- CONTAMINATION: Contamination level for the Isolation Forest (fraction of anomalies expected).
- DB_PATH: Path to the SQLite database for storing process features.
- MODEL_PATH: Path to save/load the ML model.
- MIN_TRAIN_SAMPLES: Minimum number of samples required before retraining.
- MAX_DB_ROWS: Maximum rows in the database before a rolling delete occurs.

How it works:

- Continuously monitors processes.
- Extracts CPU, memory, I/O, thread, file descriptor, and network usage features.
- Predicts anomaly scores using the Isolation Forest.
- Takes the configured action: suspend, kill, or log.
- Retrains the ML model periodically using recent data.
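As an added example (not MalwareWatch's own code), the pieces of this loop that are independent of the model: a SQLite feature store with the MAX_DB_ROWS rolling delete, the RETRAIN_INTERVAL_SEC / MIN_TRAIN_SAMPLES retrain gate, and the SUSPEND_ON_ANOMALY action policy. The class and function names are hypothetical; the prediction values follow scikit-learn's IsolationForest convention (-1 anomaly, 1 normal), so a fitted model's predict() output can be passed straight to decide_action.

```python
# Added example, not code from defense.py. FeatureStore, should_retrain and
# decide_action are hypothetical names; the schema mirrors the README's features.
import sqlite3
from typing import Sequence

FEATURES = ("cpu", "mem", "io", "threads", "fds", "net")  # per-process features


class FeatureStore:
    """SQLite store for process feature rows with a rolling delete at max_rows."""

    def __init__(self, db_path: str = ":memory:", max_rows: int = 1000) -> None:
        self.max_rows = max_rows
        self.conn = sqlite3.connect(db_path)
        cols = ", ".join(f"{f} REAL" for f in FEATURES)
        self.conn.execute(
            f"CREATE TABLE IF NOT EXISTS feats (id INTEGER PRIMARY KEY, {cols})")

    def add(self, row: Sequence[float]) -> None:
        names = ", ".join(FEATURES)
        ph = ", ".join("?" * len(FEATURES))
        self.conn.execute(f"INSERT INTO feats ({names}) VALUES ({ph})", tuple(row))
        # Rolling delete: keep only the newest max_rows rows (ids only ever grow).
        self.conn.execute(
            "DELETE FROM feats WHERE id <= (SELECT MAX(id) FROM feats) - ?",
            (self.max_rows,))
        self.conn.commit()

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM feats").fetchone()[0]

    def recent(self) -> list[tuple[float, ...]]:
        names = ", ".join(FEATURES)
        return self.conn.execute(f"SELECT {names} FROM feats ORDER BY id").fetchall()


def should_retrain(store: FeatureStore, last_train: float, now: float,
                   interval_sec: float, min_samples: int) -> bool:
    """Retrain only when the interval has elapsed AND enough samples are stored."""
    return now - last_train >= interval_sec and store.count() >= min_samples


def decide_action(prediction: int, suspend_on_anomaly: bool) -> str:
    """Map a prediction (-1 anomaly, 1 normal) to the configured response."""
    if prediction == 1:
        return "none"
    return "suspend" if suspend_on_anomaly else "log"
```

With a real model, the feature rows from store.recent() are what IsolationForest.fit() consumes at each retrain, and predict() on the newest row feeds decide_action.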
dashboard.py

Purpose: Provides a live visualization of the system processes, their features, and the anomaly scores detected by defense.py.

Running the dashboard:

    python3 dashboard.py

Features:

- Displays a table of currently running processes with extracted features.
- Highlights anomalous processes detected by defense.py.
- Real-time updates of process activity and anomaly scores.
- Optional color-coding or alerts for suspicious processes.

Usage tips:

- Ensure defense.py is running so the dashboard receives live data.
- Use the dashboard to monitor anomaly trends and decide on manual actions if needed.
- Can be used on the same machine or remotely if networked properly.
Requirements

Both scripts require Python 3.12+. Dependencies: psutil and scikit-learn (sqlite3 and threading are part of the Python standard library), plus whichever dashboard GUI library the implementation uses (tkinter, flask, or dash). Run with sufficient permissions to monitor and suspend processes on the system.