Argus is a state-of-the-art security system designed to detect, analyze, and explain fileless malware attacks (e.g., PowerShell injection, LOLBins) using a hybrid approach of Real-time Monitoring and AI-powered Analysis.
- Event-driven Detection: Utilizes Sysmon to capture high-fidelity events (Process Creation, Remote Threads, DNS).
- Polling Architecture: Robust polling mechanism (
sysmon_monitor.py) ensures stability and avoids event loss. - Deep Integration: Automatically triggers memory dumps and analysis upon detection.
- Stage Classification: Uses a fine-tuned BERT model to classify attack stages (Initial Access, Execution, Persistence, etc.) with 91.24% accuracy.
- Explainable AI: Harnesses Llama-2 (LoRA fine-tuned) to generate human-readable explanations for suspicious commands.
- Memory Dumping: Automatically captures process memory using
ProcDumpwhen a suspicious process is detected. - WinDBG Analysis: Parses
.dmpfiles to extract loaded modules, IAT, and strings for deeper context.
- Live Monitor: Real-time feed of security alerts.
- Deep Analysis UI: Interactive interface to view AI explanations and forensic reports.
- System Health: Health checks for all system components.
graph TD
A[Sysmon Event Log] -->|Polls| B[Monitor Agent]
B -->|Verify Process| C{Is Alive?}
C -->|Yes| D[ProcDump]
D -->|Dump File| E[WinDBG Tool]
E -->|Analysis Report| F[API Backend]
C -->|No| F
F -->|Store| G[(SQLite DB)]
H[Streamlit Dashboard] <-->|Fetch/Poll| F
F <-->|Inference| I[AI Pipeline]
I -->|Classify| J[BERT]
I -->|Explain| K[Llama]
- Python 3.10+
- Administrator Privileges (Required for Sysmon/ProcDump)
- External Tools:
- Sysmon (Installed & Configured)
- ProcDump (In
tool/or System PATH) - Debugging Tools for Windows (
cdb.exe)
Note: Argus is built entirely on Python. You do NOT need Node.js or NPM installed.
-
Clone & Virtual Env
git clone https://github.com/your-repo/argus.git cd argus python -m venv venv .\venv\Scripts\activate # Windows # source venv/bin/activate # Linux/Mac
-
Install Dependencies
pip install -r requirements.txt
This installs all core libraries: FastAPI, Streamlit, PyTorch, Transformers, etc.
-
Verify Installation
streamlit --version # Should show Streamlit, e.g., Streamlit, version 1.31.0
To run the full system, you need to start 3 separate terminals:
Starts the brain of the system.
uvicorn api.main:app --reload --port 8000Starts the user interface.
streamlit run app.pyAccess at: http://localhost:8501
Starts the eyes of the system. Must run as Administrator.
python sysmon_monitor.pyfileless/
├── api/ # FastAPI Backend & Database Logic
│ ├── main.py
│ ├── models.py
│ └── database.py
├── evaluate/ # Model Evaluation Scripts
├── models/ # Trained AI Models (BERT/Llama)
├── tool/ # External Tools (Optional location)
├── app.py # Streamlit Dashboard
├── sysmon_monitor.py # Main Monitoring Agent
├── memory_dumper.py # ProcDump Wrapper
├── windbg_tool.py # WinDBG Wrapper
├── inference_pipeline.py# AI Inference Logic
└── requirements.txt # Dependencies
Llama:
BERT:
- PowerShell Abuse:
powershell -enc ...,powershell -nop -w hidden - LOLBins:
mshta.exe,rundll32.exe,regsvr32.exe - Injection: Code injection into
explorer.exeorsvchost.exe - C2 Beaconing: Suspicious DNS queries to known bad TLDs.
Argus is open-source software licensed under the MIT License.