PKU Computer Science · OS Lab

SysArmor

Next-Generation Intelligent Endpoint Detection and Forensics System

Hardware-System-Software Co-Design · Comprehensive Audit · Real-time Detection · Semantic Analysis

System Demo

Experience SysArmor in Action

Dashboard: real-time system monitoring and threat landscape

Threat Alerts: intelligent detection of anomalies and security events

Attack Forensics: semantic-level attack behavior understanding

Real-time Monitoring · Intelligent Detection · Deep Forensics · High Performance

System Architecture

Modular Design with End-to-End Data Flow

graph LR
    A[Collector] -->|Events| B[Middleware]
    B -->|Stream| C[Processor]
    C -->|Alerts| D[Indexer]
    E[Manager] -.->|Manage| A
    E -.->|Manage| B
    E -.->|Manage| C
    E -.->|Query| D
    F[ML Services] -.->|Enhance| C

    style A fill:#dbeafe,stroke:#3b82f6,stroke-width:3px
    style B fill:#d1fae5,stroke:#10b981,stroke-width:3px
    style C fill:#fef3c7,stroke:#f59e0b,stroke-width:3px
    style D fill:#fecaca,stroke:#ef4444,stroke-width:3px
    style E fill:#e9d5ff,stroke:#9f7aea,stroke-width:3px
    style F fill:#fef3c7,stroke:#f59e0b,stroke-width:3px

Platform Infrastructure

Data Middleware

Vector + Kafka for standardized data ingestion

Stream Processing

Flink for real-time event transformation

Index Storage

OpenSearch for alert indexing and retrieval

Control Plane

Manager API for unified orchestration

Web Interface

Alert visualization and operations

Monitoring

Prometheus system monitoring

High Performance

Distributed stream processing for massive data

Modular Design

Loosely coupled architecture for easy extension

Enterprise Ready

Mature open-source components, production-tested

Core Capabilities

Three Major Breakthroughs in Hardware-System-Software Co-Design

Comprehensive Audit

Hardware-System Co-Design

Achieve comprehensive and secure system log collection through hardware offloading and secure resource isolation

NoDrop: Multi-threaded secure collection
DPUaudit: Hardware-assisted audit

Real-time Detection

System-Software Co-Design

Leverage Steiner tree abstraction and threat intelligence knowledge base for accurate threat detection

NodLink: First online provenance detection
Order-of-magnitude accuracy improvement

Enhanced Analysis

Semantic Threat Understanding

Achieve semantic-level threat behavior understanding through attack lifecycle modeling and LLM integration

KnowHow: Attack behavior understanding
Natural language report generation

99.9% Log Completeness
10x Detection Accuracy
<5% Performance Overhead
8+ Top-tier Papers

Roadmap

From Agentless to Agent + ML Solution

v0.3.0 · 2026-02 · Current

Platform Upgrade

  • Full Windows ETW support
  • Threat management API integration
  • OpenSearch threat templates
  • Dashboard real-time query optimization
v0.2.0 · 2026-01 · Released

Armory Architecture

  • Core/Components architecture
  • NODLINK and Rules tutorials
  • NetworkX and Flink graph builders
  • Unified evaluation framework
v0.1.5 · 2025-12 · Released

Armory Toolkit

  • Armory detector framework
  • ETL pipeline and data models
  • CLI tools and HTTP service
  • Graph visualization and evaluation
v0.1.0 · 2025-10 · Released

Agentless Foundation

  • Zero-intrusion via rsyslog/auditd
  • Kafka + Flink + OpenSearch pipeline
  • Falco rule engine detection
  • Web Dashboard and REST API

Design Principles

Unified Model

Shared data format and interface between Agentless and Agent

Progressive Evolution

Smooth transition from quick deployment to deep collection

Open Extension

Support for open-source components like Wazuh

Future Vision

Build a world-leading intelligent endpoint security platform through continuous innovation in hardware-system-software co-design, providing more powerful and intelligent security protection.

Research Foundation

System Security Research by PKU OS Lab

NoDrop

USENIX Security 2023

Secure and trustworthy provenance log collection with multi-threaded architecture

ProvWeb

IEEE TDSC 2023

Malicious website detection from a system provenance perspective, F1 score 93.7%~99.7%

NodLink

NDSS 2024

First online provenance detection system for efficient real-time APT attack detection

DPUaudit

HPCA 2025

DPU-assisted near-zero-cost system auditing with pull-based architecture

RT-NoDrop

RTSS 2025

Predictable and secure system auditing for real-time systems

ProvAudit

IEEE TDSC 2025

Enhancing advanced privacy inference through system provenance data

Query Provenance Analysis

S&P 2025

Efficient and robust defense against query-based black-box attacks

KnowHow

NDSS 2026

Real-time APT attack behavior understanding based on attack lifecycle modeling

Peking University OS Lab

Long-term research on OS security in ubiquitous computing, achieving breakthroughs in system provenance analysis, attack detection and defense, and AI system security.
