Show HN: Deft-Intruder – Real-time malware detection daemon for Linux (github.com)

🤖 AI Summary
DEFT-Intruder is an open-source, lightweight Linux daemon that performs real-time heuristic and ML-driven malware detection by continuously scanning /proc for new processes. It combines a Random Forest classifier (trained on the EMBER 2018 dataset) with rule-based heuristics to score binaries and take configurable actions—log, alert, block (SIGKILL), or quarantine. Because it inspects userland executables rather than relying on eBPF or kernel modules, it runs on virtually any Linux distribution and can be installed as a systemd service (GPLv3, GitHub repo).

Technically, DEFT extracts ~256 discriminative features from ELF/PE files (entropy, section flags, imports, byte histograms, packing indicators), runs a compact Random Forest (exportable to embedded C; default: 10 shallow trees, ~50KB model), and blends ML and heuristic scores (default weighting ML 0.7 / heuristics 0.3). Claimed runtime performance is minimal—~20MB RSS, <1ms scan latency per process, <1% idle CPU—with reported detection >95% on EMBER test data and <1% false positives on common Linux binaries.

Practical notes: root is required to block processes, whitelist support is available, and accuracy depends on training data and thresholds, so it is best used as one layer in a defense-in-depth strategy.
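To make the pipeline the summary describes concrete (static features from an ELF image, a rule-based heuristic score, a weighted blend with the classifier's score, and a mapped action), here is an added illustration. It is not DEFT-Intruder's code: only the 0.7/0.3 blend weighting comes from the summary above; the specific heuristic rules, the action thresholds, the 16-bin histogram, and the `build_sample_elf` helper that constructs a minimal ELF64 image for offline testing are assumptions made for this example. The ML score is taken as an input parameter, standing in for whatever the project's Random Forest would return.

```python
"""Illustrative ELF feature extraction and score blending (not DEFT-Intruder's code)."""
import math
import struct
from collections import Counter

# Section header flag bits from the ELF specification.
SHF_WRITE = 0x1
SHF_EXECINSTR = 0x4

# The 0.7/0.3 weighting is the default the summary quotes; the action
# thresholds below are illustrative assumptions, not the project's values.
ML_WEIGHT = 0.7
HEURISTIC_WEIGHT = 0.3
ACTION_THRESHOLDS = [(0.9, "block"), (0.7, "quarantine"), (0.5, "alert"), (0.0, "log")]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole image; values near 8.0 suggest packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def byte_histogram(data: bytes, bins: int = 16) -> list[float]:
    """Normalized coarse byte histogram: 16 buckets of 16 byte values each."""
    hist = [0] * bins
    for b in data:
        hist[b * bins // 256] += 1
    n = max(len(data), 1)
    return [h / n for h in hist]


def elf64_section_flags(data: bytes) -> list[int]:
    """Return sh_flags for each section of a little-endian ELF64 image, or [] if it is not one."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return []
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]          # section header table offset
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    flags = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if e_shentsize < 64 or off + 64 > len(data):           # truncated or malformed table
            break
        flags.append(struct.unpack_from("<Q", data, off + 8)[0])  # sh_flags is at +8
    return flags


def heuristic_score(data: bytes) -> float:
    """Rule-based score in [0, 1] from two assumed indicators: W+X sections and high entropy."""
    flags = elf64_section_flags(data)
    wx = sum(1 for f in flags if f & SHF_WRITE and f & SHF_EXECINSTR)
    score = 0.0
    if wx:
        score += 0.6                      # writable and executable section
    if shannon_entropy(data) > 7.0:
        score += 0.4                      # near-random bytes: packing indicator
    return min(score, 1.0)


def blend(ml_score: float, heur_score: float) -> float:
    """Weighted combination of classifier probability and heuristic score."""
    return ML_WEIGHT * ml_score + HEURISTIC_WEIGHT * heur_score


def decide(final_score: float) -> str:
    """Map the blended score to the highest action whose threshold it meets."""
    for threshold, action in ACTION_THRESHOLDS:
        if final_score >= threshold:
            return action
    return "log"


def build_sample_elf(section_flags: list[int], payload: bytes = b"") -> bytes:
    """Constructed ELF64 header plus a section header table (and optional payload) for testing."""
    shoff = 64
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0,
                                 64, 0, 0, 64, len(section_flags), 0)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", 0, 1, f, 0, 0, 0, 0, 0, 1, 0)
                     for f in section_flags)
    return ehdr + shdrs + payload


if __name__ == "__main__":
    # Constructed samples: a zero-filled image with an R+X section, and a W+X image
    # with a uniform byte payload standing in for a packed blob.
    benign = build_sample_elf([0, SHF_EXECINSTR], b"\x00" * 512)
    packed = build_sample_elf([0, SHF_WRITE | SHF_EXECINSTR], bytes(range(256)) * 8)
    for name, blob in (("benign", benign), ("packed", packed)):
        h = heuristic_score(blob)
        final = blend(0.5, h)             # 0.5 stands in for the classifier's output
        print(name, elf64_section_flags(blob), round(shannon_entropy(blob), 2),
              h, round(final, 2), decide(final))
```

Running it shows the point the summary makes about thresholds: with the same stand-in classifier score of 0.5, the heuristic alone moves the benign image to "log" and the W+X, high-entropy image to "alert", so tuning the heuristic rules and action thresholds changes the false-positive rate independently of the model.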