[r/MachineLearning]
Isolation Forest + eBPF events to create a Linux based endpoint detection system [P]
April 23, 2026
**Guardd** is an open-source Linux host-based intrusion detection system that combines eBPF-collected exec/network events with an unsupervised Isolation Forest model, aggregating syscall telemetry into 60-second feature windows scored against a percentile-based anomaly threshold trained on baseline behavior.
The unsupervised approach means no labeled attack data is required for deployment, which lowers the barrier for individual operators or small teams without security datasets. The core ML risks are concept drift and threshold sensitivity: an Isolation Forest with a static percentile cutoff will degrade as normal system behavior evolves, and the feature set (event counts, unique process/IP/port cardinality, parent-child ratios) is relatively shallow, so low-and-slow attacks or living-off-the-land techniques that blend into baseline distributions may score as normal.
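A miniature version of that pipeline, written for this post rather than taken from Guardd: it buckets constructed exec/network events into 60-second windows, builds the count, cardinality and parent-ratio features named above, fits a small from-scratch Isolation Forest on every window observed (no labels), and sets the alert cutoff at the 99th percentile of scores over the first 30 windows treated as the baseline period. The event field names, the "distinct parents per exec" definition of the parent-child ratio, and the sample sizes are assumptions.

```python
import math, random
def make_events(seed=7):  # constructed telemetry; field names are assumptions, not Guardd's schema
    rng, ev = random.Random(seed), []
    E = lambda **kw: ev.append(kw)
    for w in range(30):  # 30 quiet baseline minutes: routine execs under two parents, little traffic
        for _ in range(rng.randint(6, 14)):
            E(ts=w * 60 + rng.randint(0, 59), kind="exec", ppid=rng.choice([1, 900]), comm=rng.choice(["sh", "ls", "cat", "sed"]))
        for _ in range(rng.randint(1, 3)):
            E(ts=w * 60 + rng.randint(0, 59), kind="net", port=443, ip=rng.choice(["10.0.0.5", "10.0.0.6"]))
    for i in range(200):  # minute 31: burst of never-seen binaries, parents, peers and ports
        E(ts=1800 + i % 60, kind="exec", ppid=30000 + i, comm=f"bin{i}")
        E(ts=1800 + i % 60, kind="net", port=1024 + i, ip=f"192.0.2.{i}")
    return ev
def window_features(events, width=60):  # per window: counts, cardinalities, distinct parents per exec
    rows = []
    for k in sorted({e["ts"] // width for e in events}):
        w = [e for e in events if e["ts"] // width == k]
        ex, net = [e for e in w if e["kind"] == "exec"], [e for e in w if e["kind"] == "net"]
        rows.append([len(ex), len(net), len({e["comm"] for e in ex}), len({e["ip"] for e in net}),
                     len({e["port"] for e in net}), len({e["ppid"] for e in ex}) / max(len(ex), 1)])
    return rows

def c(n):  # expected unsuccessful-search path length in a BST of n points (the iForest normaliser)
    return 0.0 if n <= 1 else 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n
def build_tree(X, depth, max_depth, rng):  # random cut on a non-constant feature; a leaf stores its size
    feats = [] if len(X) <= 1 else [f for f in range(len(X[0])) if len({x[f] for x in X}) > 1]
    if depth >= max_depth or not feats:
        return len(X)
    f = rng.choice(feats)
    s = rng.uniform(min(x[f] for x in X), max(x[f] for x in X))
    return (f, s, build_tree([x for x in X if x[f] < s], depth + 1, max_depth, rng),
            build_tree([x for x in X if x[f] >= s], depth + 1, max_depth, rng))
def path_len(node, x, depth=0):  # depth at which x is isolated, plus c(size) for an unsplit leaf
    if isinstance(node, int):
        return depth + c(node)
    f, s, left, right = node
    return path_len(left if x[f] < s else right, x, depth + 1)
def anomaly_score(trees, psi, x):  # near 1.0 = isolated almost at the root, around 0.5 = ordinary
    return 2 ** (-sum(path_len(t, x) for t in trees) / len(trees) / c(psi))
def percentile_threshold(scores, pct=99.0):  # nearest-rank percentile of the baseline scores
    return sorted(scores)[max(0, math.ceil(pct / 100 * len(scores)) - 1)]

def run_demo(n_trees=100, seed=1):
    rows = window_features(make_events())
    rng, n = random.Random(seed), len(rows)  # label-free fit on every window seen so far
    trees = [build_tree(rng.sample(rows, n), 0, math.ceil(math.log2(n)), rng) for _ in range(n_trees)]
    scores = [anomaly_score(trees, n, x) for x in rows]
    thr = percentile_threshold(scores[:30])  # cutoff learned from the 30 baseline windows only
    return thr, [(i, round(s, 3)) for i, s in enumerate(scores) if s > thr]
```

Only the burst window (index 30) clears the cutoff; the drift risk noted above shows up here if the forest is later re-fit on a history that already contains such activity, since it then becomes part of "normal" and the static percentile stops flagging it.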