Inline network security platform built on eBPF/XDP. Combines ONNX-based ML, temporal beaconing detection, correlation heuristics, and Suricata eve.json alerts in one fusion path, drives SOAR playbooks, and writes every decision into a WORM audit chain.
- Data plane — eBPF / XDP / AF_XDP (aya, xsk-rs)
- Detection — Rust + tract-onnx for ML, custom temporal / graph engines, Suricata eve.json ingest
- Control plane — actix-web REST + WebSocket, SQLite + SQLCipher, argon2 / JWT / CSRF, per-playbook SOAR
- Frontend — Vue 3 + Pinia + Vue-i18n (en / zh-TW / zh-CN / ja)
- Architecture — hexagonal-ish Rust workspace: domain/ · interface/ · core/ · adapter/ · infrastructure/
NetGuardia sits inline between network segments, observes traffic, detects threats, and applies policy or automated response from one control plane.
- Live security overview with threat counts, traffic rate, system health, recent alerts, and SOAR activity.
- Per-IP traffic statistics for bytes, packets, last-seen time, direction, address family, and source/destination views.
- Network and attack maps for geographic flow visualization and attack-source distribution.
- Flow trace recording for offline training, incident review, and audit workflows.
- ML-assisted traffic detection using ONNX models (executed through tract-onnx) behind a pipeline adapter.
- Multi-source fusion across ML signals, temporal beaconing, correlation heuristics, and Suricata eve.json alerts.
- Alert details with confidence, anomaly score, classifier score, connection metadata, protocol, source, and destination.
- Drift detection and audit events for model behavior changes.
- BYO model upload, validation, promotion, and offline mode for custom pipeline bundles.
- IPv4 and IPv6 access-control lists with blacklist and whitelist support.
- GeoIP country blocking for region-based policy.
- DNS blacklist filtering for suspicious domains.
- HTTP and SSH protocol/service access rules.
- Packet, SYN, UDP, and DNS rate limits for DDoS-oriented controls.
- Real-time drop monitor for intercepted packet events.
- SOAR playbooks with triggers, conditions, cooldowns, and response actions.
- Dry-run mode for testing playbook behavior before enabling automation.
- Execution history for automated actions such as IP blocks.
- SOAR whitelist and active auto-block tracking.
- WORM-style audit log with chain verification for administrative and detection events.
- Live log stream with level filtering, search, follow/pause, and archived log download.
- Security report with threat breakdown, SOAR summary, system health, PDF download, and email delivery.
- User, group, RBAC permission, and API key management.
- System health dashboard for CPU, memory, temperature, OS, NIC counters, engine mode, and boot time.
- Runtime settings for general mode, network interfaces, notifications, detection, threat analysis, SOAR, and system integrations.
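The playbook bullets above (triggers, conditions, cooldowns, dry-run, whitelist, active auto-block tracking, execution history) describe gates that interact in a specific order. The following is an added example, not NetGuardia's own code or schema: a minimal evaluator that runs a constructed alert stream through one playbook. The alert source names, the 0.8 confidence threshold, the 300 s cooldown and the sample IPs (documentation prefixes) are assumptions made for illustration.

```rust
// Added example, not NetGuardia's own code: a minimal SOAR playbook evaluator
// showing how trigger, condition, whitelist, cooldown and dry-run interact on
// a stream of fused alerts. Source names, thresholds and the block action are
// illustrative assumptions; the project's real playbook schema is not shown here.
use std::collections::HashMap;
use std::net::IpAddr;

#[derive(Debug, Clone, PartialEq)]
pub enum Decision {
    Skipped(&'static str), // which gate stopped the playbook
    WouldBlock(IpAddr),    // dry run: recorded in history, nothing enforced
    Blocked(IpAddr),       // action applied (here: an auto-block on the source)
}

pub struct Alert {
    pub source: &'static str, // fusion input: "ml", "beacon", "correlation", "suricata"
    pub src_ip: IpAddr,
    pub confidence: f64,      // fused confidence, 0.0 to 1.0
    pub ts: u64,              // seconds since epoch
}

pub struct Playbook {
    pub trigger_sources: Vec<&'static str>, // which alert sources fire this playbook
    pub min_confidence: f64,                // condition: act only at or above this score
    pub cooldown_secs: u64,                 // suppress repeat actions per target
    pub dry_run: bool,                      // evaluate and log, but do not enforce
}

pub struct Engine {
    playbook: Playbook,
    whitelist: Vec<IpAddr>,              // never auto-block these (SOAR whitelist)
    active_blocks: HashMap<IpAddr, u64>, // target -> time of last action
    pub history: Vec<Decision>,          // execution history, including skips
}

impl Engine {
    pub fn new(playbook: Playbook, whitelist: Vec<IpAddr>) -> Self {
        Engine { playbook, whitelist, active_blocks: HashMap::new(), history: Vec::new() }
    }

    pub fn handle(&mut self, a: &Alert) -> Decision {
        let d = self.evaluate(a);
        self.history.push(d.clone());
        d
    }

    // Gates run cheapest-first; the whitelist is checked before the cooldown
    // so a whitelisted host never appears in active_blocks.
    fn evaluate(&mut self, a: &Alert) -> Decision {
        if !self.playbook.trigger_sources.contains(&a.source) {
            return Decision::Skipped("trigger");
        }
        if a.confidence < self.playbook.min_confidence {
            return Decision::Skipped("condition");
        }
        if self.whitelist.contains(&a.src_ip) {
            return Decision::Skipped("whitelist");
        }
        if let Some(&last) = self.active_blocks.get(&a.src_ip) {
            if a.ts.saturating_sub(last) < self.playbook.cooldown_secs {
                return Decision::Skipped("cooldown");
            }
        }
        // Cooldown state is tracked in dry-run too, so a dry run predicts exactly
        // what live mode would have done with the same alert stream.
        self.active_blocks.insert(a.src_ip, a.ts);
        if self.playbook.dry_run { Decision::WouldBlock(a.src_ip) } else { Decision::Blocked(a.src_ip) }
    }
}

/// Constructed alert stream using documentation prefixes (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32).
pub fn run(dry_run: bool) -> Vec<Decision> {
    let ip = |s: &str| s.parse::<IpAddr>().unwrap();
    let playbook = Playbook {
        trigger_sources: vec!["ml", "beacon", "suricata"],
        min_confidence: 0.8,
        cooldown_secs: 300,
        dry_run,
    };
    let mut eng = Engine::new(playbook, vec![ip("192.0.2.10")]);
    let alerts = [
        Alert { source: "ml", src_ip: ip("203.0.113.7"), confidence: 0.95, ts: 100 },
        Alert { source: "ml", src_ip: ip("203.0.113.7"), confidence: 0.90, ts: 130 },       // inside cooldown
        Alert { source: "suricata", src_ip: ip("198.51.100.9"), confidence: 0.50, ts: 140 }, // below threshold
        Alert { source: "beacon", src_ip: ip("192.0.2.10"), confidence: 0.99, ts: 150 },    // whitelisted
        Alert { source: "drift", src_ip: ip("2001:db8::1"), confidence: 0.99, ts: 160 },    // not a trigger
        Alert { source: "beacon", src_ip: ip("203.0.113.7"), confidence: 0.85, ts: 500 },   // cooldown expired
    ];
    for a in alerts.iter() { eng.handle(a); }
    eng.history
}

fn main() {
    for d in run(false) { println!("{:?}", d); }
}
```

Two design points worth carrying into any real playbook engine: skips are recorded in the history alongside actions, so an operator can see why an alert did not produce a block; and the cooldown map is updated in dry-run mode, otherwise a dry run would report a block for every repeat alert and overstate what automation would actually do.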