Open-source research prototype — on-device network anomaly detection (v0.1.0)
Vigilo learns what "normal" looks like for every device on your network from Zeek connection metadata (conn.log) — who talked to whom, when, and how much. When a device starts scanning ports, beaconing to a C2 server, or participating in a flood, Vigilo flags it without signatures, without cloud dependencies, and without sending traffic off your network. Payload contents (e.g. HTTPS bodies) are not inspected.
Status: v0.1.0 research prototype — IoT-23 lab benchmarks are documented; field validation on home/enterprise networks is ongoing.
Vigilo reads Zeek conn.log files or converts pcap captures via tshark/Zeek. Works with passive taps (switch SPAN/mirror), gateway Zeek (pfSense/OPNsense), or lab MITM capture scripts.
Traffic is grouped into 5-minute behavioral windows per device. Each window captures 15 features: connection counts, byte volumes, port distributions, protocol ratios, and timing patterns.
A ~1.3M parameter Mamba-2 state-space model predicts the next behavioral window based on the device's history. The model is trained only on benign traffic — it learns "normal."
Anomaly is measured as forecast error. If the device's actual behavior is far from what the model predicted, the surprise score is high — indicating abnormal behavior.
A dedicated beaconing detector identifies stealthy periodic C2 channels that volume-based detection might miss. Results from both detectors are combined for the final verdict.
Trained on benign honeypot captures (29 benign devices). Evaluated on every malware family in IoT-23 including Mirai, Okiru, Torii, Gagfyt, Hajime, and Kenjiro. IoT-23 is lab data — not yet validated on live home or enterprise networks.
| Metric | Value |
|---|---|
| Detection @ ~1% FPR | 75% (15/20 infected devices) |
| Benign baseline (device peak) | p95 = 1.93, max = 1.97 |
| Training data | Benign traffic only, 29 devices |
| Model size | ~1.3M params, CPU, fully local |
All loud attacks — port scans, DDoS/flooding, noisy botnet C&C. These score far above the benign ceiling:
5 of 20 infected devices were missed — all stealthy, low-volume C&C:
The forecaster uses a Mamba-2 Structured State Space model — O(1) memory per step, hardware-optimized scan, ideal for streaming time-series data on resource-constrained devices.
Native Zeek conn.log parsing with automatic pcap-to-conn.log conversion via tshark. Works with existing network taps and monitoring infrastructure.
Each 5-minute window captures connection counts, byte volumes, port entropy, protocol distribution, and timing patterns per device.
Measures inter-connection interval regularity (coefficient of variation) to detect periodic C2 beaconing — stealthy callback patterns that volume-based detection may miss.
Local web UI with per-device verdicts and scores. JSON API at /api/results for integration; refresh re-analyzes the configured log file.
One-command deployment via Docker Compose. Configurable via environment variables for log paths, checkpoints, worker counts, and bind addresses.
Recommended production path: passive capture via switch SPAN/mirror or gateway Zeek. Optional Bettercap MITM scripts exist for lab testing on networks you own (disruptive; not recommended for production). Full wiring guide: SPAN / gateway deployment docs on GitHub.
pip install -e .python scripts/generate_demo_data.pyvigilo serve# http://127.0.0.1:8088
cp .env.span.example .env# CAPTURE_IFACE=eth1 (mirror NIC)docker compose --profile span up -d
cp .env.example .envmake build && make up# Dashboard at http://127.0.0.1:8088
vigilo train --logs data/benign.conn.log \ --output-dir checkpoints/vigilovigilo detect --log suspect.conn.log \ --ckpt checkpoints/vigilo/vigilo.pt
| Variable | Default | Description |
|---|---|---|
VIGILO_LOG | data/demo/sample.conn.log | Path to the conn.log to analyze |
VIGILO_CKPT | checkpoints/demo/vigilo.pt | Trained model checkpoint |
VIGILO_HOST | 0.0.0.0 | Dashboard bind address |
VIGILO_PORT | 8088 | Dashboard port |
VIGILO_WORKERS | 2 | Gunicorn worker count |
VIGILO_TIMEOUT | 120 | Request timeout (seconds) |
Vigilo is free and open source under the Apache 2.0 license. Clone the repository, run the demo locally, and audit the code — connection metadata stays on your network.
100% on-device · no cloud, ever · your traffic never leaves your network
Read our research on the Mamba-2 architecture powering Vigilo, or learn more about IoT threats on our blog.