What it does
Kavach SIEM is a host-based defensive monitor for a single machine. It continuously streams real-time hardware, network and process-level telemetry from the host and scores every running process against a multi-weighted behavioral threat risk matrix. Today it alerts rather than intervenes (see What's next).
Live ingestion pipelines: sample running processes, sudden CPU and memory spikes, and socket state, such as new listening ports bound on the host.
Heuristic risk scoring: computes an asset risk score from 0 to 100 from process behavior and access patterns on sensitive system files.
Interactive command center: gives security analysts a live, auto-refreshing UI with infrastructure dials and a prioritized threat stream so malicious activity can be tracked as it happens.
🛠️ How we built it
The application is a multithreaded Python service designed to keep its CPU footprint small while covering as much of the host as possible:
The telemetry engine: uses the psutil library to take snapshots of CPU state, per-process threads, memory footprint and open socket state.
Multithreading core: built on the standard threading module with queue.Queue as the hand-off buffer, so the intake sensors are isolated from the parsing engine. queue.Queue is thread-safe; with an unbounded queue no sample is lost under load at the cost of memory growth, while a bounded queue has to count what it drops.
The web console: a Streamlit frontend that reruns on a timer, refreshing the dashboard every 2 seconds by polling, with no custom JavaScript or WebSocket layer.
Challenges we ran into
Thread contention and race conditions: several sensors inspecting the host at the same time clashed over shared state. We solved this by never sharing mutable objects between threads: each sensor pushes a complete snapshot dictionary onto a single thread-safe queue.Queue, and one consumer reads them in order, so no thread ever mutates another's data.
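The sensor-thread and queue layout described under "The Telemetry Engine", "Multithreading Core" and the race-condition fix above, as an added example that is not Kavach's own code. psutil is deliberately not imported so the block runs anywhere: the two sensor functions are constructed stand-ins for the psutil calls a real sensor would make. Snapshots are wrapped in MappingProxyType so the consumer cannot mutate them, and the bounded-queue path shows what "no logs drop" actually costs: either memory (unbounded) or a drop counter (bounded).

```python
import queue
import threading
import time
from types import MappingProxyType

# Constructed sensors standing in for psutil calls (assumption: a real sensor
# would return e.g. psutil.cpu_percent() or psutil.net_connections() here).
def fake_cpu_sensor():
    return {"cpu_percent": 12.5, "load_1m": 0.8}

def fake_net_sensor():
    return {"listening_ports": (22, 8501)}

SENTINEL = None  # pushed once per sensor so the consumer knows when all are done


def run_sensor(name, sample_fn, out_q, rounds, dropped):
    """Producer thread body: take `rounds` samples and push each as a read-only
    snapshot. put_nowait on a bounded queue surfaces backpressure as a counted
    drop instead of silently growing memory or blocking the sensor."""
    for seq in range(rounds):
        snap = MappingProxyType({"sensor": name, "seq": seq,
                                 "ts": time.monotonic(), **sample_fn()})
        try:
            out_q.put_nowait(snap)
        except queue.Full:
            dropped[name] = dropped.get(name, 0) + 1  # one writer thread per key


def run_consumer(in_q, sink, n_sensors):
    """Single consumer: the only thread that reads the queue, so parsing never
    races with sampling. Exits after one SENTINEL per sensor."""
    ends = 0
    while ends < n_sensors:
        item = in_q.get()
        if item is SENTINEL:
            ends += 1
        else:
            sink.append(item)


def run_pipeline(sensors, rounds=5, maxsize=0):
    """Wire one thread per sensor plus one consumer. maxsize=0 means unbounded
    (no drops, but memory can grow under load); a positive maxsize bounds it."""
    q = queue.Queue(maxsize=maxsize)
    sink, dropped = [], {}
    consumer = threading.Thread(target=run_consumer, args=(q, sink, len(sensors)))
    consumer.start()

    def sensor_main(name, fn):
        run_sensor(name, fn, q, rounds, dropped)
        q.put(SENTINEL)  # blocking put: the end marker must never be dropped

    workers = [threading.Thread(target=sensor_main, args=(n, f)) for n, f in sensors.items()]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    consumer.join()
    return sink, dropped


def latest_state(sink):
    """Reduce the ordered stream to the newest snapshot per sensor, which is
    what a polling dashboard such as a Streamlit page would render."""
    latest = {}
    for snap in sink:
        cur = latest.get(snap["sensor"])
        if cur is None or snap["seq"] > cur["seq"]:
            latest[snap["sensor"]] = snap
    return latest


def is_read_only(snap):
    """True if the consumer cannot mutate the snapshot it received."""
    try:
        snap["seq"] = -1
    except TypeError:
        return True
    return False


def demo_drop_path():
    """Failure mode: a size-1 queue with no consumer keeps the first snapshot
    and counts the other two as dropped."""
    q = queue.Queue(maxsize=1)
    dropped = {}
    run_sensor("cpu", fake_cpu_sensor, q, 3, dropped)
    return dropped


if __name__ == "__main__":
    stream, drops = run_pipeline({"cpu": fake_cpu_sensor, "net": fake_net_sensor}, rounds=4)
    print(len(stream), "snapshots,", drops or "no drops")
    for name, snap in latest_state(stream).items():
        print(name, dict(snap))
    print("bounded queue without consumer:", demo_drop_path())
```

The design point is that the sensors and the parser share exactly one object, the queue, and everything that crosses it is a fresh read-only mapping; that is what removes the race rather than any lock around a shared dictionary.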
Cloud dependency resolution: when deploying to the cloud we hit an immediate hurdle with psutil missing from the remote environment. Under extreme time constraints we resolved it with a clean, decoupled requirements.txt so the platform installs psutil at launch (building its native extension from source where no prebuilt wheel exists).
Distinguishing bad from heavy applications: normal production tools often look like malware by spiking resources. We implemented multi-weighted rules so a resource spike only contributes to a threat flag when it correlates with suspicious metadata, such as binding privileged ports, process names that break expected naming conventions, or reads of sensitive system files.
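The multi-weighted scoring described under "Heuristic Risk Scoring" and in the heavy-versus-bad challenge above, as an added example that is not Kavach's rule set. The thresholds, weights, trusted paths and the four process snapshots are assumptions constructed for illustration; the "naming convention" rule is implemented here as a mismatch between the process name and its executable's basename, which is one common choice, not necessarily the project's. Metadata signals score on their own, and a resource spike adds weight only when at least one metadata signal is present.

```python
from __future__ import annotations
import os
from dataclasses import dataclass

# Assumed thresholds and weights for illustration only.
CPU_SPIKE_PCT = 80.0
MEM_SPIKE_MB = 2048.0
FLAG_THRESHOLD = 60
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh/")
TRUSTED_EXE_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/opt/")
PRIVILEGED_PORTS = range(1, 1024)


@dataclass(frozen=True)
class ProcSnapshot:
    """One immutable per-process sample, as a sensor thread would push it."""
    pid: int
    name: str           # what ps shows
    exe: str            # resolved executable path
    cpu_percent: float
    mem_mb: float
    listening_ports: tuple[int, ...] = ()
    open_files: tuple[str, ...] = ()


def score(snap: ProcSnapshot) -> tuple[int, list[str]]:
    """Weighted rules. A spike is worth 30 only when it co-occurs with a
    metadata signal; on its own it is a 'heavy but clean' note worth 5."""
    reasons: list[str] = []
    meta = 0
    if any(f.startswith(SENSITIVE_PATHS) for f in snap.open_files):
        meta += 60
        reasons.append("sensitive file access")
    if any(p in PRIVILEGED_PORTS for p in snap.listening_ports):
        meta += 20
        reasons.append("privileged port bound")
    if not snap.exe.startswith(TRUSTED_EXE_PREFIXES):
        meta += 25
        reasons.append("binary outside trusted paths")
    if os.path.basename(snap.exe) != snap.name:
        meta += 15
        reasons.append("process name does not match executable")

    spike = snap.cpu_percent >= CPU_SPIKE_PCT or snap.mem_mb >= MEM_SPIKE_MB
    total = meta
    if spike and meta:
        total += 30
        reasons.append("resource spike correlated with suspicious metadata")
    elif spike:
        total += 5
        reasons.append("resource spike, no suspicious metadata (likely heavy app)")
    return min(total, 100), reasons


def is_threat(snap: ProcSnapshot) -> bool:
    return score(snap)[0] >= FLAG_THRESHOLD


def triage(snaps) -> list[tuple[int, ProcSnapshot, list[str]]]:
    """Prioritised stream: highest score first, as the dashboard would list it."""
    ranked = []
    for s in snaps:
        total, why = score(s)
        ranked.append((total, s, why))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed snapshots (not real captures).
HEAVY_BUILD = ProcSnapshot(4101, "gcc", "/usr/bin/gcc", 95.0, 3000.0,
                           open_files=("/home/ci/build/main.c",))
LEGIT_SSHD = ProcSnapshot(812, "sshd", "/usr/sbin/sshd", 0.5, 12.0,
                          listening_ports=(22,), open_files=("/etc/ssh/sshd_config",))
MASQUERADE = ProcSnapshot(6677, "sshd", "/tmp/.x/kworker", 98.0, 80.0,
                          listening_ports=(4444,))
SHADOW_READER = ProcSnapshot(7012, "cat", "/usr/bin/cat", 1.0, 2.0,
                             open_files=("/etc/shadow",))
SAMPLES = (HEAVY_BUILD, LEGIT_SSHD, MASQUERADE, SHADOW_READER)

if __name__ == "__main__":
    for total, snap, why in triage(SAMPLES):
        flag = "THREAT" if total >= FLAG_THRESHOLD else "ok"
        print(f"{total:3d} {flag:6s} pid={snap.pid} {snap.name:<6} {'; '.join(why)}")
```

With these weights the compiler pegging a core scores 5, a legitimate sshd on port 22 scores 20, a process calling itself sshd but running from /tmp at 98% CPU scores 70, and a quiet read of /etc/shadow scores 60: the last case is deliberately flagged without any spike, because some metadata signals are serious on their own.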
Accomplishments that we're proud of
Engineered a non-blocking, multithreaded logging pipeline from scratch that does not stall the application's runtime or compromise performance.
Kept the logic-processing core free of commercial frameworks (it is built on the standard library plus psutil), so the tool stays fast, modular and deployable in seconds on any developer workstation.
Transformed a dense, technical command-line stream into a clean, human-scannable dashboard suitable for an enterprise Security Operations Center (SOC).
What we learned
Non-blocking design is king: with continuously streaming data points (real-time CPU samples, active port bindings), careful thread management and a non-blocking execution model are essential.
Cloud deployment realities: a managed cloud runtime starts from a bare image, so every dependency, especially one with native extensions such as psutil, must be declared explicitly for the platform to install at build time.
What's next for Kavach
Active automated remediation: move from passive alerting to active defense with functions that quarantine flagged processes (psutil's Process.kill()) or block malicious IPs. Two checks have to come first: the agent needs privilege over the target process, and because a heuristic score can be wrong and a pid can be reused, kills must be gated by an allowlist of critical processes and a pid-identity check (for example comparing the process start time recorded at scoring time).
Decentralized multi-node scaling: expand the backend so a central Kavach control panel can aggregate metric streams from hundreds of distinct server nodes at once across a cloud environment.