Jelvantrix/cybersecurity-lab-Cryptography-malware-analysis-ethical-hacking-forensics
GitHub: Jelvantrix/cybersecurity-lab-Cryptography-malware-analysis-ethical-hacking-forensics
SENTINEL is a local-first, modular, offline cyber defense operating system that consolidates scattered security data into an explainable, causally linked view to support threat detection, investigation, and response.
Stars: 0 | Forks: 0
**A system that can see itself.**
*Local intelligence. Living reality. Total clarity.*
SENTINEL is a modular, offline-autonomous, zero-budget cyber defense operating system built in Rust + TypeScript. It turns scattered telemetry into a coherent, time-aware, causally linked, explainable model of the system's reality, unified on a single local machine and fully under the defender's control.
## Architecture
SENTINEL is built on a 12-layer, event-driven architecture:
```
┌─────────────────────────────────────────────────────────┐
│ LAYER 12: Response Orchestration │
│ LAYER 11: Export and Packaging │
│ LAYER 10: UI Layer (React/TypeScript/Tauri) │
│ LAYER 9: Plugin Layer (WASM Sandbox) │
│ LAYER 8: Scoring and Explanation │
│ LAYER 7: Rule and Policy Layer │
│ LAYER 6: Graph and Timeline Layer │
│ LAYER 5: Correlation and Enrichment Layer │
│ LAYER 4: Normalization Layer │
│ LAYER 3: Storage Layer (SQLite + DuckDB + Parquet) │
│ LAYER 2: Ingestion Layer │
│ LAYER 1: Platform Core (Rust) │
└─────────────────────────────────────────────────────────┘
```
## Core Principles
1. **Local sovereignty first**: 100% offline functionality
2. **Evidence over opinion**: every claim is traceable to raw events
3. **Time is a first-class dimension**: all state is time-aware
4. **Relationships over volume**: the graph is the foundation of reasoning
5. **Explainability over black boxes**: every score has a reasoning chain
6. **Human-controlled automation**: no unilateral destructive actions
7. **The defensive boundary is absolute**: zero offensive capability
8. **Modular design**: every crate is independently testable
9. **Zero-budget viable**: runs on commodity hardware using only open-source components
10. **Stress-tested performance**: usable during real incidents
## Project Structure
```
sentinel-repo/
├── crates/
│ ├── sentinel-core/ # Event bus, engine, config
│ ├── sentinel-events/ # Canonical event schema (22 entity types)
│ ├── sentinel-ingestion/ # 6 log importers + auto-detection
│ ├── sentinel-normalization/ # Syslog, audit, EVTX, Zeek, procfs
│ ├── sentinel-storage/ # SQLite 16-table schema
│ ├── sentinel-search/ # Tantivy full-text search
│ ├── sentinel-graph/ # Process ancestry, trust graph, DOT/JSON
│ ├── sentinel-timeline/ # Replay engine, causality chains, ATT&CK phases
│ ├── sentinel-correlation/ # Lateral movement, beaconing detection
│ ├── sentinel-scoring/ # Risk scoring, explainability, trends
│ ├── sentinel-rules/ # Sigma rules + 8 advanced detectors
│ ├── sentinel-evidence/ # Immutable vault, SHA-256, audit log
│ ├── sentinel-response/ # Containment, quarantine, rollback
│ ├── sentinel-export/ # HTML/JSON/PDF reports, case bundles
│ ├── sentinel-plugin-sdk/ # Capability-based plugin sandbox
│ ├── sentinel-identity/ # Identity, auth, MFA tracking
│ ├── sentinel-assets/ # Asset inventory, criticality, software
│ ├── sentinel-baseline/ # Adaptive baselines, anomaly, peer groups
│ ├── sentinel-adapters-linux/ # procfs, syslog, inotify, conntrack, auditd
│ ├── sentinel-adapters-windows/ # ETW, registry, WMI, AMSI, prefetch
│ ├── sentinel-forensics/ # MFT, VSS, browser, email, shellbag, USB
│ ├── sentinel-intel/ # YARA, MITRE ATT&CK, JA3, DGA, THQL
│ ├── sentinel-analysis/ # Hypothesis, blast radius, campaign linker
│ ├── sentinel-hardening/ # CIS, NIST 800-53, STIG, drift tracker
│ ├── sentinel-analytics/ # DuckDB, Parquet, time-series queries
│ ├── sentinel-integrations/ # Zeek, Suricata, STIX/TAXII, OTLP, Splunk
│ ├── sentinel-deception/ # Honeypots, canary tokens, attacker profiling
│ ├── sentinel-sandbox/ # Isolated analysis, snapshot/rollback
│ ├── sentinel-ai/ # Isolation forest, NLP, malware classifier
│ ├── sentinel-ebpf/ # Kernel tracing, rootkit detection
│ ├── sentinel-attack-sim/ # Adversary emulation, attack path analysis
│ ├── sentinel-memory/ # Live memory forensics, injection detection
│ ├── sentinel-dpi/ # Deep packet inspection, covert channels
│ ├── sentinel-zero-trust/ # Continuous verification, micro-segmentation
│ ├── sentinel-supply-chain/ # SBOM, typosquatting, build integrity
│ ├── sentinel-autonomous/ # Self-healing, adaptive firewall, kill chain
│ ├── sentinel-recon/ # Subdomain enum, OSINT, fingerprinting
│ ├── sentinel-exploit/ # CVE patterns, exploit chains, payloads
│ ├── sentinel-webapp/ # OWASP Top 10, JWT/OAuth, API testing
│ ├── sentinel-network-attack/ # ARP, VLAN, DNS, wireless assessment
│ ├── sentinel-privesc/ # GTFOBins, kernel exploits, Potato, UAC
│ ├── sentinel-persistence/ # 20+ persistence techniques, evasion
│ ├── sentinel-social/ # Phishing simulator, pretexting
│ ├── sentinel-crypto-attack/ # Hash cracking, cipher analysis, TLS
│ ├── sentinel-cloud-pentest/ # AWS/Azure/GCP/K8s misconfiguration
│ └── sentinel-report-gen/ # CVSS, compliance mapping, narratives
├── apps/
│ └── desktop/ # Tauri v2 + React 18 desktop app (21 views)
├── rules/ # Detection & policy rules (YAML)
├── data/ # Sample data & test fixtures
├── docs/ # Architecture documentation
├── schemas/ # JSON schemas
├── scripts/ # Build & setup scripts
└── tests/ # Integration & E2E tests
```
## Tech Stack
| Component | Technology |
|-----------|-----------|
| Core engine | Rust + Tokio |
| Event processing | Tokio MPSC channels |
| Graph engine | Petgraph |
| Search index | Tantivy |
| Storage | SQLite (rusqlite) |
| Hashing | SHA-256 (sha2) |
| Analytics engine | DuckDB (analytical queries) |
| Export format | Parquet (cold storage) |
| Serialization | Serde JSON |
| Desktop app | Tauri v2 + React 18 + TypeScript |
| Bundler | Vite |
## Quick Start
### Prerequisites
- Rust 1.87+ (stable)
- Cargo
### Build
```
cargo build
```
### Run the tests
```
cargo test
```
### Run with sample data
```
cargo run -- --data-dir ./sentinel-data
```
## Build Phases
- **Phase 0** ✓: Infrastructure (core event bus, schema, storage, graph, normalization)
- **Phase 1** ✓: Local intelligence (timeline, process ancestry, network context, cases)
- **Phase 2** ✓: Evidence and reporting (vault, chain of custody, PDF export)
- **Phase 3** ✓: Detection and trust (baselines, anomaly detection, Sigma rules)
- **Phase 4** ✓: Response and simulation (containment, rollback, simulation lab)
- **Phase 5** ✓: Extension and ecosystem (multi-host, plugins, offline deployment)
## Core Data Flow
```
Collection → Normalization → Enrichment → Storage → Graph/Timeline
→ Correlation → Scoring/Explanation → Presentation → Feedback
```
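The flow above, carried through end to end on a small scale as an added example (this is not SENTINEL's own code): ingestion pushes constructed auth-log lines over a channel, normalization turns them into canonical events, storage orders them by event time, and a hypothetical correlation rule emits a finding whose score comes with a reasoning chain citing the raw event ids it was derived from. `std::sync::mpsc` stands in for the Tokio MPSC bus, and the event schema and the rule are simplified assumptions.

```rust
use std::collections::BTreeMap;
use std::sync::mpsc;
/// Canonical event as it leaves the normalization layer (constructed, simplified schema).
#[derive(Clone, Debug, PartialEq)]
pub struct Event { pub id: u64, pub ts: u64, pub host: String, pub kind: String, pub fields: BTreeMap<String, String> }
/// Scored finding: each reasoning line cites the raw event ids it was derived from.
#[derive(Debug, PartialEq)]
pub struct Finding { pub host: String, pub score: u32, pub reasoning: Vec<String>, pub evidence: Vec<u64> }
/// Normalization: parse a constructed line "<ts> <host> <kind> key=val ..." into an Event.
pub fn normalize(id: u64, raw: &str) -> Option<Event> {
    let mut p = raw.split_whitespace();
    let ts = p.next()?.parse().ok()?;
    let (host, kind) = (p.next()?.to_string(), p.next()?.to_string());
    let fields = p.filter_map(|kv| kv.split_once('='))
        .map(|(k, v)| (k.to_string(), v.to_string())).collect();
    Some(Event { id, ts, host, kind, fields })
}
/// Correlation + scoring (hypothetical rule): >=3 auth failures from one source, then a success within `window` s.
pub fn score_host(events: &[Event], window: u64) -> Option<Finding> {
    let mut fails: Vec<&Event> = Vec::new();
    for e in events {
        if e.kind == "auth_fail" { fails.push(e); continue; } else if e.kind != "auth_ok" { continue; }
        let src = match e.fields.get("src") { Some(s) => s, None => continue };
        let hits: Vec<&Event> = fails.iter().copied()
            .filter(|f| f.fields.get("src") == Some(src) && e.ts.saturating_sub(f.ts) <= window).collect();
        if hits.len() < 3 { continue; }
        let mut evidence: Vec<u64> = hits.iter().map(|f| f.id).collect();
        let why = format!("{} failed logins from {} within {}s (events {:?})", hits.len(), src, window, evidence);
        evidence.push(e.id); // the success itself is evidence too
        return Some(Finding {
            host: e.host.clone(),
            score: 40 + 10 * hits.len().min(5) as u32, // capped so one burst cannot saturate the score
            reasoning: vec![why, format!("followed by a successful login from {} (event {})", src, e.id)],
            evidence,
        });
    }
    None
}
/// Ingestion -> normalization over a channel (std stand-in for the Tokio MPSC bus), then storage and scoring.
pub fn run_pipeline(raw: &[&str], window: u64) -> Option<Finding> {
    let (tx, rx) = mpsc::channel();
    for (i, line) in raw.iter().enumerate() { tx.send((i as u64 + 1, line.to_string())).unwrap(); }
    drop(tx); // close the bus so the receiver drains and stops
    let mut store: Vec<Event> = rx.iter().filter_map(|(id, l)| normalize(id, &l)).collect();
    store.sort_by_key(|e| e.ts); // time is a first-class dimension: order by event time, not arrival
    score_host(&store, window)
}
```

Every id in `evidence` points back to a stored event, so an analyst can open the finding and replay exactly the lines that produced it.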
## License
MIT
*SENTINEL: a local-first cyber defense operating system*
*Total crates: 46 | Tests: 464 | Build phases: 6 (all complete) | Architecture layers: 12*