ExfilGuardian
Architecture

Architecture

System design overview of ExfilGuardian

Overview

ExfilGuardian is a distributed anti-exfiltration detection system built entirely in Rust, targeting Windows endpoints first with Linux support planned. The architecture follows a three-tier model: a kernel-mode driver intercepts network packets, a userspace agent pre-filters and forwards them, and a cloud-side server runs the full analysis pipeline.

The system is designed for data exfiltration detection: it monitors all outbound network traffic at the kernel level and applies deep packet inspection, signature matching, behavioral analysis, and cross-signal correlation to identify covert data leaks.

Key Design Decisions

DecisionRationale
All RustMemory safety without GC, even in #![no_std] kernel mode. No mixed C/Rust FFI boundary to audit.
Windows-firstTarget enterprise endpoints where data exfiltration risk is highest. WFP provides kernel-level packet interception.
Driver + Agent splitKernel driver is minimal (intercept + buffer). All complex logic runs in userspace for stability.
SQLite WAL queueZero-loss guarantee; packets survive agent restarts and network outages.
Server-side analysisHeavy computation (DPI, ML baselines, correlation) runs on server hardware, not on the endpoint.
gRPC streamingEfficient binary protocol for continuous packet telemetry. mTLS for mutual authentication.

Explore

On this page