Architecture
Architecture
System design overview of ExfilGuardian
Overview
ExfilGuardian is a distributed anti-exfiltration detection system built entirely in Rust, targeting Windows endpoints first with Linux support planned. The architecture follows a three-tier model: a kernel-mode driver intercepts network packets, a userspace agent pre-filters and forwards them, and a cloud-side server runs the full analysis pipeline.
The system is designed for data exfiltration detection: it monitors all outbound network traffic at the kernel level and applies deep packet inspection, signature matching, behavioral analysis, and cross-signal correlation to identify covert data leaks.
Key Design Decisions
| Decision | Rationale |
|---|---|
| All Rust | Memory safety without GC, even in #![no_std] kernel mode. No mixed C/Rust FFI boundary to audit. |
| Windows-first | Target enterprise endpoints where data exfiltration risk is highest. WFP provides kernel-level packet interception. |
| Driver + Agent split | Kernel driver is minimal (intercept + buffer). All complex logic runs in userspace for stability. |
| SQLite WAL queue | Zero-loss guarantee; packets survive agent restarts and network outages. |
| Server-side analysis | Heavy computation (DPI, ML baselines, correlation) runs on server hardware, not on the endpoint. |
| gRPC streaming | Efficient binary protocol for continuous packet telemetry. mTLS for mutual authentication. |
Explore
- Detection Layers: The four parallel detection modules
- Data Flow: How packets travel from kernel to alert
- IPC: Communication protocols between components
- Project Structure: Repository layout
- Response Engine: Planned active response capabilities