Skip to content
On this page

Enhanced File System Security with Owlyshield

Owlyshield is a powerful behavioral analysis engine designed to detect fileless malware and Command and Control (C&C) beacons that can bypass traditional Endpoint Detection and Response (EDR) solutions. By focusing on file system activity, Owlyshield can uncover potential threats in real-time using a two-pronged approach consisting of a kernel module and a user-space module.

Key Components

Kernel Module

The kernel module is responsible for intercepting and collecting essential information about file system events on both Linux and Windows platforms. Using eBPF on Linux and a Minifilter on Windows, Owlyshield can effectively monitor file operations and gather metadata such as file names, paths, user and process IDs, access modes, and flags.

User-space Module

The user-space module preprocesses and analyzes the data collected by the kernel module in real-time. It utilizes various machine learning predictors, including classifiers, regressors, and novelty detection, to identify malicious processes and respond accordingly. In addition, Owlyshield generates logs that can be integrated with SIEM systems and offers a Wazuh connector for seamless data transfer.

Advanced Data Analysis

Group Identifiers (Gid)

Owlyshield uses group identifiers (Gids) to aggregate data by process subtrees, allowing for more accurate behavioral analysis and threat detection. By monitoring the activity of related processes, the system can quickly identify suspicious behavior and generate alerts for the system administrator.


On Windows, the minifilter registrates a new GID when a new process is created (see PsSetCreateProcessNotifyRoutine).

Directory Clustering

With hierarchical clustering, Owlyshield groups directories based on the file system activity of the process subtree associated with a particular Gid. This innovative feature enables a comprehensive understanding of how related processes utilize the file system, further enhancing threat detection capabilities.

Machine Learning Integration

Owlyshield incorporates state-of-the-art machine learning techniques to bolster its effectiveness in detecting and mitigating threats.

Ransomware Classifier

Using the XGBoost library, Owlyshield can create a predictive model that distinguishes between ransomware and non-ransomware input/output data, significantly enhancing its ability to detect and respond to ransomware attacks.

Novelty Detection

In partnership with Aleia, Owlyshield employs an autoencoder to perform novelty detection, which identifies unusual or unexpected behavior in real-time, further improving its ability to detect and mitigate potential security threats.

By combining advanced file system monitoring, data analysis, and machine learning techniques, Owlyshield offers a robust and comprehensive solution for detecting and mitigating fileless malware, C&C beacons, and other sophisticated security threats that may elude traditional EDR solutions.