January 2026
A real-time filesystem monitoring daemon that detects ransomware-like behavior through behavioral analysis and entropy measurement. Rather than relying on signatures, Irondome correlates three independent signals: mass file enumeration, encryption-like write patterns that coincide with high CPU usage, and Shannon entropy spikes in newly created files. An alert is raised only when the signals line up, which is what makes the alerts high-confidence. Built on Linux's inotify API with a multi-threaded, event-driven architecture. Includes full daemonization with a PID file and signal handling, structured logging with an alert cooldown, and a comprehensive test suite with memory checks. Started as a piscine project, extended afterward into something I'd actually consider deploying.