Browse Code
TraceTree monitors what software actually does when it runs, not just what it claims to be. It sandboxes packages inside Docker, attaches strace to capture every syscall, and builds a directed graph of the full process cascade: every file touched, every network call made, every child process spawned. That graph gets fed into a RandomForest classifier trained on real malware samples, plus YARA rules and n-gram syscall pattern matching, to flag behavioral signatures that static scanners and install-time checks completely miss. The output is a SARIF report you can pipe directly into your security toolchain. TraceTree also includes a dedicated MCP server security module, because as AI agents proliferate, MCP servers have become a live attack surface that nobody was watching. The core insight is simple: malware can lie about what it is, but it can't hide what it does.
Features
- syscall capture via strace inside Docker sandbox
- Directed process tree / graph construction using NetworkX
- RandomForest classifier for malicious behavior detection (trained on MalwareBazaar samples)
- YARA rule matching against captured traces
- N-gram syscall pattern analysis
- Temporal execution analysis (timing and sequencing of syscalls)
- Behavioral signature library for known attack patterns
