Ulak (Turkish for Messenger) is a high-performance, AI-driven Endpoint Detection and Response (EDR) prototype. Unlike traditional log parsers, Ulak operates at the Kernel level using eBPF (Extended Berkeley Packet Filter) to intercept system calls in real-time.
Captured anomalies are analyzed by a Local LLM (Large Language Model) to generate 5W1H diagnostic reports, providing not just raw data, but actionable intelligence and automated remediation capabilities.
- eBPF Real-Time Sensing: Low-overhead kernel monitoring using C probes to detect reverse shells, unauthorized access, and network anomalies.
- Local AI Diagnostics: Privacy-first analysis using local LLMs (Ollama) to interpret complex system errors into human-readable 5W1H reports.
- Interactive SOC Dashboard: A modern, mobile-responsive web interface built with Vue 3 and Tailwind CSS for centralized monitoring.
- Interactive Mascot Notifications: Real-time desktop alerts with active "Remediate" and "Dismiss" actions that bypass root barriers.
- Automated Remediation: One-click execution of AI-suggested fixes (Process termination, service restarts) directly from the dashboard or desktop.
```
.
├── config                 # Rule definitions and system settings
│   ├── rules.json         # Pattern matching and automated action rules
│   └── settings.yaml      # AI and Network configurations
├── src
│   ├── ebpf               # Kernel-space C probes and Python handlers
│   │   ├── probe.c        # eBPF C code for syscall hooking
│   │   └── handler.py     # Userspace bridge for eBPF data
│   ├── analyzer           # AI Engine and LLM integration
│   ├── dashboard          # FastAPI Backend & Vue.js Frontend
│   │   ├── app.py         # Main API Gateway & Notification Manager
│   │   └── frontend       # Responsive SOC Dashboard
│   └── main.py            # Orchestrator for the entire system
├── setup.sh               # Dependency installer and environment setup
└── requirements.txt       # Python dependencies
```
- OS: Linux (Kernel 5.15+ recommended, tested on Fedora)
- Tools: bcc-tools, python3.14+, Ollama
- Permissions: Root access required for eBPF syscall hooking.
The integrated setup.sh script automates everything: Docker installation (if missing), eBPF dependencies, AI model pulling, and systemd service registration.
- Clone the repository:

  ```
  git clone https://github.com/erogluyusuf/ulak.git
  cd ulak
  ```

- Run the setup script:

  ```
  chmod +x setup.sh
  ./setup.sh
  ```

  If you are not already root, run it with sudo (root is required because the script installs dependencies and registers the systemd service):

  ```
  sudo chmod +x setup.sh
  sudo ./setup.sh
  ```

- Management: Since ULAK runs as a native system service, you can manage it using standard Linux commands:
  - Check Status: `sudo systemctl status ulak`
  - View Logs: `sudo journalctl -u ulak -f`
  - Uninstall: `./setup.sh --uninstall`
- Dashboard: Open the dashboard in your browser: http://localhost:8000
The eBPF probe hooks into critical kernel functions (e.g., tcp_connect, execve) to monitor system-level activity in real time.
When a pattern matches a rule defined in rules.json, the handler streams telemetry data to the FastAPI backend.
The collected context is sent to a local LLM, which generates a structured root-cause analysis using the 5W1H methodology (Who, What, When, Where, Why, How).
The user is notified via:
- An interactive desktop mascot, or
- The web dashboard
The user can then approve a "Remediate" action (e.g., kill -9) directly from the interface.
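As an added illustration of the rule-matching step that sits between the kernel probe and the AI analyzer (example code, not Ulak's handler.py; the rules.json shape, the event fields and the 5W1H alert layout are assumptions, and the sample telemetry is constructed):

```python
import json
import re
from typing import Any

# Constructed rules in the shape this example ASSUMES for config/rules.json:
# each rule names the eBPF hook it applies to, regexes over event fields,
# and the automated action to offer the analyst.
RULES_JSON = """
[
  {"name": "reverse_shell_exec", "hook": "execve",
   "match": {"comm": "bash|sh|dash", "stdio_socket": "true"},
   "action": "kill_process"},
  {"name": "shell_outbound_connect", "hook": "tcp_connect",
   "match": {"comm": "bash|sh|dash"},
   "action": "notify"}
]
"""

# Constructed telemetry in the shape a userspace handler might receive from
# the probe (assumed fields, not Ulak's real event format).
SAMPLE_EVENTS = [
    {"hook": "execve", "ts": "2024-05-01T10:00:00Z", "host": "web-01",
     "pid": 4021, "uid": 1000, "comm": "bash", "stdio_socket": True},
    {"hook": "tcp_connect", "ts": "2024-05-01T10:00:01Z", "host": "web-01",
     "pid": 4021, "uid": 1000, "comm": "bash", "daddr": "198.51.100.7", "dport": 8443},
    {"hook": "execve", "ts": "2024-05-01T10:00:05Z", "host": "web-01",
     "pid": 4100, "uid": 0, "comm": "bash", "stdio_socket": False},
]

def load_rules(text: str) -> list[dict[str, Any]]:
    """Parse rules and precompile every field pattern as a case-insensitive regex."""
    rules = json.loads(text)
    for rule in rules:
        rule["_compiled"] = {k: re.compile(v, re.IGNORECASE) for k, v in rule["match"].items()}
    return rules

def match_rule(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """A rule fires only for its own hook and when every field pattern fully matches."""
    if rule["hook"] != event.get("hook"):
        return False
    return all(pat.fullmatch(str(event.get(field, ""))) for field, pat in rule["_compiled"].items())

def evaluate(rules: list[dict[str, Any]], events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one 5W1H-shaped alert per matching (event, rule) pair; this is the context
    that would be handed to the LLM for the root-cause report."""
    alerts = []
    for ev in events:
        for rule in rules:
            if match_rule(rule, ev):
                alerts.append({
                    "rule": rule["name"], "action": rule["action"],
                    "who": ev.get("uid"), "what": f'{ev["hook"]} by {ev.get("comm")}',
                    "when": ev.get("ts"), "where": f'{ev.get("host")} pid {ev.get("pid")}',
                    "how": {k: v for k, v in ev.items()
                            if k not in ("hook", "ts", "host", "pid", "uid", "comm")},
                })
    return alerts

if __name__ == "__main__":
    print(json.dumps(evaluate(load_rules(RULES_JSON), SAMPLE_EVENTS), indent=2))
```

The third event (a root shell with no socket on stdio) matches nothing, which is the point of requiring every field pattern to match rather than any one of them.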
Distributed under the MIT License. See LICENSE for more information.
Yusuf Eroğlu
GitHub: https://github.com/erogluyusuf
Project Link: https://github.com/erogluyusuf/ulak