Modern Intrusion Detection System for Embedded Devices & IoT
EmbedIDS is a lightweight, extensible intrusion detection library designed for embedded systems and IoT devices. It features user-managed memory, custom metrics, and pluggable detection algorithms with zero runtime overhead when disabled.
#include <embedids.h>
// Allocate history buffer (user-managed memory)
static embedids_metric_datapoint_t cpu_history[50];
// Configure CPU monitoring with 80% threshold
embedids_metric_config_t cpu_config = {
.metric = {
.name = "cpu_usage",
.type = EMBEDIDS_METRIC_TYPE_PERCENTAGE,
.history = cpu_history,
.max_history_size = 50,
.enabled = true
},
.algorithms = {{
.type = EMBEDIDS_ALGORITHM_THRESHOLD,
.enabled = true,
.config.threshold = {
.max_threshold.f32 = 80.0f,
.check_max = true
}
}},
.num_algorithms = 1
};
// Initialize context and system
embedids_context_t context;
memset(&context, 0, sizeof(context));
embedids_system_config_t system = {
.metrics = &cpu_config,
.max_metrics = 1,
.num_active_metrics = 1
};
embedids_init(&context, &system);
// Monitor in real-time
embedids_metric_value_t value = {.f32 = get_cpu_usage()};
embedids_add_datapoint(&context, "cpu_usage", value, timestamp_ms);
if (embedids_analyze_metric(&context, "cpu_usage") != EMBEDIDS_OK) {
handle_intrusion_detected();
}- User-Managed Memory: No malloc/free - perfect for embedded systems
- Custom Metrics: Support for float, int, percentage, boolean, enum types
- Pluggable Algorithms: Threshold, trend analysis, statistical, and custom detection
- Multiple Algorithms per Metric: Run several detection methods simultaneously
- Real-time Analysis: Low-latency threat detection with configurable history
| Algorithm | Description | Use Case |
|---|---|---|
| Threshold | Min/max boundary checking | CPU usage, memory limits |
| Trend | Slope-based anomaly detection | Memory leaks, performance degradation |
| Statistical | Advanced statistical analysis | Complex pattern detection |
| Custom | User-defined detection functions | Domain-specific threats |
EMBEDIDS_METRIC_TYPE_PERCENTAGE- CPU usage, memory utilization (0-100%)EMBEDIDS_METRIC_TYPE_FLOAT- Sensor readings, network trafficEMBEDIDS_METRIC_TYPE_UINT32/64- Packet counts, process countsEMBEDIDS_METRIC_TYPE_BOOL- System states, security flagsEMBEDIDS_METRIC_TYPE_ENUM- Custom enumerated values
mkdir build && cd build
cmake .. -DBUILD_EXAMPLES=ON -DBUILD_TESTS=ON
make -j$(nproc)
sudo make install# Option 1: Installed package
find_package(EmbedIDS REQUIRED)
target_link_libraries(your_app EmbedIDS::embedids)
# Option 2: FetchContent (Git repository)
include(FetchContent)
FetchContent_Declare(
EmbedIDS
GIT_REPOSITORY https://github.com/samiralavi/EmbedIDS.git
GIT_BRANCH main # Fetch the main branch
)
FetchContent_MakeAvailable(EmbedIDS)
target_link_libraries(your_app embedids)BUILD_TESTS=ON/OFF- Unit tests with GoogleTest (default: ON)BUILD_EXAMPLES=ON/OFF- Example applications (default: ON)ENABLE_COVERAGE=ON/OFF- Code coverage reporting (default: OFF)
There are multiple ways to run the test suites
# Build the project first
mkdir build && cd build
cmake .. -DBUILD_TESTS=ON
make -j$(nproc)
# Run all tests
ctest
# Run tests with detailed output
ctest --verbose
# List available tests
ctest --list-tests# After building, run tests directly
./tests/embedids_tests
# Run specific test patterns (GoogleTest)
./tests/embedids_tests --gtest_filter="*Threshold*"make test # May not be available in all configurationsGenerate detailed coverage reports to see test effectiveness:
# Configure with coverage enabled
mkdir build && cd build
cmake .. -DBUILD_TESTS=ON -DENABLE_COVERAGE=ON
make -j$(nproc)
# Generate coverage report
make coverageLicensed under the Apache License, Version 2.0. See LICENSE file for details.
![@github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=64&v=4){kind=small}