guardd uses eBPF, Isolation Forest for Linux security
guardd is an unsupervised anomaly detection system for Linux that leverages eBPF for efficient kernel-level event collection and Isolation Forest to identify malicious behavior without predefined signatures. It monitors process executions and network activity to detect outliers against a learned system baseline.
Unsupervised anomaly detection at the kernel level is the holy grail of endpoint security, but guardd shows that model sensitivity remains a major hurdle. It uses eBPF for low-overhead event monitoring, avoiding the performance cost of traditional auditing, while Isolation Forest learns a baseline able to flag zero-day threats for which no signature exists. However, high-variance normal behaviors currently trigger false positives, so further progress depends on feature engineering that better represents bursty patterns.
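As an added illustration (not guardd's code and not from the post's author), the following self-contained Python builds a small Isolation Forest over constructed per-minute host telemetry of the kind an eBPF exec/connect collector would be aggregated into, scores three windows against the learned baseline, and then reproduces the false-positive mechanism the summary describes: a scheduled job that forks many processes once an hour sits in the baseline yet is isolated quickly on raw counts, while normalizing the count by the median for that minute of the hour (one possible bursty-pattern feature, assumed here rather than taken from guardd) makes it ordinary again. The feature set (execs, unique destination ports, outbound KB), the telemetry values and the seasonal normalization are all assumptions made for the example.

```python
# Added example, not guardd's code. Features per window are assumptions:
# (execs, unique destination ports, outbound KB), aggregated from exec/connect events.
import math
import random
import statistics

EULER_GAMMA = 0.5772156649


def avg_path_length(n):
    """c(n): expected depth of an unsuccessful BST search over n points."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(points, rng, depth, max_depth):
    """Isolate points with random axis-aligned splits until alone or too deep."""
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    # only features that still vary inside this node can separate anything
    splittable = [f for f in range(len(points[0]))
                  if min(p[f] for p in points) < max(p[f] for p in points)]
    if not splittable:
        return ("leaf", len(points))
    f = rng.choice(splittable)
    split = rng.uniform(min(p[f] for p in points), max(p[f] for p in points))
    left = [p for p in points if p[f] < split]
    right = [p for p in points if p[f] >= split]
    return ("node", f, split,
            build_tree(left, rng, depth + 1, max_depth),
            build_tree(right, rng, depth + 1, max_depth))


def path_length(x, node, depth=0):
    """Depth at which x lands, plus the expected depth of the leaf it shares."""
    if node[0] == "leaf":
        return depth + avg_path_length(node[1])
    _, f, split, left, right = node
    return path_length(x, left if x[f] < split else right, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=200, subsample=256, seed=0):
        self.n_trees, self.subsample, self.rng = n_trees, subsample, random.Random(seed)

    def fit(self, X):
        self.psi = min(self.subsample, len(X))
        max_depth = math.ceil(math.log2(self.psi))
        self.trees = [build_tree(self.rng.sample(X, self.psi), self.rng, 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1): ~0.5 is ordinary, near 1 means isolated early."""
        mean_h = sum(path_length(x, t) for t in self.trees) / self.n_trees
        return 2.0 ** (-mean_h / avg_path_length(self.psi))


def constructed_baseline(hours=10, seed=1):
    """Constructed sample: rows of (minute_of_hour, execs, unique_dst_ports, out_kb).
    Minute 0 of every hour is a scheduled job that forks 40-60 processes."""
    rng = random.Random(seed)
    rows = []
    for _ in range(hours):
        for minute in range(60):
            execs = rng.randint(40, 60) if minute == 0 else rng.randint(5, 20)
            rows.append((minute, execs, rng.randint(1, 3), rng.uniform(10.0, 200.0)))
    return rows


def raw_features(row):
    return (float(row[1]), float(row[2]), row[3])


def slot_medians(rows):
    """Median exec count per minute-of-hour, learned from the baseline period."""
    by_slot = {}
    for minute, execs, _, _ in rows:
        by_slot.setdefault(minute, []).append(execs)
    return {m: statistics.median(v) for m, v in by_slot.items()}


def seasonal_features(row, medians):
    """Assumed bursty-pattern feature: execs relative to this minute's median."""
    minute, execs, ports, out_kb = row
    return (execs / medians[minute], float(ports), out_kb)


def demo():
    rows = constructed_baseline()
    windows = {  # constructed test windows, same layout as the baseline rows
        "typical": (17, 12, 2, 100.0),
        "burst": (0, 52, 2, 100.0),          # the hourly job, legitimately noisy
        "suspicious": (33, 50, 40, 5000.0),  # off-schedule fan-out to 40 ports, 5 MB out
    }
    raw_model = IsolationForest().fit([raw_features(r) for r in rows])
    medians = slot_medians(rows)
    seasonal_model = IsolationForest().fit([seasonal_features(r, medians) for r in rows])
    return {"raw": {k: raw_model.score(raw_features(w)) for k, w in windows.items()},
            "seasonal": {k: seasonal_model.score(seasonal_features(w, medians))
                         for k, w in windows.items()}}


if __name__ == "__main__":
    for model, scores in demo().items():
        print(model, {k: round(v, 3) for k, v in scores.items()})
```

Scores near 0.5 are ordinary; the closer to 1, the earlier a window was isolated. On the raw features the hourly job scores above the typical minute even though its rows are part of the baseline, because the forest isolates a small cluster almost as quickly as a lone outlier. The ratio feature folds the schedule into the baseline, so only the off-schedule window stays out. A deployment would derive the per-slot medians from the same baseline period the model is trained on and re-learn them when schedules change.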
Discovered: 2026-04-23
Published: 2026-04-23
Author: No-Insurance-4417