- Add min_pps (default 20) to skip anomaly detection for low-traffic IPs
- Increase threshold_multiplier from 3.0 to 5.0
- Increase rate_limit_after from 1 to 3 violations
- Support min_pps in SIGHUP config reload
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- traffic_log.csv → traffic_log.db (SQLite with indexed timestamp)
- INSERT instead of CSV append, DELETE instead of file rewrite
- CLI queries use SQL (GROUP BY for traffic, LIMIT for log)
- retrain_from_log() uses read-only connection with time range query
- Config key: traffic_log_file → traffic_log_db
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Log traffic features with timestamps to CSV every 5s
- Add hour_sin/hour_cos time features (15 → 17 feature vector)
- Auto-retrain from traffic log at configurable interval (default 24h)
- Detect old 15-feature models and switch to learning mode
- SIGUSR1 now retrains from traffic log first, falls back to collect mode
- Add CLI: `ai traffic` (time-bucketed summary), `ai log` (recent entries)
- Add config keys: traffic_log_file, retention_days, retrain_window
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Chain two XDP programs via libxdp dispatcher on the same interface:
xdp_blocker (priority 10) handles CIDR/country/whitelist blocking,
xdp_ddos (priority 20) handles rate limiting, EWMA analysis, and AI
anomaly detection. Whitelist maps are shared via BPF map pinning so
whitelisted IPs bypass both blocklist checks and DDoS rate limiting.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
