Endpoint Data Collection Agent
Separates telemetry collection from detection logic, keeping the agent lightweight while forwarding events securely to the analysis engine.
Research Domain
Explainable AI, deception, secure logging, and automated response.
The domain is narrowed around SME endpoint security where users need trustworthy, readable, and actionable threat evidence without operating a full enterprise SOC.
Research Gap
SMEs need more than a cheaper EDR
Existing tools are often expensive, complex, resource-heavy, or difficult to interpret. ForLens addresses the gap with explainable insider-threat detection, endpoint-level deception, dynamic response automation, and forensic integrity.
Behavioral Detection Engine
Combines Isolation Forest, LSTM autoencoder concepts, threat intelligence, and MITRE mapping for context-rich anomaly scoring.
Cryptographic Log Integrity
Uses tamper-evident storage concepts to make incident evidence easier to validate during response and reporting.
SOAR-Style Dashboard
Supports role-aware risk scoring, admin notifications, quarantine visibility, recommended playbooks, and readable reports.
Proposal Alignment
Research objectives translated into product requirements
Lightweight Endpoint Agent
Plug-and-play telemetry collection with less than 10% endpoint overhead target.
AI Behavior Modeling
Isolation Forest, LSTM autoencoder concepts, and threat intelligence correlation for high-confidence alerts.
Tamper-Evident Logging
Cryptographic evidence integrity so incident records can be verified after an attack.
SOAR-Style Response
Role-aware risk scoring, playbooks, quarantine notifications, and readable executive reporting.
System Flow
From endpoint event to business-ready action
- Endpoint agent records process, file, registry, network, and honeypot events.
- Telemetry is normalized and enriched with threat intelligence and behavioral context.
- The engine produces severity, confidence, rationale, and MITRE technique mapping.
- The dashboard recommends or executes SOAR actions such as isolate, block, terminate, notify, and report.
- Tamper-evident logs preserve verification evidence for later review.
Architecture Views
Technical architecture and component workflows
These diagrams use extracted proposal and progress-presentation visuals to show how individual components work and how they connect into the full ForLens workflow.
Whole Solution
Integrated ForLens Pipeline
Endpoint telemetry, AI correlation, secure storage, explainability, SOAR automation, and dashboard reporting connected as one SME-ready workflow.
Cloud Deployment
ForLens Cloud Control Layer
Cloud-ready processing supports secure API communication, centralized analysis, dashboard visibility, and MSP-friendly rollout.
Endpoint Detail
Monitoring and Honeypot Modules
Shows process execution, file-system access, network connections, registry/config changes, SMB decoy, SSH decoy, decoy documents, and fake database signals.
Detection Layer
AI and Threat Intelligence Engine
Shows raw log processing, TI aggregation, OSINT/commercial feeds, MITRE ATT&CK framework, anomaly scoring, and explainable alert generation.
Evidence Layer
Tamper-Evident Logging
Shows log collection, cryptographic processing, Merkle tree hashing, secure storage, immutable anchor storage, proof verification, and selective disclosure.
Response Layer
Explainability and SOAR Automation
Shows explainability orchestration, SHAP/LIME-style interpretation, natural-language rationale, alert ingestion, MITRE mapping, risk scoring, and automated playbooks.