Free & Open Source — Windows HIDS Tool

Endpoint Security That Fits Your Laptop.

A self-contained SIEM + HIDS + Digital Forensics tool for Windows. Real-time threat detection, AES-256 evidence storage, automated response — zero servers required.

Windows 10/11 · No Server Needed · 100% Free · Open Source

[Dashboard mockup: WYPE Dashboard at localhost:8000, Live Threat Monitor for DESKTOP-PC01 (Agent Active, MONITORING); 248 events/min, 7 alerts today, risk score 0.32. Sample feed: CRITICAL OBFUSCATED_CMD (powershell.exe, 14:32:01); WARNING AUTH_FAILURE ×8 (winlogon.exe, 14:31:44); INFO RDP_SESSION (mstsc.exe, 14:30:18). Response actions: Isolate Process, Block IP, Export Evidence.]

Headline results on 420 simulated attack events: 95.0% detection accuracy, 4.7% false positive rate, 1.2 s mean alert speed, <5% CPU footprint.

Built for the Full Threat Surface

Every collector, detection rule, and response action designed to work together on a single Windows endpoint.

Core: 5-Collector Agent

Simultaneous telemetry: Auth events, Process behavior, Network flows, File-system changes, and Browser artifacts — all running concurrently.

Detection: 38-Rule UEBA Engine

Rule-based User & Entity Behaviour Analytics. Covers brute-force, masquerade processes, obfuscated PowerShell, ransomware patterns and more.

Security: AES-256 Encryption

SQLCipher AES-256-CBC at rest. Ed25519-signed commands. PBKDF2-SHA256 password hashing with 150,000 iterations. Forensic-grade integrity.

Response: Auto Incident Response

In auto mode, WYPE queues Ed25519-signed commands: suspend process, block IP (900 s), disable USB — all within seconds of detection.

Backup: Cloud Log Recovery

AES-256 encrypted archives pushed to Google Drive or SMTP. Full forensic recovery after system rebuild. Essential for post-incident analysis.

Forensics: Forensic Timeline

Microsecond-precision UTC reconstruction. Cross-stream event correlation via agent identity. Admissible chain-of-custody standards.

Covered Attack Scenarios — 38 Signatures

Scenario              | Severity | Risk Score
Brute-Force Auth      | CRITICAL | 0.80
Office → Shell Spawn  | CRITICAL | 0.67
Obfuscated PowerShell | CRITICAL | 0.67
Ransomware File Mod   | WARNING  | 0.32
Privilege Escalation  | WARNING  | 0.26
Audit Log Tampering   | WARNING  | 0.37
Reverse Shell C2      | WARNING  | 0.42
After-Hours Shell     | ELEVATED | +0.25 Δ
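As an added illustration (not WYPE's own code) of how a rule-based UEBA pass turns raw Windows events into scored alerts like the ones in the table above: it assumes Event ID 4625 failed-logon and Sysmon Event ID 1 process-create records already parsed into dicts, and the threshold, after-hours window, score-combination rule and sample events are constructed assumptions.

```python
# Added example, not WYPE's own code: a minimal rule-based UEBA pass in the
# spirit of the 38-rule engine above. Windows Event ID 4625 (failed logon)
# and Sysmon Event ID 1 (process create) are real; thresholds, the after-hours
# window, the risk combination and the sample events are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                    # assumed: failures per account per window
BRUTE_FORCE_WINDOW = timedelta(minutes=2)    # assumed sliding window
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
AFTER_HOURS_START, AFTER_HOURS_END = 20, 6   # assumed: 20:00 to 06:00 local

def evaluate(events):
    """Return (rule, severity, score) alerts for an event stream of dicts."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = e["ts"]
        if e["id"] == 4625:
            # sliding window of recent failed logons for this account
            recent = [t for t in failures[e["account"]] if ts - t <= BRUTE_FORCE_WINDOW]
            recent.append(ts)
            failures[e["account"]] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:   # fire once per burst
                alerts.append(("BRUTE_FORCE_AUTH", "CRITICAL", 0.80))
        elif e["id"] == 1 and e["image"].lower() in SHELLS:
            if e["parent"].lower() in OFFICE_PARENTS:
                alerts.append(("OFFICE_SHELL_SPAWN", "CRITICAL", 0.67))
            if ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END:
                alerts.append(("AFTER_HOURS_SHELL", "ELEVATED", 0.25))  # delta
    return alerts

def host_risk(alerts):
    """Assumed combination: highest base score plus ELEVATED deltas, capped at 1.0."""
    base = max((s for _, sev, s in alerts if sev != "ELEVATED"), default=0.0)
    delta = sum(s for _, sev, s in alerts if sev == "ELEVATED")
    return round(min(1.0, base + delta), 2)

# Constructed sample: 8 failed logons for one account 12 s apart, then
# WINWORD.EXE spawns powershell.exe at 21:15 local time.
T0 = datetime(2024, 3, 4, 21, 15, 0)
SAMPLE_EVENTS = [{"id": 4625, "account": "jdoe", "ts": T0 + timedelta(seconds=12 * i)}
                 for i in range(8)]
SAMPLE_EVENTS.append({"id": 1, "image": "powershell.exe", "parent": "WINWORD.EXE",
                      "ts": T0 + timedelta(minutes=1)})

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    print(found, host_risk(found))   # host risk 1.0 (0.80 + 0.25, capped)
```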

Four Layers, One Cohesive System

From OS telemetry all the way to the Electron dashboard — every layer is designed to run locally, with no cloud dependency.

Frontend: React + Vite + Electron

Desktop dashboard with real-time event feed, alert triage, forensic timeline, and operator settings — REST to localhost only.

Backend: Python FastAPI + SQLite/SQLCipher

Detection engine, UEBA rule evaluation, risk scoring. AES-256 encrypted SQLite. JWT HS256 sessions with TOTP 2FA.

Agent: Python + Win32 / WMI / psutil

Multi-threaded collector. Reads Security Event Log, enumerates processes, monitors network and file system, extracts browser artifacts.

OS Surface: Windows 10/11 — Sysmon + Event IDs + WMI

37+ Security Event IDs, Sysmon process records, WMI device events. Full Windows telemetry surface instrumented.

WYPE vs Competitors

Feature                   | WYPE    | Wazuh  | Splunk | ELK
Server-free deployment    |         |        |        |
Real-time alerting        |         |        |        |
Automated response        |         |        |        |
Encrypted storage (AES-256) |       |        |        |
Cloud log backup          |         |        |        |
Digital forensics         |         |        |        |
TOTP 2FA                  |         |        |        |
Zero cost (core)          |         |        |        |
CPU footprint             | <5%     | 15–30% | 20–40% | 20–50%
Deploy time               | Minutes | Hours  | Days   | Days

Tested on 420 Simulated Attacks

Results measured on Intel i5-10400 · 16 GB RAM · Windows 10 22H2.

Detection Metrics
True Positive Rate: 95.0%
F1 Score: 0.952
Precision: 95.4%
False Positive Rate: 4.7%

Alert Latency by Source
Authentication Events: 0.3 s
Network Events: 1.5 s
Process Events: 1.8 s
File-System Events: 2.1 s

Resource Usage
Agent CPU (normal): 0.8%
Agent CPU (under attack): 2.9%
Total CPU Peak: 4.6%
RAM (quiescent): 42 MB
RAM Peak: 122 MB
DB size (24h): 12–38 MB

Download & Install WYPE

Portable, server-free, and ready in minutes. No cloud account required for core functionality.

WYPE v1.0 — Free

Includes all 5 collectors, 38-rule UEBA engine, AES-256 encrypted database, automated response, cloud backup, and forensic timeline.

Windows 10 / 11 (64-bit)
Python 3.11+ · Node.js 18+
AES-256 encrypted storage
Open source · Free forever

Quick Setup — 5 Steps

1. Clone the repo: git clone https://github.com/wype-hids/wype.git
2. Install Python deps: pip install -r requirements.txt
3. Install frontend deps: cd frontend && npm install && npm run build
4. Start agent (as Admin): python wype_agent.py --start
5. Launch backend: python backend/main.py

Tech Stack: Python 3.11+ · FastAPI · React + Vite · Electron · SQLite · SQLCipher · psutil · pywin32 · WMI · JWT · TOTP

Desktop GUI Included

WYPE ships with a full Electron-based desktop dashboard — real-time alert feed, forensic timeline viewer, risk score chart, and incident response panel. All data stays local on your machine. The dashboard opens automatically on localhost:8000 after the backend starts.

Built at Dept. of ICE, Bahawalpur

Department of Information and Communication Engineering

Prof. Dr. Muhammad Ali Qureshi, Dept. of ICE: Project Supervisor
Sheharyar Muhammad: Lead Developer
Mudassir Mustafa: Backend & Detection
Amanat Ali: Security & Crypto

Start Protecting Your Windows Host Today

WYPE is free, portable, and ready to deploy in minutes. No server, no cloud subscription, no expertise required.