Every day, employees leave their workstations unlocked β for a meeting, a coffee break, or an emergency. In those few unattended minutes, sensitive data can be accessed, files can be copied, and credentials can be stolen.
Traditional solutions? Either too complex (IT-configured software) or too passive (just a screensaver lock). Neither detects who used the machine while you were away, what they did, or when it happened.
WorkGuard AI solves this.
It runs silently in the background, learns your unique behavioral fingerprint, and the moment someone else touches your keyboard β it knows.
| Feature | Description |
|---|---|
| β¨οΈ Keystroke Capture | Every keypress logged with millisecond-precision timing |
| 𧬠Biometric Fingerprinting | Builds unique typing profile using dwell & flight time |
| π€ ML Anomaly Detection | Isolation Forest detects behavioral deviations in real-time |
| π· Camera Surveillance | OpenCV monitors desk presence β detects owner vs stranger |
| π AES-256-GCM Encryption | All logs encrypted at rest with tamper detection |
| π Live Dashboard | Real-time Flask API + Chart.js β no refresh needed |
| π±οΈ Mouse Tracking | Clicks, scrolls, movement patterns recorded |
| πΈ Auto Screenshots | Periodic visual evidence every 30 seconds |
| π¨ Instant Alerts | Desktop notification fires on unauthorized access |
| π Session Reports | Full HTML report generated at end of each session |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β WorkGuard AI β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β βββββββββββββββ βββββββββββββββ βββββββββββββ β
β β CAPTURE β β ML ENGINE β β API β β
β β β β β β β β
β β β’ Keyboard βββββΆβ β’ BiometricsβββββΆβ β’ Flask β β
β β β’ Mouse β β β’ Isolation β β β’ 8 REST β β
β β β’ Camera β β Forest β β endpointsβ β
β β β’ Screenshotβ β β’ Z-score β β β’ SSE β β
β βββββββββββββββ βββββββββββββββ βββββββ¬ββββββ β
β β β
β βββββββββββββββ βββββββββββββββ β β
β β SECURITY β β DASHBOARD ββββββββββββ β
β β β β β β
β β β’ AES-256 β β β’ Chart.js β β
β β β’ GCM Auth β β β’ Live Feed β β
β β β’ Encrypted β β β’ Threat β β
β β Logs β β Gauge β β
β βββββββββββββββ βββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
workguard_ai/
βββ core/
β βββ recorder.py # Event capture engine
β βββ camera.py # OpenCV camera surveillance
β βββ encryptor.py # AES-256-GCM encryption
β βββ alerts.py # Alert system
βββ ml/
β βββ biometrics.py # Keystroke dynamics engine
β βββ anomaly.py # Isolation Forest detector
βββ api/
β βββ server.py # Flask REST API
βββ dashboard/
β βββ index.html # Live monitoring dashboard
βββ main.py # Main orchestrator
βββ requirements.txt
Every person types differently. WorkGuard AI captures your unique typing fingerprint:
Key Press ββββββββββββββββββββββββββββββββ Key Release
ββββββββββ Dwell Time (ms) βββββββββββΊβ
Key Release ββββββββββββββββ Next Key Press
ββββββ Flight Time (ms) βββββΊβ
Profile building:
- Captures 50+ keystrokes during calibration
- Computes mean & standard deviation of dwell/flight times
- Stores typing WPM and rhythm variance
Similarity scoring (Z-score method):
Z = |current_value - profile_mean| / profile_std
Similarity = e^(-0.5 Γ ZΒ²)
Score β₯ 0.65 β Original User β
Score < 0.65 β Unknown User β οΈ
Research basis: Carnegie Mellon University Keystroke Dynamics Dataset
Uses scikit-learn's Isolation Forest β an unsupervised ML algorithm that learns what "normal" looks like and flags deviations.
9-dimensional feature vector per session window:
| Feature | What it measures |
|---|---|
kpm |
Keystrokes per minute |
mean_dwell |
Average key hold duration |
mean_flight |
Average inter-key latency |
dwell_variance |
Typing consistency |
click_rate |
Mouse clicks per minute |
scroll_rate |
Scroll events per minute |
hour_of_day |
Unusual login times (2AM?) |
special_key_ratio |
Ctrl/Alt/Win usage (hackers use more) |
unique_windows |
Number of different apps opened |
Why Isolation Forest?
- Unsupervised β no labeled "attack" data needed
- Works with small datasets (your own sessions)
- O(n log n) β fast enough for real-time use
- Industry standard for behavioral anomaly detection
3-State Finite State Machine:
βββββββββββββββββββ user leaves ββββββββββββββββ
β OWNER_PRESENT βββββββββββββββββββββββΆβ NO_ONE β
β (Safe mode) β β (Standby) β
ββββββββββ¬βββββββββ ββββββββ¬ββββββββ
β² β stranger arrives
β owner returns βΌ
β ββββββββββββββββ
ββββββββββββββββββββββββββββββββ STRANGER β
β π΄ ALERT! β
ββββββββββββββββ
- Haar Cascade face detection (built into OpenCV)
- Smoothing buffer β requires 3 consecutive detections before state change (prevents false alerts)
- Intruder photo captured automatically on STRANGER detection
Password
β
βΌ
SHA-256 Hash βββΆ 256-bit Key
β
βΌ
βββββββββββββββββββββββββββ
β For each log chunk: β
β β’ Generate 96-bit nonceβ
β β’ AES-256-GCM encrypt β
β β’ Append auth tag β
β β’ Write to .enc file β
βββββββββββββββββββββββββββ
| Property | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key size | 256 bits |
| Nonce | 96-bit (random per chunk) |
| Auth tag | 128-bit (tamper detection) |
| Key derivation | SHA-256 |
# 1. Clone the repository
git clone https://github.com/reshma-adsul/WorkGuard-AI-.git
cd WorkGuard-AI-
# 2. Run (auto-installs all dependencies)
python main.pyFirst-time setup:
Enable AES-256 encryption? β y (recommended) or n
Screenshot interval? β 30 (default)
Launch live dashboard? β y
Enable camera? β y
Register your face? β y (look at camera)
Then:
- Type normally for 2+ minutes
- Click "π― Calibrate" in dashboard
- Your behavioral profile is saved!
- Use
START_SILENT.batbefore leaving your desk next time
Dashboard: http://127.0.0.1:5000
| Endpoint | Method | Description |
|---|---|---|
/api/status |
GET | Session info, calibration state |
/api/live |
GET | Last N events from buffer |
/api/live/stream |
GET | SSE stream (real-time push) |
/api/stats |
GET | Aggregated session statistics |
/api/biometric/score |
GET | Real-time biometric similarity |
/api/anomaly/score |
GET | Isolation Forest prediction |
/api/calibrate |
POST | Build user behavioral profile |
/api/camera/status |
GET | Camera surveillance state |
/api/sessions |
GET | List all past sessions |
| Layer | Technology | Why |
|---|---|---|
| Event Capture | pynput | OS-level hooks β works across all apps |
| Screenshots | PIL ImageGrab | Lightweight, no dependencies |
| Window Tracking | win32gui, psutil | Native Windows API |
| Computer Vision | OpenCV | Industry standard, no internet needed |
| ML β Biometrics | NumPy, statistics | Lightweight statistical modeling |
| ML β Anomaly | scikit-learn | IsolationForest, production-ready |
| Encryption | cryptography | AES-256-GCM, NIST approved |
| Backend | Flask, flask-cors | Lightweight REST API |
| Frontend | Vanilla JS, Chart.js | Zero build process, fast |
| Alerts | plyer, smtplib | Cross-platform desktop + email |
pynput>=1.7.6
Pillow>=10.0.0
pywin32>=306
psutil>=5.9.0
flask>=3.0.0
flask-cors>=4.0.0
cryptography>=41.0.0
scikit-learn>=1.3.0
numpy>=1.24.0
opencv-python>=4.8.0
plyer>=2.1.0
This tool is intended only for:
- Monitoring your own device
- Enterprise endpoint security with employee consent
- Academic research in behavioral biometrics
Unauthorized monitoring is illegal. Do not use on devices you do not own.
Reshma Adsul
MIT License β free to use, modify, and distribute with attribution.