If you’ve never worked in cybersecurity before, the word "DevSecOps" sounds intimidating. It sounds like you need to be in a dark room wearing a hoodie, typing furiously to stop hackers.
But in reality? Good security isn't about typing fast. It’s about building smart alarms.
For my latest engineering project, I built an Anomaly Detection Engine from scratch. Here is a beginner-friendly breakdown of how I used simple math to teach a server to defend itself.
The Problem: Hard-Coded Rules Fail
Imagine you run a popular online store. You tell your bouncer (your firewall): "If anyone tries to enter the store more than 10 times a second, kick them out! They must be a hacker doing a brute-force attack."
That works great on a normal Tuesday. But what happens on Black Friday? Suddenly, hundreds of real customers are rushing the doors. Your bouncer kicks them all out, and your business crashes. Hard-coded limits don't adapt to reality.
The Solution: The "Resting Heartbeat"
Instead of a strict rule, my security engine calculates a Rolling Baseline. Think of this as the server's resting heartbeat.
Every single minute, a background script looks at the traffic and says, "Okay, right now, we are averaging about 1 request per second." If traffic slowly builds up over the afternoon (like a Black Friday sale), the baseline adjusts to accept it as the new normal.
The Trigger: The Z-Score (The Conveyor Belt)
To catch actual attacks, the engine uses a 60-second "Sliding Window"—like a conveyor belt of incoming traffic.
It tracks every IP address on that belt and compares them to our baseline heartbeat using a mathematical formula called a Z-Score. A Z-Score tells us exactly how "weird" a spike in traffic is.
In my engine, the alarm triggers if an IP hits a Z-Score of 3.0. In the world of statistics, anything past a 3.0 means there is a 99.7% chance that this spike is a massive anomaly, not just an enthusiastic user.
(During testing, I accidentally triggered a Z-Score of 40.17! The engine didn't hesitate.)
The Trapdoor: Auto-Banning and Slack Alerts
When the math catches an attacker, the engine doesn't wait for a human to respond. It takes immediate action:
The Block: It talks directly to the server's core firewall (iptables) and drops all network traffic from that specific IP address instantly.
The Alert: It sends a formatted alert directly to my phone via Slack, showing me the attacker's IP and how hard they tried to hit the server.
The Recovery: It starts a 10-minute timer. When the timer expires, it automatically unbans the IP. This ensures that if a real user's device just glitched out, they aren't permanently banned forever.
Conclusion
Building this taught me that modern security isn't just about building taller walls; it’s about building smarter sensors. By combining simple statistics with automated firewalls, you can build a server that heals itself while you sleep!
Top comments (0)