As part of my HNG DevSecOps task, I built a real-time anomaly detection engine to protect a Nextcloud instance from unusual traffic spikes and potential DDoS attacks.
The goal was simple: monitor incoming traffic in real time, detect suspicious behavior automatically, and respond immediately before the server becomes overwhelmed.
Instead of relying only on static thresholds, I wanted the system to learn normal traffic behavior and react intelligently when something abnormal happens.
This project combines Python, Linux networking, statistical analysis, and system-level security automation.
The “Brain” — Sliding Window Detection
The first major part of the system is the sliding window.
I used Python’s deque from the collections module because it is fast and efficient for handling real-time request logs.
The idea is to maintain a moving 60-second window of traffic activity.
Every new request gets added to the queue with its timestamp, and old requests outside the 60-second range are automatically removed.
This allows the system to always know the current request rate without scanning old logs repeatedly.
Example Logic:
from collections import deque
import time
request_window = deque()
def track_request():
current_time = time.time()
request_window.append(current_time)
while request_window and current_time - request_window[0] > 60:
request_window.popleft()
return len(request_window)
This creates the “brain” of the detection engine by constantly calculating live traffic speed.
And a lot more...
This project taught me how modern security systems combine software engineering with system administration.
I learned that defense is not just about preventionit is about detection, response, and automation.
Building this anomaly detection engine showed me how DevSecOps bridges development and infrastructure security.
Most importantly, it proved that even simple tools like Python and Linux can be used to build strong real-time protection systems when combined with the right design.
Top comments (0)