DEV Community: Adjerese Precious The latest articles on DEV Community by Adjerese Precious (@adjprecious). https://dev.to/adjprecious https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3903098%2Fa28b94db-469c-4fca-a28b-94df0f6cb429.png DEV Community: Adjerese Precious https://dev.to/adjprecious en How I Built a Real-Time HTTP Traffic Anomaly Detector for a Cloud Storage Platform Adjerese Precious Tue, 28 Apr 2026 21:30:55 +0000 https://dev.to/adjprecious/how-i-built-a-real-time-http-traffic-anomaly-detector-for-a-cloud-storage-platform-50oh https://dev.to/adjprecious/how-i-built-a-real-time-http-traffic-anomaly-detector-for-a-cloud-storage-platform-50oh <h2> <strong>Introduction</strong> </h2> <p>Imagine you're running a cloud storage platform that serves thousands of users around the clock. One day, a wave of suspicious traffic hits your server — thousands of requests per second from a single IP address, trying to overwhelm your system. How do you detect it? How do you stop it automatically before real users are affected?<br> That's exactly what I built for this project — a real-time anomaly detection engine that watches all incoming HTTP traffic, learns what normal looks like, and automatically blocks anything that deviates from that normal. No human intervention needed.<br> In this post I'll walk you through exactly how I built it, piece by piece, in plain English. No security experience required.</p> <h2> <strong>What the Project Does</strong> </h2> <p>The system sits alongside a Nextcloud cloud storage server and does five things continuously:</p> <ol> <li>Watches every HTTP request coming into the server in real time</li> <li>Learns what normal traffic looks like using statistics</li> <li>Detects when traffic from a single IP or globally looks suspicious</li> <li>Blocks suspicious IPs automatically using Linux firewall rules</li> <li>Alerts your team on Slack within 10 seconds</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi7j4zz2amsu7g5hagdjg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi7j4zz2amsu7g5hagdjg.png" alt=" "></a></p> <h2> <strong>The Technology Stack</strong> </h2> <ol> <li>Python 3.11 — the detector daemon</li> <li>Nginx — reverse proxy that logs all traffic as JSON</li> <li>Nextcloud — the cloud storage application being protected</li> <li>Docker + Docker Compose — runs everything together</li> <li>iptables — Linux kernel firewall that blocks IPs</li> <li>Slack — receives instant alerts</li> <li>Flask — serves the live metrics dashboard</li> </ol> <h2> <strong>Part 1 — Reading the Logs in Real Time</strong> </h2> <p>The first challenge is reading Nginx access logs as they are written — not after the fact, but live, line by line.<br> Nginx is configured to write every request as a JSON object:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.2.3.4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-28T10:08:10+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1234</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The detector uses a technique called log tailing — similar to the Linux tail -f command. Here's how it works in simple terms:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Open the log file </span><span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">/var/log/nginx/hng-access.log</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="c1"># Jump to the end — ignore old entries </span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">os</span><span class="p">.</span><span class="n">SEEK_END</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">line</span><span class="p">:</span> <span class="c1"># Nothing new yet wait briefly </span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="k">continue</span> <span class="c1"># Parse the JSON and process it </span> <span class="n">entry</span> <span class="o">=</span> <span class="nf">parse_log_line</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="n">detector</span><span class="p">.</span><span class="nf">process</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> </code></pre> </div> <p>Every new line that Nginx writes gets picked up within 100 milliseconds. That's fast enough to detect attacks as they happen.</p> <h2> <strong>Part 2 — The Sliding Window (How We Count Requests)</strong> </h2> <p>To detect whether an IP is sending too many requests we need to count how many requests it sent in the last 60 seconds not the last minute (which resets every 60 seconds), but a true rolling 60-second window.<br> We use Python's collections.deque for this think of it as a list that automatically stays the right size.<br> Here's the concept:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Time → 10s 11s 12s 13s 14s 15s 16s 17s ... IP X: . . . req req req req req ... Window at t=17s: [13, 14, 15, 16, 17] → 5 requests in 60s → 0.08 req/s Window at t=70s: [14, 15, 16, 17] → old entries evicted from left </code></pre> </div> <p>Eviction logic. This is the key part:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="c1"># Store timestamps of every request from this IP </span><span class="n">ip_window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="k">def</span> <span class="nf">process_request</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">timestamp</span><span class="p">):</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">timestamp</span> <span class="o">-</span> <span class="mi">60</span> <span class="c1"># 60 _second window_ </span> <span class="c1"># Remove old timestamps from the LEFT </span> <span class="k">while</span> <span class="n">ip_window</span> <span class="ow">and</span> <span class="n">ip_window</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># O(1) operation </span> <span class="c1"># Add new timestamp to the RIGHT </span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">timestamp</span><span class="p">)</span> <span class="c1"># Current rate = count / window size </span> <span class="n">rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">ip_window</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="c1"># requests per second </span> <span class="k">return</span> <span class="n">rate</span> </code></pre> </div> <p>Why a deque? Because popping from the left is O(1) instant. A regular Python list would be O(n) slow for large windows.<br> We maintain two windows simultaneously:</p> <ol> <li>Per-IP window — one deque per IP address</li> <li>Global window — one deque for all requests combined</li> </ol> <h2> <strong>Part 3 — The Rolling Baseline (Learning What Normal Looks Like)</strong> </h2> <p>Here's the clever part the system doesn't use a hardcoded threshold like "block anyone over 100 req/s." Instead it learns what normal traffic looks like and flags anything that deviates significantly.<br> Every second we record how many requests arrived:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Second 1: 3 requests Second 2: 2 requests Second 3: 5 requests Second 4: 1 request ... Second 1800: 4 requests (30 minutes of data) </code></pre> </div> <p>Every 60 seconds we compute the mean and standard deviation of the last 30 minutes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">math</span> <span class="k">def</span> <span class="nf">compute_baseline</span><span class="p">(</span><span class="n">counts</span><span class="p">):</span> <span class="n">n</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">counts</span><span class="p">)</span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">counts</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">counts</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="k">return</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span> </code></pre> </div> <p>For example if normal traffic is 5 req/s with occasional spikes to 10:</p> <ul> <li>Mean = 5.0 req/s</li> <li>Stddev = 2.0</li> </ul> <p>This baseline automatically updates as traffic patterns change. Quiet at night, busy in the morning the baseline adapts to both.<br> We also keep per-hour slots so the quiet 3am baseline doesn't affect the busy 9am detection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Each hour gets its own baseline </span><span class="n">hour_slots</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">0</span><span class="p">:</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="p">...],</span> <span class="c1"># midnight traffic </span> <span class="mi">9</span><span class="p">:</span> <span class="p">[</span><span class="mi">8</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="p">...],</span> <span class="c1"># morning traffic </span> <span class="mi">14</span><span class="p">:</span> <span class="p">[</span><span class="mi">15</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">16</span><span class="p">,</span> <span class="p">...],</span> <span class="c1"># afternoon traffic </span><span class="p">}</span> </code></pre> </div> <p>When detecting anomalies we use the current hour's baseline if it has enough data, otherwise fall back to the 30-minute rolling window.</p> <h2> <strong>Part 4 — Anomaly Detection (Making the Decision)</strong> </h2> <p>With the sliding window rate and the baseline computed, detection is simple math.<br> We use a z-score — a measure of how many standard deviations above normal the current rate is:<br> z = (current_rate - baseline_mean) / baseline_stddev<br> Examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Normal traffic: z = (5 - 5) / 2 = 0.0 → safe Slightly high: z = (9 - 5) / 2 = 2.0 → watching Attack traffic: z = (50 - 5) / 2 = 22.5 → ANOMALY! </code></pre> </div> <p>We fire an alert when either condition is true — whichever fires first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Condition 1 — statistical anomaly </span><span class="k">if</span> <span class="n">zscore</span> <span class="o">&gt;</span> <span class="mf">3.0</span><span class="p">:</span> <span class="nf">fire_alert</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">z-score </span><span class="si">{</span><span class="n">zscore</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> exceeds threshold</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Condition 2 — absolute rate spike (catches early attacks) </span><span class="k">elif</span> <span class="n">rate</span> <span class="o">&gt;</span> <span class="mf">5.0</span> <span class="o">*</span> <span class="n">baseline_mean</span><span class="p">:</span> <span class="nf">fire_alert</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">rate is </span><span class="si">{</span><span class="n">rate</span><span class="o">/</span><span class="n">baseline_mean</span><span class="si">:</span><span class="p">.</span><span class="mi">1</span><span class="n">f</span><span class="si">}</span><span class="s">x the baseline</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>We also detect error surges — if an IP is generating lots of 4xx/5xx errors (like scanning for vulnerabilities) we tighten the thresholds automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">error_rate</span> <span class="o">&gt;=</span> <span class="mi">3</span> <span class="o">*</span> <span class="n">baseline_error_rate</span><span class="p">:</span> <span class="c1"># This IP is behaving badly — be more sensitive </span> <span class="n">zscore_threshold</span> <span class="o">=</span> <span class="mf">2.0</span> <span class="c1"># tighter than normal 3.0 </span> <span class="n">rate_threshold</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="c1"># tighter than normal 5.0 </span></code></pre> </div> <h2> <strong>Part 5 — Blocking with iptables</strong> </h2> <p>When an IP is flagged we block it using iptables the Linux kernel's built-in firewall. This happens at the network level, before the request even reaches Nginx or Nextcloud.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">block_ip</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span> <span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--comment</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">hng-detector-ban</span><span class="sh">"</span> <span class="p">])</span> </code></pre> </div> <p>This inserts a rule at the top of the INPUT chain that says:<br> <em>Any packet from IP 5.6.7.8 → DROP (silently discard)</em></p> <p>The banned IP receives no response — their connection just times out. They can't reach the server at all.<br> Auto-unban with backoff — we don't ban forever immediately. The system uses a progressive backoff schedule:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqh42zadaw0yuzqpsd9h7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqh42zadaw0yuzqpsd9h7.png" alt=" "></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ban_durations</span> <span class="o">=</span> <span class="p">[</span><span class="mi">600</span><span class="p">,</span> <span class="mi">1800</span><span class="p">,</span> <span class="mi">7200</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="n">_</span><span class="c1"># seconds_ </span> <span class="k">def</span> <span class="nf">get_ban_duration</span><span class="p">(</span><span class="n">strike</span><span class="p">):</span> <span class="n">index</span> <span class="o">=</span> <span class="nf">min</span><span class="p">(</span><span class="n">strike</span> <span class="o">-</span> <span class="mi">1</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">ban_durations</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="n">ban_durations</span><span class="p">[</span><span class="n">index</span><span class="p">]</span> </code></pre> </div> <p>A background thread checks every 30 seconds if any bans have expired and removes them automatically.</p> <h2> <strong>Part 6 — Slack Alerts</strong> </h2> <p>Every detection event sends a Slack message via webhook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="k">def</span> <span class="nf">send_slack_alert</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">condition</span><span class="p">,</span> <span class="n">rate</span><span class="p">,</span> <span class="n">baseline</span><span class="p">,</span> <span class="n">duration</span><span class="p">):</span> <span class="n">message</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> 🚨 *IP BANNED* - *IP:* `</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s">` - *Reason:* </span><span class="si">{</span><span class="n">condition</span><span class="si">}</span><span class="s"> - *Current rate:* </span><span class="si">{</span><span class="n">rate</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s - *Baseline:* </span><span class="si">{</span><span class="n">baseline</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s - *Ban duration:* </span><span class="si">{</span><span class="n">duration</span><span class="si">}</span><span class="s"> </span><span class="sh">"""</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">message</span><span class="p">})</span> </code></pre> </div> <p>Alerts are sent asynchronously they never slow down the detection engine.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe68skafwji17hruufxlh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe68skafwji17hruufxlh.png" alt=" "></a></p> <h2> <strong>Part 7 — The Live Dashboard</strong> </h2> <p>A Flask web server runs on port 8888 and serves a dashboard that updates every 3 seconds showing:</p> <ul> <li>Global requests per second</li> <li>Baseline mean and standard deviation</li> <li>Currently banned IPs</li> <li>Top 10 source IPs by request rate</li> <li>CPU and memory usage</li> <li>System uptime</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6xtjifetnop16an76y7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6xtjifetnop16an76y7.png" alt=" "></a></p> <h2> <strong>Results</strong> </h2> <p>After deploying to AWS EC2 the system successfully:</p> <ul> <li>Detected a flood of 1000 requests from IP 5.6.7.8</li> <li>Fired a Slack alert within 3 seconds</li> <li>Added an iptables DROP rule within 10 seconds</li> <li>Auto-unbanned after 10 minutes</li> <li>Sent an unban Slack notification automatically</li> <li>Baseline adapted from 1.0 req/s idle to 40 req/s under load</li> </ul> <h2> <strong>Key Lessons</strong> </h2> <ol> <li>Deques are perfect for sliding windows:- O(1) eviction from the left makes them ideal for real-time rate tracking.</li> <li>Z-scores beat hardcoded thresholds:- a z-score of 3.0 works whether your baseline is 1 req/s or 1000 req/s.</li> <li>Per-hour baselines matter:- quiet nights shouldn't make morning traffic look like an attack.</li> <li>Block at the kernel level:- iptables blocks before the application sees the request, saving server resources during an attack.</li> <li>Always whitelist your own IPs:- accidentally banning your Docker gateway or monitoring system is embarrassing.</li> </ol> <h2> <strong>Source Code</strong> </h2> <p>Full source code is available at:<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/AdjPrecious" rel="noopener noreferrer"> AdjPrecious </a> / <a href="https://github.com/AdjPrecious/hng_stage_three_devops" rel="noopener noreferrer"> hng_stage_three_devops </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">HNG Anomaly Detection Engine</h1> </div> <blockquote> <p>Real-time HTTP traffic anomaly detector for cloud.ng (Nextcloud) — built for HNG DevSecOps challenge.</p> </blockquote> <p><strong>Language:</strong> Python 3.11<br> <strong>Why Python?</strong> The asyncio/threading model is ideal for I/O-bound log tailing; the standard library covers deques, statistics, and subprocess; and Flask gives us a dashboard in ~100 lines. Python's readability also makes the detection logic easy to audit and comment.</p> <div class="markdown-heading"> <h2 class="heading-element">Live Links <em>(fill in after deployment)</em> </h2> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>URL</th> </tr> </thead> <tbody> <tr> <td>Nextcloud</td> <td><code>http://YOUR_SERVER_IP</code></td> </tr> <tr> <td>Metrics Dashboard</td> <td><code>http://YOUR_DASHBOARD_DOMAIN:8888</code></td> </tr> <tr> <td>GitHub Repo</td> <td><code>https://github.com/YOUR_USERNAME/hng-anomaly-detector</code></td> </tr> <tr> <td>Blog Post</td> <td><code>https://YOUR_BLOG_URL</code></td> </tr> </tbody> </table></div> <div class="markdown-heading"> <h2 class="heading-element">Architecture</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>Internet │ ▼ [Nginx :80] ──── JSON logs ──▶ HNG-nginx-logs (Docker volume) │ │ ▼ ▼ (read-only mount) [Nextcloud] [Detector Daemon] ├── LogMonitor (tail log) ├── AnomalyDetector (sliding windows) ├── BaselineEngine (rolling stats) ├── Blocker (iptables) ├── Notifier (Slack) └── Dashboard (Flask :8888) </code></pre></div> <div class="markdown-heading"> <h2 class="heading-element">How the Sliding Window Works</h2> </div> <p>Two <strong><code>collections.deque</code></strong> structures are maintained simultaneously:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>_global_window: deque[float] # timestamps of ALL requests _ip_windows: dict[ip → deque] # per-IP timestamp deques </code></pre></div> <p>…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/AdjPrecious/hng_stage_three_devops" rel="noopener noreferrer">View on GitHub</a></div> </div> monitoring security showdev tutorial