DEV Community: Joshua Yacob Papica The latest articles on DEV Community by Joshua Yacob Papica (@joshuapapica). https://dev.to/joshuapapica https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3784786%2F224d452a-8cc2-4770-950e-0b950c0c54ec.png DEV Community: Joshua Yacob Papica https://dev.to/joshuapapica en First few steps to 6 Figures: A Beginner’s Guide to Building a Real-Time Mini IDS Using Python Joshua Yacob Papica Sun, 22 Feb 2026 12:42:29 +0000 https://dev.to/up_min_sparcs/first-few-steps-to-6-figures-a-beginners-guide-to-building-a-real-time-mini-ids-using-python-5736 https://dev.to/up_min_sparcs/first-few-steps-to-6-figures-a-beginners-guide-to-building-a-real-time-mini-ids-using-python-5736 <p>This article was co-authored by <a class="mentioned-user" href="https://dev.to/reydocs">@reydocs</a>.</p> <h2> Introduction </h2> <p>If you have ever taken a look at network traffic logs, you’ll notice constant connection attempts from users. While some come from legitimate ones, others are clearly suspicious due to repeated failures.</p> <p>This is where Intrusion detection systems, or IDS, come in. An IDS monitors network activity and identifies suspicious behavior such as repeated failed login attempts or unusual access patterns, allowing organizations to take action as soon as unusual activity appears.</p> <p>In this article, you will learn how to create your own hybrid IDS consisting of different IDS types while only using Python. By the end, you’ll even see how to visualize your results with an interactive dashboard.</p> <h2> Table of Contents </h2> <ul> <li>Types of IDS</li> <li>Project Overview</li> <li>Tools and Technologies Used</li> <li>Setting Up Your Environment</li> <li>Packet Capture Engine</li> <li>Traffic Analysis Engine</li> <li>Detection Engine</li> <li>Alert System</li> <li>Simulating the IDS</li> <li>Combining It All Together</li> <li>Visualizing the data using Streamlit</li> <li>To sum it up</li> <li>Potential Improvements</li> <li>Final Thoughts</li> </ul> <h2> TYPES OF IDS </h2> <p>Before we go into creating our own IDS, we must first understand the different types of IDS and what they do.</p> <ol> <li>Network IDS(NIDS)</li> </ol> <p>NIDS is a security tool that is used to monitor your network traffic for suspicious activity by performing Traffic Monitoring, Analysis, and Alerts.</p> <ol> <li>Host IDS(HIDS)</li> </ol> <p>HIDS monitors system logs for signs of suspicious activity to detect unusual behaviours associated with either human users or applications.</p> <ol> <li>Signature IDS</li> </ol> <p>Signature-based IDS is a system either on the network or host and identifies threats by comparing the system activity to a database of known attack patterns or signatures to detect unusual behavior.</p> <ol> <li>Anomaly IDS</li> </ol> <p>Anomaly-based IDS identifies unusual behavior by learning patterns of normal activity and flagging deviations from that baseline.</p> <h2> PROJECT OVERVIEW </h2> <p>This Mini IDS tutorial was built to demonstrate how intrusion detection works at a fundamental level and to create a simplified system that monitors authentication activity, detects unusual behavior, and generates alerts.</p> <h2> TOOLS AND TECHNOLOGIES USED </h2> <p>This project relies entirely on Python and its ecosystem of libraries, including:</p> <ul> <li> <strong>Scapy</strong> - Captures and inspects network packets in real time. </li> <li> <strong>Scikit-learn</strong> - Provides the Isolation Forest Algorithm for detecting anomalies in network traffic </li> <li> <strong>python-nmap</strong> - Scans and maps network hosts and open ports to identify potential threats. </li> <li> <strong>NumPy</strong> - Performs numerical operations and processes </li> <li> <strong>Logging</strong> - Python’s built-in-module for generating alerts and recording suspicious activity </li> <li> <strong>Queue &amp; Threading</strong> - Enables efficient handling of multiple packets simultaneously </li> <li> <strong>Pandas</strong> - Reads CSV files and organizes traffic for data analysis </li> <li> <strong>Streamlit</strong> - Builds an interactive dashboard to visualize network activity and detected threats.</li> </ul> <p>Having introduced the technologies that power our IDS, let’s take a look at how they fit together in the system’s overall architecture, from packet capture to visualization.</p> <p>Our mini IDS captures network packets and records them as logs. Then, they are analyzed by the detection engine using signature rules and anomaly detection to identify suspicious activity. When a threat is found, the alert system generates warnings, which are then displayed on a Streamlit dashboard for visualization</p> <h2> SETTING UP YOUR ENVIRONMENT </h2> <p>Before building the core modules, make sure you have an IDE that supports Python 3.10 or later. It’s recommended to use a virtual environment (venv) to keep your project dependencies isolated. You can create one with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">python</span> <span class="o">-</span><span class="n">m</span> <span class="n">venv</span> <span class="n">venv</span> </code></pre> </div> <p>Then activate it by typing the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">source</span> <span class="n">venv</span><span class="o">/</span><span class="nb">bin</span><span class="o">/</span><span class="n">activate</span> <span class="c1"># for macOS/Linux </span> <span class="n">venv</span>\<span class="n">Scripts</span>\<span class="n">activate</span><span class="p">.</span><span class="n">bat</span> <span class="c1"># for Windows(Command Prompt) </span> <span class="n">venv</span>\<span class="n">Scripts</span>\<span class="n">Activate</span><span class="p">.</span><span class="n">ps1</span> <span class="c1"># For Windows (PowerShell) </span></code></pre> </div> <p>Then Install the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">pip</span> <span class="n">install</span> <span class="n">scapy</span> <span class="n">pip</span> <span class="n">install</span> <span class="n">python</span><span class="o">-</span><span class="n">nmap</span> <span class="n">pip</span> <span class="n">install</span> <span class="n">numpy</span> <span class="n">pip</span> <span class="n">install</span> <span class="n">scikit</span><span class="o">-</span><span class="n">learn</span> <span class="n">pip</span> <span class="n">install</span> <span class="n">pandas</span> </code></pre> </div> <h2> SETTING UP STREAMLIT </h2> <p>Since we will be using Streamlit to visualize the data given by our mini IDS, you should also learn how to install your Streamlit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">pip</span> <span class="n">install</span> <span class="n">streamlit</span> </code></pre> </div> <p>After installing, you can verify its installation by running this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">streamlit</span> <span class="n">hello</span> </code></pre> </div> <p>After installing and setting up everything, we can now proceed to building the core components.</p> <h2> LET’S BEGIN! </h2> <p>Since our IDS is a hybrid system of signature and anomaly-based IDS, it will comprise of four main components:</p> <ol> <li>A packet capture system </li> <li>A traffic analysis module </li> <li>A detection engine </li> <li>An alert system</li> </ol> <p><strong>Important Note:</strong> Network interface names differ depending on the operating system. Before running the IDS, ensure that the interface parameter in the code matches your system’s active network interface. Refer to the README in the repository for guidance.</p> <h2> THE PACKET CAPTURE ENGINE </h2> <p>We’ll start with the packet capture engine and for this, we will use Scapy. Scapy is a networking library that allows users to perform network-related tasks using Python.</p> <p>We’ll define our PacketEngine class that will serve as the basis for our IDS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">scapy.all</span> <span class="kn">import</span> <span class="n">sniff</span><span class="p">,</span> <span class="n">IP</span><span class="p">,</span> <span class="n">TCP</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">queue</span> <span class="c1">#PACKET CAPTURE ENGINE </span><span class="k">class</span> <span class="nc">packetCapture</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1">#initializes the class </span> <span class="c1">#stores captured packets </span> <span class="n">self</span><span class="p">.</span><span class="n">packet_queue</span><span class="o">=</span> <span class="n">queue</span><span class="p">.</span><span class="nc">Queue</span><span class="p">()</span> <span class="c1">#controls when the packet capture should stop </span> <span class="n">self</span><span class="p">.</span><span class="n">stop_capture</span><span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Event</span><span class="p">()</span> <span class="c1">#acts as a handler for each captured packets </span> <span class="c1">#checks if packets have IP or TCP layers </span> <span class="k">def</span> <span class="nf">packet_callback</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">packet</span><span class="p">):</span> <span class="k">if</span> <span class="n">IP</span> <span class="ow">in</span> <span class="n">packet</span> <span class="ow">and</span> <span class="n">TCP</span> <span class="ow">in</span> <span class="n">packet</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">packet_queue</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="n">packet</span><span class="p">)</span> <span class="k">def</span> <span class="nf">start_capture</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">interface</span><span class="o">=</span><span class="sh">"</span><span class="s">eth0</span><span class="sh">"</span><span class="p">):</span> <span class="k">def</span> <span class="nf">capture_thread</span><span class="p">():</span> <span class="nf">sniff</span><span class="p">(</span><span class="n">iface</span><span class="o">=</span><span class="n">interface</span><span class="p">,</span> <span class="n">prn</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">packet_callback</span><span class="p">,</span> <span class="n">store</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">stop_filter</span><span class="o">=</span><span class="k">lambda</span> <span class="n">_</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">stop_capture</span><span class="p">.</span><span class="nf">is_set</span><span class="p">())</span> <span class="n">self</span><span class="p">.</span><span class="n">capture_thread</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">capture_thread</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">capture_thread</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="k">def</span> <span class="nf">stop</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">stop_capture</span><span class="p">.</span><span class="nf">set</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">capture_thread</span><span class="p">.</span><span class="nf">join</span><span class="p">()</span> </code></pre> </div> <p>Let’s walk through the code to understand what each line of code does and its functions.</p> <p>The <code>__init__</code> method initializes the class by creating a <code>queue.Queue</code> where the captured packets are stored and a <code>threading.Event</code> to control whether the capturing of packets should be stopped. The <code>packet_callback</code> serves as a handler for the captured packets and also checks if the captured packets have both IP or TCP layers, and if they do, they are added to the queue for further processing.</p> <p>The <code>start_capture</code> method starts capturing packets on a specified interface, with <code>eth0</code> as the default interface since it captures packets from your Ethernet interface. </p> <p>The function runs a separate thread to execute Scapy’s <code>sniff</code> function to continuously capture packets on the interface. The <code>stop_filter</code> parameter ensures that capturing stops when <code>stop_capture</code> is triggered. </p> <p>The <code>stop</code> method stops the capture by triggering the <code>stop_capture</code> event and waits for the thread to finish, ensuring smooth termination. This design allows for real-time packet monitoring and capturing without blocking the main thread.</p> <h2> THE TRAFFIC ANALYSIS ENGINE </h2> <p>We will now build the Traffic Analysis Engine. This module will process the captured packets and extract important features.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#TRAFFIC ANALYSIS MODULE </span><span class="kn">from</span> <span class="n">scapy.all</span> <span class="kn">import</span> <span class="n">sniff</span><span class="p">,</span> <span class="n">IP</span><span class="p">,</span> <span class="n">TCP</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">queue</span> <span class="k">class</span> <span class="nc">trafficAnalyzer</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">connections</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">list</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">flow_stats</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="k">lambda</span><span class="p">:{</span> <span class="sh">'</span><span class="s">packet_count</span><span class="sh">'</span> <span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="sh">'</span><span class="s">byte_count</span><span class="sh">'</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="sh">'</span><span class="s">start_time</span><span class="sh">'</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">'</span><span class="s">last_time</span><span class="sh">'</span><span class="p">:</span> <span class="bp">None</span> <span class="p">})</span> <span class="k">def</span> <span class="nf">analyze_packet</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">packet</span><span class="p">):</span> <span class="k">if</span> <span class="n">IP</span> <span class="ow">in</span> <span class="n">packet</span> <span class="ow">and</span> <span class="n">TCP</span> <span class="ow">in</span> <span class="n">packet</span><span class="p">:</span> <span class="n">ip_src</span> <span class="o">=</span> <span class="n">packet</span><span class="p">[</span><span class="n">IP</span><span class="p">].</span><span class="n">src</span> <span class="n">ip_dst</span> <span class="o">=</span> <span class="n">packet</span><span class="p">[</span><span class="n">IP</span><span class="p">].</span><span class="n">dst</span> <span class="n">port_src</span> <span class="o">=</span> <span class="n">packet</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">sport</span> <span class="n">port_dst</span> <span class="o">=</span> <span class="n">packet</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">dport</span> <span class="n">flow_key</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_src</span><span class="p">,</span> <span class="n">ip_dst</span><span class="p">,</span> <span class="n">port_src</span><span class="p">,</span> <span class="n">port_dst</span><span class="p">)</span> <span class="n">stats</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">flow_stats</span><span class="p">[</span><span class="n">flow_key</span><span class="p">]</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_count</span><span class="sh">'</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">byte_count</span><span class="sh">'</span><span class="p">]</span> <span class="o">+=</span> <span class="nf">len</span><span class="p">(</span><span class="n">packet</span><span class="p">)</span> <span class="n">current_time</span> <span class="o">=</span> <span class="n">packet</span><span class="p">.</span><span class="n">time</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">start_time</span><span class="sh">'</span><span class="p">]:</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">start_time</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">current_time</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">last_time</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">current_time</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">extract_features</span><span class="p">(</span><span class="n">packet</span><span class="p">,</span> <span class="n">stats</span><span class="p">)</span> <span class="k">def</span> <span class="nf">extract_features</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">packet</span><span class="p">,</span> <span class="n">stats</span><span class="p">):</span> <span class="c1"># Using max() to ensure duration is never strictly 0, avoiding ZeroDivisionError </span> <span class="n">duration</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">last_time</span><span class="sh">'</span><span class="p">]</span> <span class="o">-</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">start_time</span><span class="sh">'</span><span class="p">],</span> <span class="mf">0.0001</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">packet_size</span><span class="sh">'</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">packet</span><span class="p">),</span> <span class="sh">'</span><span class="s">flow_duration</span><span class="sh">'</span><span class="p">:</span> <span class="n">duration</span><span class="p">,</span> <span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">:</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_count</span><span class="sh">'</span><span class="p">]</span> <span class="o">/</span> <span class="n">duration</span><span class="p">,</span> <span class="sh">'</span><span class="s">byte_rate</span><span class="sh">'</span><span class="p">:</span> <span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">byte_count</span><span class="sh">'</span><span class="p">]</span> <span class="o">/</span> <span class="n">duration</span><span class="p">,</span> <span class="sh">'</span><span class="s">tcp_flags</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">flags</span><span class="p">,</span> <span class="sh">'</span><span class="s">window_size</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">window</span> <span class="p">}</span> </code></pre> </div> <p>In this module, we defined the <code>trafficAnalyzer</code> class to analyze the network traffic. We can track connection flows here and calculate statistics for the packets in real-time. We used the <code>defaultdict</code> data structure in Python for managing connections and data flow statistics by organizing them into different unique flows. </p> <p>The <code>__init__</code> method initializes two things: the <code>connections</code> and <code>flow_stats</code>. The <code>connections</code> attribute stores the list of related packets, while <code>flow_stats</code> stores the statistics for each flow, including <code>packet_count</code>, <code>byte_count</code>, <code>start_time</code>, and <code>last_time</code>. </p> <p>The <code>analyze_packet</code> method analyzes and processes each packet. If the packets contain IP or TCP layers, it extracts the source IP and destination IP ports, creating a <code>flow_key</code> to identify the flow. It updates the statistics by incrementing the packet count, adding the packet size to the byte count, and adjusting the start time and last time of the flow. </p> <p>The <code>extract_features</code> method computes the details of the captured packets. These include the packet size, flow duration, packet rate, byte rate, TCP flags, and the TCP window size. These features are useful in identifying patterns and malicious behaviors in the network traffic.</p> <h2> THE DETECTION ENGINE </h2> <p>Now, we will build the Detection Engine that will implement the signature and anomaly based detection mechanisms.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sklearn.ensemble</span> <span class="kn">import</span> <span class="n">IsolationForest</span> <span class="kn">from</span> <span class="n">sklearn.exceptions</span> <span class="kn">import</span> <span class="n">NotFittedError</span> <span class="c1"># Added this import </span><span class="kn">import</span> <span class="n">numpy</span> <span class="k">as</span> <span class="n">np</span> <span class="k">class</span> <span class="nc">detectionEngine</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># Corrected the typo here as well </span> <span class="n">self</span><span class="p">.</span><span class="n">anomaly_detector</span> <span class="o">=</span> <span class="nc">IsolationForest</span><span class="p">(</span> <span class="n">contamination</span><span class="o">=</span><span class="mf">0.1</span><span class="p">,</span> <span class="n">random_state</span><span class="o">=</span><span class="mi">42</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">signature_rules</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">load_signature_rules</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">training_data</span><span class="o">=</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">load_signature_rules</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">syn_flood</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">condition</span><span class="sh">'</span><span class="p">:</span> <span class="k">lambda</span> <span class="n">features</span><span class="p">:</span> <span class="p">(</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">tcp_flags</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="mi">2</span> <span class="ow">and</span> <span class="c1"># SYN flag </span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">100</span> <span class="p">)</span> <span class="p">},</span> <span class="sh">'</span><span class="s">port_scan</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">condition</span><span class="sh">'</span><span class="p">:</span> <span class="k">lambda</span> <span class="n">features</span><span class="p">:</span> <span class="p">(</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_size</span><span class="sh">'</span><span class="p">]</span> <span class="o">&lt;</span> <span class="mi">100</span> <span class="ow">and</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">50</span> <span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">train_anomaly_detector</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">normal_traffic_data</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">anomaly_detector</span><span class="p">.</span><span class="nf">fit</span><span class="p">(</span><span class="n">normal_traffic_data</span><span class="p">)</span> <span class="k">def</span> <span class="nf">detect_threats</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">features</span><span class="p">):</span> <span class="n">threats</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># Signature detection always runs </span> <span class="k">for</span> <span class="n">rule_name</span><span class="p">,</span> <span class="n">rule</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">signature_rules</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">if</span> <span class="n">rule</span><span class="p">[</span><span class="sh">'</span><span class="s">condition</span><span class="sh">'</span><span class="p">](</span><span class="n">features</span><span class="p">):</span> <span class="n">threats</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">signature</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">rule</span><span class="sh">'</span><span class="p">:</span> <span class="n">rule_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">:</span> <span class="mf">1.0</span><span class="p">})</span> <span class="n">feature_vector</span> <span class="o">=</span> <span class="n">np</span><span class="p">.</span><span class="nf">array</span><span class="p">([[</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_size</span><span class="sh">'</span><span class="p">],</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">],</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">byte_rate</span><span class="sh">'</span><span class="p">]</span> <span class="p">]])</span> <span class="c1"># This block prevents the NotFittedError from crashing the app </span> <span class="k">try</span><span class="p">:</span> <span class="kn">from</span> <span class="n">sklearn.exceptions</span> <span class="kn">import</span> <span class="n">NotFittedError</span> <span class="n">anomaly_score</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">anomaly_detector</span><span class="p">.</span><span class="nf">score_samples</span><span class="p">(</span><span class="n">feature_vector</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">anomaly_score</span> <span class="o">&lt;</span> <span class="o">-</span><span class="mf">0.5</span><span class="p">:</span> <span class="n">threats</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">anomaly</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">score</span><span class="sh">'</span><span class="p">:</span> <span class="n">anomaly_score</span><span class="p">,</span> <span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">:</span> <span class="nf">min</span><span class="p">(</span><span class="mf">1.0</span><span class="p">,</span> <span class="nf">abs</span><span class="p">(</span><span class="n">anomaly_score</span><span class="p">))</span> <span class="p">})</span> <span class="nf">except </span><span class="p">(</span><span class="n">NotFittedError</span><span class="p">,</span> <span class="nb">AttributeError</span><span class="p">):</span> <span class="k">pass</span> <span class="c1"># Skip anomaly check if model isn't ready </span> <span class="k">return</span> <span class="n">threats</span> </code></pre> </div> <p>This module defines a hybrid system, utilizing signature and anomaly-based detection methods. We used the <code>IsolationForest</code> model to detect anomalies and also used its pre-defined rules and functions to detect and identify anomalous patterns.</p> <p>In this code block, the <code>train_anomaly_detector</code> method is used to train the <code>IsolationForest</code> model using a dataset of normal traffic measures. This ensures that the model knows what the “normal” traffic looks like beforehand to differentiate different traffic patterns.</p> <p>The <code>detect_threats</code> method evaluates the network traffic features for potential threats using two approaches:</p> <ol> <li> <strong>Signature-based Detection:</strong> It iteratively goes through the pre-defined rules and applies each rule to the traffic. If the traffic matches a rule, the system flags it as a signature-based threat and records it with high confidence. </li> <li> <strong>Anomaly-based Detection:</strong> It processes the feature vector (<code>packet_size</code>, <code>packet_rate</code>, and <code>byte_rate</code>) through the <code>IsolationForest</code> model and calculates an anomaly score. If the score indicates a threat, the engine triggers it as an anomaly and produces an anomaly score that reflects the threat’s severity.</li> </ol> <p>Finally, we return the aggregate list of identified threats with their respective annotations or tags (either <code>signature</code> or <code>anomaly</code>), the score that triggered the anomaly, and its confidence score showing the severity and whether it is a threat.</p> <h2> THE ALERT SYSTEM </h2> <p>This module will be responsible for processing and organizing the logs in a more structured manner.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">pandas</span> <span class="k">as</span> <span class="n">pd</span> <span class="kn">import</span> <span class="n">os</span> <span class="k">class</span> <span class="nc">alertSystem</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">log_file</span><span class="o">=</span><span class="sh">"</span><span class="s">ids_alerts.log</span><span class="sh">"</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="sh">"</span><span class="s">IDS_Alerts</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="n">handler</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nc">FileHandler</span><span class="p">(</span><span class="n">log_file</span><span class="p">)</span> <span class="n">formatter</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nc">Formatter</span><span class="p">(</span> <span class="sh">'</span><span class="s">%(asctime)s - %(levelname)s - %(message)s</span><span class="sh">'</span> <span class="p">)</span> <span class="n">handler</span><span class="p">.</span><span class="nf">setFormatter</span><span class="p">(</span><span class="n">formatter</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">addHandler</span><span class="p">(</span><span class="n">handler</span><span class="p">)</span> <span class="k">def</span> <span class="nf">generate_alert</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">threat</span><span class="p">,</span> <span class="n">packet_info</span><span class="p">):</span> <span class="n">alert</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">'</span><span class="s">threat_type</span><span class="sh">'</span><span class="p">:</span> <span class="n">threat</span><span class="p">[</span><span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">source_ip</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet_info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">source_ip</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">destination_ip</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet_info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">destination_ip</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">:</span> <span class="n">threat</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">,</span> <span class="mf">0.0</span><span class="p">),</span> <span class="sh">'</span><span class="s">details</span><span class="sh">'</span><span class="p">:</span> <span class="n">threat</span> <span class="p">}</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">alert</span><span class="p">))</span> <span class="k">if</span> <span class="n">threat</span><span class="p">[</span><span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mf">0.8</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">logger</span><span class="p">.</span><span class="nf">critical</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">High confidence threat detected: </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">alert</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">alert_df</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">([</span><span class="n">alert</span><span class="p">])</span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="sh">"</span><span class="s">alerts.csv</span><span class="sh">"</span><span class="p">):</span> <span class="n">alert_df</span><span class="p">.</span><span class="nf">to_csv</span><span class="p">(</span><span class="sh">"</span><span class="s">alerts.csv</span><span class="sh">"</span><span class="p">,</span> <span class="n">mode</span><span class="o">=</span><span class="sh">'</span><span class="s">a</span><span class="sh">'</span><span class="p">,</span> <span class="n">header</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">alert_df</span><span class="p">.</span><span class="nf">to_csv</span><span class="p">(</span><span class="sh">"</span><span class="s">alerts.csv</span><span class="sh">"</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> </code></pre> </div> <p>The <code>__init__</code> method initializes a logger named <code>IDS_Alerts</code> with <code>INFO</code> logging to catch alert information. It writes logs to a specific file <code>ids_alerts.log</code>. The <code>FileHandler</code> directs the captured logs to the file, and the <code>Formatter</code> formats them. </p> <p>The <code>generate_alert</code> method is responsible for creating structured entries. Each alert shows key information such as the timestamp of detection, the type of threat, the source and destination IPs involved, its confidence level, and additional threat-specific information. These alerts are logged as <code>WARNING</code> level messages in JSON format.</p> <p>If the confidence level is high (higher than 0.8), the alert is escalated and logged as a <code>CRITICAL</code> level message. This method is extensible, allowing for additional notification mechanisms, such as sending the alerts via email, etc.</p> <h2> SIMULATING THE IDS </h2> <p>Now that you have built the IDS, we will now try to run a simulation for it. We will need a file to train our Isolation Forest model to determine the normal and abnormal patterns in the packets and another file to generate the log attempts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">numpy</span> <span class="k">as</span> <span class="n">np</span> <span class="kn">from</span> <span class="n">detectionEngine</span> <span class="kn">import</span> <span class="n">detectionEngine</span> <span class="kn">from</span> <span class="n">alertSystem</span> <span class="kn">import</span> <span class="n">alertSystem</span> <span class="c1"># Initialize engine </span><span class="n">engine</span> <span class="o">=</span> <span class="nf">detectionEngine</span><span class="p">()</span> <span class="n">alerts</span> <span class="o">=</span> <span class="nf">alertSystem</span><span class="p">(</span><span class="n">log_file</span><span class="o">=</span><span class="sh">"</span><span class="s">test_alerts.log</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Train the anomaly detector with mock normal traffic </span><span class="n">normal_traffic</span> <span class="o">=</span> <span class="n">np</span><span class="p">.</span><span class="nf">array</span><span class="p">([</span> <span class="p">[</span><span class="mi">60</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">600</span><span class="p">],</span> <span class="c1"># packet_size, packet_rate, byte_rate </span> <span class="p">[</span><span class="mi">70</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">840</span><span class="p">],</span> <span class="p">[</span><span class="mi">65</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">520</span><span class="p">]</span> <span class="p">])</span> <span class="n">engine</span><span class="p">.</span><span class="nf">train_anomaly_detector</span><span class="p">(</span><span class="n">normal_traffic</span><span class="p">)</span> <span class="c1"># Example features that will trigger signature-based alert </span><span class="n">features</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">packet_size</span><span class="sh">'</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">:</span> <span class="mi">120</span><span class="p">,</span> <span class="c1"># &gt; 100 triggers SYN flood rule </span> <span class="sh">'</span><span class="s">byte_rate</span><span class="sh">'</span><span class="p">:</span> <span class="mi">720</span><span class="p">,</span> <span class="sh">'</span><span class="s">tcp_flags</span><span class="sh">'</span><span class="p">:</span> <span class="mi">2</span> <span class="c1"># SYN flag </span><span class="p">}</span> <span class="c1"># Detect threats </span><span class="n">threats</span> <span class="o">=</span> <span class="n">engine</span><span class="p">.</span><span class="nf">detect_threats</span><span class="p">(</span><span class="n">features</span><span class="p">)</span> <span class="c1"># Generate alerts </span><span class="k">for</span> <span class="n">threat</span> <span class="ow">in</span> <span class="n">threats</span><span class="p">:</span> <span class="n">packet_info</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">source_ip</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">192.168.1.5</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">destination_ip</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">192.168.1.3</span><span class="sh">'</span> <span class="p">}</span> <span class="n">alerts</span><span class="p">.</span><span class="nf">generate_alert</span><span class="p">(</span><span class="n">threat</span><span class="p">,</span> <span class="n">packet_info</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Alerts generated. Check test_alerts.log</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>In this code, we created a <code>test_alerts</code> script to train our model to determine which traffic is normal or abnormal. It creates a "normal" baseline and feeds a "malicious scenario" into the engine. This allows us to verify whether the detection logic works without having to risk your machine to a real cyber attack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pandas</span> <span class="k">as</span> <span class="n">pd</span> <span class="kn">import</span> <span class="n">random</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="c1"># Config </span><span class="n">num_entries</span> <span class="o">=</span> <span class="mi">1000</span> <span class="n">users</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">alice</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">bob</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">charlie</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">dave</span><span class="sh">'</span><span class="p">]</span> <span class="n">ip_pool</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">192.168.1.</span><span class="sh">'</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">20</span><span class="p">)]</span> <span class="o">+</span> <span class="p">[</span><span class="sh">'</span><span class="s">10.0.0.</span><span class="sh">'</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">20</span><span class="p">)]</span> <span class="n">status_options</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">fail</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Generate logs </span><span class="n">logs</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">num_entries</span><span class="p">):</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">start_time</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="n">random</span><span class="p">.</span><span class="nf">randint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">86400</span><span class="p">))</span> <span class="n">user</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">(</span><span class="n">users</span><span class="p">)</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">(</span><span class="n">ip_pool</span><span class="p">)</span> <span class="n">status</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">choices</span><span class="p">(</span><span class="n">status_options</span><span class="p">,</span> <span class="n">weights</span><span class="o">=</span><span class="p">[</span><span class="mf">0.8</span><span class="p">,</span><span class="mf">0.2</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span> <span class="n">logs</span><span class="p">.</span><span class="nf">append</span><span class="p">([</span><span class="n">timestamp</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">status</span><span class="p">])</span> <span class="c1"># Create CSV </span><span class="n">df_logs</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">(</span><span class="n">logs</span><span class="p">,</span> <span class="n">columns</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">ip_address</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">])</span> <span class="n">df_logs</span><span class="p">.</span><span class="nf">to_csv</span><span class="p">(</span><span class="sh">'</span><span class="s">simulated_auth_logs.csv</span><span class="sh">'</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">simulated_auth_logs.csv created!</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>In this code, we created a <code>LogAttempts</code> script to generate “mock” data for the system. It creates a history of “fake” user logins and generates 1000 random login attempts using a list of fake users and random IP addresses. This ensures that the dashboard will not look empty, and it needs to be run at least once before running the <code>miniIntrusionDetectionSystem</code> and <code>dashboard.py</code>.</p> <h2> COMBINING IT ALL TOGETHER </h2> <p>Now that we have our 4 modules, we can now start putting them all together to create a functional IDS solution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">alertSystem</span> <span class="kn">import</span> <span class="n">alertSystem</span> <span class="kn">from</span> <span class="n">detectionEngine</span> <span class="kn">import</span> <span class="n">detectionEngine</span> <span class="kn">from</span> <span class="n">packetCapture</span> <span class="kn">import</span> <span class="n">packetCapture</span> <span class="kn">from</span> <span class="n">trafficAnalyzer</span> <span class="kn">import</span> <span class="n">trafficAnalyzer</span> <span class="kn">import</span> <span class="n">queue</span> <span class="kn">from</span> <span class="n">scapy.all</span> <span class="kn">import</span> <span class="n">IP</span><span class="p">,</span> <span class="n">TCP</span> <span class="kn">import</span> <span class="n">pandas</span> <span class="k">as</span> <span class="n">pd</span> <span class="kn">import</span> <span class="n">numpy</span> <span class="k">as</span> <span class="n">np</span> <span class="c1"># needed for feature arrays </span> <span class="k">class</span> <span class="nc">intrusionDetectionSystem</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">interface</span><span class="o">=</span><span class="sh">"</span><span class="s">Wi-Fi</span><span class="sh">"</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">packet_capture</span> <span class="o">=</span> <span class="nf">packetCapture</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">traffic_analyzer</span><span class="o">=</span> <span class="nf">trafficAnalyzer</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">detection_engine</span> <span class="o">=</span> <span class="nf">detectionEngine</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">alert_system</span> <span class="o">=</span> <span class="nf">alertSystem</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">interface</span> <span class="o">=</span> <span class="n">interface</span> <span class="c1"># -------------------------- </span> <span class="c1"># Train anomaly detector from CSV </span> <span class="c1"># -------------------------- </span> <span class="k">try</span><span class="p">:</span> <span class="n">df</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nf">read_csv</span><span class="p">(</span><span class="sh">"</span><span class="s">simulated_auth_logs.csv</span><span class="sh">"</span><span class="p">)</span> <span class="n">df</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_size</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">df</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">].</span><span class="nf">apply</span><span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">x</span> <span class="o">==</span> <span class="sh">'</span><span class="s">fail</span><span class="sh">'</span> <span class="k">else</span> <span class="mi">0</span><span class="p">)</span> <span class="n">packet_counts</span> <span class="o">=</span> <span class="n">df</span><span class="p">.</span><span class="nf">groupby</span><span class="p">(</span><span class="sh">'</span><span class="s">ip_address</span><span class="sh">'</span><span class="p">).</span><span class="nf">cumcount</span><span class="p">()</span> <span class="o">+</span> <span class="mi">1</span> <span class="n">df</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">packet_counts</span> <span class="n">df</span><span class="p">[</span><span class="sh">'</span><span class="s">byte_rate</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">packet_counts</span> <span class="c1"># simple placeholder </span> <span class="n">training_data</span> <span class="o">=</span> <span class="n">df</span><span class="p">[[</span><span class="sh">'</span><span class="s">packet_size</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">byte_rate</span><span class="sh">'</span><span class="p">]].</span><span class="n">values</span> <span class="n">self</span><span class="p">.</span><span class="n">detection_engine</span><span class="p">.</span><span class="nf">train_anomaly_detector</span><span class="p">(</span><span class="n">training_data</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Anomaly detector trained from simulated_auth_logs.csv</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileNotFoundError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">simulated_auth_logs.csv not found. Anomaly detection will not work.</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">start</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Starting IDS on Interface </span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">interface</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">packet_capture</span><span class="p">.</span><span class="nf">start_capture</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">interface</span><span class="p">)</span> <span class="n">training_samples</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">is_trained</span> <span class="o">=</span> <span class="bp">False</span> <span class="c1"># Flag to prevent premature detection </span> <span class="kn">import</span> <span class="n">time</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Phase 1: Collecting baseline traffic (5 seconds)...</span><span class="sh">"</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">packet</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">packet_capture</span><span class="p">.</span><span class="n">packet_queue</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">timeout</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">features</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">traffic_analyzer</span><span class="p">.</span><span class="nf">analyze_packet</span><span class="p">(</span><span class="n">packet</span><span class="p">)</span> <span class="k">if</span> <span class="n">features</span><span class="p">:</span> <span class="c1"># Check if we are still in the training phase </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_trained</span><span class="p">:</span> <span class="n">training_samples</span><span class="p">.</span><span class="nf">append</span><span class="p">([</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_size</span><span class="sh">'</span><span class="p">],</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">packet_rate</span><span class="sh">'</span><span class="p">],</span> <span class="n">features</span><span class="p">[</span><span class="sh">'</span><span class="s">byte_rate</span><span class="sh">'</span><span class="p">]</span> <span class="p">])</span> <span class="c1"># Once we have 5 seconds of data, train the model </span> <span class="k">if</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span> <span class="o">&gt;</span> <span class="mi">5</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Training model on </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">training_samples</span><span class="p">)</span><span class="si">}</span><span class="s"> packets...</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">detection_engine</span><span class="p">.</span><span class="nf">train_anomaly_detector</span><span class="p">(</span><span class="n">training_samples</span><span class="p">)</span> <span class="n">is_trained</span> <span class="o">=</span> <span class="bp">True</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Phase 2: IDS is now ACTIVE.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Only run detection if the model is ready </span> <span class="k">else</span><span class="p">:</span> <span class="n">threats</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">detection_engine</span><span class="p">.</span><span class="nf">detect_threats</span><span class="p">(</span><span class="n">features</span><span class="p">)</span> <span class="k">for</span> <span class="n">threat</span> <span class="ow">in</span> <span class="n">threats</span><span class="p">:</span> <span class="n">packet_info</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">source_ip</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet</span><span class="p">[</span><span class="n">IP</span><span class="p">].</span><span class="n">src</span><span class="p">,</span> <span class="sh">'</span><span class="s">destination_ip</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet</span><span class="p">[</span><span class="n">IP</span><span class="p">].</span><span class="n">dst</span><span class="p">,</span> <span class="sh">'</span><span class="s">source_port</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">sport</span><span class="p">,</span> <span class="sh">'</span><span class="s">destination_port</span><span class="sh">'</span><span class="p">:</span> <span class="n">packet</span><span class="p">[</span><span class="n">TCP</span><span class="p">].</span><span class="n">dport</span> <span class="p">}</span> <span class="n">self</span><span class="p">.</span><span class="n">alert_system</span><span class="p">.</span><span class="nf">generate_alert</span><span class="p">(</span><span class="n">threat</span><span class="p">,</span> <span class="n">packet_info</span><span class="p">)</span> <span class="k">except</span> <span class="n">queue</span><span class="p">.</span><span class="n">Empty</span><span class="p">:</span> <span class="k">continue</span> <span class="k">except</span> <span class="nb">KeyboardInterrupt</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Stopping IDS.....</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">packet_capture</span><span class="p">.</span><span class="nf">stop</span><span class="p">()</span> <span class="k">break</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">ids</span> <span class="o">=</span> <span class="nf">intrusionDetectionSystem</span><span class="p">()</span> <span class="n">ids</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> </code></pre> </div> <p>Here, the <code>intrusionDetectionSystem</code> sets up its core parts: <code>packetCapture</code> for capturing packets on the network interface, <code>trafficAnalyzer</code> for extracting packet features and analyzing them, <code>detectionEngine</code> for identifying threats using both signature and anomaly-based detection methods, and <code>alertSystem</code> for logging and escalating threat alerts. The <code>interface</code> parameter specifies which network interface to monitor, defaulting to the system default (in this case, <code>"Wi-Fi"</code> for Windows and <code>"en0"</code> for Mac). </p> <p>The <code>start</code> function executes the IDS, beginning monitoring on the specified interface and entering a continuous loop to process incoming packets. For each captured packet, the system uses the <code>trafficAnalyzer</code> to extract features and analyze them for potential threats with the <code>detectionEngine</code>. If threats are detected, detailed alerts are generated through the <code>alertSystem</code>.</p> <h2> VISUALIZING THE DATA USING STREAMLIT </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7534xdoaj7tjz5rhkn0b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7534xdoaj7tjz5rhkn0b.png" alt="Sample Streamlit Dashboard" width="800" height="446"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmn7uice5vs1uawng4yi8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmn7uice5vs1uawng4yi8.png" alt="Sample Streamlit Dashboard" width="800" height="448"></a></p> <p>Optionally, if you want to visualize the logs being detected by your system, you can use Streamlit to do so. We’ll have a quick run through on how to create a simple dashboard for your IDS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">streamlit</span> <span class="k">as</span> <span class="n">st</span> <span class="kn">import</span> <span class="n">pandas</span> <span class="k">as</span> <span class="n">pd</span> <span class="n">st</span><span class="p">.</span><span class="nf">title</span><span class="p">(</span><span class="sh">"</span><span class="s">Python Mini IDS Dashboard</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Load CSVs </span><span class="n">logs</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nf">read_csv</span><span class="p">(</span><span class="sh">"</span><span class="s">simulated_auth_logs.csv</span><span class="sh">"</span><span class="p">,</span> <span class="n">parse_dates</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">])</span> <span class="n">alerts</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nf">read_csv</span><span class="p">(</span><span class="sh">"</span><span class="s">alerts.csv</span><span class="sh">"</span><span class="p">,</span> <span class="n">parse_dates</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">])</span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="sh">"</span><span class="s">alerts.csv</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span> <span class="n">pd</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">()</span> <span class="c1"># Display Logs </span><span class="n">st</span><span class="p">.</span><span class="nf">subheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Login Logs</span><span class="sh">"</span><span class="p">)</span> <span class="n">st</span><span class="p">.</span><span class="nf">dataframe</span><span class="p">(</span><span class="n">logs</span><span class="p">)</span> <span class="c1"># Display Alerts </span><span class="n">st</span><span class="p">.</span><span class="nf">subheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Alerts</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">alerts</span><span class="p">.</span><span class="n">empty</span><span class="p">:</span> <span class="n">st</span><span class="p">.</span><span class="nf">dataframe</span><span class="p">(</span><span class="n">alerts</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">st</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sh">"</span><span class="s">No alerts detected yet.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Visualize Failed Logins </span><span class="n">st</span><span class="p">.</span><span class="nf">subheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Failed Logins by User</span><span class="sh">"</span><span class="p">)</span> <span class="n">failed_logins</span> <span class="o">=</span> <span class="n">logs</span><span class="p">[</span><span class="n">logs</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">fail</span><span class="sh">'</span><span class="p">].</span><span class="nf">groupby</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">).</span><span class="nf">size</span><span class="p">()</span> <span class="n">st</span><span class="p">.</span><span class="nf">bar_chart</span><span class="p">(</span><span class="n">failed_logins</span><span class="p">)</span> <span class="c1"># Top IPs with Failed Logins </span><span class="n">st</span><span class="p">.</span><span class="nf">subheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Top 10 IPs by Failed Logins</span><span class="sh">"</span><span class="p">)</span> <span class="n">top_ips</span> <span class="o">=</span> <span class="n">logs</span><span class="p">[</span><span class="n">logs</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">fail</span><span class="sh">'</span><span class="p">].</span><span class="nf">groupby</span><span class="p">(</span><span class="sh">'</span><span class="s">ip_address</span><span class="sh">'</span><span class="p">).</span><span class="nf">size</span><span class="p">().</span><span class="nf">sort_values</span><span class="p">(</span><span class="n">ascending</span><span class="o">=</span><span class="bp">False</span><span class="p">).</span><span class="nf">head</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="n">st</span><span class="p">.</span><span class="nf">bar_chart</span><span class="p">(</span><span class="n">top_ips</span><span class="p">)</span> </code></pre> </div> <p>In this code, the dashboard connects to the IDS by reading two different files: <code>simulated_auth_logs.csv</code>, which contains the general login history (who logged in, from where, and whether they succeeded or not), and <code>alerts.csv</code>, which loads alerts detected by the <code>detectionEngine</code>.</p> <p>The tables use <code>st.dataframe()</code> to display the raw logs in a scrollable table. If <code>alerts.csv</code> contains detected threats, they are displayed in the table; otherwise, the table shows a "No alerts detected yet" status message.</p> <p>The dashboard also uses two graphs to help you spot patterns. You can view failed user logins to identify if a specific account is being targeted and highlight which IP addresses are causing the most trouble, making it easier to identify a potential attacker’s address.</p> <p>Streamlit is great for visualizing data. If you want to further enhance your understanding about building your own dashboard, you can <a href="https://medium.com/@verinamk/streamlit-for-beginners-build-your-first-dashboard-58b764a62a2d" rel="noopener noreferrer">read this article</a>.</p> <h2> TO SUM IT UP </h2> <p>Creating this mini IDS gives you a hands-on look at how systems can monitor network activity and flag unusual events. You’ve seen how Python and a few key libraries can be combined to build something practical from scratch. While this provides a solid foundation, there is always room to enhance the system further.</p> <h3> POTENTIAL IMPROVEMENTS </h3> <p>While our mini IDS effectively identifies suspicious activity in simulated traffic, there are a few areas where it could be enhanced. For example, adding more refined detection rules could help catch subtle or complex attack patterns. Integrating real-time threat intelligence would allow the system to respond to emerging threats faster. Improving packet processing efficiency could also make the IDS more responsive under high network load.</p> <h3> FINAL THOUGHTS </h3> <p>Congratulations! By completing this project, you’ve taken your first real step into the world of cybersecurity. Keep building, keep experimenting, and remember, every line of code you write brings you closer to that 6‑digit career you’re aiming for.</p> <p>Github repository:</p> <p><a href="https://github.com/ReyDocs/SPARCS_miniIDS" rel="noopener noreferrer">SPARCS_miniIDS GitHub</a></p> <p>Reference:</p> <p><a href="https://www.freecodecamp.org/news/build-a-real-time-intrusion-detection-system-with-python/" rel="noopener noreferrer">https://www.freecodecamp.org/news/build-a-real-time-intrusion-detection-system-with-python/</a> </p> beginners tutorial python cybersecurity