GitHub: Aahanaaa13/soc-incident-response
# NEXUS-SOC — Cybersecurity Incident Response Platform
A hybrid SOC automation platform that combines Random Forest
classification with a MITRE ATT&CK-mapped rule engine for
multi-class network intrusion detection.
## Performance
- **F1 Score: 0.96** (5-fold stratified cross-validation)
- **Dataset:** CICIDS2017 (7,036 balanced events)
- **Classes:** 8 (BENIGN + 7 attack categories)
- **Model:** Random Forest (100 estimators, class_weight=balanced)
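The F1 figures above (one per class, plus the headline 0.96) come from a multi-class confusion matrix. The following is an added example, not code from the repository, showing how per-class precision, recall and F1 are derived from true and predicted labels, and how the macro and support-weighted averages differ. The README does not say which averaging `evaluate.py` uses; with a balanced dataset the two are close, so both are computed here. The label lists are constructed, not CICIDS2017 output, and are chosen so that Infiltration is the class most often missed as BENIGN, mirroring its lower score in the table.

```python
"""Per-class and averaged F1 from label lists (added example, stdlib only)."""
from collections import Counter


def confusion_counts(y_true, y_pred):
    """Per-class true positives, false positives and false negatives."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for t, p in zip(y_true, y_pred):
        if t == p:
            tp[t] += 1
        else:
            fp[p] += 1  # predicted p, but the true class was t
            fn[t] += 1  # the true class t was missed
    return tp, fp, fn


def per_class_f1(y_true, y_pred):
    """F1 for every label seen in either list.

    A zero denominator (a class never predicted, or never present) makes
    precision or recall undefined; it is scored as 0.0, as scikit-learn does
    by default, rather than raising.
    """
    tp, fp, fn = confusion_counts(y_true, y_pred)
    scores = {}
    for label in sorted(set(y_true) | set(y_pred)):
        predicted = tp[label] + fp[label]
        actual = tp[label] + fn[label]
        precision = tp[label] / predicted if predicted else 0.0
        recall = tp[label] / actual if actual else 0.0
        denom = precision + recall
        scores[label] = 2 * precision * recall / denom if denom else 0.0
    return scores


def macro_f1(y_true, y_pred):
    """Unweighted mean of the per-class F1 scores (every class counts equally)."""
    scores = per_class_f1(y_true, y_pred)
    return sum(scores.values()) / len(scores)


def weighted_f1(y_true, y_pred):
    """Mean of per-class F1 weighted by how many true samples each class has."""
    scores = per_class_f1(y_true, y_pred)
    support = Counter(y_true)
    return sum(scores[label] * support[label] for label in scores) / len(y_true)


# Constructed sample: 12 flows over four of the README's classes.
Y_TRUE = ["BENIGN"] * 4 + ["DDoS"] * 3 + ["PortScan"] * 2 + ["Infiltration"] * 3
Y_PRED = (["BENIGN"] * 4
          + ["DDoS", "DDoS", "BENIGN"]            # one DDoS flow missed
          + ["PortScan"] * 2
          + ["Infiltration", "BENIGN", "BENIGN"])  # two Infiltration flows missed

if __name__ == "__main__":
    for label, score in per_class_f1(Y_TRUE, Y_PRED).items():
        print(f"{label:13s} F1 = {score:.2f}")
    print(f"macro F1    = {macro_f1(Y_TRUE, Y_PRED):.2f}")
    print(f"weighted F1 = {weighted_f1(Y_TRUE, Y_PRED):.2f}")
```

Because misclassified attack flows land in the BENIGN column as false positives, BENIGN's precision drops while the attack classes lose recall; that is why a low-recall class such as Infiltration in the sample pulls the macro average down more than the weighted one.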
## Attack Categories Detected
| Class | MITRE ID | Technique | F1 |
|---|---|---|---|
| DDoS | T1498 | Network Denial of Service | 0.98 |
| DoS | T1499 | Endpoint Denial of Service | 0.96 |
| PortScan | T1046 | Network Service Scanning | 1.00 |
| BruteForce | T1110 | Brute Force Authentication | 0.94 |
| Bot | T1071 | C2 Application Layer Protocol | 0.98 |
| WebAttack | T1190 | Exploit Public-Facing Application | 0.95 |
| Infiltration | T1078 | Valid Accounts | 0.74 |
## Architecture
```
CICIDS2017 CSV → cicids_loader.py → Random Forest classifier
→ MITRE ATT&CK rule engine → Severity ranking
→ Response playbooks → Flask dashboard
```
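The three middle stages of the pipeline (rule engine, severity ranking, playbook selection) can be shown end to end with a small triage function. The following is an added example, not the project's own code: the class-to-technique mapping is taken from the table above, while the base severity weights, the confidence threshold, the playbook names and the sample predictions are assumptions constructed for illustration. Predictions below the threshold are queued for analyst review instead of triggering a playbook, which is the sensible default for a class such as Infiltration whose F1 is well below the others.

```python
"""MITRE-mapped triage and severity ranking (added example, stdlib only)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Classifier label -> ATT&CK technique, as listed in the README table.
MITRE_MAP = {
    "DDoS": ("T1498", "Network Denial of Service"),
    "DoS": ("T1499", "Endpoint Denial of Service"),
    "PortScan": ("T1046", "Network Service Scanning"),
    "BruteForce": ("T1110", "Brute Force Authentication"),
    "Bot": ("T1071", "C2 Application Layer Protocol"),
    "WebAttack": ("T1190", "Exploit Public-Facing Application"),
    "Infiltration": ("T1078", "Valid Accounts"),
}

# Assumed base severity per class on a 1 (low) to 5 (critical) scale.
BASE_SEVERITY = {
    "Bot": 5, "Infiltration": 5, "WebAttack": 4, "BruteForce": 3,
    "DDoS": 3, "DoS": 3, "PortScan": 2,
}

# Assumed playbook identifiers; the real project's playbook names are not on the page.
PLAYBOOKS = {
    "Bot": "isolate-host-and-block-c2-destination",
    "Infiltration": "disable-account-and-review-auth-logs",
    "WebAttack": "block-source-and-review-waf-logs",
    "BruteForce": "lock-account-and-rate-limit-source",
    "DDoS": "engage-upstream-mitigation",
    "DoS": "rate-limit-and-restart-service",
    "PortScan": "block-source-and-watch-for-follow-up",
}

# Assumed: predictions below this probability go to an analyst queue.
CONFIDENCE_THRESHOLD = 0.80


@dataclass
class Incident:
    src_ip: str
    predicted_class: str
    confidence: float
    mitre_id: Optional[str]
    technique: Optional[str]
    severity: int           # 0 for BENIGN, otherwise 1..5
    playbook: Optional[str]  # None when the incident needs review first
    needs_review: bool


def triage(src_ip: str, predicted_class: str, confidence: float) -> Incident:
    """Map one classifier prediction to a technique, a severity and a playbook."""
    if predicted_class == "BENIGN":
        return Incident(src_ip, predicted_class, confidence, None, None, 0, None, False)
    if predicted_class not in MITRE_MAP:
        raise ValueError(f"unknown class: {predicted_class}")
    mitre_id, technique = MITRE_MAP[predicted_class]
    # Scale the base severity by model confidence, never dropping below 1.
    severity = max(1, round(BASE_SEVERITY[predicted_class] * confidence))
    needs_review = confidence < CONFIDENCE_THRESHOLD
    playbook = None if needs_review else PLAYBOOKS[predicted_class]
    return Incident(src_ip, predicted_class, confidence, mitre_id, technique,
                    severity, playbook, needs_review)


def rank_incidents(predictions: List[Tuple[str, str, float]]) -> List[Incident]:
    """Triage a batch and order it highest severity first, ties by confidence."""
    incidents = [triage(*p) for p in predictions]
    return sorted(incidents, key=lambda i: (-i.severity, -i.confidence))


# Constructed sample predictions in the shape a Random Forest would emit:
# (source IP, predicted class, probability of that class).
SAMPLE_PREDICTIONS = [
    ("10.0.0.5", "PortScan", 0.99),
    ("10.0.0.9", "Bot", 0.92),
    ("10.0.0.12", "Infiltration", 0.62),
    ("10.0.0.3", "BENIGN", 0.97),
    ("10.0.0.7", "BruteForce", 0.88),
]

if __name__ == "__main__":
    for inc in rank_incidents(SAMPLE_PREDICTIONS):
        action = "REVIEW" if inc.needs_review else (inc.playbook or "none")
        print(f"sev={inc.severity} {inc.src_ip:10s} {inc.predicted_class:13s} "
              f"{inc.mitre_id or '-':6s} -> {action}")
```

Keeping the mapping tables as plain data means the rule engine can be changed (new technique IDs, retuned weights) without touching the classifier, and the `needs_review` flag gives the dashboard a clean way to separate automated responses from items waiting on an analyst.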
## Tech Stack
Python, Flask, Scikit-learn, Pandas, Scapy, CICIDS2017
## How to Run
### Install dependencies
```bash
pip install -r requirements.txt
```
### Run evaluation (get metrics)
```bash
python evaluate.py
```
### Start dashboard
```bash
python app.py
```
Open: http://localhost:5000
### Live capture mode (run as Administrator)
```bash
python app.py
```
Visit: http://localhost:5000/start-capture
Then: http://localhost:5000/live
## Dataset
Download CICIDS2017 from https://www.unb.ca/cic/datasets/ids-2017.html
Place all CSV files in the `/data/` folder.