nuthan923/REALTIME-IDS

GitHub: nuthan923/REALTIME-IDS


# Real-Time Intrusion Detection System (IDS) using Snort & ML

## 🚀 Project Overview

This project implements a **Real-Time Intrusion Detection System** designed for **edge devices** (specifically the Raspberry Pi 5). It combines the rule-based detection of **Snort** with a **Machine Learning** classifier (Random Forest) to identify and classify network attacks in real time. The system monitors traffic from simulated IoT devices, passes Snort alerts through an ML inference engine, and provides a live dashboard for security monitoring.

## ✨ Key Features

- **Real-Time Traffic Analysis**: Deep packet inspection using Snort.
- **ML-Powered Inference**: Random Forest model trained on the UNSW-NB15 dataset that classifies each alert as normal traffic or as one of the attack types listed below.
- **Interactive Dashboard**: Live visualization of network health using Chart.js, including:
  - **Live Counters**: Real-time tracking of total, malicious, and normal alerts.
  - **Attack Timeline**: Statistical trends of network events.
  - **Threat Classification**: Visual breakdown of attack types (DoS, Scan, Brute Force).
  - **Top Attackers**: Bar chart identifying the most active malicious IP addresses.
  - **Geographic Visualization**: 2D Leaflet map and 3D Globe.gl views of attack origins (positions are simulated; the lab network carries no real geolocation).
  - **Live Alert Feed**: Scrolling console-style feed of recent network activity.
- **IoT Simulation Environment**: Includes virtual smart bulbs, cameras, and thermostats to simulate a realistic edge environment.
- **Attack Simulator**: Integrated scripts to simulate port scanning, DoS (SYN flood), and brute-force attacks.
- **Edge Optimized**: Fully containerized using Docker, designed to run efficiently on a Raspberry Pi 5.

## 🏗️ Architecture

1. **Traffic Generation**: IoT devices (bulb, camera, thermostat) generate normal network traffic.
2. **Intrusion Detection**: Snort monitors the network interface and generates alerts based on signature-based rules.
3. **ML Inference Engine**: A Flask-based API receives Snort alerts, extracts features, and uses a trained ML model to classify the traffic.
4. **Monitoring Dashboard**: A web-based UI displays real-time statistics and detailed alert information.

## 📂 Project Structure

```
├── api/          # ML Inference API (Flask)
├── attacker/     # Attack simulation scripts (nmap, hping3, hydra)
├── dashboard/    # Web dashboard (Flask + HTML/JS)
├── docker/       # Dockerfiles and Docker Compose configuration
├── iot/          # IoT device simulation scripts
├── ml/           # Machine learning models and training scripts
│   ├── models/   # Pre-trained models (.pkl)
│   └── training/ # Training datasets and scripts
├── snort/        # Snort configuration and rules
│   ├── conf/     # Snort configuration (snort.conf)
│   └── rules/    # Custom IDS rules (local.rules)
└── scripts/      # Utility and data generation scripts
```

## 🛠️ Installation & Deployment

### Prerequisites

Docker and Docker Compose installed on the host (the project targets a Raspberry Pi 5).

### Step 1: Clone the Repository

```bash
git clone
cd REALTIME-IDS
```

### Step 2: Build and Start the System

From the repository root, use Docker Compose to build and start all services:

```bash
docker-compose -f docker/docker-compose.simulation.yml up --build
```

Read `docker/docker-compose.simulation.yml` before starting the stack on a network you share with others: an IDS container needs raw access to the monitored interface (host networking or the `NET_ADMIN`/`NET_RAW` capabilities), and the attacker container generates real scan, flood, and brute-force traffic, so keep the whole stack on an isolated Docker network.

### Step 3: Access the Dashboard

Once the containers are running, open your web browser and navigate to port 8080 on the host running the containers:

```
http://<host>:8080
```

(Replace `<host>` with the Raspberry Pi's address, or `localhost` when running on the same machine.)

## 🧠 Machine Learning Model

The system uses a **Random Forest Classifier** trained on the **UNSW-NB15** dataset.

- **Features used**: `dur`, `proto`, `service`, `spkts`, `dpkts`, `sbytes`, `dbytes`, `sttl`, `dttl`.
- **Performance**: High precision and recall for common attack types on the UNSW-NB15 data (no figures are quoted here).
- **Attack Classification**:
  - **Normal**: Routine traffic.
  - **DoS**: Denial of Service (high packet volume).
  - **Scan**: Port scanning and network mapping.
  - **Brute Force**: Repeated unauthorized access attempts.

Note that these are flow-level features from UNSW-NB15 (duration, packet and byte counts in each direction, TTLs). A single Snort alert does not carry all of them, so the inference API has to derive or approximate them from the alert and surrounding traffic before the model can be applied; accuracy on live traffic should therefore be measured separately from the dataset scores, and the class counts on the dashboard should be read with that in mind.

## 🛡️ Simulating Attacks

To test the detection capabilities, run the attack simulator:

1. Enter the attacker container:

   ```bash
   docker exec -it attacker bash
   ```

2. Run the simulation script:

   ```bash
   ./attacker/attacker.sh
   ```

This launches port scans (nmap), a SYN flood (hping3), and brute-force attempts (hydra) against the simulated IoT devices; the resulting alerts should appear on the dashboard in real time. Only the targets are simulated: the tools send real attack traffic, so never point the script at hosts outside the lab network.

## 📜 License

This project is licensed under the MIT License - see the LICENSE file for details.
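The rules Snort fires on live in `snort/rules/local.rules`, which this README does not reproduce. The following is an added, illustrative rule set written for this page (not the project's own rules) covering the three simulated attacks. It assumes Snort 2.9 rule syntax (matching the `snort.conf` layout above), `$HOME_NET` set in `snort.conf` to the Docker network the IoT devices sit on, SIDs 1000001-1000003 picked from the local range, and SSH on port 22 as the service hydra is pointed at; adjust the port and banner content if the simulated devices expose something else.

```snort
# Added example rules, not copied from the project's local.rules.
# HOME_NET and the SIDs below are assumptions for this example.

# DoS / SYN flood (what hping3 -S --flood produces): many bare SYNs at one
# destination within a few seconds. flow:stateless lets the rule see SYNs
# that never become sessions; flags:S,12 ignores the reserved bits.
alert tcp any any -> $HOME_NET any (msg:"LOCAL DoS SYN flood"; \
    flags:S,12; flow:stateless; classtype:attempted-dos; \
    detection_filter:track by_dst, count 200, seconds 5; sid:1000001; rev:1;)

# Scan (nmap default SYN scan): one source sending SYN probes in a burst.
# A rule cannot count distinct destination ports; the sfPortscan preprocessor
# in snort.conf can, and is the better scan detector. This is a cheap backstop.
alert tcp any any -> $HOME_NET any (msg:"LOCAL Scan SYN probe burst"; \
    flags:S,12; flow:stateless; classtype:attempted-recon; \
    detection_filter:track by_src, count 20, seconds 10; sid:1000002; rev:1;)

# Brute force (hydra ssh): repeated fresh SSH connections from one source.
# The client identification string "SSH-" arrives once per connection, so
# counting it by source counts login attempts.
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL Brute force SSH"; \
    flow:established,to_server; content:"SSH-"; nocase; offset:0; depth:4; \
    classtype:attempted-admin; \
    detection_filter:track by_src, count 5, seconds 60; sid:1000003; rev:1;)
```

`detection_filter` suppresses the alert until `count` matching packets have been seen from (or to) the tracked host within `seconds`; after that every further match alerts, so a SYN flood still produces a stream of alerts once it passes the threshold. If the dashboard feed should not itself be flooded, add an `event_filter` of `type limit` for the SID in `snort.conf`. Note also that a flood from a single host trips the scan rule as well as the flood rule, because both key on bare SYNs; the packet and byte volume features (`spkts`, `sbytes`) are what let the ML stage separate the two classes.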
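The architecture section describes Snort alerts flowing into a Flask inference API and then into dashboard counters (total, malicious, normal, threat classification, top attackers, timeline) but does not show what that pipeline does with an alert line. The example below is added for this page and is not the project's `api/` or `dashboard/` code. It assumes Snort writes alerts in its "fast" format (one line per alert) and that the rule `classtype` is the signal used to classify an alert; the alert lines, rule messages, IP addresses and SIDs are constructed for the example.

```python
import re
from collections import Counter

# Snort 2 "fast" alert line layout (one alert per line). The group names are ours.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classtype>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Snort classtype descriptions (from classification.config) -> dashboard classes.
# Anything not listed is treated as Normal, so a new rule with an unexpected
# classtype cannot silently inflate the malicious counter.
CLASS_MAP = {
    "Attempted Denial of Service": "DoS",
    "Attempted Information Leak": "Scan",
    "Attempted Administrator Privilege Gain": "Brute Force",
}
MALICIOUS = set(CLASS_MAP.values())


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line)
    return m.groupdict() if m else None


def classify(alert):
    """Map one parsed alert to Normal / DoS / Scan / Brute Force."""
    return CLASS_MAP.get(alert.get("classtype") or "", "Normal")


def summarize(lines, top_n=5):
    """Aggregate alert lines into the counters the dashboard displays."""
    by_class = Counter()
    attackers = Counter()
    timeline = Counter()
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1  # malformed input is counted, it never crashes the feed
            continue
        label = classify(alert)
        by_class[label] += 1
        timeline[alert["ts"][:11]] += 1  # "MM/DD-HH:MM" one-minute buckets
        if label in MALICIOUS:
            attackers[alert["src"]] += 1  # top attackers only count malicious alerts
    total = sum(by_class.values())
    malicious = sum(n for c, n in by_class.items() if c in MALICIOUS)
    return {
        "total": total,
        "malicious": malicious,
        "normal": total - malicious,
        "by_class": dict(by_class),
        "top_attackers": attackers.most_common(top_n),
        "timeline": dict(timeline),
        "skipped": skipped,
    }


# Constructed sample alerts (not captured from the project). The messages and
# classtypes are what a local.rules rule for each simulated attack would emit
# for hping3, nmap and hydra traffic from the attacker container; the last line
# is deliberately malformed to exercise the skip path.
SAMPLE_ALERTS = """\
01/29-12:00:01.100000  [**] [1:1000001:1] LOCAL DoS SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 172.20.0.9:40001 -> 172.20.0.20:80
01/29-12:00:01.300000  [**] [1:1000001:1] LOCAL DoS SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 172.20.0.9:40002 -> 172.20.0.20:80
01/29-12:00:07.000000  [**] [1:1000002:1] LOCAL Scan SYN probe burst [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.20.0.9:51234 -> 172.20.0.21:443
01/29-12:01:15.250000  [**] [1:1000003:1] LOCAL Brute force SSH [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 172.20.0.8:55000 -> 172.20.0.22:22
01/29-12:01:16.000000  [**] [1:1000010:1] LOCAL heartbeat [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 172.20.0.22:5683 -> 172.20.0.1:5683
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS.splitlines()).items():
        print(f"{key}: {value}")
```

Two design points carry over to a real inference API: classify on the rule's `classtype` (or SID) rather than on free text in `msg`, so a renamed rule does not change the dashboard's numbers, and treat unparseable lines as a counted failure instead of an exception, since one malformed line should not stall the live feed. The per-minute timeline and the top-attacker counter are exactly the views the dashboard draws; the ML stage would sit between `parse_alert` and `classify`, replacing the static `CLASS_MAP` lookup with the model's prediction.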