AI-powered security threat investigation system that automatically detects anomalies, investigates them intelligently, and generates actionable incident reports in plain English.
Detects suspicious authentication behavior (impossible travel, credential stuffing, off-hours access) → Investigates using Claude LLM → Generates comprehensive incident reports with MITRE ATT&CK mapping → Real-time dashboard updates.
- 🤖 LLM-Powered Investigation - Uses Groq's Llama 3.3 to investigate anomalies and generate human-readable reports
- 🎯 Anomaly Detection - Isolation Forest ML detection for behavioral anomalies (geolocation, timing, failed attempts)
- ⚡ Real-Time Updates - WebSocket-powered dashboard with sub-100ms incident delivery
- 🛡️ Security Context - Maps detected threats to MITRE ATT&CK techniques for threat intelligence
- 📊 Live Dashboard - React UI showing incidents with severity levels, confidence scores, and detailed analysis
- 🐳 Production Ready - Docker Compose setup, deployed backend, PostgreSQL persistence
- 📈 Extensible - Pluggable detection layer, easy to add new anomaly types and investigation rules
Authentication Event
↓
Detection Engine (Isolation Forest)
↓
Anomaly Flagged? (Severity + Confidence)
↓
ARIA Investigation Agent
├─ Step 1: Triage (classify severity)
├─ Step 2: Context Analysis (pull surrounding logs, user baseline)
└─ Step 3: Report Generation (LLM investigation + MITRE mapping)
↓
Incident Report (JSON + Plain English)
↓
WebSocket Broadcast → Real-Time Dashboard
↓
Security Team Takes Action
- Framework: FastAPI (Python async web framework)
- Database: PostgreSQL (Neon cloud)
- LLM: Groq API (Llama 3.3 model)
- ML: scikit-learn (Isolation Forest)
- Real-time: WebSockets
- Deployment: Docker, Render
- UI Framework: React
- WebSocket Client: Native WebSocket API
- HTTP Client: Axios
- Styling: CSS-in-JS
- Containerization: Docker & Docker Compose
- Version Control: Git/GitHub
- Cloud Database: Neon (PostgreSQL)
- Hosting: Render (backend)
- Python 3.11+
- Node.js 18+
- Docker & Docker Compose
- Groq API key (free tier: console.groq.com)
- Neon PostgreSQL connection string (free tier: neon.tech)
# Clone the repo
git clone https://github.com/Ayon99/ARIA
cd ARIA
# Set up environment variables
cp .env.example .env
# Edit .env with your Groq API key and Neon connection string
# Start all services with Docker Compose
docker-compose up
# Open dashboard
# Backend API: http://localhost:8000/docs
# Frontend: http://localhost:3000# Backend
python -m venv venv
source venv/bin/activate # Windows: venv\Scripts\activate
pip install -r requirements.txt
uvicorn main:app --reload
# Frontend (in separate terminal)
cd dashboard
npm install
npm startaria/
├── main.py # FastAPI app, endpoints, WebSocket handler
├── simulator/
│ └── log_generator.py # Generate synthetic attack events for testing
├── agent/
│ └── investigator.py # LLM investigation pipeline (triage → report)
├── database/
│ └── db.py # PostgreSQL operations, schema management
├── detector/ # (Phase 2) Isolation Forest integration
│ ├── ml_model.py
│ ├── ml_features.py
│ └── detector.py
├── dashboard/ # React frontend
│ ├── src/
│ │ ├── App.js # Main dashboard component
│ │ └── index.js
│ ├── package.json
│ └── Dockerfile
├── docker-compose.yml # Multi-service orchestration
├── Dockerfile # Backend container
├── requirements.txt # Python dependencies
└── README.md
Health check endpoint.
Interactive API documentation (Swagger UI).
List all stored incidents from database.
curl http://localhost:8000/incidentsTrigger investigation for a specific attack type.
Attack types:
impossible_travel- Login from impossible geographic locationcredential_stuffing- Multiple failed login attemptsoff_hours_access- Login outside normal hours
curl http://localhost:8000/investigate/impossible_travelReal-time incident stream. Automatically broadcasts new incidents to connected clients.
const ws = new WebSocket('ws://localhost:8000/ws');
ws.onmessage = (event) => {
const incident = JSON.parse(event.data);
console.log('New incident:', incident);
};- Event Detected: User logs in from Moscow at 3 AM (typical location: Mumbai, 9-5)
- Detection: Flagged as "Impossible Travel" (Isolation Forest + rule-based)
- Investigation: ARIA retrieves context, calls Claude LLM
- Report Generated:
SEVERITY: CRITICAL CONFIDENCE: 0.9 ATTACK PATTERN: Impossible travel detected MITRE TECHNIQUE: T1078 (Valid Accounts) SUMMARY: A critical security incident has been detected. User typically logs in from Mumbai, but this login originated from Moscow. This discrepancy raises concerns about potential account compromise. RECOMMENDED ACTIONS: 1. Immediately initiate password reset 2. Review recent account activity 3. Notify user and request confirmation - Dashboard Update: Incident appears in real-time on React dashboard
- Action: Security team clicks "Suspend Session" or manually investigates
# Groq API (LLM)
GROQ_API_KEY=your_groq_api_key_here
# Database
DATABASE_URL=postgresql://user:password@host:5432/aria
# Optional
DEBUG=false
LOG_LEVEL=INFOEdit simulator/log_generator.py to customize attack scenarios.
Edit agent/investigator.py to adjust LLM prompt behavior.
- Detection Latency: <100ms per event
- Investigation Time: 2-3 seconds (LLM API call)
- Database Query: <50ms for incident retrieval
- WebSocket Broadcast: <100ms to connected clients
- Throughput: 1,000+ events/minute on single instance
- Push code to GitHub
- Go to render.com → New Web Service
- Connect GitHub repo
- Configure:
- Build:
pip install -r requirements.txt - Start:
uvicorn main:app --host 0.0.0.0 --port 8000 - Environment variables:
DATABASE_URL,GROQ_API_KEY
- Build:
- Deploy
Dashboard can run locally while backend is on Render. Update REACT_APP_API_URL environment variable in frontend.
- Phase 2: Integrate Isolation Forest detection to auto-flag anomalies (no more simulation)
- Phase 2: RAG + pgvector for smarter MITRE ATT&CK lookups
- Phase 3: Real log ingestion (Supabase, Auth0, Firebase integration)
- ** **: Multi-tenancy support for multiple organizations
- ** **: Slack/email alerts for critical incidents
- ** **: Custom rule engine for organization-specific detection
- Phase 4: Stripe billing integration for SaaS pricing
- Free tier with generous limits
- Fast inference (Llama 3.3)
- Lower latency than other providers
- Structured output support via JSON mode
- Single database for events + embeddings (future RAG)
- Open source, no vendor lock-in
- Neon provides free tier with generous limits
- Mature, battle-tested for production use
- Sub-100ms incident delivery
- Real-time dashboard updates without polling
- Efficient for concurrent connections
- Native browser support
- Simulated Data: Currently uses generated attack scenarios. Phase 2 integrates real detection.
- Single Tenant: No multi-organization support yet.
- No Persistence: WebSocket connections don't survive server restart.
- LLM Hallucinations: Groq occasionally generates inaccurate technical details; validate critical findings.
This is an active portfolio project. Contributions welcome:
- Fork the repo
- Create feature branch (
git checkout -b feature/your-feature) - Commit changes (
git commit -m 'Add feature') - Push to branch (
git push origin feature/your-feature) - Open Pull Request
MIT License - see LICENSE file for details.
Ayon Ghosh
Machine Learning Engineer & Backend Developer
Building security systems one incident at a time.
- GitHub: @Ayon99
- LinkedIn: ayon-ghosh-ml
- Email: ayon2006ghosh@gmail.com
- Groq for free LLM API tier
- Neon for free PostgreSQL hosting
- Render for free backend deployment
- Isolation Forest from scikit-learn
- MITRE ATT&CK for threat intelligence framework
Questions? Open an issue on GitHub or reach out via email.
Want to collaborate? DM on LinkedIn or open a discussion.