DCT-Berinyuy/CyberSecMonitor

AI-Powered Cybersecurity Monitoring System (SIEM-Lite)

Course: CSC 2221 — Object-Oriented Programming in C++ (Spring 2026)
Institution: ICT University
Date: 12 May 2026


A real-time intrusion detection, prevention, and log analytics platform built entirely in C++17 using Object-Oriented Programming (OOP) principles. Modelled on the pipeline of professional-grade tools like Snort and Suricata, the project implements a rule-based expert engine, a statistical anomaly-based preprocessor, a CLI-based SIEM dashboard, and a tamper-evident hash-chained binary audit log.


[Figure: SIEM-Lite live dashboard and HTTP access log simulation (SQLi & DDoS)]

1. System Architecture

The application is structured into five cohesive functional layers. The control flow streams parsed logs through the analysis engine, triggers alerts, and executes automated response actions:

```mermaid
graph TD
    LP[LogParser] -->|LogEntry| LA[LogAnalyzer]
    LA -->|Feeds entry| TF[ThreatFactory]
    TF -->|Evaluates Rules| RS[RuleSet]
    TF -->|Checks static state in| T[Threat Subclasses]
    TF -->|Instantiates| T
    LA -->|Checks/Detects| T
    T -->|Triggers Alert| AS[AlertSystem]
    AS -->|Notifies| RE[ResponseEngine]
    AS -->|Notifies| IL[IncidentLogger]
    AS -->|Notifies| SD[SIEMDashboard]
    RE -->|Calls utility| RG[ReportGenerator]
    IL -->|Chains & Verifies| HC[HashChain]
    RE -->|Appends Block/Limit| BL[blocklist.cfg]
```

2. Core Features

  • Multi-Format Log Ingestion: Streams Linux syslog authentication logs and Apache/Nginx HTTP access logs, validating the format and field count of each line and skipping malformed lines instead of aborting.
  • Polymorphic Threat Hierarchy: Five distinct threat classes representing different attack vectors (Brute Force, Port Scan, SQL Injection, DDoS, and Privilege Escalation).
  • Statistical Anomaly Detection: Tracks requests per second using Welford's online algorithm to update the baseline mean and standard deviation incrementally, raising an alert when the rate exceeds the mean by more than $3\sigma$.
  • Automated Active Response: Appends offending IPs to the block list or rate-limit list (blocklist.cfg) and applies lockouts on critical-severity detections.
  • Tamper-Evident Hash-Chained Logging: Stores audit records in a binary file whose blocks are linked by an FNV-1a 64-bit hash chain, so that any edit to an earlier record breaks every later link. FNV-1a is a fast non-cryptographic hash and the chain is unkeyed and stored in the same file, so this detects corruption and casual edits but not an attacker who can rewrite the file and recompute the chain.
  • ANSI Console SIEM Dashboard: Real-time summary displaying event throughput, threat type distribution (ASCII bar chart), IP block-list tables, and a critical incident feed.
  • Role-Based Access Control (RBAC): Separates read-only views from administrative operations between Analysts and Administrators.

3. Project File Structure

cybersec-monitor/
├── include/
│   ├── alert/
│   │   ├── Alert.h
│   │   ├── AlertSystem.h
│   │   ├── ResponseEngine.h
│   │   └── Subscriber.h
│   ├── engine/
│   │   ├── LogAnalyzer.h
│   │   ├── LogEntry.h
│   │   ├── LogParser.h
│   │   ├── RuleSet.h
│   │   └── ThreatFactory.h
│   ├── report/
│   │   └── ReportGenerator.h
│   ├── siem/
│   │   ├── HashChain.h
│   │   ├── IncidentLogger.h
│   │   └── SIEMDashboard.h
│   ├── threats/
│   │   ├── BruteForce.h
│   │   ├── DDoSFlood.h
│   │   ├── PortScan.h
│   │   ├── PrivEscAttempt.h
│   │   ├── SQLiAttempt.h
│   │   └── Threat.h
│   ├── users/
│   │   ├── Administrator.h
│   │   ├── Analyst.h
│   │   └── User.h
│   ├── config.h
│   └── SIEMSystem.h
├── src/
│   ├── alert/
│   │   ├── AlertSystem.cpp
│   │   └── ResponseEngine.cpp
│   ├── engine/
│   │   ├── LogAnalyzer.cpp
│   │   ├── LogParser.cpp
│   │   ├── RuleSet.cpp
│   │   └── ThreatFactory.cpp
│   ├── report/
│   │   └── ReportGenerator.cpp
│   ├── siem/
│   │   ├── HashChain.cpp
│   │   ├── IncidentLogger.cpp
│   │   └── SIEMDashboard.cpp
│   ├── tests/
│   │   └── test_main.cpp
│   ├── threats/
│   │   ├── BruteForce.cpp
│   │   ├── DDoSFlood.cpp
│   │   ├── PortScan.cpp
│   │   ├── PrivEscAttempt.cpp
│   │   └── SQLiAttempt.cpp
│   ├── users/
│   │   ├── Administrator.cpp
│   │   ├── Analyst.cpp
│   │   └── User.cpp
│   ├── main.cpp
│   └── SIEMSystem.cpp
├── data/
│   ├── rules.cfg
│   ├── sample_auth.log
│   └── sample_http.log
├── docs/
│   ├── cybersec_uml_class_diagram.svg
│   ├── cybersec_detection_flowchart.svg
│   ├── SIEM-LITE.png
│   ├── sample_auth_log.png
│   └── sample_http_log.png
├── Makefile
├── .gitignore
└── README.md

Key Project Components (Local Links)

  • Configuration: config.h
  • Threat Hierarchy Base: Threat.h
  • Rule-Based RuleSet: RuleSet.h
  • Threat Classifier: ThreatFactory.h
  • Parser Engine: LogParser.h
  • Tamper Hash Tool: HashChain.h
  • Interactive CLI Launcher: main.cpp

4. OOP Principles Demonstration

The system serves as a demonstration of C++ Object-Oriented Programming (OOP) design patterns and principles:

| OOP Principle | Description & Code Application | Relevant Class/Files |
|---|---|---|
| Encapsulation | Private fields with validated public accessors; the fields of parsed entries are not exposed directly. | LogEntry |
| Inheritance | A polymorphic tree rooted at an abstract base class that fixes the interface. | Threat $\rightarrow$ BruteForce, PortScan, etc. |
| Polymorphism | Dynamic dispatch at runtime via virtual functions; processing loops handle base-class pointers uniformly. | LogAnalyzer iterating over std::vector<Threat*> |
| Abstraction | Hiding implementation details behind a small API. | HashChain exposing append() and verify() |
| Composition | Aggregating subsystems in a textbook "has-a" relationship to orchestrate them. | SIEMSystem composing analyzer, dashboard, response engine |

5. Threat Detection Algorithms & AI Integration

5.1 Rule-Based Expert Engine (Heuristics)

At startup, configurations are ingested from rules.cfg into the RuleSet.

  • Static Window Tracking: Each Threat subclass tracks its own state. For example, BruteForce keeps a static std::unordered_map<std::string, std::deque<time_t>> holding the recent failed-login timestamps per source IP, evicting entries that fall outside the configured time window.
  • Pattern Matching: SQLiAttempt performs stateless payload analysis with C++ regular expressions (std::regex) to catch SQL injection patterns in the request string.
  • Stateless Dispatch: The ThreatFactory evaluates the matching criteria without holding internal state and returns dynamically allocated instances of the appropriate subclass once a threat is confirmed. Because the analyzer stores raw Threat* pointers, ownership of these allocations must be handled explicitly (or the container changed to std::vector<std::unique_ptr<Threat>>).
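The two rule-based checks above, written out as an added example (this is not code from the CyberSecMonitor repository): a per-IP sliding window over failed logins in the style of BruteForce, and a regex over the percent-decoded request in the style of SQLiAttempt. Class and function names, the threshold and window values, the regex patterns and the sample log lines are all constructed for this illustration; the window state is an instance member rather than the static map the project uses, so that each detector starts clean.

```cpp
// Added example, not code from the CyberSecMonitor repository. Names,
// thresholds, patterns and sample lines are assumptions for illustration.
#include <cctype>
#include <deque>
#include <iostream>
#include <regex>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Sliding-window counter: one deque of timestamps per source IP. The README's
// BruteForce keeps this map static; an instance member is used here so that
// each detector starts from a clean state.
class BruteForceDetector {
public:
    BruteForceDetector(std::size_t threshold, long window_seconds)
        : threshold_(threshold), window_(window_seconds) {}

    // Record one failed login; returns true when the IP has reached the
    // threshold inside the window (the caller raises the alert).
    bool record_failure(const std::string& ip, long ts) {
        auto& q = history_[ip];
        q.push_back(ts);
        while (!q.empty() && ts - q.front() > window_) q.pop_front();  // drop stale attempts
        return q.size() >= threshold_;
    }

private:
    std::size_t threshold_;
    long window_;
    std::unordered_map<std::string, std::deque<long>> history_;
};

// Extract the source IP from an sshd "Failed password" line. Returns false for
// anything else, so malformed or unrelated lines are skipped, not crashed on.
bool parse_failed_login(const std::string& line, std::string& ip_out) {
    static const std::regex pat(
        R"(Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+)");
    std::smatch m;
    if (!std::regex_search(line, m, pat)) return false;
    ip_out = m[1].str();
    return true;
}

// Minimal percent-decoding so that encoded payloads (%27 for ') are inspected
// in decoded form. Invalid escapes are left as they are.
std::string url_decode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else if (s[i] == '+') {
            out += ' ';
        } else {
            out += s[i];
        }
    }
    return out;
}

// Stateless SQLi heuristic: classic tautology, UNION, stacked-query, comment
// and time-based patterns, matched case-insensitively on the decoded request.
bool looks_like_sqli(const std::string& raw_request) {
    static const std::regex pat(
        R"re(['"]\s*(or|and)\s+\S*\s*=|union\s+(all\s+)?select|;\s*(drop|delete|update|insert)\s|--|/\*|\b(sleep|benchmark)\s*\()re",
        std::regex::icase);
    return std::regex_search(url_decode(raw_request), pat);
}

// Run the brute-force rule over (epoch seconds, auth line) pairs and return how
// many lines crossed the threshold.
int count_brute_force_hits(const std::vector<std::pair<long, std::string>>& lines,
                           std::size_t threshold, long window_seconds) {
    BruteForceDetector det(threshold, window_seconds);
    int hits = 0;
    for (const auto& [ts, line] : lines) {
        std::string ip;
        if (parse_failed_login(line, ip) && det.record_failure(ip, ts)) ++hits;
    }
    return hits;
}

// Constructed sample input (not taken from data/sample_auth.log).
const std::vector<std::pair<long, std::string>> kAuthSample = {
    {0,  "May 12 10:00:00 web01 sshd[2201]: Failed password for root from 10.0.0.5 port 51234 ssh2"},
    {5,  "May 12 10:00:05 web01 sshd[2202]: Failed password for invalid user test from 192.168.1.9 port 40001 ssh2"},
    {10, "May 12 10:00:10 web01 sshd[2203]: Failed password for root from 10.0.0.5 port 51235 ssh2"},
    {20, "May 12 10:00:20 web01 sshd[2204]: Failed password for root from 10.0.0.5 port 51236 ssh2"},
    {25, "this line is malformed and must be skipped"},
    {30, "May 12 10:00:30 web01 sshd[2205]: Failed password for admin from 10.0.0.5 port 51237 ssh2"},
    {40, "May 12 10:00:40 web01 sshd[2206]: Failed password for root from 10.0.0.5 port 51238 ssh2"},
    {50, "May 12 10:00:50 web01 sshd[2207]: Failed password for root from 10.0.0.5 port 51239 ssh2"},
};

int main() {
    std::cout << "brute-force hits: " << count_brute_force_hits(kAuthSample, 5, 60) << "\n";
    std::cout << "sqli? " << looks_like_sqli("GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1") << "\n";
    std::cout << "sqli? " << looks_like_sqli("GET /index.html?id=42 HTTP/1.1") << "\n";
}
```

With a threshold of 5 failures in 60 seconds the sample fires twice (on the fifth and sixth attempt from 10.0.0.5); shrinking the window to 30 seconds fires nothing, which is the kind of check worth keeping in the test suite when rules.cfg values change. Decoding before matching matters: the raw request `admin%27%20OR%20%271%27%3D%271` contains no quote character at all, and a regex run on the undecoded string would miss it.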

5.2 Statistical Anomaly Detection (Welford's Algorithm)

To detect volumetric DDoS attempts, DDoSFlood computes a running z-score of the request rate from an IP. It maintains numerically stable running statistical parameters utilizing Welford's online update algorithm:

$$\mu_n = \mu_{n-1} + \frac{x_n - \mu_{n-1}}{n}$$

$$M_{2,n} = M_{2,n-1} + (x_n - \mu_{n-1})(x_n - \mu_n)$$

$$\sigma_n^2 = \frac{M_{2,n}}{n}$$

If the current rate $x_i$ yields

$$z = \frac{x_i - \mu}{\sigma} > 3.0$$

that is, the rate lies more than three standard deviations above the running mean, and the absolute rate also exceeds the configured limit, a critical DDoS alert is raised. Two practical guards are needed around these formulas: no verdict should be issued until enough samples have been seen, and $\sigma$ needs a floor, since a perfectly flat baseline gives $\sigma = 0$ and an undefined $z$.
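The update rule and the z-score test carried through in code, as an added example rather than the project's DDoSFlood implementation. It adds the two guards the formulas alone do not give you (a minimum sample count and a floor on $\sigma$) and scores each sample against the baseline before folding it in, so an attacker cannot ratchet the baseline upward during a flood. Class and function names, the thresholds and the constructed traffic samples are assumptions.

```cpp
// Added example, not code from the CyberSecMonitor repository. Names and
// numbers are assumptions for illustration.
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <iostream>

struct Verdict {
    bool anomalous;  // true when z exceeds the threshold
    double z;        // z-score of the observed rate against the running baseline
};

class RateAnomalyDetector {
public:
    RateAnomalyDetector(double z_threshold = 3.0, std::size_t min_samples = 10,
                        double sigma_floor = 1.0)
        : z_threshold_(z_threshold), min_samples_(min_samples), sigma_floor_(sigma_floor) {}

    // Feed one requests-per-second sample. The sample is scored against the
    // baseline before being folded in, and anomalous samples are not folded in
    // at all, so a flood cannot drag the mean and sigma up to hide itself.
    Verdict observe(double x) {
        Verdict v{false, 0.0};
        if (n_ >= min_samples_) {
            double sigma = std::max(stddev(), sigma_floor_);  // floor avoids division by zero
            v.z = (x - mean_) / sigma;
            v.anomalous = v.z > z_threshold_;
        }
        if (!v.anomalous) update(x);
        return v;
    }

    double mean() const { return mean_; }
    double variance() const { return n_ ? m2_ / static_cast<double>(n_) : 0.0; }  // M2/n
    double stddev() const { return std::sqrt(variance()); }
    std::size_t count() const { return n_; }

private:
    // Welford's online update:
    //   mu_n = mu_{n-1} + (x - mu_{n-1}) / n
    //   M2_n = M2_{n-1} + (x - mu_{n-1}) * (x - mu_n)
    void update(double x) {
        ++n_;
        double delta = x - mean_;
        mean_ += delta / static_cast<double>(n_);
        m2_ += delta * (x - mean_);
    }

    double z_threshold_;
    std::size_t min_samples_;
    double sigma_floor_;
    std::size_t n_ = 0;
    double mean_ = 0.0;
    double m2_ = 0.0;
};

// Warm a detector with a constructed baseline of 20 samples alternating
// 95 and 105 req/s (mean 100, sigma 5), then score one more sample.
Verdict score_after_baseline(double probe) {
    RateAnomalyDetector det(3.0, 10, 1.0);
    for (int i = 0; i < 20; ++i) det.observe(i % 2 ? 105.0 : 95.0);
    return det.observe(probe);
}

int main() {
    for (double rate : {110.0, 130.0}) {
        Verdict v = score_after_baseline(rate);
        std::cout << rate << " req/s -> z=" << v.z
                  << (v.anomalous ? "  [CRITICAL: DDoS]" : "  ok") << "\n";
    }
}
```

Against that baseline 110 req/s scores $z = 2$ and passes, while 130 req/s scores $z = 6$ and is flagged. Freezing the baseline during an anomaly is a deliberate choice: it keeps a sustained flood from becoming the new normal, at the cost of needing a separate path (operator reset or a time-based decay) when legitimate traffic genuinely grows.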


6. Access Control & Default Credentials

The CLI implements role-based access control by checking the entered credentials against constants defined in the config.h namespace:

| Role | Username | Password | Privileges |
|---|---|---|---|
| Administrator | admin | admin123 | Load files, edit rule parameters, view dashboard, query log integrity. |
| Analyst | analyst | analyst123 | Load files, view dashboard, query logs, generate incident reports (read-only). |

These are hard-coded demo credentials compiled into the binary, so anyone with the source or the executable can read them; they are suitable for coursework only.

7. Build and Run Instructions

Prerequisites

  • Linux / macOS: GCC (supporting C++17) or Clang, GNU Make.
  • Windows: MinGW-w64 with GNU Make or WSL (Windows Subsystem for Linux).

Build Commands

  1. Compile Application & Test Suite:
    make all
  2. Execute Unit Test Suite:
    make test
  3. Launch SIEM Interactive Dashboard:
    make run
  4. Remove Object Files and Compiled Binaries:
    make clean

8. Program in Action & Diagrams

[Figure: UML class diagram (docs/cybersec_uml_class_diagram.svg)]

[Figure: control and threat detection flowchart (docs/cybersec_detection_flowchart.svg)]

[Figure: Linux authentication log simulation (docs/sample_auth_log.png)]


9. Usage & Verification Walks

Simulating Ingestion & Detection

  1. Run make run.
  2. Login with credentials (e.g., admin / admin123).
  3. Select option 1. Run Simulation Logs.
  4. Ingestion starts streaming data/sample_auth.log and data/sample_http.log.
  5. The live ANSI SIEM Dashboard displays active threats, total processed events, and blocked IPs.

Integrity Tampering Verification

  1. Run the simulation logs to generate the binary audit file data/audit.bin.
  2. Log in as an Administrator and choose 3. Validate Audit Log Integrity. It reports [SUCCESS] Chain verification passed. Hash sequence matches exactly.
  3. Tamper with data/audit.bin by hand (e.g. by modifying a single character with a hex editor).
  4. Run the validation again. The system catches the mismatch and prints a [TAMPER_ALERT] naming the block index at which the hash chain was broken. Note that the chain is an unkeyed FNV-1a hash stored in the same file: an attacker who can edit audit.bin can also recompute every later hash, after which verification passes again. Detecting that requires a keyed MAC or signature over each block with the key held outside the file, or periodically anchoring the latest hash somewhere the attacker cannot write.

10. References

  • Stroustrup, B. (2013). The C++ Programming Language (4th ed.). Addison-Wesley.
  • Gamma, E., Helm, R., Johnson, R., & Vlissides, J. (1994). Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley.
  • Snort Project. (2024). Snort Users Manual 2.9.x. Cisco Systems. https://www.snort.org/documents
  • Welford, B. P. (1962). Note on a method for calculating corrected sums of squares and products. Technometrics, 4(3), 419–420.
  • OWASP Foundation. (2021). OWASP Top Ten. https://owasp.org/www-project-top-ten/
  • National Institute of Standards and Technology. (2012). Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94.
