Course: CSC 2221 — Object-Oriented Programming in C++ (Spring 2026)
Institution: ICT University
Date: 12 May 2026
A comprehensive, real-time intrusion detection, prevention, and log analytics platform built entirely in C++17 using Object-Oriented Programming (OOP) principles. Modelling the pipeline of professional-grade tools like Snort and Suricata, this project implements a rule-based expert engine, a statistical anomaly-based preprocessor, a CLI-based SIEM dashboard, and a tamper-resistant hash-chained binary audit log.
The application is structured into five cohesive functional layers. The control flow streams parsed logs through the analysis engine, triggers alerts, and executes automated response actions:
```mermaid
graph TD
LP[LogParser] -->|LogEntry| LA[LogAnalyzer]
LA -->|Feeds entry| TF[ThreatFactory]
TF -->|Evaluates Rules| RS[RuleSet]
TF -->|Checks static state in| T[Threat Subclasses]
TF -->|Instantiates| T
LA -->|Checks/Detects| T
T -->|Triggers Alert| AS[AlertSystem]
AS -->|Notifies| RE[ResponseEngine]
AS -->|Notifies| IL[IncidentLogger]
AS -->|Notifies| SD[SIEMDashboard]
RE -->|Calls utility| RG[ReportGenerator]
IL -->|Chains & Verifies| HC[HashChain]
RE -->|Appends Block/Limit| BL[blocklist.cfg]
```
- Multi-Format Log Ingestion: Streams syslog Linux authentication logs and Apache/Nginx HTTP access logs, validating formats, field counts, and handling malformed lines gracefully.
- Polymorphic Threat Hierarchy: Includes 5 distinct threat classes representing different attack vectors (Brute Force, Port Scan, SQL Injection, DDoS, and Privilege Escalation).
- Statistical Anomaly Detection: Tracks requests per second using Welford's online algorithm to dynamically update the baseline mean and standard deviation, raising alerts when volume exceeds $3\sigma$.
- Automated Active Response: Appends malicious IPs to blocklists/limitlists and drops lockouts on critical occurrences.
- Tamper-Resistant Cryptographic Logging: Secures audit records in a binary file using a FNV-1a 64-bit blockchain-style recursive hash chain.
- ANSI Console SIEM Dashboard: Interactive real-time summary displaying event throughput, threat type distribution (ASCII bar chart), IP blocklist tables, and critical incident feeds.
- Role-Based Access Control (RBAC): Separates views and administrative operations between Analysts and Administrators.
```
cybersec-monitor/
├── include/
│   ├── alert/
│   │   ├── Alert.h
│   │   ├── AlertSystem.h
│   │   ├── ResponseEngine.h
│   │   └── Subscriber.h
│   ├── engine/
│   │   ├── LogAnalyzer.h
│   │   ├── LogEntry.h
│   │   ├── LogParser.h
│   │   ├── RuleSet.h
│   │   └── ThreatFactory.h
│   ├── report/
│   │   └── ReportGenerator.h
│   ├── siem/
│   │   ├── HashChain.h
│   │   ├── IncidentLogger.h
│   │   └── SIEMDashboard.h
│   ├── threats/
│   │   ├── BruteForce.h
│   │   ├── DDoSFlood.h
│   │   ├── PortScan.h
│   │   ├── PrivEscAttempt.h
│   │   ├── SQLiAttempt.h
│   │   └── Threat.h
│   ├── users/
│   │   ├── Administrator.h
│   │   ├── Analyst.h
│   │   └── User.h
│   ├── config.h
│   └── SIEMSystem.h
├── src/
│   ├── alert/
│   │   ├── AlertSystem.cpp
│   │   └── ResponseEngine.cpp
│   ├── engine/
│   │   ├── LogAnalyzer.cpp
│   │   ├── LogParser.cpp
│   │   ├── RuleSet.cpp
│   │   └── ThreatFactory.cpp
│   ├── report/
│   │   └── ReportGenerator.cpp
│   ├── siem/
│   │   ├── HashChain.cpp
│   │   ├── IncidentLogger.cpp
│   │   └── SIEMDashboard.cpp
│   ├── tests/
│   │   └── test_main.cpp
│   ├── threats/
│   │   ├── BruteForce.cpp
│   │   ├── DDoSFlood.cpp
│   │   ├── PortScan.cpp
│   │   ├── PrivEscAttempt.cpp
│   │   └── SQLiAttempt.cpp
│   ├── users/
│   │   ├── Administrator.cpp
│   │   ├── Analyst.cpp
│   │   └── User.cpp
│   ├── main.cpp
│   └── SIEMSystem.cpp
├── data/
│   ├── rules.cfg
│   ├── sample_auth.log
│   └── sample_http.log
├── docs/
│   ├── cybersec_uml_class_diagram.svg
│   ├── cybersec_detection_flowchart.svg
│   ├── SIEM-LITE.png
│   ├── sample_auth_log.png
│   └── sample_http_log.png
├── Makefile
├── .gitignore
└── README.md
```
- Configuration: config.h
- Threat Hierarchy Base: Threat.h
- Rule-Based RuleSet: RuleSet.h
- Threat Classifier: ThreatFactory.h
- Parser Engine: LogParser.h
- Tamper Hash Tool: HashChain.h
- Interactive CLI Launcher: main.cpp
The system serves as a demonstration of C++ Object-Oriented Programming (OOP) design patterns and principles:
| OOP Principle | Description & Code Application | Relevant Class/Files |
|---|---|---|
| Encapsulation | Private variables with strictly validated public accessors. Fields of parsed entries are shielded. | LogEntry |
| Inheritance | A deep polymorphic tree from an abstract base class enforcing interfaces. | Threat |
| Polymorphism | Dynamic dispatch at runtime via virtual functions. Processing loops handle pointers uniformly. | LogAnalyzer iterating over `std::vector<Threat*>` |
| Abstraction | Hiding complex implementation details behind simple APIs. | HashChain exposing `append()` & `verify()` |
| Composition | Aggregating subsystems in a textbook "has-a" relationship to orchestrate functions. | SIEMSystem composing analyzer, dashboard, response engine |
At startup, configurations are ingested from rules.cfg into the RuleSet.
- Static Window Tracking: The Threat subclasses handle their own state tracking. For example, BruteForce uses a static `std::unordered_map<std::string, std::deque<time_t>>` to maintain a history of login attempts per IP.
- Pattern Matching: SQLiAttempt performs stateless payload analysis using C++ regular expressions (`std::regex`) to catch command injection patterns.
- Stateless Dispatch: The ThreatFactory evaluates matching criteria without holding internal state, returning dynamically allocated instances of the proper subclasses upon threat confirmation.
To detect volumetric DDoS attempts, DDoSFlood computes a running z-score of the request rate from an IP. It maintains numerically stable running statistical parameters utilizing Welford's online update algorithm:
If the current rate
and exceeds standard limits, it triggers a critical DDoS alert.
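The Welford update and the 3σ rate check, as an added C++ example for this README (not the project's DDoSFlood code; the class and function names and the sample request rates are assumed and constructed here):

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <vector>

// Welford's online update: keeps the mean and M2 (sum of squared deviations)
// in O(1) memory, so no per-second history has to be stored. Names are assumed;
// DDoSFlood's own internals are not shown in the README.
class WelfordStats {
public:
    void update(double x) {
        ++n_;
        double delta = x - mean_;
        mean_ += delta / static_cast<double>(n_);
        m2_ += delta * (x - mean_);  // second factor uses the *updated* mean
    }
    std::size_t count() const { return n_; }
    double mean() const { return mean_; }
    // Population standard deviation; zero until at least two samples exist.
    double stddev() const { return n_ < 2 ? 0.0 : std::sqrt(m2_ / static_cast<double>(n_)); }
private:
    std::size_t n_ = 0;
    double mean_ = 0.0, m2_ = 0.0;
};
// Baseline learned from a whole slice of samples (used to inspect the statistics).
inline WelfordStats baselineOf(const std::vector<double>& rates) {
    WelfordStats s;
    for (double x : rates) s.update(x);
    return s;
}
// The README's 3-sigma rule over a stream of requests-per-second samples; returns
// the indices flagged. Two guards: no verdict until `warmup` samples are seen, and
// a floor on sigma so a perfectly flat history does not alert on trivial noise.
// Flagged samples are NOT folded into the baseline, so a sustained flood cannot
// drag the learned "normal" upward and hide itself.
inline std::vector<std::size_t> flaggedIndices(const std::vector<double>& rates,
        std::size_t warmup = 10, double k = 3.0, double minSigma = 1.0) {
    WelfordStats base;
    std::vector<std::size_t> out;
    for (std::size_t i = 0; i < rates.size(); ++i) {
        double sigma = std::max(base.stddev(), minSigma);
        if (base.count() >= warmup && (rates[i] - base.mean()) / sigma > k)
            out.push_back(i);
        else
            base.update(rates[i]);
    }
    return out;
}
// Constructed sample: 20 seconds hovering around 50 req/s, then a burst to 100.
const std::vector<double> kSampleRates = {48, 52, 48, 52, 48, 52, 48, 52, 48, 52,
                                          48, 52, 48, 52, 48, 52, 48, 52, 48, 52, 100, 55, 53};
```

For the sample above only the burst at index 20 is flagged; the following 55 req/s (2.5σ above the mean) is absorbed into the baseline instead.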
The CLI implements role-based access control checking credentials defined in the config.h namespace:
| Role | Username | Password | Privileges |
|---|---|---|---|
| Administrator | admin | admin123 | Load files, edit rule parameters, view dashboard, query log integrity. |
| Analyst | analyst | analyst123 | Load files, view dashboard, query logs, generate incident reports (read-only). |
- Linux / macOS: GCC (supporting C++17) or Clang, GNU Make.
- Windows: MinGW-w64 with GNU Make or WSL (Windows Subsystem for Linux).
- Compile Application & Test Suite: `make all`
- Execute Unit Test Suite: `make test`
- Launch SIEM Interactive Dashboard: `make run`
- Remove Object Files and Compiled Binaries: `make clean`
- Run `make run`.
- Log in with credentials (e.g., `admin`/`admin123`).
- Select option `1. Run Simulation Logs`.
- Ingestion starts streaming `data/sample_auth.log` and `data/sample_http.log`.
- The live ANSI SIEM Dashboard displays active threats, total processed events, and blocked IPs.
- Run the simulation logs to generate the binary log file `data/audit.bin`.
- Log in as an Administrator and choose `3. Validate Audit Log Integrity`. It will show `[SUCCESS] Chain verification passed. Hash sequence matches exactly.`
- Manually edit or tamper with `data/audit.bin` (e.g. by modifying a character).
- Run validation again. The system catches the mismatch, outputting a clear `[TAMPER_ALERT]` specifying the index where the cryptographic chain was broken.
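The hash-chained audit log and the integrity check from the tamper-detection steps above, as an added C++ example (not the project's HashChain.h; the `append()`/`verify()` API shape, the genesis value, the link layout and the sample incident records are assumed and constructed here):

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// FNV-1a 64-bit (published offset basis and prime). Fast, but NOT a
// cryptographic hash: anyone who can rewrite the file can also recompute
// the whole chain, so this catches careless edits, not a determined adversary.
inline std::uint64_t fnv1a64(const std::string& data) {
    std::uint64_t h = 0xcbf29ce484222325ULL;
    for (unsigned char c : data) { h ^= c; h *= 0x100000001b3ULL; }
    return h;
}
// One audit block: the record plus the hash of (previous hash || record).
struct Block { std::string record; std::uint64_t prevHash; std::uint64_t hash; };

// Assumed API (the project's HashChain.h is not shown). append() links a new
// record to the previous block's hash; verify() recomputes every link and
// returns the index of the first broken block, or -1 if the chain is intact.
class HashChain {
public:
    void append(const std::string& record) {
        std::uint64_t prev = blocks_.empty() ? kGenesis : blocks_.back().hash;
        blocks_.push_back({record, prev, link(prev, record)});
    }
    long verify() const {
        std::uint64_t prev = kGenesis;
        for (std::size_t i = 0; i < blocks_.size(); ++i) {
            const Block& b = blocks_[i];
            if (b.prevHash != prev || b.hash != link(prev, b.record)) return static_cast<long>(i);
            prev = b.hash;
        }
        return -1;  // intact (removing the *last* block is undetectable unless the final hash is kept elsewhere)
    }
    std::vector<Block>& blocks() { return blocks_; }  // exposed so tampering can be simulated
private:
    static constexpr std::uint64_t kGenesis = 0;
    static std::uint64_t link(std::uint64_t prev, const std::string& record) {
        std::string buf;  // big-endian previous hash, then the record bytes
        for (int i = 7; i >= 0; --i) buf.push_back(static_cast<char>(prev >> (8 * i)));
        return fnv1a64(buf + record);
    }
    std::vector<Block> blocks_;
};
// Constructed sample incidents (not taken from the project's data files).
inline HashChain buildSampleChain() {
    HashChain c;
    c.append("203.0.113.7 BRUTE_FORCE 6 failed logins in 60s");
    c.append("198.51.100.2 SQLI suspicious quote/comment sequence in query string");
    c.append("203.0.113.7 PORT_SCAN 40 distinct ports in 10s");
    return c;
}
```

Because FNV-1a is not keyed, a practitioner would anchor the final hash outside the file (or use a keyed hash such as an HMAC) before treating a passing verification as evidence against deliberate tampering.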
- Stroustrup, B. (2013). The C++ Programming Language (4th ed.). Addison-Wesley.
- Gamma, E., Helm, R., Johnson, R., & Vlissides, J. (1994). Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley.
- Snort Project. (2024). Snort Users Manual 2.9.x. Cisco Systems. https://www.snort.org/documents
- Welford, B. P. (1962). Note on a method for calculating corrected sums of squares and products. Technometrics, 4(3), 419–420.
- OWASP Foundation. (2021). OWASP Top Ten. https://owasp.org/www-project-top-ten/
- National Institute of Standards and Technology. (2012). Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94.