A comprehensive real-time API security monitoring system powered by machine learning. Uses CNN and BiLSTM neural networks for threat detection and anomaly analysis.
This system provides:
- Real-time Threat Detection: Analyzes API requests using CNN models for immediate threat classification
- Temporal Pattern Detection: Uses BiLSTM models to identify attack patterns across multiple requests
- Security Dashboard: Modern web interface for monitoring and alert management
- Detailed Analytics: Time-series analysis and threat trend visualization
- Security Logs: Comprehensive logging of all analyzed requests with filtering and export
- Alert Management: Active threat alerts with recommendations and acknowledgement tracking
Frontend:
- Next.js 15 with React for the user interface
- Recharts for data visualization
- shadcn/ui components for consistent design
- Real-time updates via API polling

Backend:
- FastAPI for high-performance API endpoints
- CNN Model: Analyzes individual request features for threat probability
- BiLSTM Model: Identifies temporal attack patterns in request sequences
- Feature Extraction: 52 CICIDS2017 network features from API traffic
- PostgreSQL: Persistent storage for logs and alerts (optional)

Machine learning pipeline:
- 52 CICIDS2017 Features: Flow-based, timing, protocol, and flag-based features
- CNN Model: Request-level threat classification (0-1 probability)
- BiLSTM Model: Temporal anomaly detection across request sequences
- Combined Scoring: 60% CNN + 40% BiLSTM for final threat assessment
Prerequisites:
- Node.js 18+
- Python 3.8+
- (Optional) PostgreSQL for persistent storage

Installation:

```bash
# Install Node.js dependencies
npm install

# Create Python virtual environment
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate

# Install Python dependencies
pip install -r scripts/requirements.txt

# Initialize project (creates demo models)
python3 scripts/init.py
```

Configuration: create a `.env.local` file in the project root:

```
# Backend URL (for development)
FASTAPI_URL=http://localhost:8000

# Optional: PostgreSQL connection for production
# DATABASE_URL=postgresql://user:password@localhost:5432/api_security_db
```

Running the application:

Terminal 1 - Start Backend Server:

```bash
python3 scripts/run_backend.py
```

The backend will start on http://localhost:8000
- API documentation: http://localhost:8000/docs
- Health check: http://localhost:8000/api/health

Terminal 2 - Start Frontend:

```bash
npm run dev
```

The dashboard will be available at http://localhost:3000
Project structure:

```
├── app/
│   ├── page.tsx                    # Main dashboard
│   ├── analytics/page.tsx          # Analytics dashboard
│   ├── logs/page.tsx               # Security logs viewer
│   ├── alerts/page.tsx             # Active alerts management
│   └── api/proxy/[...route]/       # API proxy to FastAPI
├── components/
│   ├── navigation.tsx              # Navigation bar
│   └── dashboard/                  # Dashboard components
│       ├── statistics-card.tsx
│       ├── threat-chart.tsx
│       └── alerts-list.tsx
├── scripts/
│   ├── api_backend.py              # FastAPI application
│   ├── models.py                   # Pydantic models
│   ├── feature_extractor.py        # Feature extraction
│   ├── create_models.py            # Model generation
│   ├── run_backend.py              # Backend server launcher
│   ├── init.py                     # Project initialization
│   ├── requirements.txt            # Python dependencies
│   └── 01_create_schema.sql        # Database schema
├── public/models/                  # Pre-trained models
│   ├── cnn_api_security_model.pkl
│   ├── bilstm_api_security_model.pkl
│   ├── scaler.pkl
│   └── model_metadata.json
└── README.md
```
Main dashboard:
- Key Metrics: Total requests, threats detected, average threat score
- Threat Distribution: Visual breakdown by threat level
- Model Comparison: CNN vs BiLSTM score visualization
- Recent Alerts: Latest security incidents with details

Analytics dashboard:
- Threat Trends: 24-hour time-series of threat scores
- Detection Rate: Threats detected per hour
- Model Performance: Detailed metrics for both models
- Historical Data: Hourly statistics for trend analysis

Security logs:
- Comprehensive Logging: All analyzed requests recorded
- Filtering: By threat level, source IP, and API path
- Export: Download logs as CSV for external analysis
- Pagination: Efficient browsing of large log sets

Alert management:
- Active Alerts: Only unacknowledged threats displayed
- Threat Details: Full request and analysis information
- Recommendations: Suggested actions for each threat
- Acknowledgement: Mark threats as reviewed
API endpoints:
- `POST /api/analyze` - Analyze a single request
- `POST /api/analyze-batch` - Batch analyze multiple requests
- `GET /api/logs` - Fetch security logs with filtering
- `GET /api/stats` - Real-time statistics and trends
- `GET /api/alerts` - Get unacknowledged alerts
- `POST /api/alerts/{id}/acknowledge` - Mark alert as acknowledged
- `GET /api/health` - Health check endpoint
Threats are classified by combined score:
- CRITICAL (0.8-1.0): Immediate action required, block the request
- HIGH (0.6-0.8): Investigate and monitor closely
- MEDIUM (0.4-0.6): Monitor for pattern confirmation
- LOW (0-0.4): Normal traffic, allow
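The following is an added example, not code from the project's own `api_backend.py`. It implements the two rules stated above (combined score = 60% CNN + 40% BiLSTM, then banding into CRITICAL/HIGH/MEDIUM/LOW) so the interaction between the two models is visible: a CNN score of 1.0 with a BiLSTM score of 0.0 lands at exactly 0.6 (HIGH), so neither model alone can push a request into CRITICAL. The README does not say whether band boundaries are inclusive; this example assumes each band's lower bound is inclusive (0.8 is CRITICAL, 0.6 is HIGH, 0.4 is MEDIUM).

```python
"""Combined CNN + BiLSTM scoring and threat-level classification.

Added example, not the project's own code. Assumption: each band's lower
bound is inclusive, since the README leaves the boundary unspecified.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

CNN_WEIGHT = 0.6
BILSTM_WEIGHT = 0.4

# Bands in descending order: (level, inclusive lower bound, recommended action)
THREAT_BANDS: List[Tuple[str, float, str]] = [
    ("CRITICAL", 0.8, "Immediate action required, block the request"),
    ("HIGH", 0.6, "Investigate and monitor closely"),
    ("MEDIUM", 0.4, "Monitor for pattern confirmation"),
    ("LOW", 0.0, "Normal traffic, allow"),
]


@dataclass(frozen=True)
class Assessment:
    cnn_score: float
    bilstm_score: float
    combined_score: float
    level: str
    recommendation: str
    should_block: bool


def _check_probability(name: str, value: float) -> float:
    """Model outputs are probabilities; reject anything outside [0, 1]
    instead of silently clamping, so a broken model surfaces as an error."""
    if not isinstance(value, (int, float)) or value != value:  # also rejects NaN
        raise ValueError(f"{name} must be a number, got {value!r}")
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {value}")
    return float(value)


def combined_score(cnn: float, bilstm: float) -> float:
    """Weighted ensemble: 60% request-level CNN, 40% temporal BiLSTM."""
    cnn = _check_probability("cnn", cnn)
    bilstm = _check_probability("bilstm", bilstm)
    return CNN_WEIGHT * cnn + BILSTM_WEIGHT * bilstm


def classify(score: float) -> Tuple[str, str]:
    """Map a combined score to (level, recommendation) using the bands above."""
    for level, lower, recommendation in THREAT_BANDS:
        if score >= lower:
            return level, recommendation
    raise ValueError(f"score out of range: {score}")  # unreachable for valid input


def assess(cnn: float, bilstm: float) -> Assessment:
    """Full assessment for one request: score, band and blocking decision."""
    score = combined_score(cnn, bilstm)
    level, recommendation = classify(score)
    return Assessment(cnn, bilstm, score, level, recommendation, level == "CRITICAL")


def assess_batch(pairs: Iterable[Tuple[float, float]]) -> Tuple[List[Assessment], Dict[str, int]]:
    """Score many (cnn, bilstm) pairs and count how many land in each band,
    the summary the dashboard's threat-distribution view needs."""
    results = [assess(c, b) for c, b in pairs]
    counts = {level: 0 for level, _, _ in THREAT_BANDS}
    for r in results:
        counts[r.level] += 1
    return results, counts


if __name__ == "__main__":
    # Constructed scores: a CNN-only hit can never reach CRITICAL on its own
    for cnn, bilstm in [(1.0, 0.0), (0.0, 1.0), (0.9, 0.9), (0.2, 0.1)]:
        a = assess(cnn, bilstm)
        print(f"cnn={cnn:.2f} bilstm={bilstm:.2f} -> {a.combined_score:.2f} {a.level}")
```

Rejecting out-of-range scores rather than clamping them is deliberate: a model that starts emitting values outside [0, 1] is a pipeline fault worth an error, not a request silently scored as LOW.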
The system extracts 52 CICIDS2017 features from API requests:
- Packet Length (12 features): Forward/backward packet statistics
- Header Length (12 features): Forward/backward header information
- Packet Count (6 features): Flow statistics and rates
- TCP Flags (8 features): FIN, SYN, RST, PSH counts
- Timing (9 features): Flow duration and inter-arrival times
- Response (3 features): Status code, response time, content length
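The following is an added example, not the project's own `scripts/feature_extractor.py`. It computes a representative subset of the feature groups listed above (packet length, header length, packet count, TCP flags, timing) from a constructed six-packet API exchange, using CICIDS2017 column names. Assumptions of this example: timestamps are in microseconds as in CICIDS2017, "forward" means client-to-server, packet-length standard deviation is the population standard deviation, and a single-packet flow reports rate features as 0 rather than dividing by a zero duration; the project's extractor may define any of these differently.

```python
"""Flow-level features in the CICIDS2017 style from a short API exchange.

Added example, not the project's own feature extractor. Assumptions:
microsecond timestamps, forward = client -> server, population std for
packet lengths, rate features are 0.0 for zero-duration flows.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Packet:
    ts_us: int                             # capture time in microseconds
    forward: bool                          # True = client -> API server
    length: int                            # total packet length in bytes
    header_len: int                        # IP + TCP header bytes
    flags: FrozenSet[str] = frozenset()    # e.g. {"SYN", "ACK"}


def _length_stats(prefix: str, lengths: List[int]) -> Dict[str, float]:
    """Max/Min/Mean/Std of packet lengths in one direction (0 if no packets)."""
    if not lengths:
        return {f"{prefix} Packet Length {s}": 0.0 for s in ("Max", "Min", "Mean", "Std")}
    return {
        f"{prefix} Packet Length Max": float(max(lengths)),
        f"{prefix} Packet Length Min": float(min(lengths)),
        f"{prefix} Packet Length Mean": float(mean(lengths)),
        f"{prefix} Packet Length Std": float(pstdev(lengths)),
    }


def extract_flow_features(packets: List[Packet]) -> Dict[str, float]:
    """Compute flow duration, per-direction counts and lengths, header bytes,
    inter-arrival times, rates and TCP flag counts for one flow."""
    if not packets:
        raise ValueError("a flow needs at least one packet")
    pkts = sorted(packets, key=lambda p: p.ts_us)
    fwd = [p for p in pkts if p.forward]
    bwd = [p for p in pkts if not p.forward]
    duration_us = pkts[-1].ts_us - pkts[0].ts_us
    duration_s = duration_us / 1_000_000
    total_bytes = sum(p.length for p in pkts)
    iats = [b.ts_us - a.ts_us for a, b in zip(pkts, pkts[1:])]

    features: Dict[str, float] = {
        "Flow Duration": float(duration_us),
        "Total Fwd Packets": float(len(fwd)),
        "Total Backward Packets": float(len(bwd)),
        "Fwd Header Length": float(sum(p.header_len for p in fwd)),
        "Bwd Header Length": float(sum(p.header_len for p in bwd)),
        # Single-packet flows have zero duration; report 0 rather than divide by zero
        "Flow Packets/s": len(pkts) / duration_s if duration_s > 0 else 0.0,
        "Flow Bytes/s": total_bytes / duration_s if duration_s > 0 else 0.0,
        "Flow IAT Mean": float(mean(iats)) if iats else 0.0,
        "Flow IAT Max": float(max(iats)) if iats else 0.0,
        "Flow IAT Min": float(min(iats)) if iats else 0.0,
    }
    features.update(_length_stats("Fwd", [p.length for p in fwd]))
    features.update(_length_stats("Bwd", [p.length for p in bwd]))
    # Flag counts are taken over both directions, as in CICIDS2017
    for flag in ("FIN", "SYN", "RST", "PSH"):
        features[f"{flag} Flag Count"] = float(sum(1 for p in pkts if flag in p.flags))
    return features


def to_vector(features: Dict[str, float], order: List[str]) -> List[float]:
    """Order features for the scaler/model; a missing name raises KeyError
    so a feature-set mismatch fails loudly instead of shifting columns."""
    return [features[name] for name in order]


# Constructed flow: TCP handshake, one request, one response, then FIN
SAMPLE_FLOW = [
    Packet(0, True, 60, 40, frozenset({"SYN"})),
    Packet(1000, False, 60, 40, frozenset({"SYN", "ACK"})),
    Packet(2000, True, 52, 32, frozenset({"ACK"})),
    Packet(3000, True, 520, 32, frozenset({"PSH", "ACK"})),
    Packet(8000, False, 1200, 32, frozenset({"PSH", "ACK"})),
    Packet(9000, True, 52, 32, frozenset({"FIN", "ACK"})),
]

if __name__ == "__main__":
    for name, value in sorted(extract_flow_features(SAMPLE_FLOW).items()):
        print(f"{name:28s} {value:12.3f}")
```

The `to_vector` step is where the "update feature count" advice from the customization section bites: if the order list and the extractor disagree, the error surfaces at the first call rather than as silently misaligned model input.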
The demo models simulate threat detection with:
- CNN Model: Analyzes individual request characteristics
- BiLSTM Model: Detects temporal patterns across request sequences
- Combined Scoring: Weighted ensemble for robust detection
Note: Demo models are for demonstration. For production, train models with real network traffic data.
To use custom models:
- Train your own CNN/BiLSTM models
- Save with pickle: `pickle.dump(model, open('path/to/model.pkl', 'wb'))`
- Place them in the `public/models/` directory
- Restart the backend server
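The following is an added example, not the project's own model-loading code. Because `pickle.load` executes whatever the file instructs, a model file placed in `public/models/` runs with the backend's privileges when it is loaded, which is why the security considerations below list models among the data to store securely. This loader pins each model file's SHA-256 in a manifest at save time and refuses to unpickle a file whose hash does not match or that is not pinned at all. Assumptions of this example: the manifest format (a JSON mapping of file name to hex digest) is this example's own and is not the project's `model_metadata.json`; the stand-in model is a plain dict; the helper `roundtrip_demo` exercises everything in a temporary directory.

```python
"""Integrity-checked loading of pickled model files.

Added example, not the project's own backend code. The manifest format is
this example's own (JSON: file name -> hex SHA-256), not model_metadata.json.
"""
import hashlib
import hmac
import json
import os
import pickle
import tempfile
from typing import Any, Dict


class ModelIntegrityError(RuntimeError):
    """Raised when a model file is unpinned or its hash does not match."""


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large models don't sit in memory twice."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _read_manifest(manifest_path: str) -> Dict[str, str]:
    if not os.path.exists(manifest_path):
        return {}
    with open(manifest_path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_model(model: Any, path: str, manifest_path: str) -> str:
    """Training side: pickle the model and pin its SHA-256 in the manifest."""
    with open(path, "wb") as fh:
        pickle.dump(model, fh)
    digest = sha256_of_file(path)
    manifest = _read_manifest(manifest_path)
    manifest[os.path.basename(path)] = digest
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return digest


def load_model_verified(path: str, manifest_path: str) -> Any:
    """Serving side: unpickle only after the hash matches the pinned digest."""
    expected = _read_manifest(manifest_path).get(os.path.basename(path))
    if expected is None:
        raise ModelIntegrityError(f"{path} is not pinned in {manifest_path}; refusing to load")
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected):
        raise ModelIntegrityError(f"{path}: SHA-256 {actual} != pinned {expected}")
    with open(path, "rb") as fh:
        return pickle.load(fh)


def roundtrip_demo() -> Dict[str, bool]:
    """Save, verify-load, then tamper and confirm the loader refuses.
    Uses a constructed stand-in model (a dict) in a temporary directory."""
    outcome: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cnn_api_security_model.pkl")
        manifest = os.path.join(d, "model_manifest.json")
        model = {"kind": "stand-in", "weights": [0.1, 0.2, 0.3]}
        save_model(model, path, manifest)
        outcome["loads_when_pinned"] = load_model_verified(path, manifest) == model
        # Append one byte: plain pickle.load would still succeed (it stops at
        # the STOP opcode), but the pinned hash no longer matches
        with open(path, "ab") as fh:
            fh.write(b"\x00")
        try:
            load_model_verified(path, manifest)
            outcome["rejects_tampered"] = False
        except ModelIntegrityError:
            outcome["rejects_tampered"] = True
        # A file that was never pinned is refused as well
        unpinned = os.path.join(d, "unpinned.pkl")
        with open(unpinned, "wb") as fh:
            pickle.dump(model, fh)
        try:
            load_model_verified(unpinned, manifest)
            outcome["rejects_unpinned"] = False
        except ModelIntegrityError:
            outcome["rejects_unpinned"] = True
    return outcome


if __name__ == "__main__":
    print(roundtrip_demo())
```

The manifest only helps if it is written by the training pipeline and not writable by whoever can drop files into `public/models/`; keeping it under version control or in the deployment bundle, separate from the model directory, is the usual arrangement.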
To add new features to the extractor:
- Edit `scripts/feature_extractor.py`
- Update the feature count (currently 52)
- Update `models.py` and `api_backend.py`
- Retrain models with the new feature set
To use PostgreSQL instead of in-memory storage:
- Set `DATABASE_URL` in `.env.local`
- Run migrations: `psql -d your_db -f scripts/01_create_schema.sql`
- Update connection strings in `api_backend.py`
Troubleshooting:

Backend checks:

```bash
# Check if port 8000 is in use
lsof -i :8000

# Install missing dependencies
pip install -r scripts/requirements.txt

# Check Python version
python3 --version # Should be 3.8+
```

Frontend connection checks:
- Verify the backend is running: `curl http://localhost:8000/api/health`
- Check `FASTAPI_URL` in `.env.local`
- Ensure CORS is properly configured

Model regeneration:

```bash
# Regenerate models
python3 scripts/create_models.py
```

Performance tips:
- Batch Analysis: Use `/api/analyze-batch` for multiple requests
- Filtering: Apply filters on logs to reduce data transfer
- Pagination: Load logs in pages (default 20 per page)
- Caching: Frontend caches stats and updates every 10 seconds
Security considerations:
- All traffic between frontend and backend should use HTTPS in production
- Implement authentication for the dashboard
- Store sensitive data (API credentials, models) securely
- Regularly update dependencies
- Monitor logs for suspicious activity in the monitoring system itself
Planned enhancements:
- WebSocket support for real-time alerts
- Custom model training pipeline
- Integration with SIEM systems
- Multi-tenancy support
- Advanced anomaly detection algorithms
- Custom alert rules and workflows
MIT License - See LICENSE file for details
For issues and questions:
- Check the troubleshooting section above
- Review the API documentation at http://localhost:8000/docs
- Check FastAPI logs for detailed error messages
- Review browser console for frontend errors
Contributions are welcome! Please ensure:
- Code follows the existing style
- Features include appropriate tests
- Documentation is updated
- Commit messages are descriptive