A minimal, runnable prototype that detects brute-force login attacks from log events using machine learning anomaly detection.
ASTRA uses an IsolationForest model trained on synthetic "normal" network traffic to detect brute-force attacks in real-time. When suspicious activity is detected, it generates human-readable reports and takes simulated defensive actions.
- Real-time anomaly detection using IsolationForest (scikit-learn)
- Flask HTTP server with REST API for event ingestion
- Sliding 60-second window aggregation per source IP
- Automatic report generation (JSON + plain text)
- Configurable thresholds and actions
- Traffic simulator with normal and brute-force modes
Create and activate a virtual environment:
```bash
python -m venv venv
```
Windows (PowerShell/CMD):
```
venv\Scripts\activate
```
macOS/Linux:
```bash
source venv/bin/activate
```
Install dependencies and train the model:
```bash
pip install -r requirements.txt
python model_training.py
```
This generates:
- `models/anomaly_detector.joblib` — trained IsolationForest model
- `models/scaler.joblib` — StandardScaler for feature normalization
- `models/feature_columns.joblib` — feature column order
Windows:
```
set ASTRA_PORT=5000
python astra_server.py
```
macOS/Linux:
```bash
export ASTRA_PORT=5000
python astra_server.py
```
The server starts on http://0.0.0.0:5000
Normal traffic (should generate few/no alerts):
```bash
python send_bruteforce.py --server http://localhost:5000 --mode normal --rate 2 --duration 60
```
Brute-force attack (should trigger BLOCK_IP action):
```bash
python send_bruteforce.py --server http://localhost:5000 --mode bruteforce --rate 3 --duration 60
```
The event ingestion endpoint accepts a single event or an array of events:
```json
{
  "ts": "2025-10-28T18:00:00Z",
  "src_ip": "192.168.1.10",
  "dst_ip": "10.0.0.5",
  "dst_port": 22,
  "protocol": "TCP",
  "bytes": 1024,
  "event_type": "login_failed"
}
```
`/api/reports` returns a list of recent report metadata.
`/api/state` returns the current in-memory state: blocked IPs and recent anomalies.
- Aggregation: Events are aggregated per source IP over a 60-second sliding window
- Feature Extraction: Computes:
  - `failed_login_count` — number of failed login attempts
  - `conn_count` — total connection count
  - `unique_dest_ports` — number of unique destination ports
  - `avg_bytes` — average bytes per connection
- Anomaly Scoring: Features are scaled and passed to the IsolationForest model
- Classification: Flagged as BRUTE_FORCE if:
  `failed_login_count >= 5` AND `anomaly_score >= 0.5` (default thresholds)
- Action Decision:
  - Confidence ≥ 0.9 → BLOCK_IP
  - Confidence ≥ 0.6 → QUARANTINE_HOST
  - Otherwise → FLAG_FOR_REVIEW
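The window aggregation, feature extraction and decision rule described above, as an added example that is not the project's own code. It assumes the README's default thresholds and event format; the anomaly score and confidence are passed in as fixed values because they come from the IsolationForest stage, which this snippet does not reproduce.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults as listed in this README; astra_server.py holds the real ones.
WINDOW = timedelta(seconds=60)
FAILED_LOGIN_THRESHOLD, ANOMALY_THRESHOLD = 5, 0.5
CONFIDENCE_BLOCK, CONFIDENCE_QUARANTINE = 0.9, 0.6

class SlidingWindow:
    """Per-source-IP 60-second window, evicted relative to the newest event seen."""
    def __init__(self):
        self.events = defaultdict(deque)

    def add(self, event):
        q = self.events[event["src_ip"]]
        now = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        q.append((now, event))
        while now - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        return self.features(event["src_ip"])

    def features(self, ip):
        evs = [e for _, e in self.events[ip]]
        failed = sum(e["event_type"] == "login_failed" for e in evs)
        avg_bytes = sum(e["bytes"] for e in evs) / len(evs) if evs else 0.0
        return {"failed_login_count": failed, "conn_count": len(evs),
                "unique_dest_ports": len({e["dst_port"] for e in evs}), "avg_bytes": avg_bytes}

def classify(features, anomaly_score, confidence):
    """README rule: both thresholds must be met; confidence then picks the action."""
    if features["failed_login_count"] < FAILED_LOGIN_THRESHOLD or anomaly_score < ANOMALY_THRESHOLD:
        return "NORMAL", None
    if confidence >= CONFIDENCE_BLOCK:
        return "BRUTE_FORCE", "BLOCK_IP"
    if confidence >= CONFIDENCE_QUARANTINE:
        return "BRUTE_FORCE", "QUARANTINE_HOST"
    return "BRUTE_FORCE", "FLAG_FOR_REVIEW"

def run_sample():
    # Constructed events: one stale success at 17:58 (falls out of the window),
    # then six failed SSH logins within 25 s. Score/confidence are fixed stand-ins.
    base = {"src_ip": "192.168.1.10", "dst_ip": "10.0.0.5", "protocol": "TCP"}
    events = [dict(base, ts="2025-10-28T17:58:00Z", dst_port=443, bytes=4096, event_type="login_success")]
    events += [dict(base, ts=f"2025-10-28T18:00:{s:02d}Z", dst_port=22, bytes=1024,
                    event_type="login_failed") for s in range(0, 30, 5)]
    window = SlidingWindow()
    for ev in events:
        feats = window.add(ev)
    return feats, classify(feats, anomaly_score=0.8, confidence=0.95)
```

Note that the stale event is evicted before the failed logins are counted, so a single old success does not dilute `avg_bytes` or `unique_dest_ports`.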
Reports are written to the reports/ directory:
- `report_<timestamp>_<rand>.json` — structured report
- `report_<timestamp>_<rand>.txt` — human-readable summary
You can also query via API:
```bash
curl http://localhost:5000/api/reports
```
Edit astra_server.py to adjust:
- `ANOMALY_THRESHOLD` (default: 0.5) — minimum anomaly score
- `FAILED_LOGIN_THRESHOLD` (default: 5) — minimum failed login count
- `CONFIDENCE_BLOCK` (default: 0.9) — confidence for IP blocking
- `CONFIDENCE_QUARANTINE` (default: 0.6) — confidence for quarantine
Change the port via environment variable:
```
set ASTRA_PORT=8080       # Windows
export ASTRA_PORT=8080    # macOS/Linux
```
Ensure the port is open in Windows Firewall or iptables.
To retrain, delete the models/ directory and run:
```bash
python model_training.py
```
Ensure you run model_training.py before starting the server.
If send_bruteforce.py cannot reach the server:
- Check the server is running: `curl http://localhost:5000/api/state`
- Verify the correct hostname/port in the `--server` argument
- Check firewall rules
```
astra/
├── astra_server.py      # Flask server (main application)
├── model_training.py    # Model training script
├── send_bruteforce.py   # Traffic simulator
├── requirements.txt     # Python dependencies
├── README.md            # This file
├── models/              # Generated model artifacts
│   ├── anomaly_detector.joblib
│   ├── scaler.joblib
│   └── feature_columns.joblib
└── reports/             # Generated detection reports
    ├── report_*.json
    └── report_*.txt
```
- Python 3.10+
- No external cloud services required
- Single-machine deployment
License: MIT