A real-time network intrusion detection system using Machine Learning for automated threat detection with a retro terminal-style dashboard.
- 🔍 Real-time Packet Capture - Live network traffic monitoring with PyShark
- 🤖 ML-Based Detection - Random Forest classifier trained on CICIDS2018 dataset
- 🎨 Retro Terminal UI - Cyberpunk-style Streamlit dashboard
- 📊 Flow Analysis - Network flow aggregation and statistical feature extraction
- 🧠 AI Explanations - Optional Ollama integration for threat analysis
- 🐳 Docker Ready - One-command containerized deployment
- ☁️ Cloud Compatible - Deploy to AWS, GCP, or Azure free tiers
```powershell
# Open PowerShell as Administrator
python run_ids.py
```
Access dashboard at: http://localhost:8501
```powershell
# Windows
.\deploy_local.ps1
```
```bash
# Linux
sudo bash deploy_local.sh
```
📖 Full deployment guide: See QUICKSTART.md
- Python: 3.11+ (with packages: streamlit, pyshark, scikit-learn, pandas, joblib)
- System: Windows 10/11 or Linux
- Permissions: Administrator/root (for packet capture)
- Optional: Docker Desktop (for containerized deployment)
```text
AI_IDS Project/
├── 🐍 Application
│   ├── run_ids.py                 # Main orchestrator
│   ├── app.py                     # Streamlit dashboard
│   └── packet_sniffer/
│       └── sniffer_01.py          # Packet capture & ML inference
│
├── 🤖 Machine Learning
│   ├── rf_cicids_binary.joblib    # Trained Random Forest model
│   ├── model_metrics01.json       # Model performance metrics
│   └── rf_training.ipynb          # Training notebook
│
├── 🐳 Deployment
│   ├── Dockerfile                 # Container configuration
│   ├── docker-compose.yml         # Service orchestration
│   ├── deploy_local.ps1           # Windows deployment
│   ├── deploy_local.sh            # Linux deployment
│   └── requirements.txt           # Python dependencies
│
└── 📚 Documentation
    ├── README.md                  # This file
    ├── QUICKSTART.md              # 5-minute deployment guide
    ├── README_DEPLOYMENT.md       # Comprehensive deployment docs
    └── REMOTE_ACCESS.md           # Remote access & tunneling
```
The classifier distinguishes four traffic classes (Benign plus three attack types):
- ✅ Benign Traffic - Normal network activity
- 🔥 DoS Attacks - Denial of Service
- 🔐 FTP Bruteforce - FTP authentication attacks
- 🔑 SSH Bruteforce - SSH authentication attacks
Model Performance (measured on CICIDS2018 in rf_training.ipynb; see the note in the model details for what these figures do and do not tell you):
- Accuracy: 99.99%
- F1 Score: 0.9999
- ROC-AUC: 1.0000
Create a .env file from the template:
```bash
cp .env.example .env
```
Available Settings:
| Variable | Default | Description |
|---|---|---|
| NETWORK_INTERFACE | Wi-Fi | Network interface to monitor. Wi-Fi is a Windows interface name; on Linux use the kernel name (for example eth0 or wlan0). Running tshark -D lists the interface names PyShark will accept. |
| STREAMLIT_PORT | 8501 | Dashboard port |
| OLLAMA_ENABLED | true | Enable AI explanations (requires a reachable Ollama service) |
| FLOW_TIMEOUT | 2.0 | Flow timeout in seconds: a flow that sees no packets for this long is closed and handed to the classifier |
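How flow aggregation and the idle timeout fit together, as an added example (this is not the project's sniffer_01.py): packets are grouped into bidirectional flows, a flow is closed once it has been idle for FLOW_TIMEOUT seconds, and a fixed set of statistical features is computed per closed flow and handed to a classifier. The page does not list the project's nine features, so the feature set, the Packet record, the constructed sample packets and the threshold-based stand_in_model are all assumptions; the stand-in occupies the slot where the project's joblib model would be called.

```python
"""Flow aggregation with an idle timeout plus per-flow feature extraction. Added example,
not the project's sniffer_01.py; the feature set is assumed since the page does not list it."""
from collections import namedtuple
from dataclasses import dataclass, field
from statistics import mean, pstdev

FLOW_TIMEOUT = 2.0  # seconds; same default as the README's FLOW_TIMEOUT

# One captured packet: timestamp (s), endpoints, wire size, TCP flag letters ("S", "SA", "PA", "F", "R")
Packet = namedtuple("Packet", "ts src sport dst dport size flags")

@dataclass
class Flow:
    initiator: tuple    # (ip, port) that sent the first packet
    responder: tuple
    first_ts: float
    last_ts: float
    sizes: list = field(default_factory=list)
    fwd_pkts: int = 0   # packets sent by the initiator
    bwd_pkts: int = 0   # packets sent by the responder
    syn_count: int = 0  # bare SYNs, i.e. connection attempts
    fin_count: int = 0

def flow_key(p):
    """Direction-independent key so both halves of a session land in one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a

class FlowAggregator:
    def __init__(self, timeout=FLOW_TIMEOUT):
        self.timeout = timeout
        self.active = {}  # flow_key -> Flow

    def expire(self, now):
        """Close every flow that has been idle for longer than the timeout."""
        done = [k for k, f in self.active.items() if now - f.last_ts > self.timeout]
        return [self.active.pop(k) for k in done]

    def add(self, p):
        """Account for one packet; return the flows that expired at its timestamp."""
        expired = self.expire(p.ts)
        f = self.active.get(flow_key(p))
        if f is None:
            f = self.active[flow_key(p)] = Flow((p.src, p.sport), (p.dst, p.dport), p.ts, p.ts)
        f.last_ts = p.ts
        f.sizes.append(p.size)
        forward = (p.src, p.sport) == f.initiator
        f.fwd_pkts += forward
        f.bwd_pkts += not forward
        f.syn_count += "S" in p.flags and "A" not in p.flags
        f.fin_count += "F" in p.flags
        return expired

    def flush(self):
        out, self.active = list(self.active.values()), {}  # end of capture: close everything
        return out

def features(f):
    """Nine statistical flow features (an assumed set; use the model's real ones in practice)."""
    duration = f.last_ts - f.first_ts
    return {
        "duration": duration,
        "pkt_count": len(f.sizes),
        "byte_count": sum(f.sizes),
        "pkt_size_mean": mean(f.sizes),
        "pkt_size_std": pstdev(f.sizes) if len(f.sizes) > 1 else 0.0,
        "pkts_per_sec": len(f.sizes) / max(duration, 1e-3),
        "fwd_bwd_ratio": f.fwd_pkts / max(f.bwd_pkts, 1),
        "syn_count": f.syn_count,
        "fin_count": f.fin_count,
    }

def stand_in_model(feat, responder_port):
    """Placeholder for joblib.load("rf_cicids_binary.joblib").predict(); thresholds are invented."""
    if feat["pkt_count"] <= 6 and feat["syn_count"] >= 1 and responder_port in (21, 22):
        return "SSH-Bruteforce" if responder_port == 22 else "FTP-BruteForce"
    if feat["fwd_bwd_ratio"] >= 10 and feat["syn_count"] >= 10:
        return "DoS"
    return "Benign"

def run(packets, model=stand_in_model, timeout=FLOW_TIMEOUT):
    """Feed packets in time order; return (initiator, responder, label) per closed flow."""
    agg = FlowAggregator(timeout)
    verdict = lambda f: (f.initiator, f.responder, model(features(f), f.responder[1]))
    out = [verdict(f) for p in sorted(packets, key=lambda p: p.ts) for f in agg.add(p)]
    return out + [verdict(f) for f in agg.flush()]

# Constructed sample: one ordinary HTTPS exchange, then three short SSH connection attempts
# less than a second apart, which is what a brute-forcer looks like at flow level.
C, WEB, SSH = "10.0.0.5", "93.184.216.34", "10.0.0.9"
SAMPLE_PACKETS = [
    Packet(0.00, C, 51000, WEB, 443, 60, "S"), Packet(0.02, WEB, 443, C, 51000, 60, "SA"),
    Packet(0.03, C, 51000, WEB, 443, 52, "A"), Packet(0.05, C, 51000, WEB, 443, 517, "PA"),
    Packet(0.30, WEB, 443, C, 51000, 1400, "PA"), Packet(0.31, WEB, 443, C, 51000, 1400, "PA"),
    Packet(1.50, C, 51000, WEB, 443, 52, "F"),
]
for n, t0 in enumerate((10.0, 10.8, 11.6)):
    sp = 51001 + n
    SAMPLE_PACKETS += [
        Packet(t0, C, sp, SSH, 22, 60, "S"), Packet(t0 + 0.01, SSH, 22, C, sp, 60, "SA"),
        Packet(t0 + 0.03, C, sp, SSH, 22, 100, "PA"), Packet(t0 + 0.05, SSH, 22, C, sp, 52, "R"),
    ]
if __name__ == "__main__":
    print(*run(SAMPLE_PACKETS), sep="\n")
```

Two things the timeout controls are visible here: the HTTPS flow is only classified once the first SSH packet arrives more than 2 s after its last packet, so a short FLOW_TIMEOUT gives faster alerts but may split one long session into several flows, while a long one delays every verdict. Whatever value you choose, the sniffer must compute the same features the notebook trained on; a model fed a different feature order will still return labels, just meaningless ones.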
Run directly on your machine without Docker:
```bash
python run_ids.py
```
Containerized deployment for isolation and portability:
```bash
# Build and run
docker-compose up -d
# View logs
docker logs -f ai-ids-system
# Stop
docker-compose down
```
Deploy to cloud platforms (free tiers available):
AWS EC2:
```bash
# Launch t2.micro instance (12 months free)
# Install Docker, upload project
sudo bash deploy_local.sh
```
Google Cloud / Azure: See README_DEPLOYMENT.md
Keep in mind that a cloud VM's interface carries only that VM's own traffic, so a cloud deployment monitors the instance itself; to inspect other hosts you need the provider's traffic mirroring feeding that interface.
Share your dashboard publicly for demos:
```bash
# Using Cloudflare Tunnel (free, unlimited)
cloudflared tunnel --url http://localhost:8501
# Get public URL: https://random-name.trycloudflare.com
```
The quick-tunnel URL is reachable by anyone who learns it and adds no authentication of its own, so treat it as public and put a login in front of the dashboard (see the security notes) before exposing more than a demo. See REMOTE_ACCESS.md for detailed setup.
- Real-time severity overview (Low/Medium/High/Critical)
- New logs since last refresh
- Historical log analysis
- Detailed packet statistics
- Traffic direction analysis
- TCP flag analysis
- Raw flow records
- Ollama-powered threat explanations
- SOC analyst assistant
- Remediation recommendations
```bash
# Install dependencies
pip install -r requirements.txt
# Run packet sniffer
python packet_sniffer/sniffer_01.py
# Run dashboard (in another terminal)
streamlit run app.py
```
See rf_training.ipynb for:
- Dataset preprocessing
- Feature engineering
- Model training
- Performance evaluation
| Document | Description |
|---|---|
| QUICKSTART.md | Get started in 5 minutes |
| README_DEPLOYMENT.md | Complete deployment guide |
| REMOTE_ACCESS.md | Remote access setup |
| DEPLOYMENT_STATUS.md | Current system status |
⚠️ Important: This system requires privileged access for packet capture.
Best Practices:
- Run on trusted networks only, and only where you are authorized to capture traffic
- Use administrator/root privileges responsibly: only the capture process needs them, not the dashboard
- Implement authentication for public access (Streamlit serves the dashboard without any login by default)
- Use HTTPS for remote access (a Cloudflare tunnel terminates TLS at Cloudflare's edge; the hop from cloudflared to localhost:8501 stays plain HTTP on the same host)
- Monitor resource usage (the flow table grows with traffic volume)
For Production:
- Add Streamlit authentication, or put the dashboard behind an authenticating reverse proxy
- Implement firewall rules: bind Streamlit to 127.0.0.1 (server.address in .streamlit/config.toml) unless it must be reachable remotely, and firewall STREAMLIT_PORT
- Use SSL certificates
- Regular security updates (Python packages, tshark/Wireshark, and the base container image)
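A minimal shared-token gate for the dashboard, as an added example (the project's app.py on this page has no such gate). It assumes the operator sets DASHBOARD_TOKEN in the same .env file the README describes; token_ok compares in constant time and fails closed when the variable is unset, and require_token is meant to be the first call in app.py so nothing renders for a session that has not presented the token. This is a stopgap for demo exposure: a tunnel still exposes the login form to the whole internet with no rate limiting, so for anything longer-lived prefer an authenticating reverse proxy or the tunnel provider's access controls.

```python
"""Shared-token gate for the Streamlit dashboard. Added example; not the project's app.py.
Assumption: the operator puts DASHBOARD_TOKEN in the .env file described in the README."""
import hmac
import os
import secrets


def token_ok(supplied, expected):
    """Constant-time comparison. An empty configured token never authorizes anyone,
    so a forgotten DASHBOARD_TOKEN fails closed instead of open."""
    if not supplied or not expected:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def generate_token(nbytes=32):
    """Generate a value to paste into .env as DASHBOARD_TOKEN=<value>."""
    return secrets.token_urlsafe(nbytes)


def require_token(env=os.environ):
    """Call this before any dashboard widget is drawn in app.py."""
    import streamlit as st  # imported here so token_ok stays usable without Streamlit installed
    if st.session_state.get("authenticated"):
        return
    supplied = st.text_input("Access token", type="password")
    if token_ok(supplied, env.get("DASHBOARD_TOKEN", "")):
        st.session_state["authenticated"] = True
        return
    if supplied:
        st.error("Invalid token")
    st.stop()  # ends this script run: nothing below the call in app.py is rendered


if __name__ == "__main__":
    print("DASHBOARD_TOKEN=" + generate_token())
```

Run the file once to print a fresh token for .env, then call require_token() at the top of app.py.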
```bash
# Generate traffic
ping google.com
curl http://example.com
# Check dashboard for new flows
```
Dashboard should show classifications for captured traffic:
- Most traffic: Benign
- Port scans: may be reported as DoS. The model has no dedicated port-scan class, so DoS is the closest label it can assign, not a port-scan detection
- Bruteforce attempts: FTP-BruteForce or SSH-Bruteforce
```powershell
# Check if Streamlit is running
netstat -ano | findstr :8501
# Verify Python packages
pip list | findstr streamlit
```
- Check permissions: Run as Administrator/root
- Verify interface: Ensure NETWORK_INTERFACE matches your actual interface
- Generate traffic: Browse websites, ping servers
```bash
# Verify Docker is running
docker ps
# Check container logs
docker logs ai-ids-system
# Rebuild if needed
docker-compose down
docker-compose build --no-cache
docker-compose up -d
```
See README_DEPLOYMENT.md for more troubleshooting.
Minimum:
- CPU: 1 core
- RAM: 512 MB
- Disk: 5 GB free space
- Network: Active interface
Recommended:
- CPU: 2+ cores
- RAM: 2 GB
- Disk: 10 GB free space
- Network: Gigabit connection
Algorithm: Random Forest Classifier
Dataset: CICIDS2018 (Canadian Institute for Cybersecurity)
Features: 9 statistical flow features (the live sniffer must compute the same 9 features, in the same order, that the notebook trained on)
Classes: 4 (Benign, DoS, FTP-BruteForce, SSH-Bruteforce)
Performance Metrics:
- Training Accuracy: 99.99%
- Weighted F1 Score: 0.9999
- ROC-AUC (OvR): 1.0000
Note: Accuracy this close to 100% reflects how separable the labelled CICIDS2018 classes are, not expected performance on live traffic. The dataset is dominated by Benign flows, so accuracy and weighted F1 are driven by the majority class; check per-class recall on a held-out split (training accuracy alone says little about generalization), and expect a different error profile on traffic the dataset never contained.
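What the headline figures can hide, as an added example (not code from the project's notebook): on a Benign-dominated evaluation set, a classifier that never raises an alert scores 99.9% accuracy and a weighted F1 above 0.998 while detecting nothing, and only macro F1 and per-class recall expose that. The label counts and the two hypothetical classifiers are constructed to mimic the class balance of an IDS dataset.

```python
"""Per-class metrics for an imbalanced evaluation set. Added example; not the project's
notebook. Label counts are constructed to mimic a Benign-dominated IDS dataset."""
from statistics import mean

CLASSES = ["Benign", "DoS", "FTP-BruteForce", "SSH-Bruteforce"]


def accuracy(y_true, y_pred):
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def per_class_report(y_true, y_pred, classes=CLASSES):
    """Precision, recall, F1 and support per class, from one-vs-rest counts."""
    report = {}
    for c in classes:
        tp = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        fp = sum(t != c and p == c for t, p in zip(y_true, y_pred))
        fn = sum(t == c and p != c for t, p in zip(y_true, y_pred))
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        report[c] = {"precision": precision, "recall": recall, "f1": f1, "support": tp + fn}
    return report


def macro_f1(report):
    """Unweighted mean of per-class F1: every class counts equally, however rare."""
    return mean(r["f1"] for r in report.values())


def weighted_f1(report):
    """Support-weighted mean of per-class F1: dominated by the majority class."""
    total = sum(r["support"] for r in report.values())
    return sum(r["f1"] * r["support"] for r in report.values()) / total


def build_eval_set():
    """Constructed labels: 10,000 flows, 99.9% Benign, plus two hypothetical classifiers."""
    y_true = ["Benign"] * 9990 + ["DoS"] * 5 + ["FTP-BruteForce"] * 2 + ["SSH-Bruteforce"] * 3
    majority = ["Benign"] * len(y_true)  # never raises an alert
    better = list(y_true)                # mostly right, with a few mistakes
    for i in range(5):
        better[i] = "DoS"                # five benign flows flagged as DoS (false positives)
    better[9990] = better[9995] = better[9997] = "Benign"  # one missed flow per attack class
    return y_true, majority, better


def summarize(y_true, y_pred):
    rep = per_class_report(y_true, y_pred)
    return {"accuracy": accuracy(y_true, y_pred), "weighted_f1": weighted_f1(rep),
            "macro_f1": macro_f1(rep), "attack_recall": {c: rep[c]["recall"] for c in CLASSES[1:]}}


if __name__ == "__main__":
    y_true, majority, better = build_eval_set()
    for name, pred in (("always-Benign", majority), ("mostly-right", better)):
        print(name, summarize(y_true, pred))
```

The always-Benign classifier beats the mostly-right one on nothing that matters yet sits at 0.999 accuracy; when you re-evaluate this project's model on your own labelled captures, report the attack_recall numbers alongside the aggregate ones.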
This project is for educational and demonstration purposes only.
Dataset: CICIDS2018 © Canadian Institute for Cybersecurity
- Documentation: Check the guides in this repository
- Issues: Review troubleshooting sections
- Questions: Refer to detailed deployment documentation
- Start Deployment: QUICKSTART.md
- Full Deployment Guide: README_DEPLOYMENT.md
- Remote Access Setup: REMOTE_ACCESS.md
- System Status Check: DEPLOYMENT_STATUS.md
- Real-time packet capture
- ML-based threat detection
- Retro terminal dashboard
- Flow-based analysis
- Docker containerization
- Cross-platform support
- Cloud deployment ready
- Remote access capable
- Comprehensive documentation
- Production-ready once the hardening steps in the security notes (authentication, firewalling, TLS) are applied
🚀 Ready to deploy? Start with QUICKSTART.md!
Built with ❤️ for cybersecurity education and research.