Made By Monish Paramasivam
An advanced, portfolio-grade AI-powered Intrusion Detection System (IDS) built with Python and Machine Learning. IntelliGuard trains an Isolation Forest and uses it to flag anomalous network and login behaviour as events arrive, with a clean CLI dashboard, structured logging, and severity-based alerting. Events come from the built-in traffic simulator; live packet capture is listed under future upgrades.
Startup banner and a sample HIGH alert as printed by the CLI dashboard:

```text
════════════════════════════════════════════════════════════════════
║          AI-POWERED INTRUSION DETECTION SYSTEM v1.0.0            ║
║          Made By: Monish Paramasivam                              ║
════════════════════════════════════════════════════════════════════
```

```text
══════════════════════════════════════════════════════════════
🚨 [HIGH ALERT] 2025-06-01 03:22:11
══════════════════════════════════════════════════════════════
IP Address     : 45.112.88.201
Event Type     : BRUTE_FORCE
Request Rate   : 38.4 req/min
Failed Logins  : 24
Login Attempts : 47
Anomaly Score  : -0.6214
DETECTION REASONS:
  ▸ High failed login count (24 failures) → possible brute-force attack
  ▸ Excessive login attempts (47) from single session
  ▸ Activity at unusual hour (03:00) → off-hours access pattern
══════════════════════════════════════════════════════════════
```
| Feature | Details |
|---|---|
| ML Model | Isolation Forest (unsupervised anomaly detection) |
| Attack Types | Brute Force, Rapid Requests/DoS, Directory Scan, Mixed |
| Severity Levels | LOW / MEDIUM / HIGH based on anomaly score |
| Logging | CSV-based structured event log with timestamps |
| Explainability | Human-readable reason for every alert |
| Score Visualization | Text-based sparkline chart of anomaly scores |
| Config-Driven | All thresholds in config.json → no hardcoding |
| Modular Code | Clean separation: ML, simulator, logger, CLI |
```text
IntelliGuard/
│
├── main.py                  → CLI dashboard (entry point)
├── config.json              → Thresholds, model settings, simulation params
├── requirements.txt
├── README.md
│
├── core/
│   ├── ml_engine.py         → Isolation Forest model: train, predict, explain
│   ├── simulator.py         → Traffic event generators (normal + attack types)
│   ├── detector.py          → Detection pipeline: orchestrates everything
│   └── logger.py            → Structured CSV logging + alert formatting
│
├── data/
│   ├── dataset_generator.py → Synthetic dataset generator
│   └── network_events.csv   → Generated dataset (auto-created on first run)
│
├── models/
│   ├── isolation_forest.pkl → Trained model (auto-created)
│   └── scaler.pkl           → Feature scaler (auto-created)
│
└── logs/
    └── intelliguard.log     → Event log CSV (auto-created)
```
```bash
git clone https://github.com/monish4030/IntelliGuard.git
cd IntelliGuard
python -m venv venv
source venv/bin/activate      # Linux/Mac
venv\Scripts\activate         # Windows
pip install -r requirements.txt
python main.py
```

On first launch, the system will automatically:
- Generate a synthetic training dataset
- Train the Isolation Forest model
- Save the model and feature scaler to `models/`
Isolation Forest is an unsupervised anomaly detection algorithm that suits intrusion detection because it needs no labelled attack data: it learns what "normal" looks like from the bulk of the traffic and flags whatever is easy to separate from it. The flip side is that it flags anything rare, not only what is malicious, so the reasons attached to each alert matter for triage.
Core Intuition:
Anomalies are rare and different, so they are isolated with far fewer random splits than normal data points.
How it isolates:
- Randomly select a feature (e.g., `request_rate`)
- Randomly pick a split value between that feature's min and max within the current partition
- Keep splitting until the point is alone in its own leaf (or a depth limit is reached)
- Repeat across 200 trees (`n_estimators` in config.json) and average the path length
Anomaly Score:
- A point isolated after few splits is an anomaly → score near -1.0
- A point that needs many splits is normal → score at the top of the range, near 0
- Caveat: scikit-learn's `score_samples` returns values in [-1, 0] (lower = more anomalous), and `decision_function` subtracts `offset_`, which is derived from `contamination`, so that negative means "anomaly". The severity bands below, where anything above -0.10 is NORMAL, line up with the shifted `decision_function` scale; raw `score_samples` values for ordinary traffic sit well below -0.10, so check which score the thresholds are applied to before tuning them.
Features used for training:
| Feature | Description |
|---|---|
| `request_rate` | Requests per minute from this IP |
| `failed_logins` | Number of failed login attempts |
| `session_duration` | How long the session lasted (seconds) |
| `unique_endpoints` | Number of different pages/endpoints accessed |
| `bytes_transferred` | Total data transferred in the session (bytes) |
| `login_attempts` | Total login attempts (success + failure) |
| `hour_of_day` | Time of activity (0–23) |
Severity Classification:
| Score Range | Severity |
|---|---|
| score > -0.10 | NORMAL |
| -0.30 < score ≤ -0.10 | LOW |
| -0.50 < score ≤ -0.30 | MEDIUM |
| score ≤ -0.50 | HIGH |
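The isolation algorithm, the scoring convention and the severity bands above, as an added worked example that is not IntelliGuard's own `ml_engine.py`: a minimal Isolation Forest in pure Python (random feature, random split, averaged path length, scikit-learn's sign and `offset_` conventions), the README's severity bands, and threshold-based detection reasons in the style of the sample alert. The training events are constructed with a seeded RNG, the attack rows are hypothetical (the brute-force row mirrors the sample alert), the `CONFIG` dict copies the values from config.json rather than reading the file, and the directory-scan and business-hours rules in `explain()` are assumptions, not the project's.

```python
"""Added illustration of the pipeline described above (not IntelliGuard's own
ml_engine.py): a minimal Isolation Forest in pure Python, the README's severity
bands, and threshold-based detection reasons. Training events are constructed
with a seeded RNG; the attack rows are hypothetical."""
import math
import random
import statistics

FEATURES = ["request_rate", "failed_logins", "session_duration", "unique_endpoints",
            "bytes_transferred", "login_attempts", "hour_of_day"]
# Mirrors the README's config.json (values copied here, not loaded from disk)
CONFIG = {"model": {"contamination": 0.05, "n_estimators": 200},
          "thresholds": {"brute_force_attempts": 5, "rapid_request_rate": 20,
                         "anomaly_score_high": -0.5, "anomaly_score_medium": -0.3}}

def c_factor(n):
    """Expected path length of an unsuccessful BST search over n points: normalises
    path lengths and credits an unsplit leaf with its expected remaining depth."""
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(points, depth, max_depth, rng):
    """Isolation tree: random feature, random split between its min and max in the
    current partition, recurse until a point is alone or the depth limit is hit."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    f = rng.randrange(len(FEATURES))
    lo, hi = min(p[f] for p in points), max(p[f] for p in points)
    if lo == hi:
        return {"size": len(points)}
    split = rng.uniform(lo, hi)
    return {"f": f, "split": split,
            "left": build_tree([p for p in points if p[f] < split], depth + 1, max_depth, rng),
            "right": build_tree([p for p in points if p[f] >= split], depth + 1, max_depth, rng)}

def path_length(node, x, depth=0):
    if "size" in node:
        return depth + c_factor(node["size"])
    child = node["left"] if x[node["f"]] < node["split"] else node["right"]
    return path_length(child, x, depth + 1)

class IsolationForest:
    def __init__(self, n_estimators=200, contamination=0.05, max_samples=256, seed=42):
        self.n_estimators, self.contamination = n_estimators, contamination
        self.max_samples, self.rng = max_samples, random.Random(seed)

    def fit(self, X):
        size = min(self.max_samples, len(X))
        self.c, max_depth = c_factor(size), math.ceil(math.log2(size))
        self.trees = [build_tree(self.rng.sample(X, size), 0, max_depth, self.rng)
                      for _ in range(self.n_estimators)]
        # As in scikit-learn: offset_ is the contamination quantile of the training
        # scores, so decision_function() is negative for the expected share of anomalies.
        self.offset = sorted(self.score_samples(X))[int(self.contamination * len(X))]
        return self

    def score_samples(self, X):
        """-2^(-E[h(x)] / c(n)), in [-1, 0]: few splits -> near -1.0, many -> near 0."""
        return [-2 ** (-sum(path_length(t, x) for t in self.trees) / self.n_estimators / self.c)
                for x in X]

    def decision_function(self, X):
        return [s - self.offset for s in self.score_samples(X)]

def severity(score, thresholds=CONFIG["thresholds"]):
    """README severity bands on the shifted score; the -0.10 LOW/NORMAL edge is from the table."""
    if score <= thresholds["anomaly_score_high"]:
        return "HIGH"
    if score <= thresholds["anomaly_score_medium"]:
        return "MEDIUM"
    return "LOW" if score <= -0.10 else "NORMAL"

def explain(event, thresholds=CONFIG["thresholds"]):
    """Detection reasons from config thresholds; the scan and business-hours rules are assumed."""
    e = dict(zip(FEATURES, event))
    reasons = []
    if e["failed_logins"] >= thresholds["brute_force_attempts"]:
        reasons.append(f"High failed login count ({e['failed_logins']} failures) → possible brute-force attack")
    if e["request_rate"] >= thresholds["rapid_request_rate"]:
        reasons.append(f"High request rate ({e['request_rate']} req/min) → possible flood or scanning")
    if e["unique_endpoints"] > 20:  # assumed bound for directory-scan behaviour
        reasons.append(f"{e['unique_endpoints']} distinct endpoints in one session → directory scan")
    if not 6 <= e["hour_of_day"] <= 22:  # assumed business-hours window
        reasons.append(f"Activity at unusual hour ({e['hour_of_day']:02d}:00) → off-hours access pattern")
    return reasons

def make_events(seed=7, n_normal=200):
    """Constructed traffic: benign sessions plus one hypothetical event per README attack type."""
    rng = random.Random(seed)
    normal = [[rng.uniform(1, 10), rng.choice([0, 0, 0, 1, 2]), rng.uniform(60, 1800), rng.randint(1, 8),
               rng.uniform(1e4, 5e5), rng.randint(1, 3), rng.randint(8, 18)] for _ in range(n_normal)]
    attacks = {"BRUTE_FORCE": [38.4, 24, 120, 3, 2e4, 47, 3],      # values from the sample alert
               "RAPID_REQUESTS": [150.0, 0, 30, 2, 5e6, 0, 14],
               "DIRECTORY_SCAN": [25.0, 0, 600, 120, 3e5, 0, 11],
               "MIXED": [200.0, 15, 45, 90, 8e6, 30, 2]}
    return normal, attacks

def run_detection():
    """Unsupervised fit on the mixed traffic (no labels), then score each attack."""
    normal, attacks = make_events()
    model = IsolationForest(**CONFIG["model"]).fit(normal + list(attacks.values()))
    results = {}
    for name, ev in attacks.items():
        score = model.decision_function([ev])[0]
        results[name] = {"score": round(score, 4), "severity": severity(score), "reasons": explain(ev)}
    return results, statistics.median(model.decision_function(normal))

if __name__ == "__main__":
    results, median_normal = run_detection()
    print(f"median normal score: {median_normal:+.4f}")
    for name, r in results.items():
        print(f"[{r['severity']}] {name:<15} score={r['score']:+.4f}", *("\n  ▸ " + s for s in r["reasons"]))
```

Two things the run makes visible that the prose does not: every attack lands below 0 on the shifted scale while the median benign session sits above it, and with `contamination: 0.05` the lowest 5% of benign training sessions are also pushed below 0, which is why a severity band alone is not enough and the reasons list is what separates a brute-force session from an unusual but legitimate one.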
1. Simulate Normal Traffic → Generate and detect normal events
2. Simulate Attack (Brute Force) → Repeated failed logins
3. Simulate Attack (Rapid Requests) → High-frequency request flood
4. Simulate Attack (Directory Scan) → Endpoint scanning behaviour
5. Simulate Mixed Attack → Combination of all attack types
6. View Event Logs → Tabular view of recent events
7. Run Detection on Full Dataset → Batch mode + model metrics
8. Train / Retrain Model → Force retrain from fresh data
9. Show Anomaly Score Chart → ASCII visualization of scores
10. Clear Logs → Reset log file
11. About IntelliGuard → Project info and ML explanation
0. Exit
All system thresholds are configurable. `contamination` is the fraction of training events the model expects to be anomalous; it sets the score offset, so raising it flags more events. `n_estimators` is the number of trees whose path lengths are averaged. The two anomaly-score keys are the severity boundaries from the table above.

```json
{
  "model": {
    "contamination": 0.05,
    "n_estimators": 200
  },
  "thresholds": {
    "brute_force_attempts": 5,
    "rapid_request_rate": 20,
    "anomaly_score_high": -0.5,
    "anomaly_score_medium": -0.3
  }
}
```

| Upgrade | Description |
|---|---|
| Web Dashboard | Flask/FastAPI + React frontend for real-time visualization |
| Live Packet Capture | Use scapy or pyshark to analyze real network packets |
| Database Storage | Replace CSV logs with SQLite or PostgreSQL |
| Email/Slack Alerts | Push HIGH severity alerts via SMTP or webhooks |
| LSTM / Autoencoder | Deep learning models for temporal sequence anomalies |
| GeoIP Lookup | Enrich IP data with geolocation (MaxMind GeoLite2) |
| Docker Deployment | Containerize for easy deployment on any host |
| SIEM Integration | Export logs in CEF or syslog format for SIEM tools |
```text
scikit-learn >= 1.3.0   # Isolation Forest
pandas       >= 2.0.0   # Data manipulation
numpy        >= 1.24.0  # Numerical operations
joblib       >= 1.3.0   # Model persistence
```
Built as a portfolio-grade cybersecurity project demonstrating:
- Machine Learning applied to security (anomaly detection)
- Clean modular Python architecture
- Realistic threat simulation and detection
- Production-style logging and alerting