Project Overview
This project presents a modular, dockerized pipeline for real-time network anomaly detection leveraging live packet capture, intrusion detection systems, and machine learning. The system is designed for Security Operations Centers (SOCs), research environments, and organizations requiring advanced network monitoring capabilities.
Key Capabilities
Pipeline Architecture
1. Live Capture
tcpdump / tshark / scapy
5-minute .pcap rotation
2. IDS Enrichment
Zeek / Suricata / Snort
HTTP, DNS, SSL, Alerts
3. Feature Extraction
Connection durations
Byte counts, protocols
4. ML Detection
Isolation Forest
Autoencoders, LSTM
5. Alerting
Real-time notifications
SOC integration
How It Works
- 1. Live Packet Capture: Network packets are captured in real time using tools like tcpdump, tshark, or scapy. Captured traffic is periodically saved into .pcap files (e.g., every 5 minutes) through an automated script or cron job.
- 2. Traffic Enrichment with IDS: Each .pcap file is processed by powerful IDS tools such as Zeek, Suricata, or Snort. These tools extract detailed logs (e.g., HTTP, DNS, SSL, alerts), providing enriched insights into network behavior and potential threats.
- 3. Machine Learning-Based Anomaly Detection: Extracted logs and features—such as connection durations, byte counts, protocols, signatures, and network flow statistics—are fed into unsupervised anomaly detection algorithms (e.g., Isolation Forest, Autoencoders, LSTM-based models) implemented with frameworks such as scikit-learn, TensorFlow, or PyTorch.
- 4. Automated and Near Real-Time Analysis: The system continuously analyzes enriched network data, flags suspicious activity, and can notify users or security systems, enabling timely response to emerging anomalies.
- 5. Dockerized Deployment: The entire pipeline is containerized with Docker to simplify deployment, scalability, and environment consistency. This enables you to easily run the system across different machines or cloud environments without complex setup.
Technology Stack
Packet Capture
IDS Tools
ML Frameworks
Algorithms
Infrastructure
Anomaly Detection Algorithms
Ensemble method that isolates anomalies instead of profiling normal points. Efficient for high-dimensional network flow data with linear time complexity.
Neural networks that learn compressed representations. Anomalies exhibit high reconstruction error, ideal for complex pattern detection in traffic.
Recurrent neural networks capturing temporal dependencies in network traffic. Effective for detecting behavioral anomalies over time sequences.
Feature Engineering
- • Connection duration and packet counts
- • Byte ratios and protocol distributions
- • Flow statistics (inter-arrival times, burst patterns)
- • DNS/HTTP metadata from Zeek logs
- • Alert signatures from Suricata/Snort
Dockerized Deployment
The entire pipeline is containerized using Docker, ensuring consistent execution across development, testing, and production environments. This architecture enables:
- ✓ One-command deployment across any Linux host or cloud instance
- ✓ Isolated dependencies with no conflicts
- ✓ Scalable microservices architecture
- ✓ Easy integration with orchestration tools (Kubernetes, Docker Swarm)
# Clone the repository
git clone https://github.com/MukeshKumarSingh1/Real-Time-Network-Anomaly-Detection.git
cd Real-Time-Network-Anomaly-Detection
# Build and run with Docker Compose
docker-compose up -d
The Docker Compose configuration orchestrates all pipeline components, including packet capture services, IDS processors, ML inference engines, and alerting modules.
Use Cases & Applications
📚 This is an overview of the Real-Time Network Anomaly Detection project.
Access the Full Repository