# Sentinel-AI-Network-IDS

An AI-powered Network Intrusion Detection System (IDS) with live packet capture, real-time anomaly detection, and dashboarding.
## Table of Contents
- Overview
- Features
- Motivation
- Architecture
- Getting Started
- Usage
- Datasets & Model
- Project Structure
- Customization & Future Work
- Contributing
- License & Acknowledgements
## Overview
Sentinel-AI-Network-IDS is a system designed to monitor network traffic, automatically detect anomalies (potential intrusions) using deep learning, and present a user-friendly GUI/dashboard interface for real-time and historical analysis.
Key components include:
- Live packet capture (e.g., via PCAP-based tools)
- Feature extraction & scaling
- Pre-trained deep-learning model for anomaly detection
- A desktop/web dashboard for scanning, visualising results, storing past scan data
- Optional storage of historic scans / CSV logs for later forensic analysis
## Features
- Manual “Scan” button to capture live packets and analyse traffic in real time.
- Anomaly counting and classification of flows (normal vs malicious) using a trained model.
- Dashboard view: shows current scan summary, recent scans log, exportable CSVs.
- Store past scans for later analysis (trend detection, forensic lookup).
- Minimal preprocessing overhead: designed for near-real time usage.
- Modular architecture: separate data capture, model inference, UI layer (makes extension easier).
## Motivation
With increasing network threats and the demand for intelligent IDS solutions, this project targets the intersection of network security and AI. As part of internship/academic work, I sought to:
- Move beyond rule-based IDS to AI-based detection.
- Capture live network traffic rather than purely static datasets.
- Provide a usable interface for non-experts (e.g., network admins) to trigger scans and view results.
- Build a real-world proof-of-concept connecting data capture → model → UI.
## Architecture
Here’s a simplified architecture flow:
[Live Packet Capture] → [Feature Extraction & Preprocessing] → [Deep-Learning Model Inference] → [Results Logged] → [Dashboard / GUI Display]
- Capture Layer: live packets or network flow logs, streaming to CSV.
- Preprocessing Layer: feature engineering and scaling using the saved scaler (e.g., `scaler.pkl`).
- Model Layer: deep-learning network trained on a historic network-anomaly dataset (e.g., CICIDS2017).
- UI/Dashboard Layer: desktop/web interface (e.g., built with PyQt / Flask) showing scan controls, past results, and export.
- Data Store: CSV logs of live scans (e.g., `live_packets.csv`, `predicted_live_packets.csv`, `predictions.csv`) plus a `models/` directory for versioning.
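The flow above can be sketched end to end. This is an illustrative stand-in only: in the project the scaler is loaded from `scaler.pkl` and the classifier from `network_anomaly_model.h5`, whereas here a hand-rolled standard scaler and a simple threshold rule play those roles, and the feature names are invented.

```python
import csv
import io

# Stand-ins for the real artifacts: in the project the scaler comes from
# scaler.pkl and the classifier from network_anomaly_model.h5; the feature
# names and threshold here are invented for illustration.
MEANS = {"duration": 1.5, "bytes": 500.0}
STDS = {"duration": 1.0, "bytes": 400.0}

def scale(row):
    # standard scaling, mimicking a fitted sklearn StandardScaler
    return {k: (float(row[k]) - MEANS[k]) / STDS[k] for k in MEANS}

def classify(features, threshold=1.5):
    # stand-in for model.predict(): flag flows far from the training mean
    return "malicious" if max(abs(v) for v in features.values()) > threshold else "normal"

# [Capture] -> CSV (here an in-memory sample standing in for live_packets.csv)
raw = "duration,bytes\n1.0,200\n9.0,90000\n"

# [Preprocess] -> [Inference] -> [Log]
results = [classify(scale(row)) for row in csv.DictReader(io.StringIO(raw))]
print(results)  # ['normal', 'malicious']
```

The real pipeline keeps these stages in separate modules, which is what makes swapping the model or capture backend straightforward.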
## Getting Started

### Prerequisites

- Python 3.8+ (recommended)
- Anaconda or a virtual environment
- Libraries: numpy, pandas, scikit-learn, tensorflow/keras (or PyTorch if used), pyshark/tcpdump (or whichever capture library), PyQt5 (or the relevant GUI toolkit)
- Network capture permissions (e.g., sudo or equivalent)
- Optionally, live network access (for real-time capture)
### Installation

1. Clone the repository:

   ```bash
   git clone https://github.com/Atharva45264/Sentinel-AI-Network-IDS.git
   cd Sentinel-AI-Network-IDS
   ```

2. Create and activate a conda environment (or virtualenv):

   ```bash
   conda create -n sentinel-ids python=3.8
   conda activate sentinel-ids
   ```

3. Install dependencies:

   ```bash
   pip install -r requirements.txt
   ```

4. Ensure a network capture tool is available (e.g., tcpdump, pyshark) and that you have capture permissions.

5. Ensure the pretrained model (e.g., `network_anomaly_model.h5`) and scaler (`scaler.pkl`) are in the correct folder.

## Usage

1. Run the GUI or app entrypoint:

   ```bash
   python app.py
   ```

2. In the GUI, click Scan, wait for traffic capture, and the results will display the anomaly count and details.

3. Examine the CSV logs in the `dashboard/` folder for further analysis (e.g., `predicted_live_packets.csv`).
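The exported CSVs can also be inspected outside the dashboard. A minimal sketch, assuming a per-flow `prediction` column in `predicted_live_packets.csv` (the real column names depend on the feature set used during training):

```python
import csv
import io
from collections import Counter

# Hypothetical snapshot of predicted_live_packets.csv; the real columns
# depend on the feature set, but a per-flow prediction label is assumed.
sample = """src_ip,dst_port,prediction
10.0.0.5,443,normal
10.0.0.9,22,malicious
10.0.0.5,80,normal
"""

counts = Counter(row["prediction"] for row in csv.DictReader(io.StringIO(sample)))
print(f"{counts['malicious']} anomalous flows out of {sum(counts.values())}")
```

Replace the in-memory sample with `open("dashboard/predicted_live_packets.csv")` to analyse a real scan.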
## Datasets & Model

- Training data: likely the CICIDS2017 dataset (or similar).
- The model files (`network_anomaly_model.h5`, `network_anomaly_model.keras`) are provided in the `models/` folder.
- The scaler object (`scaler.pkl`) is stored for consistent preprocessing of live data.
- The `datasets/` folder contains any snapshots of historic data used for training/validation.
- Model performance (accuracy, precision/recall, confusion matrix) can be found in the training logs (not currently included); future work could add a `metrics/` folder.
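Until training logs are published, the usual metrics can be recomputed from any labelled hold-out set. A self-contained sketch with made-up labels; in practice `sklearn.metrics.classification_report` reports the same numbers directly:

```python
from collections import Counter

# Hypothetical hold-out labels vs. model predictions, standing in for the
# missing training logs.
y_true = ["normal", "normal", "malicious", "malicious", "malicious"]
y_pred = ["normal", "malicious", "malicious", "malicious", "normal"]

cm = Counter(zip(y_true, y_pred))    # 2x2 confusion matrix as a Counter
tp = cm[("malicious", "malicious")]  # true positives
fp = cm[("normal", "malicious")]     # false positives
fn = cm[("malicious", "normal")]     # false negatives
precision = tp / (tp + fp)
recall = tp / (tp + fn)
print(f"precision={precision:.2f} recall={recall:.2f}")
```

Persisting such numbers per model version in a `metrics/` folder would make regressions between retrained models easy to spot.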
## Customization & Future Work

- Extend UI: add historical trending graphs, anomaly-type categories, and alerting (email/SMS) when a threshold is exceeded.
- Model Upgrade: move to streaming processing (Kafka, Spark); use more advanced deep learning (LSTM/Transformer) for sequence detection.
- Live Data Integration: real network switch tapping, real-time flow ingestion, window-based detection.
- Dashboard Enhancements: role-based access, remote cloud deployment, a web-based interface rather than desktop.
- Explainability: integrate SHAP/LIME so model decisions are interpretable for network admins.
## Contributing

Contributions are welcome! If you'd like to contribute:

1. Fork the repository.
2. Create a new branch (`git checkout -b feature/YourFeature`).
3. Make your changes and commit with a clear message.
4. Submit a pull request describing your enhancements.
5. Ensure code is documented and includes tests where applicable.