Skip to content

bogdanticu88/Centipede

BranchesTags

Repository files navigation

CENTIPEDE

2aqtU

Go Version License Build Status Tests Go Report Card

Docker Kubernetes Azure Status

Code Quality Security Stability Maintenance

GitHub Stars GitHub Issues GitHub Discussions GitHub Contributors

Multi-cloud API anomaly detection and tenant protection system

FeaturesQuick StartDocumentationRoadmap

Multi-cloud API anomaly detection and tenant protection system.

Overview

CENTIPEDE detects compromised API clients in multi-tenant platforms before they cascade damage across other tenants. It uses cumulative scoring to detect anomalies and enforces graduated responses: rate limiting for warnings, blocking for critical anomalies, and instant kill-switch capability.

Core Problem

When one tenant in a multi-tenant API platform gets compromised, it can cascade damage across all other tenants. CENTIPEDE detects this before it spreads.

Core Solution

Real-time anomaly detection on API traffic with threshold-based graduated response:

  • Rate limiting for warning-level anomalies (score 2-3)
  • Complete blocking for critical anomalies (score 4+)
  • Manual kill-switch for emergency intervention

Features

Detection Scoring System

Each request/tenant is analyzed against baseline and triggers cumulative scores:

  • Volume Spike — Requests/sec exceeds 2x baseline = +1 score
  • Endpoint Anomaly — Accessing unusual/new endpoints = +1 score
  • Payload Size Surge — Avg request body exceeds 3x baseline = +1 score
  • Time-of-Day Deviation — Request pattern outside normal hours = +1 score
  • Error Rate Jump — 4xx/5xx responses exceed 10x baseline = +1 score
  • Honeypot Hit — Request to decoy endpoint = +3 score

Actions

  • Score 2-3: Apply rate limiting to the tenant
  • Score 4+: Block tenant completely
  • Manual override: Instant kill-switch with IAM revocation and incident creation

Multi-Cloud Support

  • Phase 1 (MVP): Azure API Management (APIM) + Azure Monitor
  • Phase 2: AWS API Gateway + CloudWatch Logs
  • Phase 3: GCP Cloud API Gateway + Cloud Logging

Installation

git clone https://github.com/bogdanticu88/centipede.git
cd centipede
go build -o centipede ./cmd/centipede

Usage

Initialize (Learn Baselines)

./centipede init \
  --config config.yaml \
  --log-source <path-or-uri> \
  --window 7d \
  --output baseline.json

Detect Anomalies

./centipede detect \
  --baseline baseline.json \
  --log-source <path-or-uri> \
  --config config.yaml \
  --output detections.json

Monitor Continuously

./centipede monitor \
  --baseline baseline.json \
  --log-source <path-or-uri> \
  --config config.yaml \
  --alert slack

Emergency Block

./centipede kill \
  --tenant <tenant-id> \
  --config config.yaml \
  --reason "Suspected compromise"

Generate Report

./centipede report \
  --detections detections.json \
  --baseline baseline.json \
  --html \
  --output report.html

Check Status

./centipede status \
  --baseline baseline.json \
  --log-source <path-or-uri> \
  --config config.yaml

Configuration

See examples/config.yaml for a complete configuration example:

cloud: azure

azure:
  apim_name: my-apim
  resource_group: my-rg
  subscription_id: xxx

detection:
  volume_threshold: 2.0
  payload_threshold: 3.0
  error_rate_threshold: 10.0
  score_warning: 2
  score_critical: 4

honeypots:
  - path: /admin/debug
    severity: 3
  - path: /.env
    severity: 5

tenants:
  - id: salesforce-ro
    name: Salesforce Romania
    endpoints:
      - /api/crm/*
      - /api/orders/*
    rate_limit_rps: 1000

Architecture

centipede/
├── cmd/centipede/          # CLI entrypoint
├── internal/
│   ├── baseline/           # Baseline learning
│   ├── detection/          # Anomaly scoring engine
│   ├── cloud/              # Cloud provider abstractions
│   ├── parsers/            # Log parsers
│   ├── models/             # Data models
│   ├── alert/              # Alerting (Slack, webhooks)
│   ├── config/             # Configuration
│   ├── cmd/                # Command handlers
│   └── storage/            # Cloud storage integration
├── pkg/metrics/            # Prometheus metrics
├── examples/               # Sample configs and logs
└── tests/                  # Tests

Documentation

Supported Platforms

Platform Status Support
Azure APIM ✅ Stable Production-ready
AWS API Gateway 🗺️ Planned Phase 2
GCP Cloud API Gateway 🗺️ Planned Phase 3
Kubernetes ✅ Ready CronJob, Operator
Docker ✅ Ready Multi-stage builds

Development

Prerequisites

  • Go 1.24+
  • Azure SDK (for Azure support)
  • AWS SDK v2 (for AWS support)

Running Tests

go test ./...

Building for Production

go build -o centipede ./cmd/centipede

License

MIT

Contributing

Contributions welcome! Please open an issue or PR.

Roadmap

  • Phase 1: MVP (Azure + Core Detection)
  • Phase 2: AWS Support
  • Phase 3: GCP Support + Advanced Detection
  • Prometheus metrics export
  • REST API for dashboards
  • Kubernetes operator

Community

⬆ back to top

Made with ❤️ by Bogdan Ticu

About

Centipede is a multi-cloud API anomaly detection and threat response system. It monitors API traffic against learned baselines, detects suspicious behavior through cumulative threat scoring, and automatically blocks or rate-limits compromised tenants. Built for high-volume API environments with Azure APIM, AWS API Gateway, and multi-tenant

Topics

golang api-gateway incident-response rate-limiting cicd anomaly-detection cloud-security api-security threat-detection api-monitoring behavioral-analysis azure-apim tenant-isolation

Resources

Readme

License

MIT license

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages