devansh436/threat-detection

# 🔥 AI-Driven Threat Detection & Prioritization

🚨 **Alert fatigue is real** – SOC teams face thousands of alerts every day, and missing one critical threat can cost millions.
This project addresses that with AI-driven threat detection, risk-based prioritization, and real-time visualization.

---

## 📖 Table of Contents

- 🚩 [Problem Statement](#-problem-statement)
- ✨ [Features](#-features)
- 🧠 [System Architecture](#-system-architecture)
- 📊 [Screenshots & Visualizations](#-screenshots--visualizations)
- 🛠 [Tech Stack](#-tech-stack)
- ⚡ [Installation & Setup](#-installation--setup)
- 🖥 [Usage](#-usage)
- 📈 [Example Output](#-example-output)
- 🚀 [Future Enhancements](#-future-enhancements)
- 🤝 [Contributing](#-contributing)
- 📚 [References](#-references)

---

## 🚩 Problem Statement

Security teams face alert fatigue due to thousands of daily alerts. This leads to missed critical threats and delayed incident response. Our project aims to:

- ✅ _Detect_ threats in real time using AI/ML
- ✅ _Prioritize_ threats with risk scoring
- ✅ _Visualize_ attacks on a global map
- ✅ _Explain_ why each alert was classified as a threat

---

## ✨ Features

- 🔍 _AI-Driven Anomaly Detection_ – Trained on the CICIDS 2017 dataset
- 📊 _Statistical IP Analysis_ – Track the frequency of malicious source IPs, destination ports, etc.
- 🌍 _Global Attack Visualization_ – Map attacker IPs on a world map with red markers
- 🏷 _Threat Prioritization & Explanation_ – Risk score, threat type and a plain-language reason for each verdict
- 🛢 _MongoDB Backend_ – Stores predictions as structured JSON documents
- 🖥 _Interactive Dashboard_ – Clean UI to view, filter, and analyze threats

---

## 🧠 System Architecture

```mermaid
graph TD
    A[Dataset - CICIDS 2017] -->|Data Cleaning & Merging| B[Model Training]
    B --> C[Primary ML Model - Anomaly Detection]
    C -->|Normal Traffic| D1[Store in MongoDB]
    C -->|Malicious Traffic| C2[Secondary ML Model - Attack Type Classification]
    C2 --> D2[Store Detailed Results in MongoDB]
    D1 --> E[Backend API]
    D2 --> E[Backend API]
    E --> F[Frontend Dashboard]
    F -->|Visualization| G[Global Attack Map + Risk Scores]
```

## 📊 Screenshots & Visualizations

Below are some key screenshots of our ML model training and prediction workflow:

- 🧠 _Model Training_ – Trained on the CICIDS 2017 dataset to classify network traffic as Normal or Malicious.
- 🔎 _Primary Prediction_ – The first model classifies incoming logs in real time.
- 🤖 _Secondary Analysis (Gemini Model)_ – If a log is malicious, a secondary model classifies the exact attack type (e.g., DDoS, PortScan).
- 🛢 _Data Storage_ – Predictions (both normal and malicious) are pushed into MongoDB for dashboard visualization.
- 🌍 _Visualization_ – The dashboard maps attackers, shows risk scores, and allows filtering for SOC analysis.

_(Screenshots 1–10 of the training and prediction workflow are image attachments and are not reproduced here.)_

Dashboard panels shown:

- Full Dashboard
- Card View
- IP Stats
- Map Panel
- Pie Chart
- Stats Panel
- MongoDB Dashboard

## 🛠 Tech Stack

- **Frontend:** React.js, Chart.js
- **Backend:** Node.js (Express)
- **Database:** MongoDB
- **Machine Learning:** Scikit-learn, Pandas, NumPy
- **Dataset:** CICIDS 2017 (combined & preprocessed)

## ⚡ Installation & Setup

Each `npm run dev` and the `python3` command below start a long-running server, so run the backend, the frontend and the ML microservice in separate terminals.

```bash
# 1️⃣ Clone the repo
git clone https://github.com/devansh436/threat-detection.git
cd threat-detection

# 2️⃣ Install backend dependencies
cd server
npm install

# 3️⃣ Start the backend server
npm run dev

# 4️⃣ Start the frontend (React) – second terminal, from the repo root
#    (i.e. `cd ../client` if you are still inside server/)
cd client
npm install
npm run dev

# 5️⃣ Start the Python microservice – third terminal, from the directory
#    that contains ml-service.py and requirements.txt
pip install -r requirements.txt
python3 ml-service.py
```

## 🖥 Usage

1. Upload network logs or use the sample data.
2. The model processes the logs and generates predictions.
3. Visit the dashboard to see threats, risk scores and the map visualization.
4. Filter results by threat type or risk level.

## 📈 Example Output

Each prediction is stored in MongoDB as a document like the one below (a benign flow; for malicious flows `threat_type` carries the attack class assigned by the secondary model, e.g. `PortScan` or `DDoS`):

```json
{
  "source_ip": "192.168.15.22",
  "dest_ip": "192.168.10.1",
  "protocol": "udp",
  "threat_score": 15,
  "threat_level": "Low",
  "reason": "The log shows a single DNS query (UDP port 53) from a local IP to another local IP. This is generally normal network activity.",
  "threat_type": "normal_traffic"
}
```
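The following is an added, runnable sketch of the two-stage pipeline from System Architecture that emits records in exactly this shape; it is example code written for this page, not the project's own `ml-service.py`. The primary and secondary models are assumed threshold rules standing in for the trained scikit-learn models, the `Flow` field names, severity weights and score bands are this example's own assumptions, and the sample flows are constructed, not real captures. It also carries the "Statistical IP Analysis" feature through: a frequency count of malicious sources and the ports they target.

```python
"""Two-stage triage: stage 1 says Normal/Malicious, stage 2 (malicious only)
names the attack, scoring turns the verdict into threat_score/level/reason."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple
import json


@dataclass
class Flow:
    """One summarised flow. Field names are this example's own (assumption);
    the real service derives its features from CICIDS 2017 flow records."""
    source_ip: str
    dest_ip: str
    protocol: str
    dest_port: int
    packets: int
    duration_s: float
    distinct_dest_ports: int  # ports this source touched in the current window


SERVICE_NAMES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
SEVERITY = {"PortScan": 0.6, "DDoS": 1.0, "Unknown": 0.5}  # assumed weights


def packets_per_second(flow: Flow) -> float:
    return flow.packets / max(flow.duration_s, 1e-3)


def stage1_is_malicious(flow: Flow) -> Tuple[bool, float]:
    """Primary model stand-in (assumed rules): (is_malicious, confidence)."""
    if flow.distinct_dest_ports >= 20:
        return True, 0.95
    if packets_per_second(flow) >= 5000:
        return True, 0.90
    return False, 0.15


def stage2_attack_type(flow: Flow) -> str:
    """Secondary model stand-in; only reached for flows stage 1 flagged."""
    if flow.distinct_dest_ports >= 20:
        return "PortScan"
    if packets_per_second(flow) >= 5000:
        return "DDoS"
    return "Unknown"


def threat_score(is_malicious: bool, confidence: float, attack: Optional[str]) -> int:
    """0-100 risk score: benign flows keep the model's residual confidence so
    analysts can still sort them; malicious ones are scaled by attack severity."""
    if not is_malicious:
        return round(confidence * 100)
    return round(confidence * SEVERITY[attack] * 100)


def threat_level(score: int) -> str:
    """Assumed bands; tune to the SOC's own triage SLAs."""
    return "Low" if score < 30 else "Medium" if score < 60 else "High" if score < 85 else "Critical"


def explain(flow: Flow, is_malicious: bool, attack: Optional[str]) -> str:
    """Build the 'reason' string from the features that drove the verdict."""
    scope = lambda ip: "a local" if ip_address(ip).is_private else "an external"
    service = SERVICE_NAMES.get(flow.dest_port, f"port {flow.dest_port}")
    if not is_malicious:
        return (f"{flow.packets} {flow.protocol.upper()} packet(s) to {service} (port "
                f"{flow.dest_port}) from {scope(flow.source_ip)} IP to {scope(flow.dest_ip)} "
                "IP; within the normal traffic profile.")
    if attack == "PortScan":
        return (f"{flow.source_ip} touched {flow.distinct_dest_ports} distinct ports on "
                f"{flow.dest_ip} in one window; consistent with a port scan.")
    if attack == "DDoS":
        return (f"{packets_per_second(flow):.0f} packets/s sustained toward {service} "
                f"(port {flow.dest_port}); volumetric flood pattern.")
    return "Flagged anomalous by the primary model; attack type undetermined."


def triage(flow: Flow) -> Dict:
    """Run both stages; emit the Example Output schema plus dest_port for the stats."""
    is_mal, confidence = stage1_is_malicious(flow)
    attack = stage2_attack_type(flow) if is_mal else None
    score = threat_score(is_mal, confidence, attack)
    return {"source_ip": flow.source_ip, "dest_ip": flow.dest_ip, "protocol": flow.protocol,
            "dest_port": flow.dest_port, "threat_score": score,
            "threat_level": threat_level(score), "reason": explain(flow, is_mal, attack),
            "threat_type": attack if is_mal else "normal_traffic"}


def ip_stats(records: List[Dict]) -> Dict[str, Counter]:
    """Statistical IP analysis over malicious verdicts: recurring sources, targeted ports."""
    malicious = [r for r in records if r["threat_type"] != "normal_traffic"]
    return {"malicious_sources": Counter(r["source_ip"] for r in malicious),
            "targeted_ports": Counter(r["dest_port"] for r in malicious)}


# Constructed sample flows (not real captures): a benign DNS lookup, a port scan
# from one external host against two internal hosts, and a UDP flood on port 80.
SAMPLE_FLOWS = [
    Flow("192.168.15.22", "192.168.10.1", "udp", 53, 1, 0.01, 1),
    Flow("203.0.113.7", "192.168.10.50", "tcp", 445, 60, 2.0, 48),
    Flow("198.51.100.9", "192.168.10.80", "udp", 80, 250_000, 20.0, 1),
    Flow("203.0.113.7", "192.168.10.51", "tcp", 22, 30, 1.0, 25),
]


def run_pipeline(flows=SAMPLE_FLOWS):
    records = [triage(f) for f in flows]
    return records, ip_stats(records)


if __name__ == "__main__":
    records, stats = run_pipeline()
    for r in sorted(records, key=lambda r: r["threat_score"], reverse=True):
        print(json.dumps(r))  # highest-risk first, the order the dashboard should show
    print(stats)
```

Note that the benign flow scores 15/Low from the residual confidence alone, the same figure as the README sample, while the scan lands at Medium and the flood at Critical only because severity is folded in after the model's confidence; without that step every high-confidence verdict would look equally urgent, which is the alert-fatigue problem the project set out to fix.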

## 🚀 Future Enhancements

- 📈 More explainable AI with SHAP/LIME
- 🧠 Deep Learning models for advanced detection

## 🤝 Contributing

We welcome contributions! Feel free to fork this repo, make changes, and submit a pull request. For major changes, open an issue first to discuss what you would like to change.

## 👨‍💻 Team Members

- Ketan Dav (Team Lead)
- Devansh Deshpande
- Dharm Patel
- Aksh Patel
- Devarsh Dalwadi

## 📚 References

- [CICIDS 2017 Dataset](https://www.unb.ca/cic/datasets/ids-2017.html)
- [Scikit-learn Documentation](https://scikit-learn.org/stable)
- [MongoDB Docs](https://www.mongodb.com/docs/)
