● System active

ML-Powered Network
Intrusion Detection

Real-time network intrusion detection on a Raspberry Pi 5. Combines a Random Forest classifier trained on CIC-IDS-2017 with AbuseIPDB threat intelligence to detect attacks across 13 attack vectors - passively, with zero network impact.

View on GitHub How it works
0.94Macro F1
13Attack classes
70Flow features
~30msPrediction time

Detection Pipeline

Every packet on the network passes through a four-stage pipeline running on the Pi 5.

01
Packet Capture
Scapy listens passively on the mirror port. The TP-Link TL-SG105E managed switch copies all traffic to the NIDS - it never sits in the traffic path.
02
Flow Aggregation
Packets are grouped into bidirectional TCP sessions tracked by FIN/RST flags, or UDP flows tracked by timeout windows.
03
Feature Extraction
70 statistical features extracted per flow - matching the CIC-IDS-2017 feature set exactly, including column order.
04
Two-Layer Detection
AbuseIPDB checks source and destination IPs first. If clean, Random Forest classifies the flow across 13 attack types.

Two-Layer Detection

LAYER 01

Threat Intelligence

Source and destination IPs are checked against the AbuseIPDB community database. Any IP scoring above 50/100 triggers an immediate SMS alert - no ML classification needed.

LAYER 02

ML Classification

If no threat intel hit, the flow vector is passed to the Random Forest classifier. A custom 50% confidence threshold filters uncertain predictions before alerting.

Model Metrics

Trained on CIC-IDS-2017, 80/20 stratified split - 743,216 training / 185,805 test samples.

0.94Macro F1
39sTrain time
~30msPer flow on Pi 5
929KTraining rows
Class F1 Score Live Detected
BENIGN
1.00
DDoS
1.00
DoS GoldenEye
1.00
DoS Hulk
1.00
DoS Slowhttptest
1.00
DoS Slowloris
1.00
FTP-Patator
1.00
PortScan
1.00
SSH-Patator
1.00
Other Attack
0.99
Bot
0.90
Web Attack — Brute Force
0.75
Web Attack — XSS
0.61
Macro Average
0.94

Tech Stack

Built entirely on open source tools, deployable on affordable hardware.

Python 3.12Core language
ScapyPacket capture
Scikit-learnML framework
Random ForestClassifier
SHAPExplainability
imbalanced-learnSMOTE balancing
FlaskDashboard
AWS SNSSMS alerting
AbuseIPDBThreat intelligence
SQLitePersistence
Raspberry Pi 5Deployment hardware
CIC-IDS-2017Training dataset