An intelligent, AI-powered Network Intrusion Detection System that analyzes network traffic in real time using Machine Learning/Deep Learning to distinguish legitimate connections from cyber attacks (DoS, Port Scanning, etc.).
```
┌─────────────────────────────────────────────────────────────────────┐
│                         Network / Internet                          │
└─────────────────────┬───────────────────────────────────────────────┘
                      │  Raw packets / .pcap files
                      ▼
          ┌───────────────────────┐
          │    Zeek / Suricata    │  ← NIDS Engine (packet inspection)
          └───────────┬───────────┘
                      │  Extracted metadata (IP, port, protocol, size)
                      ▼
          ┌───────────────────────┐
          │     Redis Streams     │  ← Async message pipeline
          └───────────┬───────────┘
                      │  Feature vectors
                      ▼
          ┌───────────────────────┐
          │      AI Service       │  ← Python microservice (FastAPI)
          │    (Scikit-Learn /    │    Inference + confidence score
          │      TensorFlow)      │
          └───────────┬───────────┘
                      │  Prediction (Normal / DoS / Port Scan)
                      ▼
          ┌───────────────────────┐
          │      Backend API      │  ← Node.js / Express (TypeScript)
          │   REST + WebSockets   │    Auth (JWT/RBAC), Audit layer
          └──────┬────────────────┘
                 │              │
           REST (HTTPS)  Socket.io push
                 │              │
          ┌──────┴──────┐  ┌────┴──────────────────┐
          │   MongoDB   │  │  Frontend Dashboard   │
          │  (Alerts +  │  │  React.js / TS /      │
          │   History)  │  │  TailwindCSS          │
          └─────────────┘  └───────────────────────┘
                                       ▲
                       Nginx reverse proxy (port 80/443)
```
Data flow in one sentence: Zeek/Suricata captures packets → metadata is pushed to Redis Streams → AI Service runs inference → Backend persists + pushes alerts via WebSockets → React Dashboard displays real-time alerts in < 500 ms.
```
nids-project/
│
├── ai-service/                  # Python microservice - model training & inference
│   ├── src/
│   │   ├── main.py              # FastAPI application entry point
│   │   ├── predictor.py         # Model loading + prediction logic
│   │   ├── preprocessor.py      # Feature extraction & normalization
│   │   └── schemas.py           # Pydantic request/response schemas
│   ├── data/                    # Training datasets (.csv) - gitignored if large
│   ├── model/                   # Serialized model files (.pkl, .h5) - gitignored
│   ├── notebooks/               # Jupyter notebooks (EDA, training, evaluation)
│   ├── tests/                   # Unit tests for inference pipeline
│   ├── requirements.txt         # Python dependencies
│   └── Dockerfile
│
├── backend/                     # Node.js / Express API (TypeScript)
│   ├── src/
│   │   ├── config/              # DB connection, environment config
│   │   ├── controllers/         # Route handler logic
│   │   ├── middleware/          # JWT auth, RBAC, error handling, audit logger
│   │   ├── models/              # Mongoose schemas (Alert, User, AuditLog)
│   │   ├── routes/              # Express route definitions
│   │   └── services/
│   │       ├── socketService.ts # Socket.io - push alerts to frontend
│   │       ├── redisService.ts  # Redis Streams consumer
│   │       └── auditService.ts  # Audit trail for alerts + admin actions
│   ├── package.json
│   ├── tsconfig.json
│   └── Dockerfile
│
├── frontend/                    # React.js dashboard (TypeScript + TailwindCSS)
│   ├── src/
│   │   ├── components/          # Reusable UI: AlertBanner, TrafficChart, etc.
│   │   ├── hooks/               # Custom hooks: useSocket, useAlerts
│   │   ├── pages/               # Login.tsx, Dashboard.tsx
│   │   ├── services/            # Axios REST client + Socket.io setup
│   │   └── types/               # Shared TypeScript interfaces
│   ├── tailwind.config.ts
│   ├── vite.config.ts
│   ├── package.json
│   └── Dockerfile
│
├── infra/                       # Infrastructure & DevOps configuration
│   ├── nginx/
│   │   └── nginx.conf           # Reverse proxy routing rules
│   ├── prometheus/
│   │   └── prometheus.yml       # Scrape configs for backend + ai-service metrics
│   └── grafana/
│       └── dashboards/          # Pre-built Grafana dashboard JSON exports
│
├── docs/                        # Project specifications (PDFs)
│   ├── Cahier_des_charges_NIDS.pdf
│   ├── Cahier_des_Charges_Dashboard_NIDS.pdf
│   └── Cahier_des_charges_IA.pdf
│
├── docker-compose.yml           # Orchestrates all 6 services
├── .env.example                 # Environment variable template
├── .gitignore
└── README.md                    # ← you are here
```
| Service | URL | Description |
|---|---|---|
| Frontend | http://localhost:3000 | React dashboard (Vite dev server) |
| Backend API | http://localhost:5000 | Express REST API + Socket.io |
| AI Service | http://localhost:8000 | FastAPI inference microservice |
| MongoDB | localhost:27017 | Alert history + user database |
| Redis | localhost:6379 | Streaming pipeline (Redis Streams) |
| Grafana | http://localhost:3001 | Monitoring dashboards |
| Prometheus | http://localhost:9090 | Metrics scraping & storage |
| Nginx | http://localhost:80 | Reverse proxy (production) |
Note: In development, each service runs independently on its port. In production (`docker-compose up`), Nginx proxies all traffic through port 80/443.
- Docker & Docker Compose v2+
- Node.js ≥ 18 (for local frontend/backend dev)
- Python ≥ 3.10 (for local AI service dev)
- Zeek or Suricata (NIDS engine; install on host)
```bash
git clone https://github.com/simoabid/NIDS-Project.git
cd NIDS-Project
```

```bash
# Copy environment template and fill in your values
cp .env.example .env
```

Edit `.env` with your settings (JWT secret, MongoDB URI, etc.).
```bash
# Build and start all services in detached mode
docker-compose up --build -d

# View aggregated logs
docker-compose logs -f

# Stop all services
docker-compose down
```

The dashboard will be available at http://localhost:3000.
```bash
cd frontend
npm install
npm run dev   # http://localhost:3000
```

```bash
cd backend
npm install
npm run dev   # http://localhost:5000 (ts-node-dev with hot reload)
```

```bash
cd ai-service
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
uvicorn src.main:app --reload --port 8000
```

```bash
docker run -d -p 6379:6379 redis:alpine
```

```bash
docker run -d -p 27017:27017 mongo:7
```

```bash
cd ai-service
source .venv/bin/activate

# Place your dataset (e.g., NSL-KDD, CICIDS2017) in ai-service/data/
# Then run the training notebook or script:
jupyter notebook notebooks/01_train_model.ipynb
# or
python src/train.py --dataset data/cicids2017.csv --output model/nids_model.pkl
```

```bash
# Using Zeek to process an offline capture:
zeek -r path/to/capture.pcap

# Using Suricata:
suricata -r path/to/capture.pcap -l /tmp/suricata-output/
```

The system uses JWT + RBAC (Role-Based Access Control).
| Role | Permissions |
|---|---|
| `admin` | Full access: start/stop capture, view all alerts, manage users |
| `viewer` | Read-only: view dashboard, alerts, and statistics |

Tokens are issued on login and must be passed in the `Authorization: Bearer <token>` header for all protected API endpoints.
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| `POST` | `/api/auth/login` | No | Authenticate and receive JWT |
| `GET` | `/api/alerts` | Yes | Paginated alert history |
| `GET` | `/api/alerts/:id` | Yes | Alert detail (IP, type, timestamp) |
| `GET` | `/api/stats` | Yes | Global traffic statistics |
| `POST` | `/api/capture/start` | Yes (admin) | Start real-time network capture |
| `POST` | `/api/capture/stop` | Yes (admin) | Stop capture |
| `GET` | `/api/audit` | Yes (admin) | Audit log of all admin actions |
WebSocket events (Socket.io):

- `alert:new`: emitted when the AI detects an attack; payload: `{ ip, type, confidence, timestamp }`
- `stats:update`: periodic traffic statistics update
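
One way the JWT + RBAC rules and the REST endpoints listed above could be enforced, as an added example that is not code from the NIDS-Project repository. It assumes HS256 tokens carrying `role` and `exp` claims; the names `signToken`, `authorize` and `ROUTE_ROLES` are hypothetical, and it uses only Node's built-in `crypto`.

```javascript
// Added example, not project code. Claim names (role, exp) are assumptions.
const crypto = typeof require === "function"          // CommonJS
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");          // ES modules

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (secret, data) => crypto.createHmac("sha256", secret).update(data).digest();

// Roles allowed per protected route, copied from the endpoint table.
// Anything not listed is denied by default.
const ROUTE_ROLES = new Map([
  ["GET /api/alerts", ["viewer", "admin"]],
  ["GET /api/alerts/:id", ["viewer", "admin"]],
  ["GET /api/stats", ["viewer", "admin"]],
  ["POST /api/capture/start", ["admin"]],
  ["POST /api/capture/stop", ["admin"]],
  ["GET /api/audit", ["admin"]],
]);

// Mints an HS256 token; stands in for the login handler so the example is runnable.
function signToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(secret, `${head}.${body}`))}`;
}

// Returns the HTTP status a guard middleware would send:
// 200 allowed, 401 missing/invalid/expired token, 403 valid token but wrong role.
function authorize(route, authHeader, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || "");
  if (!m) return 401;
  const [, head, body, sig] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return 401;
  }
  // Pin the algorithm server-side; a token must not choose its own (e.g. "none").
  if (header?.alg !== "HS256") return 401;
  const expected = hmac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 401;
  if (typeof claims?.exp !== "number" || claims.exp <= nowSec) return 401;
  const allowed = ROUTE_ROLES.get(route) || [];
  return allowed.includes(claims.role) ? 200 : 403;
}
```

In an Express app the returned status would be sent from a middleware mounted ahead of the route handlers, with `route` built from the request method and the matched route pattern. A deployed backend would normally rely on a maintained JWT library with the accepted algorithm list fixed in the same way.
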
```bash
# Backend unit + integration tests
cd backend && npm test

# AI Service tests
cd ai-service && pytest tests/

# Frontend component tests
cd frontend && npm test
```

Once the stack is running:
- Grafana (http://localhost:3001): pre-built dashboards for detection rate, alert volume, and system health
- Prometheus (http://localhost:9090): raw metrics from backend and AI service
| Layer | Technology |
|---|---|
| Frontend | React.js, TypeScript, TailwindCSS, Vite, Socket.io-client |
| Backend | Node.js, Express.js, TypeScript, Socket.io, Mongoose |
| AI Service | Python, FastAPI, Scikit-Learn / TensorFlow, Pydantic |
| Database | MongoDB |
| Streaming | Redis Streams |
| NIDS Engine | Zeek or Suricata |
| Auth | JWT, RBAC |
| Infrastructure | Docker, Docker Compose, Nginx |
| Monitoring | Prometheus, Grafana |
| Test Env | VirtualBox / GNS3, Wireshark |
Full project requirements are in `docs/`:

- `Cahier_des_charges_NIDS.pdf`: global system spec (architecture, use cases, sequence diagrams)
- `Cahier_des_Charges_Dashboard_NIDS.pdf`: monitoring & dashboard module spec
- `Cahier_des_Charges_IA.pdf`: AI/ML model specification
- Phase 1 Summary: Phase 1 project summary