-
-
Landing Page
-
Dashboard
Inspiration We were inspired by the growing gap between sophisticated cyberattacks and the ability of small organizations to respond effectively. Every day, ransomware cripples hospitals, schools, and small businesses – not because they lack security awareness, but because existing tools are either too fragmented, too manual, or require expert forensic knowledge. We saw first‑hand how security analysts spend 6–8 hours per incident manually correlating logs from antivirus, SIEM, and forensic suites. Our inspiration came from a simple question: Why can't a small business with no dedicated security team detect a zero‑day attack, investigate it, and contain it – all in under 10 minutes? ForeSight is our answer.
What it does ForeSight is a unified hybrid AI platform that combines real‑time system monitoring, automated digital forensics, and a conversational incident response assistant – all in one accessible dashboard.
Real‑time monitor – A lightweight desktop agent tracks file operations, process executions, and network activity with only 2–5% CPU overhead.
Hybrid Ensemble Model (HEM) – Uses an unsupervised Local Outlier Factor (LOF) detector to catch zero‑day anomalies, then passes suspicious events to a supervised Logistic Regression classifier for high‑precision known‑attack detection. Achieves 94% precision and 82% F1‑score.
Automated forensics – After a breach, users upload disk images, memory dumps, or logs. The system reconstructs attack timelines, identifies compromised artifacts, and generates court‑ready PDF/JSON reports.
AI conversational assistant – A chatbot powered by RAG (Retrieval‑Augmented Generation) lets non‑experts ask plain‑language questions like “What files were encrypted?” and get step‑by‑step remediation guidance.
One‑click compliance – Produces executive summaries and MITRE ATT&CK‑mapped reports for GDPR, HIPAA, and other regulations.
In a simulated ransomware attack, ForeSight detected encryption behavior in 8 seconds and completed the full investigation in under 5 minutes – versus 2 hours using traditional tools.
How we built it Backend (Python, FastAPI, Scikit‑learn, Pandas)
Built the Hybrid Ensemble Model using LocalOutlierFactor (unsupervised stage) and LogisticRegression with balanced class weights.
Trained and evaluated on UNSW‑NB15 and CICIDS2017 datasets (over 2M samples). Used XGBoost for feature selection – retained top 15 features.
Implemented sequential decision policy: LOF anomaly score > threshold → immediate attack classification; else → LR probability ≥0.35 → attack.
Built REST APIs for evidence upload (hash verification, AES‑256 encryption), timeline reconstruction, and report generation.
Frontend (React, D3.js, Tailwind CSS)
Designed an interactive timeline using D3.js to visualize thousands of forensic events with zoom, filter, and search.
Created a dashboard with real‑time alert feeds, MITRE ATT&CK heatmap, and a chatbot interface.
Integrated the chatbot with a local LLM (fine‑tuned Llama 3) using RAG – the LLM retrieves factual evidence from the forensic engine before answering.
Used WebSockets for live monitoring alerts.
Infrastructure
Multi‑tenant isolation with separate namespaces per organization.
Encrypted evidence vault with chain‑of‑custody logging (hash + timestamp).
Deployed on Docker containers; scalable via Kubernetes.
Challenges we ran into Balancing precision vs. recall – Early versions of LOF alone had too many false positives (alert fatigue). Adding LR as a second stage reduced false positives but slightly lowered recall. We optimized the LR probability threshold to 0.35 based on validation data, achieving a 94% precision while keeping recall acceptable.
Real‑time performance – LOF inference on high‑dimensional data was slow. We solved this by reducing features from 78 to the top 15 using XGBoost importance, cutting latency by 40% without losing F1‑score.
LLM hallucination – The conversational assistant sometimes invented steps. We switched to a RAG architecture where the LLM only summarizes retrieved forensic facts – eliminating hallucinations.
Multi‑tenant evidence isolation – Ensuring that one organization’s evidence is never leaked to another required careful namespace design and database row‑level security. We implemented tenant context via middleware in every API call.
Frontend timeline rendering – Displaying thousands of events caused browser lag. We implemented virtual scrolling and server‑side pagination to keep the interface smooth.
Accomplishments that we're proud of 94.04% precision and 82.05% F1‑score – a 5.03% improvement over unsupervised‑only models, validated on standard benchmark datasets.
8‑second ransomware detection and <5 minute full investigation in a simulated attack – a 95% reduction in investigation time compared to traditional tools.
Accessibility for non‑experts – In our usability study, non‑technical users completed 80–93% of forensic tasks successfully, thanks to the conversational assistant.
Lightweight footprint – Only 2–5% CPU and 150MB RAM for the real‑time monitor – suitable for endpoints with limited resources.
Legally‑ready evidence – Automated chain‑of‑custody with hashing and timestamped audit logs meets requirements for court admissibility.
UN SDG alignment – Our work supports SDG 9 (industry innovation), SDG 11 (sustainable cities), and SDG 16 (peace, justice, and strong institutions).
What we learned Hybrid models work – Combining unsupervised anomaly detection with supervised classification gives the best of both worlds: catching zero‑days while maintaining low false positives.
Feature engineering matters – 15 well‑chosen features outperformed all 78 features. Less is often more.
Explainability drives trust – Investigators only trusted the system when they could see why a file or process was flagged (LOF scores, LR coefficients).
Conversational AI is a force multiplier – Non‑technical staff could perform basic triage without waiting for experts, dramatically reducing response time.
Deployment constraints are real – Real‑time systems must be lightweight; we learned to optimize aggressively for CPU and memory.
Ethical considerations – AI‑generated forensic reports need human oversight for legal decisions. We learned to design for “human‑in‑the‑loop” rather than full automation.
What's next for ForeSight Edge & IoT deployment – Distill the model to run on Raspberry Pi and industrial controllers for critical infrastructure protection.
Automated containment – Add SOAR integration to automatically isolate endpoints, block IPs, and kill malicious processes (with human approval).
Cloud & container forensics – Build native connectors for AWS CloudTrail, Azure Monitor, and Kubernetes audit logs.
Blockchain chain‑of‑custody – Replace our current audit log with an immutable distributed ledger for maximum legal defensibility.
Federated learning – Enable cross‑organizational threat detection without sharing raw evidence – learn emerging attack patterns while preserving privacy.
Adversarial robustness – Train the hybrid model against evasion attacks (e.g., LOF‑aware malware) to harden real‑world deployments.
Compliance automation pack – Pre‑built report templates for NIS2, PCI‑DSS, HIPAA, and GDPR to reduce compliance overhead.
We are actively seeking beta testers and academic collaborators. ForeSight is open for pilot deployments in healthcare, education, and small business environments.
Built With
- att&ck
- dfir-(digital-forensics-&-incident-response)-pipeline
- docker-(kubernetes-planned)-integrations-&-apis:-google-oauth
- express.js
- framework
- gemini/gpt-via-ai-gateway-cloud-&-devops:-supabase-cloud
- groq-api-(optional)
- ioc-enrichment
- javascript
- jupyter-notebook-frontend:-react-18
- languages:-typescript
- lovable-cloud
- lucide-react
- mitre
- openai-api-database-&-authentication:-postgresql
- python
- react-router
- recharts
- row-level-security
- storage)-ai/ml-&-security-layer:-convolutional-neural-networks-(cnn)-for-anomaly-detection
- supabase-(auth
- supabase-(edge-functions)
- tailwind-css
- tanstack-query-backend:-node.js
- typescript
- virustotal-api-(threat-intelligence)
- vite-5
- wazuh-(log-monitoring)
Log in or sign up for Devpost to join the conversation.