GuardianShield: AI Proxy for Cyber Threat Defense
Hey everyone, I'm Thierry Mukiza, a full-stack dev from Kigali, Rwanda, with a passion for turning code into shields against the chaos of the digital world. GuardianShield isn't just a project—it's my response to the invisible wars raging on the web. As a guy who's bootstrapped apps in a place where one breach can wipe out months of work, I built this to make security accessible, smart, and unstoppable. Inspired by late-night reads of OWASP reports and the thrill of ML models "learning" to fight back, I dove in during the Infinity Code Hackathon. What started as a simple proxy evolved into a hybrid beast that blocks OWASP Top 10 threats with 85% recall. Let's dive into the story.
Inspiration
It all kicked off one rainy evening in Kigali, scrolling through the 2025 Verizon DBIR report: 80% of breaches from injection attacks like SQLi and XSS, costing $4.45M on average. As a dev building e-commerce tools for local startups, I thought, "Why do we still lose to these predictable hacks?" Heroes like Tony Stark in his Iron Man suit came to mind: adaptive, intelligent defense. That's when GuardianShield sparked: an AI proxy that learns from data, not just rules. The Infinity Code Hackathon's Cyber Shield Mission track was the perfect call to action: "Defend against digital threats with CS innovation." I wanted to create something that empowers devs in places like Rwanda, where resources are tight but threats are global. No fancy WAFs needed—just Python, ML, and grit.
What it does
GuardianShield is a lightweight FastAPI proxy that intercepts HTTP requests, scans for threats, and decides: allow or block. It combines OWASP rules for instant pattern matching (e.g., spotting alert(1) or ' OR 1=1--) with an XGBoost ML model for probabilistic scoring (e.g., 0.98 on SQLi payloads). Hugging Face's toxic-bert LLM adds semantic analysis for "sneaky" threats. Benign requests like "search=OpenAI" sail through (whitelisted), while malicious ones get a 403 with mitigation tips. It logs everything to JSON files for audits, and emails alerts. Deploy it as middleware for any web app: it protects APIs, forms, or full sites in milliseconds.
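The allow-or-block flow described above (whitelist, then rules, then a model score against the 0.7 threshold), as an added sketch that is not GuardianShield's own code. The two rules, the whitelist shape, the double URL-decoding step and the `score_fn` callable standing in for the XGBoost model are assumptions made for illustration.

```python
import json
import math
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed rule set modelled on the two payloads quoted above (not the project's rules).
RULES = [
    ("critical_xss_pattern_<script", re.compile(r"<\s*script", re.I),
     "Encode output and set a Content-Security-Policy."),
    ("sqli_tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
     "Use parameterized queries."),
]
WHITELIST = re.compile(r"[A-Za-z0-9 _.-]{1,64}")  # assumed shape of a plainly benign value
THRESHOLD = 0.7  # block threshold stated on the page


def entropy(text):
    """Shannon entropy in bits per character, clipped to [0, 8]."""
    if not text:
        return 0.0
    n = len(text)
    h = -sum(c / n * math.log2(c / n) for c in Counter(text).values())
    return min(max(h, 0.0), 8.0)


def decide(raw_value, score_fn):
    """Verdict for one parameter value; score_fn maps a feature dict to a probability."""
    # Decode up to two URL-encoding layers so %253Cscript is checked as <script.
    value = unquote_plus(unquote_plus(raw_value))
    if WHITELIST.fullmatch(value):
        return {"status": 200, "action": "ALLOWED", "reason": "whitelisted", "tip": None}
    for name, pattern, tip in RULES:
        if pattern.search(value):
            return {"status": 403, "action": "BLOCKED", "reason": name, "tip": tip}
    score = score_fn({"entropy": entropy(value), "length": len(value)})
    blocked = score >= THRESHOLD
    return {"status": 403 if blocked else 200,
            "action": "BLOCKED" if blocked else "ALLOWED",
            "reason": f"ml_score_{score:.2f}",
            "tip": "Validate and encode untrusted input." if blocked else None}


def audit_line(raw_value, verdict):
    """One JSON audit record; json.dumps escapes the payload for safe storage."""
    return json.dumps({"input": raw_value, **verdict}, sort_keys=True)
```

The whitelist is matched against the decoded value, so an encoded payload cannot pass as a benign string before the rules see it.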
How we built it
I started with the basics: a FastAPI server in main.py for the proxy, features.py to extract OWASP signals (34 features like entropy and injection scores), and train_model.py for the ML backbone. Dataset? I curated MASTER_training_dataset.csv from OWASP payloads and benign logs—107K rows of real-world chaos. Training flow: Load data, validate features, split with stratification, weight samples for imbalance, tune XGBoost via GridSearchCV (best params: learning_rate=0.05, subsample=0.9), select top features with SelectFromModel, calibrate for probabilities, and optimize threshold to 0.7 for precision. Saved everything as .pkl files. The middleware in main.py reads requests, whitelists safe ones, runs rules/ML/LLM, and logs. Tested with curl in PowerShell—safe inputs get "ALLOWED," malicious get blocked with reasons like "critical_xss_pattern_<script". No Docker headaches—just pip install -r requirements.txt and uvicorn main:app. Deployed on Render for live demos.
Challenges we ran into
The struggles were real, starting with that .json dataset nightmare. I had raw OWASP payloads in JSON format, but cleaning it was a beast: malformed entries, nested objects, and missing labels. Spent hours parsing with json.loads(), handling exceptions for bad data, and mapping to CSV for training—lost a full day debugging NaNs that crashed XGBoost. Then, hitting the 0.7 threshold for precision while keeping 85% recall? Brutal. Early models hit 90% accuracy but tanked on recall (false negatives let SQLi slip). Tweaked sample weights for critical patterns (e.g., 1.8x for LDAP injection), calibrated with CalibratedClassifierCV, and fine-tuned GridSearchCV params—trials upon trials until we balanced it. Building the master dataset was the grind: Merged OWASP JSONs with synthetic benign data (e.g., search queries), labeled 107K rows manually, and fought imbalance (56K benign vs. 50K malicious). Feature engineering took weeks—clipping entropy to [0,8], ensuring binary flags like XSS patterns are 0/1. One wrong regex, and the model hallucinated on path traversal! But hey, that's the hackathon spirit—turning frustration into breakthroughs.
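The precision-versus-recall tension around the block threshold, as an added example that is not taken from train_model.py: it picks the threshold with the best precision among those that keep recall at or above a floor. The scores and labels are constructed; `pick_threshold` and `precision_recall` are hypothetical names.

```python
def precision_recall(scores, labels, threshold):
    """Precision and recall when score >= threshold means 'block'."""
    tp = sum(1 for s, y in zip(scores, labels) if s >= threshold and y == 1)
    fp = sum(1 for s, y in zip(scores, labels) if s >= threshold and y == 0)
    fn = sum(1 for s, y in zip(scores, labels) if s < threshold and y == 1)
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def pick_threshold(scores, labels, min_recall=0.85):
    """Highest-precision threshold whose recall stays at or above min_recall.

    Candidates are the distinct scores themselves. Ties on precision go to the
    higher threshold, which blocks fewer requests. Returns
    (threshold, precision, recall), or None if no candidate reaches the floor.
    """
    best = None
    for t in sorted(set(scores)):
        p, r = precision_recall(scores, labels, t)
        if r >= min_recall and (best is None or p >= best[1]):
            best = (t, p, r)
    return best


# Constructed validation set: calibrated probabilities and labels (1 = malicious).
SCORES = [0.05, 0.10, 0.30, 0.55, 0.65, 0.72, 0.80,
          0.91, 0.95, 0.98, 0.40, 0.75, 0.99, 0.20]
LABELS = [0, 0, 0, 0, 1, 1, 1,
          1, 1, 1, 0, 0, 1, 0]
```

On this sample the 0.85 recall floor selects 0.65 (precision 0.875, recall 1.0), while relaxing the floor to 0.7 selects 0.80, which reaches precision 1.0 but lets two of the seven malicious samples through.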
Accomplishments that I am proud of
I'm grinning just thinking about it. First, the 86% validation accuracy on a diverse OWASP dataset—our hybrid model blocked 100% of Top 10 samples in live tests, with ML nailing nuanced ones at 0.98 probability. Second, ditching Docker for a pure Python setup: Deployed on Render in 5 mins, no daemon drama. Third, the seamless integration—curl a malicious payload, and boom, 403 with mitigation like "Use parameterized queries." Finally, the README and GitHub repo: Clean, with demos and setup—ready for anyone to fork and fortify their app. Proudest? Seeing it run locally, blocking an XSS in PowerShell while logging to JSON. From idea to shield—that's the win.
What I learned
This project was a masterclass in grit and growth. I learned ML isn't just black-box—calibration turned raw predictions into trustworthy probabilities, and handling imbalanced data with weights saved recall from 70% to 85%. Cleaning JSON datasets taught me the power of pandas for messy data (one fillna(0) fixed half my woes). FastAPI middleware? Game-changer for proxies—async handling made it fly at 50ms/request. Challenges like threshold tuning showed me iteration is key: Start simple, measure, tweak. On a personal level, it reinforced why I code: To build tools that protect, especially for underserved devs in Africa. Hackathons like Infinity Code? They push you to blend CS with real impact: heroic stuff.
What's next for GuardianShield
The journey's just starting. Next up: Integrate MySQL for persistent logging of false positives; retrain the model dynamically on them for 90%+ accuracy. Upgrade the dashboard with Streamlit for real-time threat maps and alerts. Add encryption for logs (AES via cryptography) and AR/VR visualization for "Strange Data Dimension" fun.
Thierry Mukiza, October 2, 2025
Built With
- fastapi
- python-package-index