Inspiration
The idea for NetShield AI came from a frustrating realization — cybersecurity tools like Wireshark and Snort are incredibly powerful, but completely inaccessible to anyone who isn't already an expert. As CS students, we wanted to practice network security and understand real attack patterns, but every tool we picked up either dumped raw packet data with no context or required root-level system access just to get started. We kept asking: why does monitoring your own network feel like reading assembly code? That question became the project.
We also found that 60% of SMBs have zero real-time network monitoring in place — not because they don't care, but because the tools available are either too technical or too expensive. That gap felt worth solving.
What We Built
NetShield AI is a real-time network intrusion detection system with a visual, browser-based dashboard. It captures live network traffic using Scapy and pcap, runs it through a rule-based detection engine that flags threats like DDoS, port scans, brute force attempts, and ARP spoofing, then pushes alerts to a React dashboard over WebSocket in under 500ms. The whole stack — backend, frontend, and MongoDB — spins up with a single docker-compose up. We also built a built-in attack simulator that works on loopback only, so anyone can demo a DDoS detection without touching a real network or needing special permissions.
How We Built It
We split the system into four independently testable layers: the capture layer (Scapy/pcap), the detection engine (sliding window + rule evaluator), the backend API (Node.js + Express + Socket.IO), and the React frontend (Chart.js, Tailwind, real-time alert feed). We used MongoDB Atlas for alert history and PM2 for process management. The team divided ownership by layer — which let us build and test each piece in parallel before wiring them together on Day 2. Docker Compose was the glue that made the final integration surprisingly clean.
Challenges
The hardest part was the alert pipeline latency. Getting end-to-end detection — from packet capture to dashboard alert — under 500ms required rethinking how we batched and forwarded events. We initially buffered too aggressively on the backend, which killed responsiveness. Moving to an event-driven push model over WebSocket instead of polling fixed it.
The second challenge was the attack simulator. Running attack simulations safely without touching real network interfaces meant isolating everything to loopback and carefully sandboxing the Scapy scripts so they couldn't accidentally affect external traffic. Getting that right took more iteration than expected.
Finally, making the detection engine accurate enough to be useful without being noisy was a constant tuning exercise — too sensitive and the dashboard floods with false positives, too conservative and real threats slip through.
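As an added illustration of the "sliding window + rule evaluator" design described under How We Built It and the threshold trade-off above, here is a small detector written for this page (it is not NetShield AI's own engine; the event tuple format, rule names, thresholds and the constructed sample traffic are all assumptions). Each incoming packet event is appended to a per-source window, expired events are dropped, and two rules are evaluated: a port-scan rule on distinct destination ports and a flood rule on packets to one destination. Raising or lowering the thresholds shows directly how sensitivity trades against noise.

```python
from collections import deque, defaultdict

# Constructed packet events: (timestamp_s, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps 25 ports, 10.0.0.7 sends 120 packets to port 80 in
# ~0.12 s, and 10.0.0.8 is ordinary traffic. Not a real capture.
SAMPLE_EVENTS = (
    [(i * 0.01, "10.0.0.5", "10.0.0.9", 1000 + i) for i in range(25)]
    + [(1.0 + i * 0.001, "10.0.0.7", "10.0.0.9", 80) for i in range(120)]
    + [(2.0, "10.0.0.8", "10.0.0.9", 443), (2.5, "10.0.0.8", "10.0.0.9", 22)]
)

class SlidingWindowDetector:
    """Keeps each source IP's events from the last `window_s` seconds and
    re-evaluates the rules on every new event (assumed rule set)."""

    def __init__(self, window_s=1.0, scan_ports=20, flood_pkts=100):
        self.window_s = window_s
        self.scan_ports = scan_ports      # distinct (dst, port) from one src
        self.flood_pkts = flood_pkts      # packets from one src to one dst
        self.by_src = defaultdict(deque)  # src_ip -> deque of recent events
        self.alerted = set()              # (rule, key) already raised

    def _expire(self, now):
        for window in self.by_src.values():
            while window and now - window[0][0] > self.window_s:
                window.popleft()

    def _raise(self, rule, key):
        # Suppress repeats of the same alert so the dashboard is not flooded
        # with duplicates; a real engine would reset this after a cooldown.
        if (rule, key) in self.alerted:
            return None
        self.alerted.add((rule, key))
        return {"rule": rule, "key": key}

    def feed(self, ts, src, dst, dport):
        """Record one event and return the alerts it triggers (possibly none)."""
        self._expire(ts)
        window = self.by_src[src]
        window.append((ts, dst, dport))
        alerts = []
        if len({(d, p) for _, d, p in window}) >= self.scan_ports:
            alerts.append(self._raise("port_scan", src))
        if sum(1 for _, d, _ in window if d == dst) >= self.flood_pkts:
            alerts.append(self._raise("flood", (src, dst)))
        return [a for a in alerts if a]

def run(events, **thresholds):
    """Replay a list of events through one detector; return all alerts."""
    det = SlidingWindowDetector(**thresholds)
    alerts = []
    for ev in events:
        alerts.extend(det.feed(*ev))
    return alerts
```

Calling run(SAMPLE_EVENTS) with the defaults yields one port_scan alert for 10.0.0.5 and one flood alert for 10.0.0.7, while run(SAMPLE_EVENTS, scan_ports=30, flood_pkts=200) yields nothing, which is the false-positive versus missed-threat trade-off described above.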
What We Learned
We came in knowing React and Node.js. We left understanding how packets actually move through a network, what makes an IDS rule effective, and why alert fatigue is one of the most underrated problems in security. We also learned that Docker Compose is genuinely underrated as a demo tool — the ability to hand someone a repo and have them fully up in two minutes is worth more than almost any feature.
Built With
- chart.js
- mongodb-atlas
- docker-compose
- express.js
- react-18
- git
- jwt-authentication
- mongoose-odm
- docker
- node.js
- pcap
- pm2-process-manager
- vite
- recharts
- scapy
- socket.io-(client-&-server)
- tailwind-css
- winston