Inspiration
Cyber attacks are evolving rapidly, especially in critical infrastructures. We wanted to build a system that not only detects attacks in real-time but also responds automatically and intelligently.
What it does
SentinelStream captures live network traffic from a switch SPAN port, extracts per-flow features using CICFlowMeter, classifies each flow using a trained AI model, and triggers automated incident response through Wazuh, TheHive, and Shuffle.
How we built it
We used CICFlowMeter to extract features directly from a SPAN port in real time. The AI model (built with Scikit-learn and TensorFlow) classifies each connection as benign or malicious. Upon detection, alerts are generated and forwarded to Wazuh and TheHive via custom API integrations. GPT OSS was used to assist in analyzing unknown threats and generating recommendations.
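The per-flow classify-and-alert step described above, written out as an added example (this is not the project's own code): it parses CICFlowMeter CSV output, neutralises the "Infinity"/"NaN" values CICFlowMeter emits in the rate columns for zero-duration flows, scores each flow, and builds one alert record per malicious flow. The feature subset, the alert schema, the sample rows and demo_predict (a stand-in for the trained model) are all assumptions.

```python
import csv
import io
import json
import math

# CICFlowMeter columns fed to the model (assumed subset; real exports have ~80).
FEATURES = ["Flow Duration", "Tot Fwd Pkts", "Tot Bwd Pkts",
            "Flow Byts/s", "Flow Pkts/s", "SYN Flag Cnt"]

def to_vector(flow):
    """One CICFlowMeter CSV row -> feature vector. Zero-duration flows make
    CICFlowMeter emit 'Infinity'/'NaN' in the rate columns; map those to 0.0
    exactly as the training data was cleaned, or the model sees garbage."""
    vec = []
    for name in FEATURES:
        try:
            val = float(flow.get(name, ""))
        except ValueError:
            val = 0.0
        vec.append(0.0 if math.isnan(val) or math.isinf(val) else val)
    return vec

def build_alert(flow, score):
    # One event per malicious flow; json.dumps(alert) gives a line Wazuh can ingest.
    return {"integration": "sentinelstream", "flow_id": flow.get("Flow ID", ""),
            "src_ip": flow.get("Src IP", ""), "dst_ip": flow.get("Dst IP", ""),
            "dst_port": flow.get("Dst Port", ""), "score": round(score, 3),
            "severity": "high" if score >= 0.9 else "medium"}

def process_flows(csv_text, predict, threshold=0.5):
    """Score every flow; return alerts for those at or above the threshold."""
    alerts = []
    for flow in csv.DictReader(io.StringIO(csv_text)):
        score = predict(to_vector(flow))
        if score >= threshold:
            alerts.append(build_alert(flow, score))
    return alerts

# Constructed sample rows (not real captures). demo_predict stands in for the
# trained model's predict_proba(...)[0][1]; row 3 is a one-sided burst of SYNs.
SAMPLE_CSV = """Flow ID,Src IP,Dst IP,Dst Port,Flow Duration,Tot Fwd Pkts,Tot Bwd Pkts,Flow Byts/s,Flow Pkts/s,SYN Flag Cnt
10.0.0.5-10.0.0.9-51234-443-6,10.0.0.5,10.0.0.9,443,120000,12,10,8400.5,183.3,1
10.0.0.7-10.0.0.9-40001-80-6,10.0.0.7,10.0.0.9,80,0,1,0,Infinity,Infinity,1
10.0.0.7-10.0.0.9-40002-80-6,10.0.0.7,10.0.0.9,80,3000,200,0,NaN,66666.6,200
"""

def demo_predict(vec):
    return 0.95 if vec[5] >= 100 and vec[2] == 0 else 0.05

if __name__ == "__main__":
    print(json.dumps(process_flows(SAMPLE_CSV, demo_predict), indent=2))
```

Each returned dict can be appended as one JSON line to a file that Wazuh reads with a json-format localfile entry, or posted to TheHive as an alert; the threshold is where the false-positive budget of the SOC is set, so tune it on held-out benign traffic rather than leaving it at 0.5.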
Challenges we ran into
- Configuring SPAN on physical switches
- Integrating CICFlowMeter with real-time pipelines
- Ensuring compatibility between Elasticsearch ports for multiple services (Wazuh, TheHive)
- Creating fast, reliable ML pipelines for live traffic
What we learned
- Real-time ML on live traffic
- How to integrate SIEM and SOAR tools in production
- Advanced use of CICFlowMeter
- Deploying and securing multiple services on Linux
What's next
We aim to expand the detection to multiclass attack classification and integrate a response verification loop powered by GPT OSS for smarter mitigation.
Built With
- cicflowmeter
- cortex
- docker
- elasticsearch
- flask
- linux
- python
- scikit-learn
- shuffle
- span
- tensorflow
- thehive
- wazuh