◈ INTELLIGENT IDS/IPS

IoT/OT Intelligent Intrusion Detection Framework

A lightweight, rule-based IDS/IPS framework for non-traditional IoT/OT environments. Detects SYN floods, data exfiltration, and DDoS activity across the Purdue Model zones using real-world RT-IoT2022 dataset traffic data.

RT-IoT2022 Dataset · Rule-Based Detection · Purdue Model 3-Zone Architecture · 10+ Attack Types · 15+ Visualizations · IPS Response · Python 3.11 · Pandas · Matplotlib
PURDUE MODEL — ZONE ARCHITECTURE
ENTERPRISE ZONE
LEVEL 3–4
Network infrastructure & cloud. Detects large-scale DDoS traffic floods targeting network availability.
DDoS Detection: flow_pkts_per_sec > 5000
CONTROL ZONE
LEVEL 2
Gateways, routers, local controllers. Primary detection point for SYN floods & port scanning.
SYN Flood / Scan: flow_SYN_flag_count > 0
FIELD ZONE
LEVEL 0–1
IoT cameras & edge devices. Detects abnormal payload volumes indicating data exfiltration.
Data Exfiltration: payload_bytes/sec > 1M
🛡️ IDS DETECTION LAYER
Rule-Based · Alert Generation · IPS Response Simulation
Dataset: RT-IoT2022 · Real-Time Internet of Things Network Traffic
Zones: Control · Field · Enterprise
Architect/Developer: Hassaan Alrifai
01 — Core Logic
Rule-Based Detection Engine
◈ PRIORITY 1 · CONTROL ZONE
SYN Flood / Scan
→ Control Zone Alert
Detects SYN flag anomalies from port scanning and connection flooding attacks. Any SYN activity triggers an immediate Control Zone alert — the highest-priority detection in the system.
if row['flow_SYN_flag_count'] > 0:
  Zone = "Control Zone"
  Type = "SYN Flood / Scan"
→ Block IP · Log Alert · Simulate IPS
◈ PRIORITY 2 · FIELD ZONE
📡
High Data Exfiltration
→ Field Zone Alert
Monitors payload transmission rates from IoT devices. Unusually high payload bytes per second indicate compromised devices transmitting sensitive data outside normal communication patterns.
elif row['payload_bytes_per_second'] > 1_000_000:
  Zone = "Field Zone"
  Type = "High Data Exfiltration"
→ Block IP · Log Alert · Simulate IPS
◈ PRIORITY 3 · ENTERPRISE ZONE
🌊
DDoS-like Activity
→ Enterprise Zone Alert
Detects high-rate traffic flooding patterns targeting network availability. Packets-per-second exceeding threshold signals a coordinated DDoS attack at the enterprise network layer.
elif row['flow_pkts_per_sec'] > 5000:
  Zone = "Enterprise Zone"
  Type = "DDoS-like Activity"
→ Block IP · Log Alert · Simulate IPS
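The three cards above describe one if/elif chain; here it is as a complete, added example (not the project's own code) that runs the priority-ordered rules over constructed RT-IoT2022-style flow rows and tallies alerts per zone. Feature names are the dataset's; the sample values, the `run_ids` helper and the `response` field are assumptions made for this illustration.

```python
# Added example: priority-ordered rule engine for the three Purdue-zone rules.
from collections import Counter

# Order matters: a flow that satisfies several rules is attributed to the
# first rule that fires (Control > Field > Enterprise), exactly as the
# if/elif chain on the page does.
RULES = [
    ("Control Zone", "SYN Flood / Scan",
     lambda r: r.get("flow_SYN_flag_count", 0) > 0),
    ("Field Zone", "High Data Exfiltration",
     lambda r: r.get("payload_bytes_per_second", 0) > 1_000_000),
    ("Enterprise Zone", "DDoS-like Activity",
     lambda r: r.get("flow_pkts_per_sec", 0) > 5000),
]

# Simulated IPS actions attached to every alert (names from the page).
IPS_RESPONSE = ["Block IP", "Log Alert", "Simulate IPS"]


def detect_single_event(row):
    """Return an alert dict for the first matching rule, or None for benign.

    A row missing a feature is treated as 0 for that feature instead of
    raising, so a malformed record cannot stop the engine.
    """
    for zone, attack_type, predicate in RULES:
        if predicate(row):
            return {"zone": zone, "type": attack_type, "response": IPS_RESPONSE}
    return None


def run_ids(rows):
    """Run the engine over many flows; return (alerts, alert count per zone)."""
    alerts = [a for a in (detect_single_event(r) for r in rows) if a]
    return alerts, Counter(a["zone"] for a in alerts)


# Constructed sample flows (values are made up, not taken from the dataset).
SAMPLE_ROWS = [
    # hping SYN flood: matches both SYN and pps rules; Control Zone wins.
    {"flow_SYN_flag_count": 12, "flow_pkts_per_sec": 9000, "payload_bytes_per_second": 0},
    # IoT camera pushing far more payload than its normal pattern.
    {"flow_SYN_flag_count": 0, "flow_pkts_per_sec": 40, "payload_bytes_per_second": 2_500_000},
    # UDP packet flood: no SYN flags, only a high packet rate.
    {"flow_SYN_flag_count": 0, "flow_pkts_per_sec": 6500, "payload_bytes_per_second": 500},
    # Benign MQTT publish; record deliberately lacks the payload feature.
    {"flow_SYN_flag_count": 0, "flow_pkts_per_sec": 3},
]

if __name__ == "__main__":
    found, by_zone = run_ids(SAMPLE_ROWS)
    for alert in found:
        print(f"{alert['zone']:16} {alert['type']:24} -> {' · '.join(alert['response'])}")
    print(dict(by_zone))
```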
02 — Threat Coverage
10+ Detected Attack Types
01 DOS_SYN_Hping · DoS
02 DDOS_Slowloris · DDoS
03 NMAP_UDP_SCAN · Scan
04 NMAP_TCP_scan · Scan
05 NMAP_XMAS_TREE_SCAN · Scan
06 NMAP_OS_DETECTION · Recon
07 Metasploit_Brute_Force_SSH · Brute Force
08 ARP_poisioning · ARP Spoof
09 Thing_Speak · Normal
10 MQTT_Publish · IoT Proto
03 — Analytics Output
15+ Visualization Types
Attack Type Distribution
Detected Alerts by Zone (3 zones): Control Zone, SYN Flood: 72% · Enterprise Zone, DDoS: 20% · Field Zone, Exfiltration: 8%
Attack Intensity Over Time: DOS_SYN_Hping (dominant), ARP_poisoning, NMAP scans
Normal vs Attack Traffic Split: Attack Traffic ~87% · Normal (Thing_Speak) ~6% · Normal (MQTT_Publish) ~4% · Normal (Wipro_bulb) ~3%
⚠ Dataset is heavily skewed toward DoS-based attacks — important for IDS threshold calibration
04 — New Extension
Live Device Integration
🔴 NEW · Real-Time Firewall & IDS/IPS Live Connection Feature

This extension moves the framework beyond static dataset analysis into live network monitoring — connecting directly to physical firewalls, IDS appliances (Snort/Suricata), and compatible cyber security devices for real-time alert ingestion and automated response.

INTEGRATION ARCHITECTURE
🔥 Firewall (pfSense / Fortinet / Cisco) [NEW]: syslog feed → Python socket listener on UDP 514
  ↓ syslog stream
🛡️ IDS/IPS Engine (Snort / Suricata) [NEW]: alert output via unified2 / EVE JSON socket
  ↓ parsed alert stream
🧠 IoT/OT Detection Engine [LIVE]: apply existing rule-based logic to live traffic
  ↓ zone classification
Automated IPS Response [NEW]: iptables block · SNMP trap · webhook alert
LIVE INTEGRATION CODE
# Live syslog listener: replace the CSV with real traffic.
# Assumes the framework's detect_single_event() and send_webhook_alert()
# plus the extract_* feature parsers are defined elsewhere in the project.
import socket
import subprocess

class LiveIDSEngine:
    def __init__(self, host='0.0.0.0', port=514):
        # UDP syslog is unauthenticated: bind on the management interface only.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))

    def parse_syslog(self, raw):
        # Extract the flow features used by the rule engine, plus the
        # offending host's address carried in the message (extract_src_ip
        # is an assumed helper in the same style as the other extractors).
        return {
            'flow_SYN_flag_count': self.extract_syn(raw),
            'flow_pkts_per_sec': self.extract_pps(raw),
            'payload_bytes_per_second': self.extract_bps(raw),
            'src_ip': self.extract_src_ip(raw),
        }

    def listen(self):
        while True:
            data, addr = self.sock.recvfrom(4096)
            # errors='replace' keeps one malformed line from killing the loop.
            row = self.parse_syslog(data.decode('utf-8', errors='replace'))
            alert = detect_single_event(row)
            if alert:
                # Block the host named in the event, not addr[0]: that is the
                # firewall sending the syslog, and blocking it would cut the feed.
                self.trigger_ips(alert, row['src_ip'])

    def trigger_ips(self, alert, ip):
        # Block at the firewall via iptables; argument list, no shell string.
        subprocess.run(['iptables', '-A', 'INPUT', '-s', ip, '-j', 'DROP'], check=False)
        send_webhook_alert(alert, ip)
05 — Outcomes
System Results & Capabilities
100K+ Alerts Generated
3 Zone Classifications
15+ Graph Outputs
10+ Attack Types Detected
⚠️ Known Limitations
Static thresholds — rule-based logic may not adapt to evolving attack patterns and may generate false positives under unusual traffic conditions.
Static dataset only — operates on RT-IoT2022 CSV rather than live real-time traffic (addressed in the new Live Integration feature above).
Simulated IPS — response actions such as blocking IPs are simulated in software, not enforced at the network layer (also addressed in Live Integration).
Limited protocol depth — does not perform deep application-layer inspection for advanced persistent threats.
🚀 Future Enhancements
ML-based anomaly detection — integrate Isolation Forest or Autoencoder models for adaptive, threshold-free detection of unknown attacks.
Real-time traffic monitoring — live syslog ingestion from firewalls, Snort/Suricata, and compatible IoT security appliances (in progress above).
SIEM integration — connect to Splunk or OpenSearch for centralized analysis, correlation across devices, and automated playbook response.
Deep packet inspection — extend protocol-level analysis to application layer for detection of encrypted tunneling and advanced exfiltration techniques.
06 — Data Foundation
Dataset & Tools
📡
RT-IoT2022 Dataset
Primary · Real-Time IoT Network Traffic
Kaggle/UCI dataset containing labeled real-world IoT network traffic with 10+ attack types. Includes flow-level features: SYN flag counts, packet rates, payload bytes per second, protocol types, and service identifiers — directly aligned with the detection logic.
PRIMARY DATASET
🛠️
Tech Stack
Python 3.11 · VS Code · Libraries
Built entirely in Python using Pandas for data manipulation and alert generation, Matplotlib for 15+ visualization types, and standard library modules for file I/O and random sampling. Designed for simplicity, transparency, and suitability for resource-constrained IoT environments.
LIGHTWEIGHT & PORTABLE
07 — Contributions
Project Team
HA
Hassaan Alrifai
Lead · Architect + Developer
AA
Aliaa Abusultan
Analyst
RT
Ryan Tapp
Analyst
UK
Usman Quddus Khan
Analyst
Intelligent Intrusion Detection System · CSAI · Cybersecurity & Artificial Intelligence