Graduation Project Product

Network intrusion detection that scales as Kubernetes worker pods.

NURT, Network Utility for Real-Time Detection, is a Kubernetes-native IDS that observes network flows, runs attack detectors in parallel, and issues real-time verdicts so that malicious traffic can be banned before it continues to consume resources.

1-5 detector replicas

Product

A modular IDS control plane for monitored networks.

At completion, NURT is delivered as a running Kubernetes deployment with a management API, an admin dashboard, simulation containers, and reusable detector modules for common attack patterns.

Worker-based monitoring

Each worker is a self-contained IDS unit assigned to a network interface or IP range. Workers can be created, deleted, and reconfigured at runtime through the Management API.

Real-time verdict flow

Feature vectors are published over NATS, detectors vote on the flow, and the decision engine emits BENIGN, HONEYPOT, DROP, or TIMEOUT verdicts according to the configured quorum policy.

Ban enforcement

Malicious flows are written into a pluggable ban store. The feature extractor and MITM simulation bridge both consume ban events and drop later packets from the same source.

Architecture

Packet windows become decisions through an event-driven pipeline.

The system separates packet capture, detection, voting, enforcement, and management. This keeps detector implementations focused and makes the deployment easier to scale horizontally.

01 Traffic: AF_PACKET capture or MITM simulation
02 Feature Extractor: 5-tuple flows, 1 s windows
03 NATS: worker-scoped subjects
04 Detectors: SYN flood, port scan, UDP, LDAP, ETA
05 Decision Engine: quorum voting and bans

Detection logic

Hybrid detectors combine explicit security rules with trained models.

The end product includes detector services with common lifecycle behavior: NATS subscription, health endpoints, heartbeat messages, registry announce/deregister, and runtime enable-disable commands.

SYN flood

Connection pressure detection

  • Flags high SYN rate, abnormal SYN/ACK ratio, and half-open connection ratio.
  • Uses a scikit-learn model with probability thresholding in ML mode.
  • Default hybrid mode blends heuristic and model confidence.

Port scan

Multi-timescale reconnaissance detection

  • Tracks unique destination ports across 1 minute, 5 minute, and 1 hour windows.
  • Uses sequential-port ratio, port entropy, and activity spread.
  • Includes ML support for slow scan profiles.

Extensible

Detector template and registry

  • New detector containers can be added using the shared detector base class.
  • The decision engine learns active detectors through registry messages.
  • Runtime control commands avoid pod restarts during reconfiguration.

Engineering details

Built as a deployable distributed system, not only a prototype script.

The project includes Kubernetes manifests, Docker images, health checks, local simulation, benchmarks, tests, and a dashboard that surfaces workers, verdicts, bans, and registered detectors.

Namespace nurt-ids

Kubernetes resources are grouped with RBAC for management operations.

Messaging NATS

Worker-scoped subjects isolate features, detections, verdicts, bans, registry, and control traffic.

Features ~70

Flow-level metrics include packet rates, TCP flags, inter-arrival stats, and port behavior.

Quorum modes 4

Any, majority, unanimous, and weighted voting can be selected per worker.

worker-1.yaml
worker:
  id: worker-1
  interface: eth0
  ip_ranges:
    - 0.0.0.0/0
  detectors:
    - type: syn-flood
      enabled: true
    - type: port-scan
      enabled: true
  quorum_mode: any
  verdict_threshold: 0.7
  verdict_timeout_ms: 500
  ban_store:
    backend: nats
    default_ban_duration_seconds: 30
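Added example, not NURT's own code: a minimal decision-engine quorum function in Python that reads the worker config above (quorum_mode, verdict_threshold, verdict_timeout_ms, enabled detectors) and reduces detector votes for one flow to BENIGN, DROP or TIMEOUT. The vote shape (confidence in [0, 1] plus arrival delay), the handling of missing votes, and the omission of HONEYPOT (the page does not say how that verdict is chosen) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Vote:
    detector: str      # detector type, e.g. "syn-flood"
    confidence: float  # assumed: probability in [0, 1] that the flow is malicious
    received_ms: int   # assumed: delay between feature publish and this vote

@dataclass
class QuorumPolicy:
    mode: str          # any | majority | unanimous | weighted
    threshold: float   # verdict_threshold from the worker config
    timeout_ms: int    # verdict_timeout_ms from the worker config
    weights: dict = field(default_factory=dict)  # detector -> weight, weighted mode only

# Mirrors worker-1.yaml above as a plain dict (constructed; no YAML parser needed).
WORKER_CONFIG = {
    "quorum_mode": "any", "verdict_threshold": 0.7, "verdict_timeout_ms": 500,
    "detectors": [{"type": "syn-flood", "enabled": True},
                  {"type": "port-scan", "enabled": True}],
}

def policy_from_worker(cfg: dict):
    # Returns (QuorumPolicy, list of detector types expected to vote on each flow).
    policy = QuorumPolicy(cfg["quorum_mode"], cfg["verdict_threshold"], cfg["verdict_timeout_ms"])
    return policy, [d["type"] for d in cfg["detectors"] if d["enabled"]]

def decide(policy: QuorumPolicy, expected: list, votes: list) -> str:
    """Reduce the votes for one flow to BENIGN, DROP or TIMEOUT. Votes later than
    timeout_ms are ignored; a quorum already met by in-time votes gives DROP, and
    otherwise a missing vote gives TIMEOUT (assumed rule, not stated by the page)."""
    in_time = {v.detector: v for v in votes
               if v.detector in expected and v.received_ms <= policy.timeout_ms}
    malicious = [v for v in in_time.values() if v.confidence >= policy.threshold]
    n, complete = len(expected), len(in_time) == len(expected)
    if policy.mode == "any":
        hit = len(malicious) >= 1
    elif policy.mode == "majority":
        hit = 2 * len(malicious) > n
    elif policy.mode == "unanimous":
        hit = len(malicious) == n
    elif policy.mode == "weighted":
        if not complete:
            return "TIMEOUT"  # a late vote could still move the weighted score
        total = sum(policy.weights.get(d, 1.0) for d in expected)
        score = sum(policy.weights.get(d, 1.0) * v.confidence for d, v in in_time.items())
        hit = score / total >= policy.threshold
    else:
        raise ValueError(f"unknown quorum_mode: {policy.mode}")
    return "DROP" if hit else ("BENIGN" if complete else "TIMEOUT")
```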

Completion stage

The completed project demonstrates detection, control, and observability end to end.

NURT can be deployed locally on Kubernetes, exercised through Docker simulation containers, and inspected through its dashboard and HTTP APIs. The system shows the complete loop from traffic generation to feature extraction, detector confidence, decision-engine verdict, ban publication, and later packet drops.

Implemented

Management API, worker lifecycle, NATS subjects, decision engine, ban store abstraction, dashboard.

Validated

Simulation scenarios for normal traffic, SYN flood, and port scan; unit tests for core components.

Prepared for extension

Detector template, common library, Kubernetes manifests, and benchmark scripts for adding detectors for further attack types.

Team

Meet the team behind NURT.

Project Advisor: Ertan Onur, Professor · METU Computer Engineering