Building a Real-Time Cyber Attack Detection System with Raspberry Pi and Hybrid AI

A hands-on cybersecurity project that captures live network traffic using a Raspberry Pi and applies a hybrid detection approach combining rule-based logic and machine learning. The system analyzes traffic in real time, detects attack-like behaviour, and delivers instant alerts via Telegram, demonstrating a practical, end-to-end intrusion detection framework.

Raspberry Pi · Networking · Cyber Security

Sujit

1/29/2026 · 3 min read


Introduction

Cyberattacks are no longer rare or isolated events. From large-scale DDoS attacks to low-rate reconnaissance scans, modern networks face continuous threats that require real-time visibility and intelligent detection.

As part of my hands-on cybersecurity work, I built a Real-Time Cyber Attack Detection System that combines:

  • Raspberry Pi as a lightweight network sensor

  • Machine Learning trained on real-world attack datasets

  • Rule-based detection for immediate anomaly spotting

  • Live Telegram alerts for instant response

This project focuses on turning theoretical security concepts into a working, end-to-end system that monitors live traffic and reacts in real time.

Project Objective

The goal of this project was to design and implement a system that can:

  • Capture live network traffic

  • Extract meaningful flow-level features

  • Detect suspicious behaviour using a hybrid AI approach

  • Send instant alerts when potential attacks are identified

Rather than relying solely on traditional signature-based IDS tools, this system explores a hybrid detection model, combining the strengths of rule-based logic and machine learning.

System Architecture Overview

The system is divided into two primary components:

1. Edge Sensor – Raspberry Pi

The Raspberry Pi acts as a network sensor placed within the local network. Its responsibilities include:

  • Capturing packets in real time using Scapy

  • Aggregating traffic into short time-based flows

  • Extracting lightweight features such as:

    • Packets per second

    • Bytes per second

  • Sending extracted features to a central analysis server

This approach keeps the Pi lightweight and power-efficient while still providing meaningful visibility.

2. Central Analyzer – Machine Learning Server

A Windows-based analysis server performs the heavy lifting:

  • A Random Forest classifier trained on multiple CICIDS2017 datasets

  • A rule-based detection engine for immediate threshold-based alerts

  • A FastAPI service that receives flow data and returns predictions

  • Telegram bot integration for real-time mobile alerts

This separation allows the system to scale and keeps detection logic flexible.
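The edge-sensor step described above (time-windowed flows with packets-per-second and bytes-per-second features) is shown here as an added example; it is not the project's own code. The window length, the analyzer URL and the sample packets are assumptions, and the records are constructed inline rather than captured live so the block runs offline.

```python
from collections import defaultdict
import json
import urllib.request

# Assumed window length; the post only says "short time-based flows".
WINDOW_SECONDS = 2.0
ANALYZER_URL = "http://analysis-server.local:8000/predict"  # placeholder endpoint

def aggregate_flows(packets, window=WINDOW_SECONDS):
    """Group packet records into fixed time windows per (src, dst) pair.

    packets: iterable of (timestamp, src_ip, dst_ip, length_bytes).
    On the Pi these records would come from a Scapy sniff() callback, e.g.
    sniff(filter="ip", prn=lambda p: records.append(
        (float(p.time), p[IP].src, p[IP].dst, len(p)))).
    Returns one dict per window with the two lightweight features the post uses.
    """
    buckets = defaultdict(lambda: [0, 0])  # key -> [packet_count, byte_count]
    for ts, src, dst, length in packets:
        key = (int(ts // window), src, dst)
        buckets[key][0] += 1
        buckets[key][1] += length
    flows = []
    for (widx, src, dst), (pkts, nbytes) in sorted(buckets.items()):
        flows.append({
            "window_start": widx * window,
            "src_ip": src,
            "dst_ip": dst,
            "pps": pkts / window,    # packets per second
            "bps": nbytes / window,  # bytes per second
        })
    return flows

def send_flow(flow, url=ANALYZER_URL, timeout=3):
    """POST one flow record as JSON to the analysis server (needs the server running)."""
    req = urllib.request.Request(url, data=json.dumps(flow).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample traffic: a slow benign exchange, then a burst from another host.
SAMPLE_PACKETS = (
    [(0.0 + i * 0.4, "10.0.0.2", "10.0.0.5", 100) for i in range(5)]
    + [(4.0 + i * 0.004, "10.0.0.9", "10.0.0.5", 1400) for i in range(200)]
)

if __name__ == "__main__":
    for f in aggregate_flows(SAMPLE_PACKETS):
        print(f)
```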

Hybrid Detection Approach

One of the key design decisions was to use a hybrid AI model rather than relying on a single technique.

Rule-Based Detection

Rules provide fast and deterministic detection for obvious anomalies, such as:

  • Sudden spikes in packet rate

  • Unusually high bandwidth consumption

These rules are transparent, easy to tune, and effective for immediate threats.

Machine Learning Detection

The ML model is trained on multiple real-world attack scenarios, including:

  • DDoS attacks

  • Port scanning

  • Infiltration attempts

  • Web-based attacks

The model outputs a probability score (prob_attack) that represents how likely a flow is malicious.

Final Decision Logic

An alert is raised when:

  • A rule is triggered, or

  • The ML model reports a high attack probability

This hybrid approach reduces false positives while still catching fast, high-impact attacks.

Real-Time Alerts and Monitoring

When suspicious activity is detected, the system sends an instant Telegram alert containing:

  • Source IP address

  • Destination IP address

  • Attack probability score

  • Detection reason (rule-based or ML-based)

This mimics how real-world SOC (Security Operations Center) systems notify analysts, providing immediate situational awareness.
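The final decision logic (rule triggered OR high prob_attack) and the alert contents listed above, assembled as one added example that is not the author's code. The threshold values are assumptions and would need the per-environment tuning the post mentions; the flow fields are the two features the edge sensor extracts.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    pps: float  # packets per second
    bps: float  # bytes per second

# Assumed thresholds; the post notes these must be tuned manually per environment.
PPS_THRESHOLD = 500.0        # packets/s treated as a sudden spike
BPS_THRESHOLD = 5_000_000.0  # bytes/s treated as unusual bandwidth use
ML_THRESHOLD = 0.80          # prob_attack at or above this counts as "high"

def rule_reasons(flow):
    """Deterministic checks for the two anomalies the post's rules target."""
    reasons = []
    if flow.pps > PPS_THRESHOLD:
        reasons.append(f"rule: packet rate {flow.pps:.0f} pps exceeds {PPS_THRESHOLD:.0f}")
    if flow.bps > BPS_THRESHOLD:
        reasons.append(f"rule: bandwidth {flow.bps:.0f} B/s exceeds {BPS_THRESHOLD:.0f}")
    return reasons

def decide(flow, prob_attack):
    """Hybrid decision: alert if any rule fires OR the ML score is high."""
    reasons = rule_reasons(flow)
    if prob_attack >= ML_THRESHOLD:
        reasons.append(f"ml: prob_attack={prob_attack:.2f} >= {ML_THRESHOLD:.2f}")
    return bool(reasons), reasons

def format_alert(flow, prob_attack, reasons):
    """Telegram message body carrying the four fields listed in the post."""
    return "\n".join([
        "ALERT: suspicious flow detected",
        f"Source IP: {flow.src_ip}",
        f"Destination IP: {flow.dst_ip}",
        f"Attack probability: {prob_attack:.2f}",
        "Detection reason: " + "; ".join(reasons),
    ])

if __name__ == "__main__":
    # Constructed flow: a packet-rate spike with a middling ML score.
    f = Flow("10.0.0.9", "10.0.0.5", pps=900.0, bps=1_260_000.0)
    alert, why = decide(f, 0.42)
    if alert:
        print(format_alert(f, 0.42, why))
```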

Testing and Evaluation

The system was tested under multiple scenarios:

Normal Traffic

  • Web browsing

  • Streaming

  • Background system updates

These flows were correctly classified as benign, with low attack probability scores.

Synthetic Attack Traffic

  • High-rate traffic generation

  • Network scanning behaviour

These scenarios resulted in:

  • Increased packet and byte rates

  • Elevated ML attack probability

  • Successful real-time alerts via Telegram

The results demonstrate that the system can differentiate between normal and attack-like behaviour in real time.

Key Learnings

This project reinforced several important cybersecurity principles:

  • Real-time detection requires both speed and intelligence

  • Edge devices like Raspberry Pi are effective for distributed monitoring

  • Machine learning works best when combined with domain knowledge and rules

  • Visibility and alerting are just as important as detection itself

Most importantly, building the system end-to-end provided insight into the practical challenges of real-world security monitoring, such as feature selection, threshold tuning, and false positives.

Limitations and Future Improvements

While functional, the system has clear areas for enhancement:

  • Runtime features are simplified compared to training datasets

  • Thresholds require manual tuning per environment

  • No automated mitigation (e.g., firewall blocking) yet

Planned future work includes:

  • Adding more flow features

  • Multi-node Raspberry Pi deployment

  • Automated response actions

  • Dashboard-based visualisation

  • Online learning and adaptive models

Conclusion

This project demonstrates how theoretical cybersecurity concepts can be transformed into a practical, real-time detection system using affordable hardware and open-source tools.

By combining Raspberry Pi, machine learning, and intelligent alerting, the system provides a strong foundation for scalable and modern intrusion detection research.