B.TECH GRADUATION MAJOR PROJECT · CSE · 2026

Smart Firewall
With AI & Cloud

Detect · Enforce · Share

A three-component network defence system that combines machine learning based attack detection, kernel-level firewall enforcement, and real-time cloud threat intelligence sharing across firewall instances.

View Source on GitHub Learn More

94.6%Macro F1 (5-fold CV)

12/13Attack Variants Caught

6Attack Classes

<10sDetection Latency

12Flow Features

The Problem

Why We Built This

Traditional firewalls filter traffic using fixed rules based on port numbers, IP addresses, and protocols. They cannot detect attacks whose identity only emerges from patterns of behaviour across many packets over time. A port scan looks normal packet by packet. A brute-force attempt looks like ordinary login traffic. A Slowloris attack looks like a slow but legitimate connection. We built a system that learns what these attacks actually look like in practice.

What It Does

Captures live network traffic, aggregates packets into ten-second windows per source address, computes statistical features, and classifies each window as benign or one of five attack types using a hybrid rule-plus-machine-learning approach. When an attack is detected, the system automatically blocks the source at the kernel level and shares the event with peer firewall instances through a cloud database.

How It Is Different

Unlike a pure rule-based firewall, the model learns from real captured attack traffic generated in the actual deployment environment rather than a generic public dataset. Unlike a pure ML detector, it layers deterministic rules on top of the model so obvious attacks are caught immediately. The result is a hybrid that is both fast and accurate, with a dashboard for human oversight and approval.

System Design

Three-Tier Architecture

The system is split into three independent components that communicate through documented contracts. Each component can be run, tested, and modified without changing the others.

🧠

AI Detection

ai/

Opens a raw socket on the network interface and captures packets in real time using Scapy. Aggregates packets per source address into ten-second rolling windows and computes twelve statistical flow features per window. Runs deterministic rules first, then a Random Forest model for ambiguous cases. When an attack is detected above a confidence threshold, appends a JSON event to a shared contract file and writes a heartbeat so the agent can verify the detector is alive.

detector.py sfw_model.joblib dataset.csv

🛡

Firewall Agent

agent/

The enforcement layer. Tails the shared JSON events file, parses each new alert, and applies iptables DROP rules at the kernel level. Supports automatic mode (blocks immediately) and manual mode (queues for human approval). Blocks auto-expire after five minutes. A tabbed dashboard shows live alerts, pending approvals, blocked addresses, and the detector log. The agent also launches and monitors the detector subprocess.

main.py enforcer.py gui.py database.py

☁

Cloud Intelligence

agent/cloud_hooks.py

Publishes every detection event and block decision to Firebase Realtime Database. Subscribes to block decisions from every other connected firewall node and applies them locally so an attack seen on one node pre-emptively protects others. Runs in a background thread and degrades gracefully if the cloud is unreachable, keeping the core system working in offline mode.

cloud_hooks.py Firebase RTDB

Data Flow

Attacker
Traffic

→

Scapy
Sniffer

→

Rolling
Buffer (10s)

→

12 Feature
Vector

→

Rules +
Random Forest

→

events.jsonl
(contract)

→

Agent +
iptables

→

Firebase
Cloud

# Live detector output — port scan detected by rule, brute force by ML
[14:25:36] src=192.168.254.20 pred=port_scan conf=0.490 pkts=1118 ports=559
[14:25:39] RULE src=192.168.254.20 pred=port_scan conf=1.000 pkts=3262 ports=1635
-> emitted: port_scan (block)
[14:55:49] ALERT src=192.168.254.20 pred=brute_force_ssh conf=0.980 pkts=64
-> emitted: brute_force_ssh (block)
[14:56:38] ALERT src=192.168.254.20 pred=dos_flood conf=0.780 pkts=4241
-> emitted: dos_flood (rate_limit)

Evaluation

Performance Results

The model was evaluated under five-fold stratified cross-validation and tested live against thirteen attack variants including tools and protocols not seen during training.

Cross-Validation Summary

Macro F1 Mean94.6%

Standard Deviation±7.9%

Folds5 stratified

Training Samples123 windows

AlgorithmRandom Forest

Test Set Accuracy96.8%

Per-Class F1 Score (Test Set)

benign1.000 ✓

port_scan1.000 ✓

brute_force_ftp1.000 ✓

dos_flood1.000 ✓

brute_force_ssh0.909 ✓

dos_slow0.667 (small sample, n=9)

Top Feature Importances

mean_pkt_size19.8%

mean_iat12.3%

byte_count11.9%

std_pkt_size11.0%

pkt_count10.7%

unique_dst_ips0.000 (zero variance in env)

Live Generalisation Tests

nmap SYN scanDETECTED ✓ (rule)

masscan — different toolDETECTED ✓ (rule)

nmap FIN scan, no SYN flagsDETECTED ✓ (rule)

hydra SSH brute forceDETECTED ✓ (ml)

medusa — different toolDETECTED ✓ (ml)

hping3 SYN / UDP / ICMP floodDETECTED ✓ (rule)

slowhttptest SlowlorisDETECTED ✓ (rule)

nmap -T2 slow scanMISSED — known limitation

Honest Assessment

Known Limitations

These are real constraints, not disclaimers.

Environment-Specific Model The classifier was trained on traffic captured in a specific VirtualBox host-only network between two virtual machines. Deploying on a different network topology or hardware platform will likely require re-capturing training data and retraining the model. It is tuned for this deployment, not for a generic network.
Limited to Trained Attack Classes The system can only identify the five attack types it was trained on: port scanning, SSH brute force, FTP brute force, volumetric denial of service, and slow-rate denial of service. Any attack outside these categories will be classified as the nearest known class rather than flagged as unknown. It does not perform anomaly detection.

Technology

Built With

🐍

Python 3.12

Core language

📡

Scapy

Packet capture

🤖

scikit-learn

Random Forest

🔢

NumPy / Pandas

Feature engineering

🔥

Firebase RTDB

Cloud sync

🛡

iptables

Enforcement

🖥

customtkinter

Dashboard GUI

🗄

SQLite

Local logging

The Team

Who Built What

Animesh Mamgain

AI Detection

Designed and built the entire AI component: dataset capture in a controlled lab environment, feature engineering, model training and cross-validation, the hybrid rule-plus-ML classifier, and the live detector script. Responsible for the integration contract between the detection and enforcement tiers.

Priyanshu Bisht

Firewall Agent

Built the firewall enforcement layer: the iptables-based blocker, auto-unblock timer, event consumer, local SQLite log, alert store, and the customtkinter dashboard with auto and manual blocking modes. Integrated the agent with the AI detector through the shared events contract.

Princy Samant

Cloud Integration

Implemented the Firebase Realtime Database integration: publishing threat events and block decisions from each node, maintaining the peer block index, and pulling shared blocklists so every connected firewall benefits from what any node detects. Also contributed to project documentation and research.

Smart FirewallWith AI & Cloud

Why We Built This

What It Does

How It Is Different

Three-Tier Architecture

AI Detection

Firewall Agent

Cloud Intelligence

Performance Results

Cross-Validation Summary

Per-Class F1 Score (Test Set)

Top Feature Importances

Live Generalisation Tests

Known Limitations

Built With

Who Built What

Smart Firewall
With AI & Cloud