Skip to content

README.md

Latest commit

 

History

History
275 lines (203 loc) · 10 KB

README.md

File metadata and controls

275 lines (203 loc) · 10 KB

🔐 AI CyberLog Analyzer - CyberGuard SOC Dashboard

🛡️ Project Overview

AI CyberLog Analyzer (CyberGuard) is a futuristic SOC (Security Operations Center) style cybersecurity dashboard that analyzes log files, detects suspicious activities, and visualizes threats in real-time using an eye-catching cyber-themed interface.

It is designed for: - 🔵 Blue Team Learning - 🛰️ SOC Dashboard Simulation - 📊 Log Intelligence & Threat Detection - 🔐 Cybersecurity Portfolio Projects

The system supports multi-format log parsing, AI-driven insights, MITRE ATT&CK mapping, and real-time cyber threat visualization.

🔷 System Architecture Diagram

flowchart TD
    A[User Uploads Log File] --> B[Frontend Dashboard Interface]
    
    B --> C[File Validation and Preprocessing]
    C --> D[Backend Analysis API]
    
    D --> E[Log Processing Engine]
    
    E --> F[Log Parsing Module]
    E --> G[Feature Extraction Module]
    E --> H[Metadata and Pattern Analysis]
    
    F --> I[AI Analysis Engine]
    G --> I
    H --> I
    
    I --> J[Anomaly and Threat Detection]
    
    J --> K[Risk Classification Layer]
    
    K --> L[Analysis Report Generator]
    
    L --> M[Database Storage]
    M --> N[Log Records and Analysis History]
    
    L --> O[JSON Response to Frontend]
    
    O --> P[Visualization Dashboard]
    P --> Q[Threat Insights Panels]
    P --> R[Charts and Log Statistics]
    P --> S[Alert and Anomaly Reports]
Loading

⚙️ Detailed System Workflow

1️⃣ Log Input Layer

Users can upload logs in multiple formats: - .log - .txt - .json - .csv - Apache/Nginx access logs

OR use live stream simulation for real-time SOC experience.

2️⃣ Frontend --- CyberGuard Dashboard

Built using: - React + Vite - Tailwind CSS (Cyber Theme) - Recharts (Data Visualization) - Framer Motion (Animations)

Main Modules: - Dashboard (Threat Analytics) - Upload Logs Panel - Live Stream Viewer - AI Analysis Section - MITRE ATT&CK Mapping Panel - Recent Analysis Sessions

3️⃣ Backend Processing (Node.js + Express)

The backend handles: - Secure file uploads - REST API communication - Log analysis orchestration - Real-time data processing - Threat detection routing

4️⃣ Log Parsing Engine (Core Intelligence)

The parser extracts key attributes: - Timestamp - IP Address - Event Type - Status Codes - Users & Endpoints

Detection Methods: - Regex pattern matching - Frequency analysis - Behavioral correlation - Event classification

5️⃣ Threat Detection Engine (Blue-Team Logic)

Detects: - 🔴 Brute Force Attacks (Multiple failed logins) - 🟠 Credential Stuffing - 🟡 Unauthorized Access (401/403) - 🟣 DDoS Patterns (Request spikes) - 🔵 IP Anomalies - ⚠️ Privilege Escalation Attempts

Example Rule: IF failed_logins_from_same_IP > 5 within 60 seconds
→ Flag as Brute Force Attack (HIGH Severity)

6️⃣ AI Analysis Module

Provides intelligent insights: - Automated threat summaries - Risk scoring - Behavior explanation - Human-readable cyber analysis

Example Output: "Possible brute force attack detected from IP 185.243.44.12 with multiple failed login attempts within a short time window."

7️⃣ Database Layer (SQLite)

Why SQLite: - No external DB setup - Lightweight & portable - Auto-created on first run - Perfect for GitHub cloning - No MongoDB / No Supabase

Stored Data: - Uploaded Logs - Threat Results - Analysis Sessions - IP Activity Metrics

8️⃣ Visualization & SOC Dashboard Output

Displayed Analytics: - Threat Severity Pie Chart - Top IP Activity Graph - Threat Breakdown Chart - Unique IP Counter - Logs Processed Counter - Recent Threat Table

🔍 MITRE ATT&CK Mapping

Attack Type MITRE ID Description
Brute Force T1110 Credential Guessing
Unauthorized Access T1078 Valid Accounts Abuse
DDoS Pattern T1498 Network Denial of Service
Privilege Escalation T1068 Exploitation for Privilege

🚀 Installation (Clone & Run)

git clone https://github.com/LoganthP/AI-CyberLog-Analyzer.git
cd AI-CyberLog-Analyzer
npm install
npm run dev

⚡ SQLite database auto-generates on first run (Zero configuration required)

✨ Features

Core Functionality

  • 📤 Smart Log Upload — Drag & drop .log, .txt, .json, .csv files with preview
  • 📡 Real-Time Streaming — WebSocket-based SIEM-style live log feed with terminal UI
  • 🧠 AI Anomaly Detection — Rule + heuristic hybrid engine with natural-language summaries
  • 🛡️ MITRE ATT&CK Mapping — Auto-map threats to framework techniques with visual badges
  • 📊 Interactive Analytics — Recharts-powered dashboards with pie, bar, and line charts

Detection Engine (Blue-Team Logic)

Threat Type Description MITRE ID
Brute Force Attack >5 failed logins from same IP in 60s T1110
DDoS Pattern >100 requests/min from single IP T1498
Exploit Attempt SQL injection, XSS, path traversal T1190
Reconnaissance Directory/service scanning T1046
Unauthorized Access Repeated admin panel probing T1133
Suspicious Tool Known scanner user-agents (Nikto, sqlmap, Nmap) T1595
Auth Failures Clusters of 401/403 responses T1078

UI/UX

  • 🌑 Futuristic cyber-dark theme (#0A0F1F)
  • ✨ Neon glow accents (cyan, purple, blue)
  • 🔲 Glassmorphism cards with backdrop blur
  • 🎬 Framer Motion animations throughout
  • 📟 Terminal-style live log viewer
  • 📱 Fully responsive design

📂 Project Structure

cyber-log-analyzer/
├── client/                    # React Frontend
│   ├── src/
│   │   ├── components/        # Layout, Sidebar, ThreatBar
│   │   ├── pages/             # Dashboard, Upload, LogStream, Analysis, MitreAttack
│   │   ├── hooks/             # useWebSocket custom hook
│   │   ├── utils/             # Axios API client
│   │   ├── App.jsx            # Router + routes
│   │   ├── main.jsx           # Entry point
│   │   └── index.css          # Global styles + cyber theme
│   ├── tailwind.config.js     # Custom theme config
│   ├── vite.config.js         # Vite + proxy config
│   └── package.json
├── server/                    # Express Backend
│   ├── routes/
│   │   └── logs.js            # API endpoints
│   ├── db.js                  # SQLite setup + MITRE seeding
│   ├── index.js               # Server entry point
│   └── package.json
├── parser/                    # Detection Engine
│   ├── logParser.js           # Multi-format log parser
│   ├── detectionEngine.js     # 7 threat detection rules
│   └── aiAnalyzer.js          # AI analysis + risk scoring
├── websocket/
│   └── streamManager.js       # WebSocket + simulated stream
├── database/
│   ├── schema.sql             # Reference SQL schema
│   ├── sample.log             # Test log file
│   └── logs.db                # Auto-generated SQLite DB
├── .env.example               # Environment template
├── .gitignore
├── package.json               # Root scripts
└── README.md

🧱 Tech Stack

Layer Technology Purpose
Frontend React 18 + Vite Fast development & build
Styling Tailwind CSS Utility-first cyber theme
Animations Framer Motion Smooth micro-interactions
Charts Recharts Interactive data visualization
Icons Lucide React Consistent icon system
Backend Node.js + Express REST API server
Real-time WebSocket (ws) Live log streaming
Database SQLite (better-sqlite3) Zero-config portable DB
Security Helmet + Rate Limiter API hardening

🔐 Security & Performance

  • Secure file validation
  • Async log parsing (high performance)
  • Large log file support
  • Modular scalable architecture
  • Robust error handling

🌟 Future Enhancements

  • Real-time WebSocket Log Streaming
  • AI Threat Explanation (LLM Integration)
  • PDF Threat Report Export
  • Geo-IP Visualization Map
  • Machine Learning Anomaly Detection
  • Alert Notification System