WeSearch

Catching Hackers with Math: How I Built a Self-Healing Server

#cybersecurity#anomaly detection#self-healing server#z-score#devsecops
TL;DR (AI summary)

A developer built a self-healing server that uses statistical anomaly detection to identify and block hacking attempts without disrupting legitimate traffic. Instead of fixed rules, the system establishes a rolling baseline of normal activity and uses the Z-score to detect abnormal behavior. When an attack is detected, the server automatically blocks the offending IP and sends an alert, then unblocks it after 10 minutes to avoid permanent bans for accidental spikes. This approach combines simple math with automation to create adaptive, responsive cybersecurity.

Original article: DEV Community

Full article excerpt

Ajibola Anjorin · Posted on Apr 28
Catching Hackers with Math: How I Built a Self-Healing Server
#beginners #cybersecurity #security #showdev

If you’ve never worked in cybersecurity before, the word "DevSecOps" sounds intimidating. It sounds like you need to be in a dark room wearing a hoodie, typing furiously to stop hackers. But in reality? Good security isn't about typing fast. It’s about building smart alarms.

For my latest engineering project, I built an Anomaly Detection Engine from scratch. Here is a beginner-friendly breakdown of how I used simple math to teach a server to defend itself.

The Problem: Hard-Coded Rules Fail

Imagine you run a popular online store. You tell your bouncer (your firewall): "If anyone tries to enter the store more than 10 times a second, kick them out! They must be a hacker doing a brute-force attack." That works great on a normal Tuesday. But what happens on Black Friday? Suddenly, hundreds of real customers are rushing the doors. Your bouncer kicks them all out, and your business crashes. Hard-coded limits don't adapt to reality.

The Solution: The "Resting Heartbeat"

Instead of a strict rule, my security engine calculates a Rolling Baseline. Think of this as the server's resting heartbeat. Every single minute, a background script looks at the traffic and says, "Okay, right now, we are averaging about 1 request per second." If traffic slowly builds up over the afternoon (like a Black Friday sale), the baseline adjusts to accept it as the new normal.

The Trigger: The Z-Score (The Conveyor Belt)

To catch actual attacks, the engine uses a 60-second "Sliding Window"—like a conveyor belt of incoming traffic. It tracks every IP address on that belt and compares them to our baseline heartbeat using a mathematical formula called a Z-Score. A Z-Score tells us exactly how "weird" a spike in traffic is. In my engine, the alarm triggers if an IP hits a Z-Score of 3.0. In the world of statistics, anything past a 3.0 means there is a 99.7% chance that this spike is a massive anomaly, not just an enthusiastic user. (During testing, I accidentally triggered a Z-Score of 40.17! The engine didn't hesitate.)

The Trapdoor: Auto-Banning and Slack Alerts

When the math catches an attacker, the engine doesn't wait for a human to respond. It takes immediate action:

The Block: It talks directly to the server's core firewall (iptables) and drops all network traffic from that specific IP address instantly.
The Alert: It sends a formatted alert directly to my phone via Slack, showing me the attacker's IP and how hard they tried to hit the server.
The Recovery: It starts a 10-minute timer. When the timer expires, it automatically unbans the IP. This ensures that if a real user's device just glitched out, they aren't permanently banned.

Conclusion

Building this taught me that modern security isn't just about building taller walls; it’s about building smarter sensors. By combining simple statistics with automated firewalls, you can build a server that heals itself while you sleep!
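The sliding window, rolling baseline, Z-score trigger and timed unban described in the excerpt, worked through as an added Python example. This is my illustration, not the article's or the author's engine. It assumes a per-IP baseline built from the window counts sampled at each minute tick, a floor on the standard deviation so a perfectly flat baseline cannot alarm on a single extra request, and constructed traffic from documentation-range IP addresses; the iptables and Slack calls are stand-ins that only record the decision. The Z-score used is (count - baseline mean) / baseline standard deviation.

```python
"""Added example, not the article's code: a z-score anomaly engine with a
60-second sliding window, a rolling per-IP baseline and timed auto-unban.
The baseline design (per-IP window counts folded in once a minute) and the
sigma floor are assumptions; the article does not spell them out."""
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW_SECONDS = 60     # the article's 60-second sliding window
Z_THRESHOLD = 3.0       # the article's alarm threshold
BAN_SECONDS = 600       # the article's 10-minute auto-unban
MIN_SIGMA = 1.0         # assumption: floor so a flat baseline can't make z explode


class AnomalyEngine:
    def __init__(self, window=WINDOW_SECONDS, threshold=Z_THRESHOLD, ban_for=BAN_SECONDS):
        self.window, self.threshold, self.ban_for = window, threshold, ban_for
        self.events = deque()              # (timestamp, ip), oldest first, inside the window
        self.baseline = deque(maxlen=60)   # recent per-IP window counts (assumed: last 60 samples)
        self.bans = {}                     # ip -> timestamp at which the ban lifts
        self.alerts = []                   # what the article would post to Slack

    def _prune(self, now):
        """Drop events that fell off the belt and lift expired bans (The Recovery)."""
        while self.events and self.events[0][0] <= now - self.window:
            self.events.popleft()
        for ip in [ip for ip, until in self.bans.items() if now >= until]:
            del self.bans[ip]

    def window_counts(self):
        counts = defaultdict(int)
        for _, ip in self.events:
            counts[ip] += 1
        return counts

    def zscore(self, count):
        """How many baseline standard deviations an IP's window count sits above the mean."""
        if len(self.baseline) < 2:
            return 0.0  # no heartbeat yet: never alarm on an empty baseline
        sigma = max(pstdev(self.baseline), MIN_SIGMA)
        return (count - mean(self.baseline)) / sigma

    def tick(self, now):
        """The once-a-minute background script: fold current per-IP counts into the baseline."""
        self._prune(now)
        for count in self.window_counts().values():
            self.baseline.append(count)

    def record(self, now, ip):
        """Feed one request. Returns the IP's z-score, or None if the IP is banned."""
        self._prune(now)
        if ip in self.bans:
            return None  # would be dropped by the firewall rule; never reaches the app
        self.events.append((now, ip))
        count = self.window_counts()[ip]
        z = self.zscore(count)
        if z >= self.threshold:
            self.block(ip, now, count, z)
        return z

    def block(self, ip, now, count, z):
        """The Trapdoor: ban and alert. A live engine would run
        iptables -I INPUT -s <ip> -j DROP here and POST to a Slack webhook;
        this stand-in only records the decision."""
        self.bans[ip] = now + self.ban_for
        self.alerts.append({"ip": ip, "count": count, "z": round(z, 2),
                            "unban_at": now + self.ban_for})


def run_demo():
    """Constructed traffic: three steady clients for three minutes, then a burst."""
    engine = AnomalyEngine()
    # ip -> seconds between requests (constructed, documentation-range addresses)
    clients = {"198.51.100.10": 10, "198.51.100.11": 15, "198.51.100.12": 20}
    for t in range(0, 181):
        for ip, period in clients.items():
            if t % period == 0:
                engine.record(t, ip)
        if t and t % 60 == 0:
            engine.tick(t)             # baseline samples become 6, 4, 3 per window, repeated

    attacker = "203.0.113.99"
    dropped = 0
    for i in range(20):                # 20 requests inside one second
        if engine.record(181 + i / 100, attacker) is None:
            dropped += 1
    banned_during = attacker in engine.bans

    engine.record(800, attacker)       # more than 10 minutes later the ban has lifted
    return {"alerts": engine.alerts, "dropped_requests": dropped,
            "banned_during_attack": banned_during,
            "banned_after_expiry": attacker in engine.bans}


if __name__ == "__main__":
    print(run_demo())
```

With this traffic the baseline mean is 4.33 requests per window with a standard deviation of about 1.25, so the attacker crosses 3.0 on its ninth request in the window (z ≈ 3.74); the eight before it score below the threshold, the eleven after it are dropped while the ban is in force, and the request at t=800 is accepted again because the 10-minute timer has expired. The sigma floor is the caveat worth keeping: with a single steady client the baseline has zero spread, and without a floor the first extra request would divide by zero or score as an infinite anomaly.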

This excerpt is published under fair use for community discussion. Read the full article at DEV Community.

