How I Built an Adaptive "Immune System" for Cloud Traffic
Wandile Ndlovu developed an adaptive defense system for cloud traffic that learns normal behavior and detects anomalies in real time. The system uses statistical analysis, sliding windows, and dynamic baselines to identify suspicious activity on a Nextcloud instance. It automatically enforces bans via iptables and provides real-time observability through a custom UI.
- The system uses a time-based sliding window with Python's deque to track requests within the last 60 seconds.
- It establishes a baseline of normal traffic by collecting 30 minutes of data and recalculating mean and standard deviation every minute.
- Anomalies are detected using a Z-score greater than 3.0 or a 5x increase over baseline, with stricter thresholds for high error rates.
- Banned IPs are managed through escalating iptables DROP rules and a backoff schedule ranging from 10 minutes to permanent bans.
- A Flask-based UI provides real-time metrics including request rates, banned IPs, and system health.
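The detection pipeline summarised above (60-second deque window, a rolling mean/standard deviation baseline, the Z > 3.0 or 5x rules with a stricter cutoff under high error rates, and an escalating backoff) can be shown end to end in a few dozen lines. The block below is an added example written for this page, not the author's code; the exact "high error rate" cutoff, the stricter Z threshold, and the middle steps of the backoff schedule are not given in the summary and are assumptions here. It only returns a ban decision; wiring that decision to an iptables DROP rule is left to the caller.

```python
"""Sliding-window rate tracking, dynamic baseline and backoff bans (added example)."""
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW_SECONDS = 60            # sliding window length from the article
BASELINE_SAMPLES = 30          # one per-minute sample for 30 minutes, as in the article
Z_THRESHOLD = 3.0              # article: Z-score > 3.0
MULTIPLIER_THRESHOLD = 5.0     # article: 5x over baseline
ERROR_RATE_STRICT = 0.5        # assumption: the summary does not say what "high" is
Z_THRESHOLD_STRICT = 1.5       # assumption: the stricter Z cutoff is not given either
BACKOFF_MINUTES = [10, 60, 360, 1440, None]  # assumed middle steps; None = permanent


class SlidingWindow:
    """Requests seen in the last WINDOW_SECONDS; oldest event sits at the left."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = deque()  # (timestamp, is_error)

    def add(self, ts, is_error=False):
        self.events.append((ts, is_error))
        self._evict(ts)

    def _evict(self, now):
        cutoff = now - self.window
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()

    def rate(self, now):
        self._evict(now)
        return len(self.events)

    def error_rate(self, now):
        self._evict(now)
        if not self.events:
            return 0.0
        return sum(1 for _, err in self.events if err) / len(self.events)


class Baseline:
    """Rolling mean / stdev of per-minute request counts over the last 30 samples."""

    def __init__(self, size=BASELINE_SAMPLES):
        self.samples = deque(maxlen=size)

    def record(self, per_minute_count):
        self.samples.append(per_minute_count)

    def ready(self):
        return len(self.samples) == self.samples.maxlen

    def stats(self):
        return mean(self.samples), pstdev(self.samples)


def is_anomalous(rate, err_rate, base_mean, base_std):
    """Z-score rule or 5x rule; a high error rate lowers the Z cutoff."""
    z_limit = Z_THRESHOLD_STRICT if err_rate >= ERROR_RATE_STRICT else Z_THRESHOLD
    # A flat baseline (stdev 0) would make every deviation infinite, so the Z rule
    # is skipped there and only the multiplier rule applies.
    z = (rate - base_mean) / base_std if base_std > 0 else 0.0
    return bool(z > z_limit or (base_mean > 0 and rate >= MULTIPLIER_THRESHOLD * base_mean))


def ban_minutes(strike):
    """Escalating backoff: strike 1 -> 10 min ... final step -> None (permanent)."""
    idx = min(strike, len(BACKOFF_MINUTES)) - 1
    return BACKOFF_MINUTES[idx]


class Sentinel:
    """Per-IP windows plus a shared baseline; returns a ban decision, never runs iptables."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.windows = defaultdict(SlidingWindow)
        self.strikes = defaultdict(int)

    def observe(self, ip, ts, is_error=False):
        self.windows[ip].add(ts, is_error)

    def evaluate(self, ip, now):
        """Return (anomalous, minutes); minutes is 0 when clean, None when permanent.
        Callers should stop evaluating an IP while its ban is active, otherwise every
        poll during the ban would add a strike."""
        if not self.baseline.ready():
            return False, 0            # still learning: never ban on an unformed baseline
        win = self.windows[ip]
        base_mean, base_std = self.baseline.stats()
        if not is_anomalous(win.rate(now), win.error_rate(now), base_mean, base_std):
            return False, 0
        self.strikes[ip] += 1
        return True, ban_minutes(self.strikes[ip])


def demo():
    """Constructed data: a quiet day of 10-12 requests/min, then a bursty, error-heavy client."""
    base = Baseline()
    for minute in range(BASELINE_SAMPLES):
        base.record(10 if minute % 2 == 0 else 12)   # mean 11, stdev 1
    sentinel = Sentinel(base)
    for i in range(13):                              # 13 requests in 13 s, 7 of them errors
        sentinel.observe("203.0.113.7", ts=1000 + i, is_error=(i % 2 == 0))
    return sentinel.evaluate("203.0.113.7", now=1012)   # first strike -> (True, 10)


if __name__ == "__main__":
    print(demo())
```

In the demo the burst alone (Z = 2) would pass the normal 3.0 cutoff; it is the error rate above 50% that switches to the stricter threshold and triggers the first 10-minute ban, which is the interaction the summary's "stricter thresholds for high error rates" refers to.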
Opening excerpt (first ~120 words)
Wandile Ndlovu, posted on Apr 29: How I Built an Adaptive "Immune System" for Cloud Traffic. #programming #devops #security #cloud

Recently, I was tasked with a challenge: Build an automated defense system for a live Nextcloud instance. The goal wasn't just to block "bad guys," but to build a system that actually learns what a normal day looks like and reacts when things get weird.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).