SharkEye: An Intelligent Network Intrusion Detection System Running Local LLM on Raspberry Pi 5

SharkEye is a self-hosted Network Intrusion Detection System (NIDS) developed by avik-root, released on May 31, 2026. Its GitHub repository is at https://github.com/avik-root/SharkEye. It innovatively combines Deep Packet Inspection (DPI) with local Large Language Model (LLM) inference capabilities, and can run fully offline on Raspberry Pi 5. This solves the problem that traditional NIDS rely on predefined rules and struggle to handle new types of attacks, while ensuring data privacy and real-time response.

Traditional Network Intrusion Detection Systems (NIDS) usually rely on predefined rules and signatures to identify attacks, and often fall short when facing new or variant attacks. By introducing local LLM inference, SharkEye enables the system to understand the contextual semantics of network traffic, thereby identifying complex attack patterns that are difficult to detect with traditional methods.

Deep Packet Inspection (DPI) Layer

The system uses DPI technology at its core to deeply analyze packet content (not just header information), identify application-layer protocols, extract communication features, and provide structured input for LLM analysis.

Local LLM Inference Engine

An optimized LLM runs on Raspberry Pi 5 to achieve: real-time traffic pattern analysis (converting network data into natural language for the model to understand), semantic-level threat identification (understanding potential malicious intent), and generation of human-readable security reports.

Fully Offline Operation Capability

All inference is done locally, ensuring data privacy (sensitive traffic does not leave the device), low-latency response, suitability for network-isolated environments, and immunity to cloud service failures.

SharkEye has been specially optimized for the resource constraints of Raspberry Pi 5:

1. Model Quantization Technology: Uses quantized lightweight models to balance accuracy and memory usage;
2. Efficient Inference Framework: Adopts an engine optimized for ARM architecture to fully utilize hardware features;
3. Streaming Processing Architecture: Designs an efficient data pipeline to ensure real-time performance. After optimization, Raspberry Pi 5 with 8GB memory can maintain usable detection throughput and response speed.

Home Network Security Protection

Detects abnormal external connections, suspicious IoT device communications, malware callbacks, network scans, and other behaviors, providing a low-cost and high-privacy solution.

Small Business Edge Protection

24/7 monitoring, no subscription fees, self-controllable, lightweight and easy to deploy and maintain, serving as the first line of defense for network boundaries.

Network Security Education and Research

It is a practical case of AI+security integration, which can be used to explore the application boundaries of LLMs in the security field, edge AI inference optimization, and the design of new threat detection algorithms.

SharkEye is a self-hosted solution. Users only need to prepare a Raspberry Pi 5 and configure it according to the project documentation to start the local intrusion detection service. The system configuration interface and report output are user-friendly, so even non-professional security personnel can understand and operate it.

SharkEye represents the trend of AI capabilities sinking to the edge in the field of network security. The future holds promise: more powerful local AI security tools will emerge, traditional security devices will deeply integrate with AI, and privacy-protecting security solutions will become mainstream. For developers and technology enthusiasts, it is an excellent starting point to explore AI+security integration and innovation.