Zing Forum

Real-Time Intrusion Detection System Based on Deep Learning: Practice of Integrating Neural Networks with SIEM

Introduces a production-grade neural network intrusion detection system that uses a two-stage deep learning architecture to achieve real-time detection of 15 attack types, deeply integrates with Wazuh SIEM, and provides automated response and multi-channel alert functions.

Tags: Intrusion Detection, Deep Learning, Neural Networks, SIEM, Wazuh, Cybersecurity, Real-Time Monitoring, Threat Intelligence, Automated Response, Anomaly Detection

Published 2026-06-16 18:45 | Recent activity 2026-06-16 18:51 | Estimated read 5 min
Section 01: Real-Time Intrusion Detection System Based on Deep Learning: Practice of Integrating Neural Networks with SIEM (Introduction)

Introduces the neural-network-ids project released by sharvesh830 on GitHub (2026-06-16). This production-grade system uses a two-stage deep learning architecture, detects 15 attack types with an accuracy rate of 95.61%, integrates deeply with Wazuh SIEM, provides real-time monitoring, multi-channel alerts and automated response, and offers a practical way for small and medium-sized enterprises (SMEs) to build their own Security Operations Center (SOC).

Section 02: Project Background and Significance

Traditional rule-based IDS struggles to handle complex unknown threats, and deep learning brings new possibilities to cybersecurity. This project combines neural networks with SIEM to build a real-time intrusion detection solution. Trained on the CICIDS2017 dataset (800,000 traffic samples), it identifies 15 attack types with an accuracy rate of 95.61% and helps SMEs build their SOC.

Section 03: Two-Stage Neural Network Architecture and Real-Time Monitoring

The core is a two-stage detection mechanism: 1. A multi-class neural network identifies 15 known attacks (such as DDoS and DoS Hulk; DDoS detection accuracy is 99.2%); 2. An autoencoder detects unknown anomalies that match none of the known classes. The system captures traffic in real time, extracts network flow features (packet size, inter-arrival time, etc.), and runs with sub-second latency (100 ms per flow), a throughput of over 1000 flows per second, and memory usage of approximately 2 GB.

Section 04: Multi-Channel Alerts and SIEM Integration

After a threat is detected, alerts are sent through multiple channels: colored console output (attack type, confidence level, IP, etc.); deep integration with Wazuh SIEM, forwarding standardized events to the Wazuh manager; and email alerts with rate limiting and aggregation, sent only for high- and severe-level threats. It also supports threat intelligence integration, enriching alerts with IP reputation, historical records, and other context.
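As an added illustration (not code from the neural-network-ids project) of how the two-stage verdict from Section 03 feeds the Wazuh and email channels described above: the label list, severity map, thresholds, and the JSON event field names are assumptions made for this example, and the sample inputs are constructed.

```python
import json
from dataclasses import dataclass

# Constructed label order and severity map; the project's own classes and thresholds differ.
LABELS = ["BENIGN", "DDoS", "DoS Hulk", "PortScan", "Bot"]
SEVERITY = {"DDoS": "SEVERE", "DoS Hulk": "SEVERE", "PortScan": "HIGH", "Bot": "MEDIUM"}


@dataclass
class Verdict:
    stage: str      # "classifier", "autoencoder" or "none"
    label: str
    score: float    # softmax confidence or autoencoder reconstruction error
    severity: str


def two_stage_verdict(probs, recon_error, conf_threshold=0.90, recon_threshold=0.05):
    """Stage 1: accept the classifier's label when it is confident about a known attack.
    Stage 2: otherwise let the autoencoder's reconstruction error flag flows that fit
    no known class but still deviate from the normal traffic it was trained on."""
    best = max(range(len(probs)), key=probs.__getitem__)
    label, conf = LABELS[best], probs[best]
    if label != "BENIGN" and conf >= conf_threshold:
        return Verdict("classifier", label, conf, SEVERITY[label])
    if recon_error > recon_threshold:
        return Verdict("autoencoder", "UNKNOWN_ANOMALY", recon_error, "HIGH")
    return Verdict("none", "BENIGN", conf, "NONE")


def to_wazuh_event(verdict, src_ip, dst_ip, ts):
    """One JSON object per line, the form Wazuh's JSON log collector ingests.
    The field names are an assumption for this example, not the project's schema."""
    return json.dumps({"ids": {"timestamp": ts, "stage": verdict.stage, "attack": verdict.label,
                               "score": round(verdict.score, 4), "severity": verdict.severity,
                               "src_ip": src_ip, "dst_ip": dst_ip}})


class EmailRateLimiter:
    """Email only HIGH/SEVERE verdicts, at most once per (attack, src_ip) per window;
    repeats inside the window are aggregated into the alert already sent."""
    def __init__(self, window_s=600):
        self.window_s, self.last_sent = window_s, {}

    def should_email(self, verdict, src_ip, now):
        if verdict.severity not in ("HIGH", "SEVERE"):
            return False
        key = (verdict.label, src_ip)
        if now - self.last_sent.get(key, float("-inf")) < self.window_s:
            return False
        self.last_sent[key] = now
        return True
```

The classifier's confidence threshold and the autoencoder's reconstruction threshold are the two knobs a deployer tunes against false positives; lowering either trades precision for recall.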

Section 05: Automated Response and Deployment Architecture

The system also has automated response capabilities: SEVERE-level threats automatically block the attacking source IP (for 1 hour by default), with support for whitelists/blacklists, manual unblocking, and adjustable thresholds. The deployment uses a distributed architecture: a Windows 11 host (training environment, PyTorch + CICIDS2017) and an Ubuntu virtual machine (production environment, Wazuh components + inference engine). System requirements include Python 3.8+, PyTorch, Scapy, etc.

Section 06: Practical Application Scenarios and Value

Applicable scenarios: 1. SOC construction for SMEs (replacing expensive commercial equipment); 2. Security training and drills (learning intrusion detection principles); 3. Red team vs. blue team exercises (blue team monitoring tool); 4. IoT/industrial control network protection (lightweight resource usage).

Section 07: Summary and Outlook

This project demonstrates the application value of deep learning in cybersecurity, providing a complete solution through its two-stage architecture, SIEM integration, and related features. Future improvement directions: introducing Transformers to strengthen time-series modeling, supporting protocol parsing such as HTTP/2, and integrating the MITRE ATT&CK framework. It is a resource worth studying and building upon in the open-source community.