Intelligent Security Operations Center: Real-Time Network Attack Detection System Based on Wazuh and Machine Learning

This article introduces an open-source intelligent SOC system project that integrates Wazuh, Suricata, and machine learning technologies to achieve real-time network attack detection and automatic response.

Tags: SOC, Security Operations Center, Wazuh, Suricata, Machine Learning, Intrusion Detection, Network Security, Threat Detection, Automated Response, Security Orchestration
Published 2026-06-13 22:15 · Recent activity 2026-06-13 22:52 · Estimated read 7 min

Section 01

Practical Open-Source Intelligent SOC System: Building an Automated Security Operations Center with Wazuh+Suricata+Machine Learning (Introduction)

This article introduces an intelligent Security Operations Center (SOC) project built using an open-source tech stack (Wazuh, Suricata, pfSense, etc.) and machine learning (Random Forest + Isolation Forest), aiming to provide a practical cybersecurity monitoring solution for small and medium-sized enterprises. The project covers architecture design, component integration, ML model training, and automated response mechanisms. It is a cybersecurity graduation project from TEK-UP University in Tunisia, authored by Amir Ghediri, with the code open-sourced on GitHub (link: https://github.com/emirghdiri/Intelligent-SOC-System). The core goal is to achieve enterprise-level security monitoring capabilities using open-source tools and reduce operational costs.

Section 02

Project Background and Significance

Nowadays, network threats are complex and frequent, but traditional SOC solutions are expensive and complex to deploy, making them inaccessible to small and medium-sized enterprises. This project proves that a fully functional security monitoring infrastructure can be built entirely using open-source technologies and machine learning. Key values include:

  1. Real-time detection of known attacks (log collection and intrusion detection via Wazuh+Suricata)
  2. AI identification of abnormal behaviors (ML models detect unknown threats)
  3. Automated response (alerts and protection triggered by malicious activities)

Section 03

System Architecture and Core Tech Stack

The lab is built on VMware with an architecture that isolates the internal network from the external one. Virtual machine roles: Kali (external/internal attacker), pfSense (firewall/router, traffic filtering), Windows 10 (victim, with Sysmon and the Wazuh Agent deployed), Ubuntu Server (SOC server, running Wazuh Manager, Suricata NIDS and the ML engine). Core components:

  • Wazuh: Log collection and analysis, alert generation, web management
  • Suricata: Network traffic analysis, rule detection, EVE log generation
  • Sysmon: Fine-grained Windows monitoring (processes, network, registry, etc.)
  • pfSense: Boundary protection, only allowing OpenVPN and HTTPS traffic

Section 04

Machine Learning Model Design and Training

The dataset consists of 28,186 Wazuh alerts (9,576 normal, 18,610 attack). Features include rule_id, rule_level, firedtimes, etc. A dual-model strategy is adopted:

  1. Random Forest Classifier: Identifies known attacks with precision/recall/F1 all at 1.00
  2. Isolation Forest Algorithm: Unsupervised anomaly detection to identify unknown threats

Training process:

  1. Data collection (collect_data.py)
  2. Model training (train_model.py generates rf_model.pkl, etc.)
  3. Real-time detection and response (detect_response.py)
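The unsupervised half of the dual-model strategy, as an added example that is not the project's code: a minimal Isolation Forest written from scratch (train_model.py presumably relies on a library implementation; none is assumed here) scores the three alert features the text names, rule_id, rule_level and firedtimes. The alert records, rule ids and level values are constructed for the example, including the single high-level burst alert that the forest should rank as most anomalous. The Random Forest side needs the labelled alert set and is not reproduced.

```python
"""Minimal Isolation Forest over Wazuh-alert features (added example, not project code)."""
import math
import random

EULER_GAMMA = 0.5772156649


def alert_features(alert):
    """Pull the numeric features the text names out of one Wazuh alert dict.
    Wazuh keeps them under the "rule" object; firedtimes may be absent."""
    rule = alert["rule"]
    return (int(rule["id"]), int(rule["level"]), int(rule.get("firedtimes", 1)))


def _avg_path(n):
    """c(n): expected path length of an unsuccessful search in a BST of n points;
    normalises tree depth so scores are comparable across sample sizes."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _grow(rows, depth, max_depth, rng):
    """Recursively split on a random feature at a random cut point. Stop when a point
    is isolated, the depth limit is reached, or the remaining points are identical."""
    if len(rows) <= 1 or depth >= max_depth:
        return ("leaf", len(rows))
    splittable = [i for i in range(len(rows[0]))
                  if min(r[i] for r in rows) < max(r[i] for r in rows)]
    if not splittable:
        return ("leaf", len(rows))
    f = rng.choice(splittable)
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    cut = rng.uniform(lo, hi)
    left = [r for r in rows if r[f] < cut]
    right = [r for r in rows if r[f] >= cut]
    return ("node", f, cut,
            _grow(left, depth + 1, max_depth, rng),
            _grow(right, depth + 1, max_depth, rng))


def _path_length(tree, x, depth=0):
    """Depth at which x lands, plus the expected extra depth of an unsplit leaf."""
    if tree[0] == "leaf":
        return depth + _avg_path(tree[1])
    _, f, cut, left, right = tree
    return _path_length(left if x[f] < cut else right, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees, self.n = [], 0

    def fit(self, rows):
        rng = random.Random(self.seed)  # fixed seed keeps the example reproducible
        self.n = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.n)) if self.n > 1 else 0
        self.trees = [_grow(rng.sample(rows, self.n), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1]: near 1 means isolated in very few splits (anomalous),
        around 0.5 means the point sits inside the bulk of the data."""
        h = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-h / _avg_path(self.n))


def build_demo_alerts(seed=1):
    """Constructed alert stream (not captured from the lab): 40 routine low-level alerts
    followed by one high-level alert that fired many times in its window."""
    rng = random.Random(seed)
    alerts = [{"rule": {"id": rng.choice(["5501", "5502", "5715"]),
                        "level": rng.choice([3, 3, 5]),
                        "firedtimes": rng.randint(1, 4)},
               "agent": {"name": "win10-victim"}} for _ in range(40)]
    alerts.append({"rule": {"id": "5763", "level": 12, "firedtimes": 45},
                   "agent": {"name": "win10-victim"}})
    return alerts


def rank_alerts(alerts):
    """Fit on the stream and return (score, index) pairs, most anomalous first."""
    rows = [alert_features(a) for a in alerts]
    forest = IsolationForest().fit(rows)
    return sorted(((forest.score(r), i) for i, r in enumerate(rows)), reverse=True)


if __name__ == "__main__":
    for score, idx in rank_alerts(build_demo_alerts())[:3]:
        print(f"alert #{idx}: anomaly score {score:.3f}")
```

In the real pipeline the forest would be fitted on the normal portion of the 28,186 alerts and applied to live alerts.json records, with a threshold on the score deciding what counts as an unknown threat; rule_id is an identifier rather than a quantity, so with more features one would normally encode it rather than treat it as ordinal.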

Section 05

Automated Response Mechanism

When malicious activities are detected, the following actions are automatically executed:

  1. Intelligent classification: Use ML models to distinguish between normal and attack events
  2. Email alert: Send attack type, source IP, severity level, and timestamp to administrators
  3. IP blacklist: Automatically add malicious IPs to blacklist.txt, which can be linked to the firewall for blocking
  4. Audit logs: Record all events for traceability and compliance
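The response chain above, as an added example (not the project's detect_response.py): blacklist.txt is appended once per source IP after the value is checked to be an IP address, every verdict, attack or normal, is written to an audit log as JSON lines, and the notification carries the four fields listed. Mail delivery is injected as a callable so the example runs offline; the event layout, the audit file name, the sender and recipient addresses and the sample events are assumptions constructed for the example.

```python
"""Response chain for a classified Wazuh alert: blacklist, email, audit (added example)."""
import ipaddress
import json
import tempfile
from datetime import datetime, timezone
from email.message import EmailMessage
from pathlib import Path


def add_to_blacklist(src_ip, path):
    """Append src_ip to blacklist.txt exactly once. Anything that does not parse as
    an IP address raises ValueError instead of being handed on to the firewall."""
    addr = str(ipaddress.ip_address(src_ip))
    path = Path(path)
    known = set(path.read_text(encoding="utf-8").split()) if path.exists() else set()
    if addr in known:
        return False
    with path.open("a", encoding="utf-8") as fh:
        fh.write(addr + "\n")
    return True


def build_alert_email(event, sender, recipient):
    """Compose the administrator notification with the four fields the text lists."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[SOC] {event['attack_type']} from {event['src_ip']} (level {event['severity']})"
    msg.set_content(
        f"Attack type: {event['attack_type']}\n"
        f"Source IP:   {event['src_ip']}\n"
        f"Severity:    {event['severity']}\n"
        f"Timestamp:   {event['timestamp']}\n"
    )
    return msg


def write_audit(record, path):
    """One JSON line per decision so every verdict, not only attacks, is traceable."""
    with Path(path).open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def respond(event, workdir, deliver,
            sender="soc@example.invalid", recipient="admin@example.invalid"):
    """Apply the response chain to one classified event. `deliver` receives the
    EmailMessage (in production: smtplib.SMTP(host).send_message). Returns the actions taken."""
    workdir = Path(workdir)
    actions = {"verdict": event["verdict"], "blacklisted": False, "emailed": False}
    if event["verdict"] == "attack":
        actions["blacklisted"] = add_to_blacklist(event["src_ip"], workdir / "blacklist.txt")
        deliver(build_alert_email(event, sender, recipient))
        actions["emailed"] = True
    write_audit({"event": event, "actions": actions,
                 "handled_at": datetime.now(timezone.utc).isoformat()},
                workdir / "audit.jsonl")  # audit file name is an assumption
    return actions


def run_demo():
    """Constructed classifier output: one attacker IP seen twice plus one normal event.
    Runs in a temporary directory and returns what happened, for inspection."""
    events = [
        {"verdict": "attack", "attack_type": "RDP brute force", "src_ip": "192.168.56.10",
         "severity": 10, "timestamp": "2025-03-01T10:00:00Z"},
        {"verdict": "normal", "attack_type": None, "src_ip": "192.168.56.20",
         "severity": 3, "timestamp": "2025-03-01T10:00:05Z"},
        {"verdict": "attack", "attack_type": "RDP brute force", "src_ip": "192.168.56.10",
         "severity": 10, "timestamp": "2025-03-01T10:00:09Z"},
    ]
    outbox = []  # stands in for the SMTP server
    with tempfile.TemporaryDirectory() as tmp:
        results = [respond(e, tmp, outbox.append) for e in events]
        blacklist = (Path(tmp) / "blacklist.txt").read_text(encoding="utf-8").split()
        audit_lines = (Path(tmp) / "audit.jsonl").read_text(encoding="utf-8").splitlines()
    return {"results": results, "blacklist": blacklist,
            "audit_entries": len(audit_lines),
            "subjects": [str(m["Subject"]) for m in outbox]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The second sighting of the same IP produces a mail and an audit line but no duplicate blacklist entry, which matters once blacklist.txt is consumed by a firewall alias; the normal event still leaves an audit line, which is what the traceability requirement asks for.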

Section 06

Practical Attack Simulation and Detection Effect

Tested attack types include network scanning (Nmap), vulnerability scanning, SMB enumeration/brute force, RDP brute force, encoded PowerShell, etc., each mapped to MITRE ATT&CK technique IDs. Firewall rule verification: before the rules were applied, external hosts could scan the internal network; after they were applied, only OpenVPN and HTTPS traffic is allowed and all other traffic is blocked.
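How the encoded-PowerShell case can be surfaced for an analyst, as an added example not taken from the project: the Sysmon process-creation events are constructed, the switch matching reflects that powershell.exe accepts -EncodedCommand, its alias -ec and any unambiguous prefix such as -e or -enc (while -ex... belongs to -ExecutionPolicy), and the payload is Base64 of UTF-16LE text. The decoded script is returned with the finding so the alert can be reviewed rather than acted on blindly; T1059.001 is the ATT&CK technique ID for PowerShell.

```python
"""Surface encoded PowerShell command lines in Sysmon-style process events (added example)."""
import base64
import binascii
import re

ATTACK_TECHNIQUE = "T1059.001"  # MITRE ATT&CK: Command and Scripting Interpreter: PowerShell
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)


def is_encoded_command_switch(token):
    """powershell.exe accepts -EncodedCommand, the alias -ec, and any unambiguous prefix
    (-e, -en, -enc, ...). -ex... resolves to -ExecutionPolicy and must not match."""
    if not token.startswith("-"):
        return False
    name = token[1:].lower()
    return bool(name) and (name == "ec" or "encodedcommand".startswith(name))


def decode_encoded_command(blob):
    """Return the script text, or None when blob is not Base64 of UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_command_line(cmdline):
    """Return a finding if cmdline launches PowerShell with a decodable encoded command,
    else None. The decoded text is kept so an analyst can judge the alert."""
    if not POWERSHELL_RE.search(cmdline):
        return None
    tokens = cmdline.split()
    for switch, payload in zip(tokens, tokens[1:]):
        if is_encoded_command_switch(switch):
            decoded = decode_encoded_command(payload.strip("\"'"))
            if decoded is not None:
                return {"technique": ATTACK_TECHNIQUE, "switch": switch, "decoded": decoded}
    return None


# Constructed Sysmon Event ID 1 records, not captured from the lab. The encoded payload
# is a harmless Write-Output so the decode step can be checked end to end.
BENIGN_SCRIPT = "Write-Output 'hello from the lab'"
ENCODED = base64.b64encode(BENIGN_SCRIPT.encode("utf-16-le")).decode("ascii")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": f"powershell.exe -NoProfile -enc {ENCODED}"},
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -e not-base64!!"},  # switch present, payload invalid
]


def scan_events(events):
    """Run the check over process-creation events; one result (finding or None) per event."""
    return [inspect_command_line(e["CommandLine"]) for e in events]


if __name__ == "__main__":
    for event, finding in zip(SAMPLE_EVENTS, scan_events(SAMPLE_EVENTS)):
        print(event["CommandLine"][:60], "->", finding)
```

Only the first event yields a finding; the -ExecutionPolicy launch and the invalid payload do not, which keeps the rule from firing on routine administrative use while still catching the short aliases that a signature written only for -EncodedCommand would miss.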

Section 07

Deployment Guide and Project Value

Environment requirements: VMware, Ubuntu 22.04, Windows 10, Kali, pfSense, Python 3.8+. Key steps: Deploy pfSense firewall → Install Wazuh → Install Suricata → Deploy Sysmon and the Wazuh Agent on Windows → Configure the ML environment. Project value: feasibility of open-source solutions (cost reduction), practical value of ML (the two models complement each other), necessity of automated response (efficiency improvement), educational value (a complete SOC construction case).

Section 08

Summary and Expansion Suggestions

The project has achieved comprehensive log collection, real-time network detection, intelligent threat identification, and automated response handling, serving as a reference case for organizations with limited budgets. Applicable scenarios: Small and medium enterprise monitoring, lab teaching, CTF environments, red-blue team exercises. Expansion directions: Integrate threat intelligence sources, add SOAR capabilities, introduce deep learning, develop visualization interfaces.