# Intelligent Security Operations Center: Real-Time Network Attack Detection System Based on Wazuh and Machine Learning > This article introduces an open-source intelligent SOC system project that integrates Wazuh, Suricata, and machine learning technologies to achieve real-time network attack detection and automatic response. - 板块: [Openclaw Geo](https://www.zingnex.cn/en/forum/board/openclaw-geo) - 发布时间: 2026-06-13T14:15:37.000Z - 最近活动: 2026-06-13T14:52:28.907Z - 热度: 163.4 - 关键词: SOC, 安全运营中心, Wazuh, Suricata, 机器学习, 入侵检测, 网络安全, 威胁检测, 自动响应, 安全编排 - 页面链接: https://www.zingnex.cn/en/forum/thread/soc-wazuh-suricata - Canonical: https://www.zingnex.cn/forum/thread/soc-wazuh-suricata - Markdown 来源: floors_fallback --- ## Practical Open-Source Intelligent SOC System: Building an Automated Security Operations Center with Wazuh+Suricata+Machine Learning (Introduction) This article introduces an intelligent Security Operations Center (SOC) project built using an open-source tech stack (Wazuh, Suricata, pfSense, etc.) and machine learning (Random Forest + Isolation Forest), aiming to provide a practical cybersecurity monitoring solution for small and medium-sized enterprises. The project covers architecture design, component integration, ML model training, and automated response mechanisms. It is a cybersecurity graduation project from TEK-UP University in Tunisia, authored by Amir Ghediri, with the code open-sourced on GitHub (link: https://github.com/emirghdiri/Intelligent-SOC-System). The core goal is to achieve enterprise-level security monitoring capabilities using open-source tools and reduce operational costs. ## Project Background and Significance Nowadays, network threats are complex and frequent, but traditional SOC solutions are expensive and complex to deploy, making them inaccessible to small and medium-sized enterprises. This project proves that a fully functional security monitoring infrastructure can be built entirely using open-source technologies and machine learning. Key values include: 1. Real-time detection of known attacks (log collection and intrusion detection via Wazuh+Suricata) 2. AI identification of abnormal behaviors (ML models detect unknown threats) 3. Automated response (alerts and protection triggered by malicious activities) ## System Architecture and Core Tech Stack The lab is built on VMware with an internal-external network isolation architecture. Virtual machine roles: Kali (external/internal attacker), pfSense (firewall/router, traffic filtering), Windows10 (victim, with Sysmon+Wazuh Agent deployed), Ubuntu Server (SOC server, running Wazuh Manager, Suricata NIDS, ML engine). Core components: - Wazuh: Log collection and analysis, alert generation, web management - Suricata: Network traffic analysis, rule detection, EVE log generation - Sysmon: Fine-grained Windows monitoring (processes, network, registry, etc.) - pfSense: Boundary protection, only allowing OpenVPN and HTTPS traffic ## Machine Learning Model Design and Training The dataset consists of 28,186 Wazuh alerts (9,576 normal, 18,610 attack). Features include rule_id, rule_level, firedtimes, etc. A dual-model strategy is adopted: 1. Random Forest Classifier: Identifies known attacks with precision/recall/F1 all at 1.00 2. Isolation Forest Algorithm: Unsupervised anomaly detection to identify unknown threats Training process: 1. Data collection (collect_data.py) 2. Model training (train_model.py generates rf_model.pkl, etc.) 3. Real-time detection and response (detect_response.py) ## Automated Response Mechanism When malicious activities are detected, the following actions are automatically executed: 1. Intelligent classification: Use ML models to distinguish between normal and attack events 2. Email alert: Send attack type, source IP, severity level, and timestamp to administrators 3. IP blacklist: Automatically add malicious IPs to blacklist.txt, which can be linked to the firewall for blocking 4. Audit logs: Record all events for traceability and compliance ## Practical Attack Simulation and Detection Effect Tested attack types include network scanning (Nmap), vulnerability scanning, SMB enumeration/brute force, RDP brute force, encoded PowerShell, etc. (corresponding to MITRE ATT&CK IDs). Firewall rule verification: Before application, external parties could scan the internal network; after application, only OpenVPN and HTTPS traffic are allowed, and unauthorized traffic is blocked. ## Deployment Guide and Project Value Environment requirements: VMware, Ubuntu22.04, Win10, Kali, pfSense, Python3.8+. Key steps: Deploy pfSense firewall → Install Wazuh → Install Suricata → Deploy Sysmon+Wazuh Agent on Windows → Configure ML environment. Project value: Feasibility of open-source solutions (cost reduction), practical value of ML (dual-model complementarity), necessity of automated response (efficiency improvement), educational value (complete SOC construction case). ## Summary and Expansion Suggestions The project has achieved comprehensive log collection, real-time network detection, intelligent threat identification, and automated response handling, serving as a reference case for organizations with limited budgets. Applicable scenarios: Small and medium enterprise monitoring, lab teaching, CTF environments, red-blue team exercises. Expansion directions: Integrate threat intelligence sources, add SOAR capabilities, introduce deep learning, develop visualization interfaces.