# Production Deployment Guide

This guide provides instructions for deploying the APT Detection System in a production environment.

## Prerequisites

- Python 3.8 or higher
- Kafka server running (for event ingestion)
- Redis server (optional, for alert storage)
- Wazuh EDR and/or Elasticsearch SIEM (for real data sources)
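The Python version requirement can be verified up front. A minimal sketch (not part of the project itself):

```python
import sys

# The system requires Python 3.8 or higher.
if sys.version_info < (3, 8):
    raise SystemExit(f"Python 3.8+ required, found {sys.version.split()[0]}")
print(f"Python {sys.version.split()[0]} OK")
```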
## Configuration

The system is configured through the `config.yaml` file. For production deployment, ensure the following settings are properly configured:
### Data Sources

Configure at least one data source connector:

**Wazuh EDR:**

```yaml
data_sources:
  wazuh:
    enabled: true
    api_url: "https://your-wazuh-server:55000"
    username: "your-wazuh-username"
    password: "your-wazuh-password"
    verify_ssl: true
    fetch_interval: 60
```

**Elasticsearch SIEM:**

```yaml
data_sources:
  elasticsearch:
    enabled: true
    hosts: ["your-elasticsearch-host:9200"]
    index_pattern: "winlogbeat-*"
    username: "your-elasticsearch-username"
    password: "your-elasticsearch-password"
    verify_certs: true
    fetch_interval: 60
```

### Kafka

```yaml
kafka:
  bootstrap_servers: your-kafka-server:9092
  topic: apt_topic
  group_id: apt_detection_group
  auto_offset_reset: earliest
  enable_auto_commit: true
  session_timeout_ms: 30000
  request_timeout_ms: 40000
```

### Dashboard

```yaml
dashboard:
  host: 0.0.0.0  # Allow external connections
  port: 5000
  debug: false   # Disable debug mode in production
```

The dashboard includes real-time features that provide:
- Real-time alert streaming with WebSocket support
- Interactive attack timeline visualization
- Live connection monitoring and status indicators
- Enhanced metrics with comprehensive analysis
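The Kafka settings shown above map directly onto consumer options. A minimal sketch, assuming the kafka-python client (the project's actual consumer implementation may differ); `consumer_kwargs` is a hypothetical helper:

```python
# Hypothetical helper: builds kafka-python KafkaConsumer keyword arguments
# from the `kafka:` section of config.yaml. Names mirror the settings above.
def consumer_kwargs(kafka_cfg):
    return {
        "bootstrap_servers": kafka_cfg["bootstrap_servers"],
        "group_id": kafka_cfg["group_id"],
        "auto_offset_reset": kafka_cfg["auto_offset_reset"],
        "enable_auto_commit": kafka_cfg["enable_auto_commit"],
        "session_timeout_ms": kafka_cfg["session_timeout_ms"],
        "request_timeout_ms": kafka_cfg["request_timeout_ms"],
    }

if __name__ == "__main__":
    # Values mirror the production configuration above.
    cfg = {
        "bootstrap_servers": "your-kafka-server:9092",
        "topic": "apt_topic",
        "group_id": "apt_detection_group",
        "auto_offset_reset": "earliest",
        "enable_auto_commit": True,
        "session_timeout_ms": 30000,
        "request_timeout_ms": 40000,
    }
    kwargs = consumer_kwargs(cfg)
    # With a live broker you would then create the consumer:
    # from kafka import KafkaConsumer
    # consumer = KafkaConsumer(cfg["topic"], **kwargs)
    print(kwargs["group_id"])
```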
### System Settings

```yaml
settings:
  overwrite_models: false  # Don't overwrite models in production
  log_level: INFO
  collection_interval_seconds: 60

behavioral_analytics:
  baseline_period_days: 7
  anomaly_threshold: 0.6
  time_window_minutes: 10

alerts:
  max_alerts: 10000
  retention_days: 90
```

Ensure simulation is disabled for production:

```yaml
simulation:
  enabled: false
```
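The production-safety settings above can be verified automatically before start-up. A minimal pre-flight sketch, assuming `config.yaml` has already been loaded into a dict (e.g. with a YAML parser); `check_production_config` is a hypothetical helper, not part of the project:

```python
def check_production_config(cfg):
    """Return a list of settings that are unsafe for production."""
    problems = []
    if cfg.get("simulation", {}).get("enabled", False):
        problems.append("simulation.enabled should be false in production")
    if cfg.get("dashboard", {}).get("debug", False):
        problems.append("dashboard.debug should be false in production")
    if cfg.get("settings", {}).get("overwrite_models", False):
        problems.append("settings.overwrite_models should be false in production")
    return problems

if __name__ == "__main__":
    # Values mirror the production settings shown above.
    cfg = {
        "simulation": {"enabled": False},
        "dashboard": {"debug": False},
        "settings": {"overwrite_models": False},
    }
    assert check_production_config(cfg) == []
    print("config is production-safe")
```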
## Deployment Steps

1. **Install Dependencies**

   ```bash
   pip install -r requirements.txt
   ```

2. **Train Models** (if not already trained)

   ```bash
   python main.py --train
   ```

3. **Run in Production Mode**

   ```bash
   ./run_production.sh
   ```

   Or manually:

   ```bash
   python main.py --production
   ```
## Security Considerations

- Use HTTPS for the dashboard by setting up a reverse proxy (e.g., Nginx, Apache)
- Secure all API credentials and passwords
- Use SSL/TLS for Kafka and Redis connections
- Implement proper authentication for the dashboard

## Monitoring and Maintenance

- Set up monitoring for the APT Detection System process
- Configure log rotation for the `apt_detection.log` file
- Monitor disk space for log files and alert storage

## Scaling

- Consider running multiple instances behind a load balancer
- Set up redundant Kafka and Redis servers
- Implement database backup strategies for alert storage

## Performance Tuning

- Adjust `collection_interval_seconds` based on your data volume
- Tune Kafka consumer settings for optimal throughput
- Adjust `time_window_minutes` for feature aggregation based on your environment
## Troubleshooting

1. **Connection to data sources fails**
   - Check network connectivity
   - Verify credentials
   - Ensure API endpoints are correct

2. **No alerts are generated**
   - Check if data is being ingested from sources
   - Verify that the Kafka topic exists and is receiving messages
   - Check log files for errors

3. **Dashboard is not accessible**
   - Verify the dashboard is running
   - Check firewall settings
   - Ensure the correct host and port are configured
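Several of the checks above reduce to "can this host and port be reached at all". A small standard-library sketch for that first step (the hostnames below are placeholders from the configuration examples, not real endpoints):

```python
import socket

def can_connect(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Placeholder endpoints taken from the configuration examples above.
    for name, host, port in [
        ("Kafka", "your-kafka-server", 9092),
        ("Dashboard", "localhost", 5000),
    ]:
        status = "reachable" if can_connect(host, port) else "NOT reachable"
        print(f"{name} ({host}:{port}): {status}")
```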
## Logging

The system logs to `apt_detection.log` in the project directory. Check this file for detailed error messages and debugging information.
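If you handle rotation inside Python rather than with an external tool such as logrotate, the standard library's `RotatingFileHandler` covers it. A sketch, assuming the project uses Python's standard `logging` module with the log file named above; the size and backup-count values are illustrative:

```python
import logging
from logging.handlers import RotatingFileHandler

# Rotate apt_detection.log at ~10 MB, keeping 5 old copies
# (apt_detection.log.1 ... apt_detection.log.5).
handler = RotatingFileHandler(
    "apt_detection.log", maxBytes=10 * 1024 * 1024, backupCount=5
)
handler.setFormatter(
    logging.Formatter("%(asctime)s %(levelname)s %(name)s: %(message)s")
)

logger = logging.getLogger("apt_detection")
logger.setLevel(logging.INFO)  # matches log_level: INFO in config.yaml
logger.addHandler(handler)
logger.info("log rotation configured")
```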
## Updating Models

To update the machine learning models:

1. Stop the running instance
2. Run `python main.py --train`
3. Restart the system
Baseline models are automatically created if they don't exist. To force an update:

1. Stop the running instance
2. Delete the files in `models/baselines/`
3. Restart the system
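The baseline-reset step above (deleting the files in `models/baselines/`) can be scripted. A cautious sketch; `clear_baselines` is a hypothetical helper, and it should only be run while the system is stopped:

```python
from pathlib import Path

def clear_baselines(baseline_dir="models/baselines"):
    """Delete baseline model files so they are rebuilt on next start."""
    removed = []
    path = Path(baseline_dir)
    if not path.is_dir():
        return removed  # nothing to do
    for f in path.iterdir():
        if f.is_file():
            f.unlink()
            removed.append(f.name)
    return removed

if __name__ == "__main__":
    # Run only after stopping the system (step 1 above).
    print(clear_baselines())
```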
For additional support, please refer to the project documentation or contact the development team.