🛡️ ThreatIntelAI - AI-Powered Security Log Analysis & Incident Response

An intelligent system that ingests security logs, detects anomalous patterns, and leverages Google Generative AI to explain incidents and suggest mitigation strategies.

🎯 Features

✅ Real-time Log Analysis - Upload CSV/TXT security logs instantly
✅ AI Threat Detection - Identifies 4+ threat categories using pattern matching
✅ Automated Risk Scoring - Real-time severity assessment (High/Medium/Low)
✅ AI-Generated Reports - Google Gemini creates comprehensive incident reports
✅ Interactive Security Bot - Ask questions, get expert security advice
✅ Beautiful Visualizations - Interactive threat breakdown charts with Plotly
✅ JSON Export - Download detailed analysis reports for compliance

🏗️ System Architecture

┌─────────────────────────────────────────────────┐
│    STREAMLIT FRONTEND (Port 8501)               │
│  ✓ File Upload & Visualization                  │
│  ✓ Real-time Threat Dashboard                   │
│  ✓ AI-Powered Security Bot Chat                 │
└────────────────┬────────────────────────────────┘
                 │ HTTP/REST API
                 ▼
┌─────────────────────────────────────────────────┐
│      FLASK BACKEND (Port 5000)                  │
│  ✓ Anomaly Detection Engine                     │
│  ✓ Pattern-Based Threat Scoring                 │
│  ✓ AI Report Generation                         │
│  ✓ Security Q&A Processing                      │
└────────────────┬────────────────────────────────┘
                 │
                 ▼
┌─────────────────────────────────────────────────┐
│    GOOGLE GENERATIVE AI (Gemini 2.0)            │
│  ✓ Incident Report Writing                      │
│  ✓ Expert Security Guidance                     │
│  ✓ Threat Analysis & Explanations               │
└─────────────────────────────────────────────────┘

🚀 Quick Start

Prerequisites

• Python 3.12+
• Google Generative AI API Key (free tier)
• 2 minutes setup

Installation

# Clone repository
git clone https://github.com/deekshithaby/ThreatIntelAI.git
cd ThreatIntelAI

# Install dependencies
pip install -r requirements.txt

# Create .env file with your Google API key
echo 'GOOGLE_API_KEY=your_key_here' > .env

Running the Application

Terminal 1 - Start Backend:

python3 backend.py

Expected:

🚀 Flask Backend Starting...
📍 http://localhost:5000
✅ AI Chatbot ENABLED (Google Gemini)

Terminal 2 - Start Frontend:

streamlit run app.py

Expected:

Local URL: http://localhost:8501

Open Browser:

http://localhost:8501

📊 How It Works

1. Upload Logs

User uploads security logs (CSV/TXT) containing system events, authentication attempts, network activity.

2. Anomaly Detection

Backend analyzes logs for threats:

• Brute Force Attacks - Multiple failed login attempts
• Privilege Escalation - Unauthorized sudo/admin access
• Data Exfiltration - Suspicious data transfers
• System Anomalies - Crashes, errors, timeouts

3. Risk Assessment

Threats are quantified:

• 🔴 High Risk (>10 anomalies)
• 🟡 Medium Risk (3-10 anomalies)
• 🟢 Low Risk (<3 anomalies)

4. AI Analysis

Google Gemini generates:

• Executive summary
• Root cause analysis
• Immediate action items
• Long-term remediation plans
• Prevention strategies

5. Interactive Security Bot

Ask questions like:

• "What does this threat mean?"
• "How do I fix this?"
• "What are my top 3 risks?"

AI responds with expert security guidance.

🔍 Detected Threats

Threat	Detection Method	Severity
Brute Force Attack	Failed login patterns	🔴 Critical
Privilege Escalation	Sudo/admin access logs	🔴 Critical
Data Exfiltration	Large transfer detection	🟡 High
System Anomaly	Error/crash patterns	🟡 Medium

📡 API Endpoints

POST /detect-anomalies

Detects threats in logs.

{
  "logs": "log file content"
}

Response:

{
  "threat_scores": {...},
  "total_anomalies": 14,
  "top_threat": "Brute Force Attack",
  "risk_level": "🔴 High"
}

POST /incident-report

Generates AI incident report.

POST /ask-security

Answers security questions about threats.

🛠️ Tech Stack

Component	Technology
Frontend	Streamlit
Backend	Flask (REST API)
Detection	Regex pattern matching
AI/LLM	Google Generative AI (Gemini)
Visualization	Plotly
Data Processing	Pandas, NumPy

📈 Resume Bullet Points

• Built AI-driven security log analysis system to detect and classify anomalous patterns across multiple threat categories
• Designed Flask REST API backend with pattern-based anomaly detection achieving real-time threat scoring
• Integrated Google Generative AI (Gemini) for automated incident report generation and expert security guidance
• Developed Streamlit frontend with interactive visualizations and AI-powered security chatbot
• Implemented full-stack architecture connecting data ingestion → analysis → visualization → AI explanation

🚀 Future Enhancements

• Real-time log streaming from SIEM tools
• Machine learning-based anomaly detection (Isolation Forest, Autoencoders)
• Database integration for log persistence
• Multi-user dashboard with role-based access control
• Automated alert notifications (email, Slack)
• Integration with security tools (Splunk, Datadog, ELK)
• Docker containerization & Kubernetes deployment
• Advanced threat intelligence correlation
• MITRE ATT&CK framework mapping

📄 License

MIT License - Free for educational and commercial use

👨‍💻 Author

Created as an AI security automation project.

---

Status: Active Development
Last Updated: January 6, 2025