Prajituric/Autonomous-AI-Cyber-Defense-Network

NEURAL FORTRESS LIVE – Autonomous AI Cyber Defense Network

A full-stack, real-time system simulating a virtual SOC where LLM agents detect, explain, and mitigate cyberattacks autonomously.


🎯 Overview

Neural Fortress LIVE is an autonomous AI cyber defense network that simulates a virtual Security Operations Center (SOC). LLM agents detect, explain, and mitigate simulated cyberattacks in real time, giving a single platform for cybersecurity training, testing, and demonstration.

What It Does

Neural Fortress LIVE performs the following key functions:

  1. Real-time Attack Simulation: Generates realistic cyber attack patterns through the RedTeam agent
  2. Anomaly Detection: Uses ML algorithms to identify unusual patterns in network traffic and system logs
  3. Threat Analysis: Maps detected anomalies to MITRE ATT&CK framework using RAG techniques
  4. Natural Language Explanations: Generates human-readable explanations of detected threats
  5. Automated Response: Recommends and simulates defensive actions in a sandboxed environment
  6. Performance Evaluation: Tracks system metrics like detection accuracy and response time

πŸ—οΈ Architecture

graph TD
    A[RedTeamAgent] -->|Attack Events| B[Kafka]
    B -->|Log Ingestion| C[WatcherAgent]
    C -->|Anomalies| D[BlueTeamAgent]
    D -->|Context Query| E[MITRE ATT&CK RAG]
    D -->|Threat Alert| F[AnalystAgent]
    F -->|Explanation| G[Dashboard]
    F -->|Mitigation Request| H[DefenseAgent]
    H -->|SOAR Actions| I[Sandboxed Environment]
    J[MemoryAgent] <-->|Vector Store| D
    J <-->|Vector Store| F
    K[Frontend] <-->|WebSockets| G
Loading

Detailed Component Architecture

Backend Architecture

The backend is structured into several key modules:

  1. Agents Module (backend/agents/):

    • base_agent.py: Abstract base class defining common agent functionality
    • watcher_agent.py: Monitors logs and detects anomalies using ML models
    • redteam_agent.py: Simulates various attack patterns (brute force, SQL injection, etc.)
    • blueteam_agent.py: Analyzes anomalies and correlates with MITRE ATT&CK framework
    • analyst_agent.py: Generates natural language explanations of security events
    • defense_agent.py: Recommends and executes mitigation actions
    • memory_agent.py: Maintains historical context of security events
  2. AI Module (backend/ai/):

    • llm_explainer.py: Generates natural language explanations using LLMs
    • mitre_rag.py: Implements RAG for MITRE ATT&CK framework knowledge retrieval
    • cti_indexer.py: Indexes and retrieves cyber threat intelligence
    • guardrails.py: Implements safety measures for LLM inputs and outputs
  3. ML Module (backend/ml/):

    • anomaly_detector.py: Implements anomaly detection using IsolationForest
    • llm_integration.py: Handles integration with LLM services
    • llm_analyzer.py: Analyzes security alerts using LLMs
  4. API Module (backend/api/routes/):

    • RESTful endpoints for authentication, alerts, defense actions, and simulations
  5. Core Module (backend/core/):

    • config.py: System configuration and environment variables
    • db.py: Database connection and models
    • utils.py: Utility functions
    • ws.py: WebSocket handling for real-time updates
  6. Evaluation Module (backend/evals/):

    • metrics.py: Tracks system performance metrics
    • replay_dataset.py: Provides datasets for system evaluation

βš™οΈ Core Stack

  • Backend: FastAPI (Python) + Celery + Redis + PostgreSQL
  • Streaming: Kafka (attack/event feed) + WebSockets (Socket.IO)
  • ML: scikit-learn IsolationForest + PyOD for anomaly detection
  • LLM Layer: LangChain + GPT-4 / Claude 3 + FAISS (RAG with MITRE ATT&CK, CVE)
  • Frontend: React + Tailwind + Zustand + Socket.IO + Recharts + D3.js
  • Infra: Docker Compose (+ optional K8s manifests)
  • Auth: JWT + RBAC (Admin, Analyst, RedTeam, BlueTeam)
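As an added example (not code from this repository), the checks a JWT + RBAC layer like the one listed above has to make, written library-free so each one is visible. The README names the four roles but not the permission matrix, the secret or the operation names, so those are assumed here:

```python
"""Added example (not the project's code): HS256 JWT issue/verify with
role-based authorization for the four roles listed in the Core Stack. It is
deliberately library-free so each check is visible; with a library such as
PyJWT the same four checks still apply: pin the algorithm, compare the
signature in constant time, enforce `exp`, and authorize on the `role` claim
rather than on the mere presence of a token. The permission map and secret
are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ROLES = {"Admin", "Analyst", "RedTeam", "BlueTeam"}
# Assumed operation -> roles mapping; the README names the roles, not the matrix.
PERMISSIONS = {
    "alerts:read": {"Admin", "Analyst", "BlueTeam"},
    "simulations:start": {"Admin", "RedTeam"},
    "defense:execute": {"Admin", "BlueTeam"},
    "users:manage": {"Admin"},
}
SECRET = b"example-only-secret-load-from-config"  # constructed; never hard-code in practice


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def canonical_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue(username: str, role: str, ttl: int = 900, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 token carrying the user's role."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    now = int(time.time()) if now is None else now
    header = b64url(canonical_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url(canonical_json({"sub": username, "role": role, "iat": now, "exp": now + ttl}))
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str, now: Optional[int] = None) -> dict:
    """Return the claims of a valid token; raise PermissionError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(unb64url(header_b64))
        claims = json.loads(unb64url(payload_b64))
        sig = unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("malformed token")
    # Pin the algorithm server-side: the token must not choose how it is verified
    # (this is what defeats the classic "alg": "none" downgrade).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise PermissionError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("token expired or missing exp")
    if claims.get("role") not in ROLES:
        raise PermissionError("unknown role")
    return claims


def authorize(token: str, operation: str, now: Optional[int] = None) -> bool:
    """Authentication (verify) and authorization (role check) are separate steps."""
    claims = verify(token, now)
    return claims["role"] in PERMISSIONS.get(operation, set())
```

Two points carry over whatever library is used: the server pins the algorithm instead of reading it from the token (otherwise a header of `"alg": "none"` with an empty signature passes), and `verify` only answers who the caller is; `authorize` separately decides what that role may do, so a valid RedTeam token cannot trigger DefenseAgent actions.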

Technology Implementation Details

Backend Implementation

  1. FastAPI Framework:

    • Provides high-performance, async API endpoints
    • Automatic OpenAPI documentation
    • Dependency injection for services
  2. Kafka Integration:

    • Used for streaming attack events and logs
    • Implemented with aiokafka for async processing
    • Topics: logs, alerts, actions
  3. Redis Usage:

    • Caching for performance optimization
    • Pub/Sub for real-time notifications
    • Session management
  4. ML Pipeline:

    • Feature extraction from log data
    • Anomaly detection using IsolationForest
    • Batch and real-time processing capabilities
  5. LLM Integration:

    • RAG implementation for MITRE ATT&CK knowledge
    • Guardrails for safe LLM input/output
    • Structured output parsing for consistent results

Frontend Implementation

  1. React Components:

    • Modular component architecture
    • Real-time updates via Socket.IO
    • Responsive design with Tailwind CSS
  2. Data Visualization:

    • Network topology visualization with D3.js
    • Time-series charts with Recharts
    • Alert feed with real-time updates
  3. State Management:

    • Zustand for global state
    • WebSocket integration for live updates
    • Authentication and session handling

🤖 Agents

  1. WatcherAgent – consumes Kafka logs, extracts IOCs, scores anomalies
  2. RedTeamAgent – simulates live attacks (brute-force, SQLi, port scan)
  3. BlueTeamAgent – analyzes anomalies, matches MITRE TTPs via RAG, escalates threat
  4. AnalystAgent – generates natural-language LLM reports with structured output
  5. DefenseAgent – runs safe SOAR actions (block IP, disable user, isolate host) as dry-runs
  6. MemoryAgent – maintains semantic vector store of past incidents and agent decisions

Agent Implementation Details

WatcherAgent

  • Purpose: Monitors system logs and network traffic for anomalies
  • Implementation:
    • Uses anomaly_detector.py to identify unusual patterns
    • Extracts Indicators of Compromise (IOCs) from logs
    • Enriches alerts with additional context (geoIP, reputation data)
    • Publishes anomalies to Kafka for further processing

RedTeamAgent

  • Purpose: Simulates realistic cyber attacks for testing and training
  • Implementation:
    • Generates various attack patterns (brute force, SQL injection, port scanning)
    • Configurable attack intensity and frequency
    • Produces realistic log entries that mimic actual attacks
    • Supports scheduled and on-demand attack simulations

BlueTeamAgent

  • Purpose: Analyzes detected anomalies and determines threat level
  • Implementation:
    • Correlates anomalies with known attack patterns
    • Uses mitre_rag.py to map events to MITRE ATT&CK framework
    • Calculates confidence scores for detected threats
    • Escalates significant threats to the AnalystAgent

AnalystAgent

  • Purpose: Generates human-readable explanations of security events
  • Implementation:
    • Uses llm_explainer.py to create natural language reports
    • Provides threat assessment and impact analysis
    • Recommends appropriate mitigation actions
    • Ensures explanations follow security best practices via guardrails

DefenseAgent

  • Purpose: Executes or simulates defensive actions
  • Implementation:
    • Validates proposed actions using guardrails.py
    • Simulates actions in a sandboxed environment
    • Provides feedback on action effectiveness
    • Maintains an audit log of all actions

MemoryAgent

  • Purpose: Maintains historical context for better decision-making
  • Implementation:
    • Stores past incidents and responses in a vector database
    • Provides relevant historical context for similar events
    • Enables learning from past incidents
    • Improves detection and response over time

🚀 Quick Start

Prerequisites

  • Docker and Docker Compose
  • Python 3.9+
  • Node.js 16+

Setup

  1. Clone the repository:

```bash
git clone https://github.com/yourusername/neural-fortress-live.git
cd neural-fortress-live
```

  2. Configure environment variables:

```bash
cp .env.example .env
# Edit .env with your configuration settings (LLM API keys, database and JWT secrets)
```

  3. Start the application using Docker Compose:

```bash
docker-compose up -d
```

  4. Access the dashboard at http://localhost:3000 (the React development server port; the Nginx frontend container described under Docker Configuration listens on port 80, so check the port mapping in docker-compose.yml).

Implementation Steps

  1. Backend Setup:

    # Install backend dependencies
    pip install -r requirements.txt
    
    # Start backend services individually (development mode).
    # --host 0.0.0.0 listens on every interface; use --host 127.0.0.1 when
    # developing on a shared network and only the local browser needs the API.
    cd backend
    uvicorn main:app --reload --host 0.0.0.0 --port 8000
  2. Frontend Setup:

    # Install frontend dependencies
    cd frontend
    npm install
    
    # Start frontend development server
    npm start
  3. Infrastructure Setup:

    # Start supporting services only
    docker-compose up -d kafka zookeeper redis postgres
  4. Running Tests:

    # Backend tests
    cd backend
    pytest
    
    # Frontend tests
    cd frontend
    npm test

Demo Users

| Username | Password | Role | Description |
|---|---|---|---|
| admin | fortress-admin | Admin | Full system access |
| analyst | fortress-analyst | Analyst | View and analyze alerts |
| redteam | fortress-red | RedTeam | Simulate attacks |
| blueteam | fortress-blue | BlueTeam | Respond to incidents |

These accounts and passwords are published here, so they are only for a local demo: change or remove them before exposing the API or dashboard beyond localhost.

📡 Example Flow

  1. RedTeam attack injection → Kafka topic
  2. WatcherAgent ingests, normalizes, enriches (geoIP, whois)
  3. BlueTeamAgent detects pattern → queries RAG for context
  4. AnalystAgent explains via LLM → streams reasoning tokens
  5. DefenseAgent triggers sandboxed mitigation (dry-run)
  6. Dashboard updates live: alerts, logs, 3D network visualization

Data Flow Implementation

The system implements a real-time data flow pipeline:

  1. Attack Generation:

    • RedTeamAgent generates attack events in JSON format
    • Events are published to Kafka topic logs
    • Example attack event:

```json
{
  "timestamp": "2023-07-15T14:22:33Z",
  "source_ip": "192.168.1.100",
  "target_ip": "10.0.0.5",
  "protocol": "TCP",
  "port": 22,
  "action": "CONNECT",
  "status": "FAILED",
  "user": "admin",
  "attempts": 5
}
```
  2. Anomaly Detection:

    • WatcherAgent consumes events from Kafka
    • ML pipeline extracts features and detects anomalies
    • Anomalies are enriched with additional context
    • Alerts are published to Kafka topic alerts
  3. Threat Analysis:

    • BlueTeamAgent consumes alerts from Kafka
    • MITRE RAG system provides attack technique context
    • Threat score is calculated based on multiple factors
    • High-confidence threats are escalated
  4. Response Generation:

    • AnalystAgent generates natural language explanations
    • DefenseAgent recommends mitigation actions
    • Actions are validated through guardrails
    • Results are sent to frontend via WebSockets
  5. Frontend Visualization:

    • Dashboard receives real-time updates via Socket.IO
    • Network map visualizes affected systems
    • Alert feed displays latest threats
    • Detailed view shows full analysis and recommendations
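As an added example (not the project's WatcherAgent), the `logs` → `alerts` hop of the pipeline above, run over constructed events in the JSON shape shown in step 1 with a plain list standing in for Kafka. The sliding window, threshold, alert fields and the ATT&CK mapping (T1110, Brute Force) are assumptions made for this example:

```python
"""Added example (not the project's code): a WatcherAgent-style brute-force
detector for the `logs` -> `alerts` hop, run over constructed events in the
JSON shape the README shows (Kafka replaced by a plain list). It keeps a
sliding window of FAILED connection events per (source_ip, target_ip, port)
and emits one alert, shaped for the `alerts` topic, when the failed-attempt
count in the window crosses a threshold. The window, threshold, alert fields
and the ATT&CK mapping (T1110, Brute Force) are this example's assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 10  # failed attempts per (src, dst, port) inside WINDOW


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class BruteForceWatcher:
    def __init__(self, window: timedelta = WINDOW, threshold: int = THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._failed = defaultdict(deque)  # key -> deque of (ts, attempts, user)
        self._alerted = set()               # keys already escalated (no alert storms)

    def observe(self, event: dict):
        """Consume one event from the `logs` feed; return an alert dict or None."""
        if event.get("action") != "CONNECT" or event.get("status") != "FAILED":
            return None
        key = (event["source_ip"], event["target_ip"], event["port"])
        ts = parse_ts(event["timestamp"])
        window = self._failed[key]
        window.append((ts, int(event.get("attempts", 1)), event.get("user")))
        # Events arrive in time order on a single partition; drop what fell out of the window.
        while window and ts - window[0][0] > self.window:
            window.popleft()
        total = sum(n for _, n, _ in window)
        if total < self.threshold or key in self._alerted:
            return None
        self._alerted.add(key)
        return {
            "alert_type": "brute_force",
            "timestamp": event["timestamp"],
            "iocs": {
                "source_ip": key[0],
                "target_ip": key[1],
                "port": key[2],
                "users": sorted({u for _, _, u in window if u}),
            },
            "failed_attempts": total,
            "window_seconds": int(self.window.total_seconds()),
            # Confidence grows with the excess over the threshold and saturates at 1.0.
            "confidence": round(min(1.0, total / (2 * self.threshold)), 2),
            "mitre_technique": "T1110",  # Brute Force
        }


def run(events):
    """Replay a list of events through one watcher and collect the alerts."""
    watcher = BruteForceWatcher()
    return [alert for e in events if (alert := watcher.observe(e)) is not None]


# Constructed sample feed: one noisy source, one legitimate login, all on SSH.
def make_event(ts, src, status, user, attempts, dst="10.0.0.5"):
    return {"timestamp": ts, "source_ip": src, "target_ip": dst, "protocol": "TCP",
            "port": 22, "action": "CONNECT", "status": status, "user": user, "attempts": attempts}


SAMPLE_EVENTS = [
    make_event("2023-07-15T14:22:33Z", "192.168.1.100", "FAILED", "admin", 5),
    make_event("2023-07-15T14:22:40Z", "192.168.1.100", "FAILED", "root", 4),
    make_event("2023-07-15T14:23:05Z", "10.0.0.20", "SUCCESS", "alice", 1),
    make_event("2023-07-15T14:23:10Z", "192.168.1.100", "FAILED", "admin", 3),
    make_event("2023-07-15T14:23:30Z", "192.168.1.100", "FAILED", "admin", 2),  # after alert: suppressed
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The watcher emits a single alert per (source, target, port) once the threshold is crossed rather than one per subsequent event, which is what keeps the BlueTeamAgent and the dashboard from being flooded by the very attack they are meant to surface; the IOCs and the technique ID in the alert are what the RAG lookup and the AnalystAgent report would be keyed on.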

🔒 Security Guardrails

  • Prompt injection & PII filter in guardrails.py
  • DefenseAgent limited to predefined safe actions
  • All LLM outputs validated by JSON schema
  • Token-based session isolation for agents
  • Audit log for every SOAR and LLM event
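As an added example (not the project's guardrails.py), the first three bullets above as stand-alone functions: PII redaction and prompt-injection flagging on the input side, an action allowlist with argument validation and dry-run by default on the action side, and a fixed schema for the LLM report on the output side. The regexes, injection markers, allowlist, argument rules and report schema are this example's assumptions:

```python
"""Added example (not the project's guardrails.py): the three checks the
Security Guardrails bullets name, written as stand-alone functions so their
order and failure modes are visible. The PII patterns, injection markers,
action allowlist, argument rules and report schema are this example's
assumptions."""
import ipaddress
import re

# --- 1. Input side: redact PII and flag prompt-injection text before it reaches an LLM ---
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # crude PAN shape, enough for the demo
}
INJECTION_MARKERS = re.compile(
    r"ignore (all )?(previous|prior|above) instructions|you are now|system prompt|"
    r"disregard (the|your) (rules|guardrails)|</?(system|assistant)>",
    re.IGNORECASE,
)


def sanitize_for_prompt(text: str) -> dict:
    """Return the text that may be placed in a prompt, plus what was found.
    Log lines are untrusted input: an attacker controls e.g. the username field."""
    redacted, found = text, []
    for label, pattern in PII_PATTERNS.items():
        redacted, n = pattern.subn(f"[{label} REDACTED]", redacted)
        if n:
            found.append(label)
    return {"text": redacted, "pii_found": found,
            "injection_suspected": bool(INJECTION_MARKERS.search(redacted))}


# --- 2. Action side: allowlist, argument validation, dry-run by default ---
ALLOWED_ACTIONS = {"block_ip": {"ip"}, "disable_user": {"username"}, "isolate_host": {"hostname"}}
REQUIRES_APPROVAL = {"isolate_host"}  # disruptive: stays a dry-run until a human approves
HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9-]+)*$", re.IGNORECASE)
USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def validate_action(action: dict, approved: bool = False) -> dict:
    """Accept only allowlisted actions with well-formed arguments: LLM text never
    becomes a shell argument, and disruptive actions cannot leave dry-run without approval."""
    name = action.get("name")
    if name not in ALLOWED_ACTIONS:
        raise ValueError(f"action {name!r} not in allowlist")
    params = action.get("params", {})
    if set(params) != ALLOWED_ACTIONS[name]:
        raise ValueError(f"{name} expects exactly {sorted(ALLOWED_ACTIONS[name])}")
    if name == "block_ip":
        ip = ipaddress.ip_address(params["ip"])  # raises ValueError on anything that is not an IP
        if ip.is_loopback or ip.is_unspecified:
            raise ValueError("refusing to block loopback/unspecified address")
    elif name == "disable_user" and not USERNAME.match(params["username"]):
        raise ValueError("invalid username")
    elif name == "isolate_host" and not HOSTNAME.match(params["hostname"]):
        raise ValueError("invalid hostname")
    dry_run = bool(action.get("dry_run", True))
    if name in REQUIRES_APPROVAL and not approved:
        dry_run = True
    return {"name": name, "params": dict(params), "dry_run": dry_run}


# --- 3. Output side: the LLM report must match a fixed schema ---
REPORT_SCHEMA = {"summary": str, "technique_id": str, "confidence": float, "recommended_actions": list}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique / sub-technique ID shape


def validate_report(report: dict) -> dict:
    missing, extra = set(REPORT_SCHEMA) - set(report), set(report) - set(REPORT_SCHEMA)
    if missing or extra:
        raise ValueError(f"schema mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for key, typ in REPORT_SCHEMA.items():
        if not isinstance(report[key], typ):
            raise ValueError(f"{key} must be {typ.__name__}")
    if not TECHNIQUE_ID.match(report["technique_id"]):
        raise ValueError("technique_id is not an ATT&CK ID")
    if not 0.0 <= report["confidence"] <= 1.0:
        raise ValueError("confidence out of range")
    # Recommended actions pass through the same allowlist as anything the DefenseAgent would run.
    return {**report, "recommended_actions": [validate_action(a) for a in report["recommended_actions"]]}
```

The ordering matters: redaction runs on the log text before it is embedded in any prompt, the allowlist is applied to actions whether they came from a human, the AnalystAgent or the model's own report, and the report schema is checked structurally first (keys, types, ranges) so that a fluent but malformed answer is rejected rather than partially acted on. Injection detection by marker list is a coarse filter and should be treated as a signal to quarantine the alert for review, not as a proof of safety when it stays silent.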

Guardrails Implementation

The system implements several security measures to ensure safe operation:

  1. Input Sanitization:

    • All user inputs and log data are sanitized before processing
    • PII detection and redaction using regex patterns
    • Prompt injection prevention for LLM interactions
  2. Action Validation:

    • Defense actions are validated against an allowlist
    • Actions are executed in a sandboxed environment
    • Potentially harmful actions require explicit approval
  3. Output Validation:

    • LLM outputs are validated against predefined schemas
    • Structured outputs ensure consistent and safe responses
    • Confidence scores help identify uncertain recommendations
  4. Audit Logging:

    • All system actions are logged for accountability
    • Logs include timestamps, actors, actions, and outcomes
    • Audit logs are immutable and tamper-evident
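As an added example (not the project's code), the construction a claim of "immutable and tamper-evident" audit logs has to be backed by: a hash chain in which every entry commits to the previous entry's digest. The record fields and the JSON-lines storage are assumptions made for this example:

```python
"""Added example (not the project's code): a hash-chained audit log. Every
entry commits to the SHA-256 of the previous entry, so editing, deleting or
reordering any record breaks verification from that record onward. The
record fields and the JSON-lines storage are assumptions made for this
example."""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64


def digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries: List[dict] = []  # each: {"record": {...}, "prev": hash, "hash": hash}

    def append(self, actor: str, action: str, outcome: str, **fields) -> str:
        """Record who did what with which result; returns the new chain head."""
        record = {"seq": len(self.entries), "actor": actor, "action": action,
                  "outcome": outcome, **fields}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev": prev, "hash": digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first bad entry or None).
        Passing the head hash that was published to a separate, write-once location
        also catches truncation: dropping the newest entries leaves a valid but shorter chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["prev"] != prev or e["record"].get("seq") != i
                    or digest(prev, e["record"]) != e["hash"]):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def dump(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def load(cls, text: str) -> "AuditLog":
        log = cls()
        log.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        return log
```

The chain only detects tampering by someone who cannot also rewrite every later hash; a writer with full access to the log file can recompute the whole chain. Tamper evidence therefore depends on regularly publishing the head hash (or the entries themselves) to a store the DefenseAgent and the API process cannot modify, and on `verify` being given that published head, which is the only way a truncated log is caught.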

📊 Evaluation

The system includes an evaluation pipeline that:

  • Replays sample RedTeam scenarios → computes detection precision/recall
  • Graphs Mean Time To Detect (MTTD) & Mean Time To Respond (MTTR)
  • Evaluates LLM explanation confidence vs correctness
  • Generates confusion matrix + trend charts

Evaluation Implementation

The evaluation system is implemented in backend/evals/ and notebooks/evals.ipynb:

  1. Performance Metrics:

    • Detection accuracy (precision, recall, F1-score)
    • Response times (MTTD, MTTR)
    • LLM quality metrics (relevance, accuracy, completeness)
  2. Replay Dataset:

    • Pre-defined attack scenarios for consistent testing
    • Includes various attack types (brute force, SQL injection, etc.)
    • Configurable parameters for scenario customization
  3. Visualization:

    • Confusion matrices for detection performance
    • Time-series plots for response times
    • Distribution charts for LLM quality metrics
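As an added example (not the project's evals code), the replay scoring described above computed from constructed inputs: ground truth is the list of injected RedTeam scenarios with their start times, and alerts and DefenseAgent responses are tagged with the scenario they were matched to (`None` for an alert that matched nothing). The matching rule and tolerance are this example's assumptions:

```python
"""Added example (not the project's evals code): replay scoring. An alert
counts as a true positive only if it names a real scenario and arrives within
a tolerance of that scenario's start; repeat alerts for an attack already
detected are neither TP nor FP; attacks with no alert are false negatives.
True negatives are not defined for an alert stream, so the "confusion
matrix" has three cells. MTTD is measured from attack start to first alert,
MTTR from first alert to the DefenseAgent response. Inputs are constructed."""
from datetime import datetime, timezone
from statistics import mean


def to_dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(ground_truth, alerts, responses, tolerance_s=300):
    starts = {g["scenario"]: to_dt(g["start"]) for g in ground_truth}
    first_alert = {}  # scenario -> datetime of the first valid alert
    tp = fp = 0
    for a in alerts:
        start = starts.get(a["scenario"])
        ts = to_dt(a["ts"])
        if start is None or not (0 <= (ts - start).total_seconds() <= tolerance_s):
            fp += 1  # unknown scenario, or too early/late to be this attack
            continue
        if a["scenario"] not in first_alert:
            first_alert[a["scenario"]] = ts
            tp += 1
    fn = len(ground_truth) - tp
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    detect_delays = [(first_alert[s] - starts[s]).total_seconds() for s in first_alert]
    respond_delays = [
        (to_dt(r["ts"]) - first_alert[r["scenario"]]).total_seconds()
        for r in responses if r["scenario"] in first_alert
    ]
    return {
        "confusion": {"tp": tp, "fp": fp, "fn": fn},
        "precision": precision, "recall": recall, "f1": f1,
        "mttd_s": mean(detect_delays) if detect_delays else None,
        "mttr_s": mean(respond_delays) if respond_delays else None,
        "missed": sorted(set(starts) - set(first_alert)),
    }


# Constructed replay: three injected scenarios, one missed, one spurious alert.
GROUND_TRUTH = [
    {"scenario": "bruteforce-ssh", "start": "2023-07-15T14:22:00Z"},
    {"scenario": "sqli-login", "start": "2023-07-15T14:30:00Z"},
    {"scenario": "portscan", "start": "2023-07-15T14:40:00Z"},
]
ALERTS = [
    {"scenario": "bruteforce-ssh", "ts": "2023-07-15T14:23:10Z"},
    {"scenario": "bruteforce-ssh", "ts": "2023-07-15T14:24:00Z"},  # repeat, not double-counted
    {"scenario": "sqli-login", "ts": "2023-07-15T14:31:30Z"},
    {"scenario": None, "ts": "2023-07-15T14:35:00Z"},              # false positive
]
RESPONSES = [
    {"scenario": "bruteforce-ssh", "ts": "2023-07-15T14:23:40Z"},
    {"scenario": "sqli-login", "ts": "2023-07-15T14:32:30Z"},
]

if __name__ == "__main__":
    print(evaluate(GROUND_TRUTH, ALERTS, RESPONSES))
```

The tolerance is part of the metric definition, not a tuning knob to be left implicit: with a tighter tolerance the same alert stream scores worse because late detections are reclassified as false positives and the attack as missed, so the replay report should always state the window it used.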

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ› οΈ Detailed Implementation Guide

Docker Configuration

The project uses Docker Compose for containerization:

  1. Backend Container:

    • Base image: Python 3.9
    • Exposes port 8000 for API access
    • Mounts code and data volumes
    • Runs FastAPI with Uvicorn server
  2. Frontend Container:

    • Multi-stage build with Node.js and Nginx
    • Builds React app and serves static files
    • Exposes port 80 for web access
    • Configured for SPA routing
  3. Supporting Services:

    • Kafka and Zookeeper for message streaming
    • Redis for caching and pub/sub
    • PostgreSQL for persistent storage

Code Structure Best Practices

The codebase follows these best practices:

  1. Modular Architecture:

    • Clear separation of concerns
    • Dependency injection for testability
    • Interface-based design for flexibility
  2. Asynchronous Processing:

    • FastAPI async endpoints
    • Kafka consumers with aiokafka
    • WebSocket handlers for real-time updates
  3. Error Handling:

    • Comprehensive exception handling
    • Graceful degradation
    • Detailed error logging
  4. Testing Strategy:

    • Unit tests for core functionality
    • Integration tests for component interactions
    • End-to-end tests for critical flows

Deployment Considerations

For production deployment, consider:

  1. Scaling:

    • Horizontal scaling of backend services
    • Kafka partitioning for load distribution
    • Redis clustering for high availability
  2. Security:

    • HTTPS with proper certificates
    • API rate limiting
    • Regular security audits
  3. Monitoring:

    • Prometheus metrics
    • Grafana dashboards
    • Log aggregation with ELK stack
