Learn how to build a real-time Network Intrusion Detection System (NIDS) with Python. This step-by-step guide covers key concepts, practical examples, and complete Python code to secure networks effectively.
Cybersecurity threats are growing rapidly in scale and sophistication, making it critical for organizations and individuals to secure their networks. One of the most effective ways to monitor suspicious activities is by using a Network Intrusion Detection System (NIDS). In this detailed guide, we will learn how to build a real-time NIDS with Python, exploring both fundamental concepts and practical implementations.
Table of contents [Show]
A Network Intrusion Detection System (NIDS) is a security tool that monitors network traffic for suspicious activity and alerts administrators when potential threats are detected. Unlike firewalls, which primarily block traffic, a NIDS focuses on identifying and analyzing malicious activities within the network.
Python is widely used in cybersecurity because of its simplicity and vast ecosystem of libraries. For building a NIDS, Python offers several advantages:
scapy for packet sniffing and manipulation.scikit-learn for anomaly detection.scapy, pandas, scikit-learn# Install dependencies
pip install scapy pandas scikit-learn
We will use scapy to capture packets in real-time.
from scapy.all import sniff
def capture_packets(packet):
print(packet.summary())
# Capture 10 packets
sniff(prn=capture_packets, count=10)
This snippet captures packets and prints a brief summary. In a real NIDS, you would store and analyze them further.
To make packet data useful, we need to extract details like IP addresses, protocols, and payloads.
from scapy.all import IP, TCP, UDP
def parse_packet(packet):
if packet.haslayer(IP):
ip_src = packet[IP].src
ip_dst = packet[IP].dst
protocol = packet[IP].proto
print(f"Source: {ip_src}, Destination: {ip_dst}, Protocol: {protocol}")
sniff(prn=parse_packet, count=10)
A basic rule-based system detects known attack patterns, such as excessive connection attempts or suspicious ports.
suspicious_ports = [22, 23, 3389] # SSH, Telnet, RDP
def detect_rules(packet):
if packet.haslayer(TCP):
dport = packet[TCP].dport
if dport in suspicious_ports:
print(f"[ALERT] Suspicious connection attempt on port {dport}")
sniff(prn=detect_rules, store=0)
Machine learning can detect previously unknown attacks by identifying anomalies in traffic patterns.
from sklearn.ensemble import RandomForestClassifier
import pandas as pd
# Example dataset
data = pd.DataFrame({
'packet_size': [100, 200, 500, 50],
'duration': [1, 2, 10, 1],
'malicious': [0, 0, 1, 0]
})
X = data[['packet_size', 'duration']]
y = data['malicious']
# Train model
model = RandomForestClassifier()
model.fit(X, y)
# Predict on new packet
new_packet = [[300, 5]]
print(model.predict(new_packet))
We now combine packet capturing, parsing, and detection into a real-time system.
from scapy.all import sniff, IP, TCP
def real_time_detection(packet):
if packet.haslayer(IP):
src = packet[IP].src
dst = packet[IP].dst
if packet.haslayer(TCP):
dport = packet[TCP].dport
if dport in [22, 23, 3389]:
print(f"[ALERT] Potential intrusion: {src} -> {dst} on port {dport}")
# Run indefinitely
sniff(prn=real_time_detection, store=0)
Here is a simplified end-to-end implementation of a Python-based NIDS that includes packet sniffing, rule-based detection, and alert generation.
from scapy.all import sniff, IP, TCP
# Define suspicious ports
SUSPICIOUS_PORTS = [22, 23, 3389]
def process_packet(packet):
if packet.haslayer(IP):
src_ip = packet[IP].src
dst_ip = packet[IP].dst
if packet.haslayer(TCP):
dport = packet[TCP].dport
if dport in SUSPICIOUS_PORTS:
print(f"[ALERT] Suspicious connection detected!")
print(f"Source IP: {src_ip}, Destination IP: {dst_ip}, Port: {dport}")
print("Starting NIDS... Press Ctrl+C to stop.")
sniff(prn=process_packet, store=0)
This code listens for packets indefinitely and prints an alert when suspicious activity is detected.
Building a real-time NIDS with Python provides valuable hands-on experience in network security. By leveraging Python libraries, rule-based logic, and machine learning, you can create a powerful tool to detect and respond to suspicious network activity. While this tutorial presented a simplified version, the core ideas can be expanded into enterprise-grade systems integrated with logging, dashboards, and automated responses.
Learn how garbage collection works in Python. You’ll learn the core ideas (reference counting and generational GC), explore the gc module, diagnose cyclic references, use weakref safely, and adopt practical patterns to keep memory usage healthy in real-world apps.
Learn Web Scraping with Python in 2025 with this complete step-by-step tutorial. Includes practical examples, code snippets, tools, and best practices for safe and efficient scraping.
Use Python and machine learning to forecast sales trends. Learn practical applications for retail, e-commerce, and business growth.
