π Cloud Run Hackathon 2025 - Intelligent security monitoring powered by Google Gemini 2.0 Flash
Transform raw security logs into actionable intelligence with the power of generative AI
SecuAI revolutionizes security monitoring by combining traditional rule-based detection with Google Gemini 2.0 Flash AI to transform raw security logs into intelligent, actionable insights.
AI-powered security monitoring architecture deployed on Google Cloud Run
Traditional security tools tell you "something happened". SecuAI's AI tells you:
- β What the attack is trying to achieve
- β Why it's dangerous (risk scoring)
- β How to respond (step-by-step recommendations)
- β Which techniques are being used (MITRE ATT&CK patterns)
SecuAI is an AI-powered security monitoring system that combines traditional rule-based detection with cutting-edge generative AI to provide intelligent threat analysis and actionable insights. Designed for hackathons and rapid prototyping, it delivers:
- π€ AI-Powered Threat Analysis using Google Gemini 2.0 Flash for intelligent threat assessment
- Real-time log analysis with rule-based threat detection
- Smart threat insights with severity scoring, attack patterns, and remediation recommendations
- Web dashboard for monitoring and management
- API endpoints for integration and automation
- Simulated blocking with safety controls
- Honeypot integration for threat intelligence
- Docker support for easy deployment
- Cloud Run ready for scalable deployment
# Install system dependencies
sudo apt update
sudo apt install -y python3 python3-pip python3-venv git
# Optional: Docker for containerized deployment
sudo apt install -y docker.io docker-compose
sudo usermod -aG docker $USER # Re-login after thisgit clone <your-repo-url>
cd SecuAI
# Create virtual environment
python3 -m venv venv
source venv/bin/activate
# Install Python dependencies
pip install -r requirements.txt# Create and seed database with sample data
python init_db.pyπ¨ IMPORTANT: Default admin credentials are:
- Email:
[email protected] - Password:
ChangeMe123! β οΈ CHANGE THESE IMMEDIATELY IN PRODUCTION!
# Development mode
python app.py
# The application will be available at:
# π Dashboard: http://localhost:5000
# π§ Admin Panel: http://localhost:5000/adminOption A: Quick Demo (No setup required)
# Generate sample alerts to see AI analysis in action
python generate_fresh_alerts.py
# Then open the dashboard and see AI-powered threat analysis!
# http://localhost:5000Option B: Simulate Real Attacks
# Start the Flask app in one terminal
python app.py
# In another terminal, run the threat simulator
python threat_simulator.py
# The simulator will generate realistic attack traffic
# Watch the dashboard populate with AI-analyzed threats in real-time!# Run all tests with pytest
pytest tests/ -v
# Run specific test modules
pytest tests/test_analyzer.py -v # Analysis engine tests
pytest tests/test_web.py -v # Web application tests
pytest tests/test_blocker.py -v # Blocking system tests# Build and run with Docker Compose
docker-compose up --build
# Access the application at http://localhost:5000# Build production image
docker build -t secuai:latest .
# Run container
docker run -d \
--name secuai \
-p 5000:5000 \
-v $(pwd)/data:/app/data \
-e SECRET_KEY="your-production-secret-key" \
-e ADMIN_PASSWORD="your-secure-password" \
secuai:latestSecuAI leverages Google Gemini 2.0 Flash to transform raw security alerts into actionable intelligence:
- Intelligent Threat Analysis: AI examines each alert to identify attack patterns, techniques, and intent
- Severity Assessment: Automatic risk scoring (Critical/High/Medium/Low) based on threat context
- Attack Pattern Recognition: Identifies specific attack types (SQL injection, XSS, brute force, etc.)
- Remediation Recommendations: AI-generated step-by-step response actions
- Rate Limiting & Caching: Efficient API usage with intelligent request throttling
- Fallback Protection: Graceful degradation if AI service is unavailable
AI Analysis Example:
IP: 203.0.113.45
Attack Type: SQL Injection + Directory Traversal
Severity: CRITICAL
Risk Score: 95/100
Analysis: Automated attack tool attempting database compromise
through SQL injection combined with file system access attempts.
Recommended Actions:
1. Block IP immediately at firewall level
2. Review application logs for successful breaches
3. Update WAF rules to prevent similar attacks
4. Audit database for unauthorized access
- Failed Login Detection: SSH, FTP, web application login failures
- Port Scan Detection: Nmap, SYN floods, reconnaissance activities
- Web Application Probing: Admin panel scanning, config file access
- Suricata Integration: EVE JSON format parsing
- SQL Injection Detection: Database attack pattern recognition
- Honeypot Integration: Threat intelligence from honeypot networks
- Simulated Blocking: Safe testing environment (default mode)
- IP Whitelisting: Protect trusted networks and IPs
- Admin Authentication: Secure admin panel access
- Audit Logging: Complete activity tracking
- Safety Controls: Multiple layers of protection against accidental blocks
- Real-time Dashboard: Live threat monitoring with 24-hour statistics
- AI Analysis Cards: Each alert shows AI-powered insights, severity, and recommendations
- Interactive Analytics: Confidence scoring and threat categorization
- Smart Loading: Staggered AI analysis with visual feedback
- File Upload: Drag-and-drop log analysis
- API Testing: Built-in API demonstration tools
- Responsive Design: Mobile-friendly Bootstrap interface with dark/light themes
Create a .env file from the template:
cp env.template .env
# Edit .env with your settingsKey configuration options:
# Security (CHANGE THESE!)
SECRET_KEY=your-secret-key-here
[email protected]
ADMIN_PASSWORD=YourSecurePassword123!
# AI Configuration (REQUIRED for AI features)
GEMINI_API_KEY=your-gemini-api-key-here # Get from https://aistudio.google.com/apikey
# Blocking behavior
SIMULATE_BLOCKS=true # Keep true for safety
REAL_BLOCKING_ENABLED=false # Enable only in controlled environments
CONFIDENCE_THRESHOLD=0.7 # Minimum confidence for alertsSecuAI uses SQLite by default for simplicity. For production, consider PostgreSQL:
# PostgreSQL example
DATABASE_URL=postgresql://user:password@localhost/secuai# Analyze log text
curl -X POST http://localhost:5000/api/analyze \
-H "Content-Type: application/json" \
-d '{"log_text": "Oct 15 10:30:15 server sshd[12345]: Failed password for root from 192.168.1.100 port 22 ssh2"}'
# Response
{
"status": "success",
"findings": [
{
"ip": "192.168.1.100",
"reason": "Multiple failed login attempts (4 attempts)",
"confidence": 0.8,
"ml_insights": {
"threat_level": "high",
"explanation": "Pattern consistent with automated attack tools"
}
}
],
"count": 1
}# Get AI-powered analysis for an alert
curl -X GET http://localhost:5000/api/ai-analysis/1
# Response
{
"success": true,
"analysis": {
"severity": "CRITICAL",
"risk_score": 95,
"attack_type": "SQL Injection + Directory Traversal",
"summary": "Automated attack tool attempting database compromise...",
"details": "The attacker is using SQL injection techniques combined with...",
"recommendations": [
"Block IP immediately at firewall level",
"Review application logs for successful breaches",
"Update WAF rules to prevent similar attacks"
],
"confidence": 0.92
}
}# Recommend blocking an IP
curl -X POST http://localhost:5000/api/block \
-H "Content-Type: application/json" \
-d '{"ip": "192.168.1.100", "action": "recommend"}'
# Approve and simulate block
curl -X POST http://localhost:5000/api/block \
-H "Content-Type: application/json" \
-d '{"ip": "192.168.1.100", "action": "approve"}'# Ingest threat intelligence
curl -X POST http://localhost:5000/api/honeypot \
-H "Content-Type: application/json" \
-d '{
"ips": [
{
"ip": "203.0.113.45",
"attacks": ["web_scanning", "sql_injection"],
"severity": "high"
}
]
}'# Comprehensive test suite
python run_tests.py
# Individual test modules
pytest tests/test_analyzer.py -v # Analysis engine tests
pytest tests/test_web.py -v # Web application tests
pytest tests/test_blocker.py -v # Blocking system testsSecuAI includes a threat simulator to generate realistic attack traffic for testing:
# Generate realistic attack traffic against local nginx server
python threat_simulator.py
# This will simulate:
# - SQL injection attempts
# - Directory traversal attacks
# - Admin panel scanning
# - Brute force attempts
# - Port scanning patterns
# Then check the dashboard to see AI-powered analysis of detected threats!Note: Make sure you have a local web server running (nginx, Apache, or Flask dev server) before running the simulator.
# Install coverage tools
pip install pytest-cov
# Run with coverage report
pytest --cov=. --cov-report=html
# Open coverage_html/index.html in browserTest the API endpoints:
# Load honeypot feed
curl -X POST http://localhost:5000/api/honeypot \
-H "Content-Type: application/json" \
-d @honeypot_feed.json
# Analyze text logs directly
curl -X POST http://localhost:5000/api/analyze \
-H "Content-Type: application/json" \
-d '{"log_text": "Failed password for root from 203.0.113.45 port 22"}'- Change Default Credentials: The default admin password
ChangeMe123!MUST be changed immediately - HTTPS in Production: Always use HTTPS in production environments
- Firewall Rules: Real blocking can permanently affect network access
- Database Security: Use strong database passwords and restrict access
- API Rate Limiting: Implement rate limiting for production APIs
Real IP blocking is DISABLED by default for safety. To enable:
- Test Environment Only: Never enable on production networks without testing
- Network Isolation: Use isolated test networks
- Backup Access: Ensure alternative access methods
- Whitelist Critical IPs: Add your management IPs to whitelist first
# Enable real blocking (DANGEROUS!)
export REAL_BLOCKING_ENABLED=true
export SIMULATE_BLOCKS=false
export ALLOW_PRIVATE_BLOCKING=true # Only for testing
# Run with elevated privileges (required for iptables)
sudo python app.pyFor Cloud Run and production deployments:
- Use Google Secret Manager for sensitive configuration
- Enable Cloud Armor for DDoS protection
- Use Cloud Firewall for real IP blocking instead of host-level rules
- Implement proper IAM and service accounts
The default frontend is production-ready and includes:
- Real-time dashboard updates
- Interactive threat analysis
- File upload interface
- API testing tools
The Flask application includes a modern shadcn-inspired UI with:
- Dark/Light Theme Toggle - Click the theme button in the top-right corner
- Modern Design System - Clean, responsive interface with CSS custom properties
- Interactive Components - Real-time updates and smooth animations
- Mobile Responsive - Works great on all devices
Theme Management:
- Automatic theme persistence via localStorage
- System theme detection
- Smooth transitions between themes
- Modify API calls to use the new endpoints
- Audit Logs: All security actions are logged
- System Status: Component health monitoring
- Performance Metrics: Request timing and error rates
Connect to external monitoring systems:
# Example: Send alerts to Slack
SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/..."
# Example: Export metrics to Prometheus
PROMETHEUS_ENABLED = True
PROMETHEUS_PORT = 8000This is a hackathon MVP project. For improvements:
- Fork the repository
- Create feature branch:
git checkout -b feature/amazing-feature - Commit changes:
git commit -m 'Add amazing feature' - Push to branch:
git push origin feature/amazing-feature - Open Pull Request
# Install development dependencies
pip install -r requirements-dev.txt
# Run in development mode with auto-reload
export FLASK_ENV=development
export DEBUG=True
python app.pyThis project is created for hackathon purposes. Please ensure compliance with all applicable laws and regulations when deploying security monitoring systems.
Database Issues
# Reset database
rm secuai.db
python init_db.pyPermission Errors
# Fix file permissions
chmod +x run_tests.py
chmod +x init_db.pyDocker Issues
# Clean rebuild
docker-compose down
docker-compose build --no-cache
docker-compose upPort Already in Use
# Find and kill process using port 5000
sudo lsof -ti:5000 | xargs kill -9
# Or use different port
export PORT=8080
python app.py- Check logs: Application logs are in
secuai.log - Run tests:
python run_tests.pyto verify setup - Check configuration: Verify
.envfile settings - Docker logs:
docker-compose logsfor container issues
SecuAI - AI-Powered Security Monitoring for Modern Threats
- AI Engine: Google Gemini 2.0 Flash for intelligent threat analysis
- Backend: Flask, SQLAlchemy, Python 3.11+
- Frontend: Bootstrap 5, jQuery, HTML5
- Database: SQLite (development), PostgreSQL (production)
- Deployment: Docker, Google Cloud Run
- Testing: pytest, coverage
- Security: Rule-based detection + AI-powered analysis
We chose Google's Gemini 2.0 Flash model for several key reasons:
- Speed: Flash model provides rapid analysis (<2s per alert) perfect for real-time security monitoring
- Intelligence: Advanced reasoning capabilities understand complex attack patterns and relationships
- Context Understanding: Excellent at analyzing security logs and generating actionable recommendations
- Cost Efficiency: Optimized pricing for high-volume security analysis
- API Stability: Enterprise-grade reliability with rate limiting and retry logic built-in
Our implementation includes:
- Smart Rate Limiting: 60 requests/minute with automatic throttling
- Intelligent Caching: 5-minute cache TTL to reduce API calls for similar threats
- Retry Logic: Exponential backoff for transient failures
- Graceful Degradation: Falls back to rule-based analysis if AI is unavailable
π Ready to hack? Start with python init_db.py and visit http://localhost:5000