Skip to content

pipolimoa/QSentry

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
dashboard
dashboard
 
 
data
data
 
 
lab
lab
 
 
models
models
 
 
n8n
n8n
 
 
notebooks
notebooks
 
 
results
results
 
 
scripts
scripts
 
 
src
src
 
 
tools
tools
 
 
video_assets
video_assets
 
 
.gitignore
.gitignore
 
 
CITATION.cff
CITATION.cff
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

QSentry — Quantum-Confidence Gated Intrusion Detection System

Senior Project · Lusail University · College of Information Technology · 2026 Supervisor: Dr. Mouna Rabhi

A live, three-stage hybrid IDS that combines Suricata (signatures), LightGBM (classical ML), and a 4-qubit Quantum Support Vector Machine (QSVM). The novelty: the quantum classifier fires only when the classical model is uncertain — a confidence gate that keeps the quantum cost where it pays off and lets the classical pipeline handle the easy cases.

Network ─▶ Suricata (48,581 rules) ─▶ FastAPI hybrid core ─▶ n8n ─▶ Slack + dashboard
                                               │
                                       LightGBM (classical)
                                               │
                                  conf ≥ 0.75 ─┴─ conf < 0.75
                                                       │
                                                  QSVM gate
                                       (ZZ-feature-map · 4 qubits)

Highlight numbers

Setting Metric Value
CIC-IDS-2017 (in-distribution) LightGBM accuracy 99.89 %
CIC-IDS-2017 false-negative recovery Quantum gate 16 / 20 (80 %)
Docker lab 2025 (environment shift) Per-event recall, T = 0.5 20 % (1 / 5 attacks)
MAWI WAN 2020 (held-out, calibrated) Per-event recall, T = 0.1 66.7 % (8 / 12 events)
End-to-end alert latency Detection → Slack < 1 second

The 99.89 % / 80 % numbers are the core result on CIC-IDS-2017 (full report). The Docker / MAWI numbers are an external-validity check — honest out-of-distribution behaviour with IsotonicRegression calibration on a strictly held-out split.

Quick start

Prerequisites

  • Kali Linux (or Ubuntu 22.04+)
  • Python 3.13
  • Docker (for the lab containers)
  • Suricata 8.0.3
  • 8 GB RAM, 4 CPU cores, 20 GB disk

Install

git clone https://github.com/pipolimoa/QSentry.git
cd QSentry
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
sudo apt install suricata && sudo suricata-update

Bring everything up (six terminals)

# 1. Lab containers (attacker + victim)
cd lab && ./lab.sh up && ./lab.sh status

# 2. Hybrid prediction API
source venv/bin/activate
python -m uvicorn src.api.ids_api:app --host 127.0.0.1 --port 8000

# 3. n8n (alert orchestration)
n8n start

# 4. Dashboard servers (HTTP UI :8080 · WebSocket :9000 · n8n push receiver :9001)
source venv/bin/activate
python -u scripts/realtime_monitor.py --servers-only

# 5. Live sensor (Java CICFlowMeter on br-idslab)
cd lab && ./start_sensor.sh

# 6. CSV-to-n8n bridge (tail-from-end mode)
source venv/bin/activate
python -u lab/bridge/cicflow_bridge.py

Open http://127.0.0.1:8080 — the dashboard should show Connected in green.

Run the demo attack

docker exec ids-attacker nmap -sS -p 79,53,37,23,21 ids-victim

Within ~15 seconds: 4 ATTACK alerts on the dashboard (ports 23, 53, 79, 37), 1 BENIGN (port 21 — open FTP). All four attack flows fire the quantum gate ([Q✓]).

API

GET  /health                  → {"status":"ok","models":["lightgbm","qsvm"]}
POST /predict                 → classical-only
POST /predict/hybrid          → classical + quantum gate
POST /predict/batch           → batch classical

Hybrid response:

{
  "final_prediction": 1,
  "label": "ATTACK",
  "classical":       { "prediction": 0, "confidence": 0.7342 },
  "quantum":         { "used": true, "prediction": 1 },
  "quantum_recovery": true,
  "disagreement_flag": true,
  "alert_level": "HIGH"
}

Repository layout

ids_project/
├── src/
│   ├── api/                  # FastAPI hybrid prediction server
│   ├── data/                 # PCAP & CSV preprocessing
│   ├── models/               # LightGBM / XGBoost training
│   ├── quantum/              # QSVM, kernel computation, recovery analysis
│   └── eval/                 # External-validity evaluation (Docker, MAWI, calibration)
├── scripts/
│   ├── realtime_monitor.py   # Live capture + dashboard servers
│   ├── attack-scenarios.sh   # Lab attack simulation
│   └── ids-monitoring.sh     # Suricata helper
├── lab/
│   ├── lab.sh                # Bring up Docker attacker + victim
│   ├── start_sensor.sh       # Java CICFlowMeter on bridge interface
│   └── bridge/cicflow_bridge.py
├── tools/
│   ├── start_qcg_ids.py      # All-in-one launcher
│   └── suricata_to_n8n.py    # EVE JSON → n8n webhook bridge
├── dashboard/                # Static HTML + WebSocket client
├── n8n/                      # Workflow exports (Flow Ingest, Suricata)
├── models/                   # Trained models (.pkl, .npy) — gitignored
├── data/                     # Datasets — gitignored
└── requirements.txt

The 20 features

Selected from CIC-IDS-2017's 79 raw flow features via variance threshold → correlation pruning (> 0.95) → mutual information ranking. For the quantum stage they're further reduced to 4 components via PCA to match the 4-qubit circuit.

# Feature Category
1 Bwd Packet Length Max Packet size
2 Destination Port Connection
3 Flow IAT Std Timing
4 Flow IAT Mean Timing
5 Flow Packets/s Rate
6 Total Fwd Packets Volume
7 Total Length of Fwd Packets Volume
8 Init_Win_bytes_backward TCP window
9 Fwd Header Length Header
10 PSH Flag Count TCP flags
11 Init_Win_bytes_forward TCP window
12 Fwd Packet Length Max Packet size
13 Bwd Packets/s Rate
14 Fwd Packet Length Mean Packet size
15 Bwd Header Length Header
16 Fwd IAT Min Timing
17 Bwd Packet Length Min Packet size
18 Flow Bytes/s Rate
19 act_data_pkt_fwd Volume
20 Min Packet Length Packet size

QSVM details

  • ZZFeatureMap, 4 qubits, 2 repetitions, linear entanglement
  • Kernel: K(xᵢ,xⱼ) = |⟨Φ(xᵢ)|Φ(xⱼ)⟩|² (state fidelity)
  • Trained on 2 000 balanced samples (NISQ + quadratic-cost limit)
  • Kernel computation: ~4.2 hours on Intel i7-13700K, then cached as .npy
  • Runtime: noise-free Qiskit StatevectorSampler simulator

External validation (added post-submission)

Beyond CIC-IDS-2017 we ran two extra evaluations to gauge real-world transfer:

  • Docker lab 2025 — built a containerised attacker/victim pair, fired five attack scenarios (PortScan, SSH-brute, FTP-brute, Slowloris, SQLi). Per-event recall 20 % at default threshold — only the portscan fires reliably; the rest sit below 0.5 due to 2017 → 2025 OS-fingerprint drift on Init_Win_bytes_forward.
  • MAWI WAN 2020 — 5,362 flows from a real backbone trace, with MAWILab third-party anomaly labels. After IsotonicRegression calibration on 8 events and pre-specified T = 0.1 on the held-out 12 events: 66.7 % per-event recall. AUC-ROC = 0.552 — the honest ceiling of this distribution. Youden's J on the calibration split independently selects T = 0.125, yielding the same 66.7 % — defends against cherry-picking objections.

These numbers are deliberately shown alongside the headline 99.89 % / 80 %. They are the cost of distribution shift, and they scope future work.

Team

Name Student ID
Abderrahmane Moharrar 202200768
Malek Anas Al Kilani 202200311
Mohammed Al-Yazidi 202201028
Sultan Al-Thani 202100304

License

Academic project — Lusail University, College of Information Technology. Not licensed for commercial use.

About

Quantum-Confidence Gated IDS — Suricata + LightGBM + 4-qubit QSVM. Senior project, Lusail University 2026.

Topics

cybersecurity suricata ids lightgbm network-security intrusion-detection-system quantum-machine-learning qiskit qsvm hybrid-ml

Resources

Readme

License

View license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages