Work in progress - this project is not finished and is not production-ready. The real-time inference loop, alert persistence, and Docker packaging are not yet implemented.
nanoNIDS is a passive network intrusion detection system for the Jetson Orin Nano. It combines Suricata signature-based detection with an Isolation Forest anomaly detector and correlates both sources based on network tuples and temporal proximity.
```mermaid
flowchart LR
    Traffic[/"Network Traffic"/]
    subgraph nanoNIDS["nanoNIDS (Jetson)"]
        Suricata["Suricata<br/>(Signatures)"]
        nfstream["nfstream<br/>(Features)"]
        IF["Isolation Forest<br/>(Anomalies)"]
        Corr["Correlation Engine"]
    end
    Traffic --> Suricata
    Traffic --> nfstream
    Suricata -->|"EVE JSON"| Corr
    nfstream -->|"CSV"| IF
    IF -->|"Scores"| Corr
    Corr --> Alerts[/"Alerts"/]
```
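The correlation step described above (matching Suricata alerts to anomalous flows by network tuple and temporal proximity), shown as an added example that is not nanoNIDS's own code. It assumes EVE alert fields as Suricata emits them and flow records keyed by nfstream's attribute names; the `score` field, the `window_ms` parameter and all sample records are constructed for illustration.

```python
import json
from datetime import datetime, timezone

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}  # EVE uses names, nfstream uses IANA numbers

def tuple_key(proto, ip_a, port_a, ip_b, port_b):
    """Direction-independent key: either side of a conversation yields the same tuple."""
    return (proto, *sorted([(ip_a, int(port_a)), (ip_b, int(port_b))]))

def eve_ms(ev):
    """Parse an EVE timestamp such as 2024-05-01T12:00:03.250000+0000 to epoch ms."""
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return round(ts.timestamp() * 1000)

def correlate(eve_lines, anomalies, window_ms=5000):
    """Return (signature, score) for alerts sharing a tuple with an anomalous flow
    and falling within window_ms of that flow's lifetime."""
    index = {}
    for fl in anomalies:
        key = tuple_key(int(fl["protocol"]), fl["src_ip"], fl["src_port"],
                        fl["dst_ip"], fl["dst_port"])
        index.setdefault(key, []).append(fl)
    hits = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # EVE also carries flow, dns, stats and other records
        key = tuple_key(PROTO_NUM.get(ev["proto"].upper(), -1), ev["src_ip"],
                        ev.get("src_port", 0), ev["dest_ip"], ev.get("dest_port", 0))
        t = eve_ms(ev)
        for fl in index.get(key, []):
            if fl["bidirectional_first_seen_ms"] - window_ms <= t <= fl["bidirectional_last_seen_ms"] + window_ms:
                hits.append((ev["alert"]["signature"], fl["score"]))
    return hits

# Constructed sample data (not captured traffic); "score" is a hypothetical column.
BASE = int(datetime(2024, 5, 1, 12, tzinfo=timezone.utc).timestamp() * 1000)
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "src_port": 44321, "dst_ip": "192.0.2.10", "dst_port": 22, "protocol": 6,
     "bidirectional_first_seen_ms": BASE, "bidirectional_last_seen_ms": BASE + 4000, "score": -0.21},
    {"src_ip": "10.0.0.7", "src_port": 5353, "dst_ip": "10.0.0.1", "dst_port": 53, "protocol": 17,
     "bidirectional_first_seen_ms": BASE, "bidirectional_last_seen_ms": BASE + 1000, "score": -0.15},
]
SAMPLE_EVE = [json.dumps(e) for e in [
    {"timestamp": "2024-05-01T12:00:03.250000+0000", "event_type": "alert", "proto": "TCP",  # reversed direction
     "src_ip": "192.0.2.10", "src_port": 22, "dest_ip": "10.0.0.5", "dest_port": 44321, "alert": {"signature": "SAMPLE ssh scan"}},
    {"timestamp": "2024-05-01T12:05:00.000000+0000", "event_type": "alert", "proto": "UDP",  # outside the window
     "src_ip": "10.0.0.7", "src_port": 5353, "dest_ip": "10.0.0.1", "dest_port": 53, "alert": {"signature": "SAMPLE dns query"}},
    {"timestamp": "2024-05-01T12:00:01.000000+0000", "event_type": "flow"},
]]
```

The first sample alert matches even though Suricata logged it in the reverse direction of the flow record; the second shares a tuple with a flow but is dropped because it falls outside the default time window.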
- Python 3.9+
- `uv` package manager
- Suricata installed and configured to output EVE JSON on a unix socket (for the engine)
- `libpcap` (required by nfstream for packet capture)

```bash
uv sync
```

Edit `config.toml` to match your environment:

| Key | Description |
|---|---|
| `network.interface` | Network interface to capture (e.g. `eth0`) |
| `paths.flows_csv` | Output path for captured flows |
| `paths.suricata_eve_json` | Path to Suricata EVE unix socket |
| `paths.model_path` | Path to the trained Isolation Forest model |

```bash
sudo make run-capture
# flows are written to data/flows.csv

make train
# model saved to models/isolation_forest.pkl

make run-detect
# reads data/flows.csv, prints anomalies

sudo make start-engine
```

| Component | Status |
|---|---|
| Flow capture (nfstream → CSV) | Working |
| Isolation Forest training | Working |
| Batch anomaly detection | Working |
| Real-time inference in engine | Working |
| Alert persistence (JSON Lines) | Not implemented |
| Docker packaging | Not implemented |
In progress.