Title:
Network Behavior
Poster
Abstract
UNH's Palo Alto firewall infrastructure generates millions of log entries per day, capturing metadata for every allowed, denied, and dropped network session. Manually identifying meaningful deviations, such as an unusual spike in traffic from a foreign country or a rare application surging in volume, is not feasible at this scale without automated tooling. This project delivers an end-to-end firewall analytics platform consisting of a daily log ingestion pipeline and an interactive web dashboard. Logs are imported in chunks using Python and pandas, stored in SQLite, and processed against rolling 30-, 90-, and 180-day baselines. Three detection methods identify anomalies: categorical frequency shifts, z-score deviations, and unique-value-count ratio changes. Detected anomalies are scored LOW through CRITICAL using a weighted model that accounts for field security relevance, trend persistence, and traffic volume. A dampening mechanism suppresses false positives from sparse fields. Each morning, a cron shell script runs the full ingest-detect-report pipeline and emails HTML anomaly reports for alerts above a configurable severity threshold. A Flask web dashboard, served over Apache/WSGI, provides geographic mapping, traffic timeline, baseline comparison, and filtered log search views without requiring SQL knowledge or direct log access.
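The three detection methods and the weighted severity model described above, as an added illustration that is not the project's own code: the z-score, categorical frequency shift and unique-value-count ratio checks are run over a constructed 31-day set of firewall session records (30 baseline days plus "today") using only the Python standard library rather than pandas and SQLite. The field weights, severity bands, the 2-sigma persistence window, the sparse-volume dampening formula and the sample traffic mix are all assumptions chosen for the example.

```python
"""Added example (not the project's code): z-score, frequency-shift and
unique-value-count detection with weighted severity scoring and sparse-field
dampening over constructed daily firewall session counts."""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = 30      # rolling window (assumption: the 30-day window named in the abstract)
PERSIST_DAYS = 3        # trailing days that count toward trend persistence (assumption)
SPARSE_THRESHOLD = 20   # baseline+today volume below this is dampened (assumption)
FIELD_WEIGHT = {"src_country": 1.0, "app": 0.7}   # security relevance per field (assumption)
SEVERITY_BANDS = ((0.8, "CRITICAL"), (0.5, "HIGH"), (0.3, "MEDIUM"), (0.0, "LOW"))
FIELDS = ("src_country", "app")


def build_sample_logs():
    """Constructed records (day, src_country, app). Days 0-29 are the baseline:
    100 US web-browsing and 10 DE ssh sessions per day, plus a single BR telnet
    session on day 3. Day 30 ('today') drops DE and adds 40 ssh sessions from RU."""
    logs = []
    for day in range(BASELINE_DAYS):
        logs += [(day, "US", "web-browsing")] * 100
        logs += [(day, "DE", "ssh")] * 10
        if day == 3:
            logs.append((day, "BR", "telnet"))
    today = BASELINE_DAYS
    logs += [(today, "US", "web-browsing")] * 100
    logs += [(today, "RU", "ssh")] * 40
    return logs


def daily_counts(logs):
    """counts[field][value][day] -> sessions; days with no sessions read as 0."""
    counts = {f: defaultdict(lambda: defaultdict(int)) for f in FIELDS}
    for day, country, app in logs:
        counts["src_country"][country][day] += 1
        counts["app"][app][day] += 1
    return counts


def severity(score):
    """Map a 0..1 score onto the LOW..CRITICAL bands (first band whose floor is met)."""
    return next(label for floor, label in SEVERITY_BANDS if score >= floor)


def detect(counts, today=BASELINE_DAYS):
    """Return (per-value findings sorted by score, per-field unique-value-count ratios)."""
    base_days = range(today - BASELINE_DAYS, today)
    findings, uvc_ratios = [], {}
    for field, values in counts.items():
        base_total = sum(values[v][d] for v in values for d in base_days)
        today_total = sum(values[v][today] for v in values)
        # unique-value-count ratio: distinct values seen today vs. mean distinct per baseline day
        distinct_per_day = [sum(1 for v in values if values[v][d] > 0) for d in base_days]
        distinct_today = sum(1 for v in values if values[v][today] > 0)
        uvc_ratios[field] = distinct_today / max(mean(distinct_per_day), 1.0)
        for value, by_day in values.items():
            series = [by_day[d] for d in base_days]
            mu, sd = mean(series), max(pstdev(series), 1.0)   # sd floored so a flat baseline stays finite
            z = (by_day[today] - mu) / sd                      # z-score deviation of today's count
            # categorical frequency shift: change in this value's share of the field's traffic
            base_share = sum(series) / base_total if base_total else 0.0
            today_share = by_day[today] / today_total if today_total else 0.0
            shift = today_share - base_share
            # trend persistence: trailing days (incl. today) more than 2 sd from the baseline mean
            persist = sum(1 for d in range(today - PERSIST_DAYS + 1, today + 1)
                          if abs(by_day[d] - mu) > 2 * sd)
            # weighted score: relevance x (z and shift evidence) x volume dampening x persistence
            raw = 0.7 * min(abs(z), 10.0) / 10.0 + 0.3 * min(abs(shift) / 0.25, 1.0)
            damp = min(1.0, (sum(series) + by_day[today]) / SPARSE_THRESHOLD)
            score = round(FIELD_WEIGHT[field] * raw * damp * (0.7 + 0.3 * persist / PERSIST_DAYS), 3)
            findings.append({"field": field, "value": value, "z": round(z, 2),
                             "shift": round(shift, 3), "damp": round(damp, 2),
                             "score": score, "severity": severity(score)})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings, uvc_ratios


if __name__ == "__main__":
    results, ratios = detect(daily_counts(build_sample_logs()))
    for f in results:
        print(f"{f['severity']:8} {f['field']}={f['value']:13} z={f['z']:>7} "
              f"shift={f['shift']:>7} damp={f['damp']} score={f['score']}")
    print("unique-value-count ratios:", ratios)
```

Two behaviours worth noticing on the sample: the single BR telnet session in the baseline gets a dampening factor of 0.05, so it stays LOW even though any later appearance would produce a large z against an almost-empty history; and US traffic, which did not change at all, still shows a negative frequency shift because shares are relative and the RU surge took a slice of the total, which is why the raw-count z-score carries most of the weight in the score.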
Authors
| First Name | Last Name |
| Evan | White |
| Sam | Howard |
| Matthew | Szpak |
| Matthew | Cariseo |
Advisors:
| Full Name |
| Scott Kitterman |
Submission Details
Conference URC
Event Interdisciplinary Science and Engineering (ISE)
Department Computer Science (ISE)
Group Computer Science- Data Science
Added April 20, 2026, 12:53 p.m.
Updated April 20, 2026, 12:54 p.m.