SENTINEL

The Problem

What's a DDoS attack?

Imagine 10,000 people calling your phone at once. Your phone crashes. That's DDoS - bots flood your website with fake traffic until it goes offline.

The Real Problem: Protection is Expensive

Small businesses, nonprofits, and indie developers can't afford this. So they go unprotected.

How SENTINEL Works

Think of it like airport security with multiple checkpoints. Every visitor goes through layers of inspection:

The Inspection Process

• Layer 1: Rate Limiting — "You're making 1000 requests per second? That's not human behavior."
• Layer 2: Behavioral Analysis — "You visit the same 3 pages in the exact same order every time? Suspicious."
• Layer 3: Neural Network — "I've seen 10,000 bots before. Your pattern matches them."
• Layer 4: Honeypot Traps — "You clicked a hidden link that no human can see? Gotcha."
• Layer 5: Contagion Graph — "You behave exactly like these 50 other IPs we just blocked? You're part of the same botnet."

If you pass all checks: you're in. If you fail: you get a challenge (like a CAPTCHA) or get blocked.

The key: All the heavy analysis happens in the background, so your website stays fast (<1ms delay).

What Makes It Different

1. It Learns From Your Traffic

Most systems use fixed rules ("block if >100 requests/min"). SENTINEL watches your actual visitors and learns what "normal" looks like for YOUR site. A news site during breaking news looks different than a blog.

2. It Doesn't Slow You Down

The AI analysis happens in background threads while your website keeps serving pages. Think of it like a security guard reviewing camera footage AFTER you've already walked through the door.

3. It Catches Coordinated Attacks

Modern botnets use thousands of different IP addresses. SENTINEL groups them by behavior: "These 500 IPs all visit the same pages, at the same speed, in the same order. They're working together."

4. It Shares Intelligence

If you run multiple servers, they talk to each other. When Server A blocks an attacker, Server B knows about it instantly. No central database needed.

Does It Actually Work?

I tested SENTINEL against the CIC-DDoS2019 dataset - real attack traffic captured from actual DDoS attacks in 2019.

What This Means

Out of 100 bot attacks, SENTINEL stops 96. Out of 100 real humans, it accidentally blocks 3-4 (who can solve a challenge to get through).

Most commercial solutions don't publish their false positive rates. The ones that do aim for similar numbers, but charge thousands per month.

For The Technical Folks

The Neural Network

A simple 3-layer neural network that learns to recognize bot patterns:

• Looks at 10 features: request speed, timing patterns, path diversity, etc.
• Trains itself every 100 requests using backpropagation
• Runs in background worker threads so it never blocks your main server

The Contagion Graph

Uses LSH (Locality-Sensitive Hashing) to group similar IPs:

• Converts each IP's behavior into a "fingerprint"
• Groups IPs with similar fingerprints (likely same botnet)
• When one IP is confirmed as a bot, suspicion spreads to its neighbors

The P2P Network

Servers share threat intelligence via WebSocket gossip protocol:

• No central database - fully decentralized
• Each node verifies threats before accepting them (proof-of-threat)
• Threats propagate across the network in milliseconds

Why I Built This

→ github.com/matthewvaishnav/sentinel