Production-ready AI IDS platform

AI intrusion detection, built for real-time defense.

XGuard AI combines streaming Kafka ingestion, FastAPI inference, SHAP explainability, alert history, and analyst-friendly monitoring in one AI intrusion detection system. It is designed to help teams detect malicious traffic quickly, understand why the model fired, and review incidents through a polished light or dark mode interface.

Live packet feed with alert counts, distribution charts, and stream health in one analyst workspace.
SHAP drill-down for explainable incident review on every selected prediction and flagged flow.
Replay controls for exercising the same backend pipeline with packaged traffic during testing, demos, and validation.
Streaming, persistence, and review layers tied together across FastAPI, Kafka, PostgreSQL, and Next.js.

3 trained model families
1,000 flows per batch request
REST + WS for history and live delivery
API-key protected service access

Analyst Control Center (stream active)
Live stream: WebSocket + history
Explainability: SHAP enabled
Replay ready: validation traffic

Explainability review

Trace every high-risk flow with ranked SHAP evidence.

Move from the live queue to the exact drivers behind a prediction without leaving the analyst workspace.

Signals ranked: 3 drivers
Analyst path: alert to SHAP
Review state: traceable

Selected incident: Port Scan, 92% confidence
Source: 10.0.2.18
Destination: 172.16.0.21

Top drivers (feature weight): Dst Port, Flow Bytes/s, Packet Length Mean

Packet context

Open any row to inspect the evidence behind each flagged flow.

14:20:18.228  10.0.2.15 -> 172.16.0.9   Benign
14:20:18.413  10.0.2.18 -> 172.16.0.21  DDoS

Platform capabilities

Built for teams that need speed, visibility, and explainable decisions.

XGuard AI brings together model-driven detection, explainability, live observability, and secured operations in a platform that can support analyst workflows beyond a static demo.

Live operations

Analyst dashboard

Track packet volume, attack counts, connection status, and traffic distribution from one screen.

Security teams can move from live monitoring to packet-level review without switching context.

Explainability

SHAP-backed incident review

Open any prediction and inspect the features that pushed the model toward benign or malicious classification.

That gives analysts a reasoned trail instead of a raw confidence score alone.

Validation

Replay traffic on demand

Start and stop packaged traffic replay from the UI to exercise the same pipeline used for live monitoring.

It is useful for demos, smoke testing, and reviewing held-out traffic flows.

Detection engine

Multi-model ML foundation

The repository trains Random Forest, XGBoost, and LSTM models, with XGBoost serving production inference.

That keeps the system fast enough for streaming use while preserving explainability.

Secure delivery

Secured analyst operations

Prediction, explanation, alert history, and replay controls are protected with API-key access, while health checks stay simple for operations.

That keeps the operational control plane protected while preserving simple service health verification.
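The split described above, control-plane routes behind an API key and the health check left open, is easy to get subtly wrong (a missing server-side key silently becoming open access, or a key comparison that leaks timing). The following is an added example, not XGuard AI's own code: a framework-free stand-in for a FastAPI auth dependency so it runs without the package. The route names, the `x-api-key` header name and the `XGUARD_API_KEY` environment variable are assumptions; the page only states which operations are protected.

```python
"""Added example (not XGuard AI's own code): an API-key gate that protects the
control-plane routes but leaves the health check open.

Route names, the header name and the environment variable are assumptions.
The dispatcher is a framework-free stand-in for a FastAPI dependency.
"""
import hmac
import os
from typing import Optional

API_KEY_HEADER = "x-api-key"      # assumed header name
API_KEY_ENV = "XGUARD_API_KEY"    # assumed environment variable

# Assumed route table: control-plane routes need a key, health does not.
PROTECTED_ROUTES = {"/predict", "/explain", "/alerts", "/replay/start", "/replay/stop"}
OPEN_ROUTES = {"/health"}


def load_expected_key(env=os.environ) -> Optional[str]:
    """Read the key from the environment rather than from source or config files."""
    key = env.get(API_KEY_ENV, "")
    return key or None


def authorize(path: str, headers: dict, expected_key: Optional[str]) -> tuple:
    """Return (status, reason); 200 means the request may proceed."""
    if path in OPEN_ROUTES:
        return 200, "open route"
    if path not in PROTECTED_ROUTES:
        return 404, "unknown route"
    if expected_key is None:
        # Fail closed: a missing server-side key must not turn into open access.
        return 503, "api key not configured"
    # Header names are case-insensitive; normalise before lookup.
    presented = {k.lower(): v for k, v in headers.items()}.get(API_KEY_HEADER)
    if presented is None:
        return 401, "missing api key"
    # Constant-time comparison so response timing does not leak key bytes.
    if not hmac.compare_digest(presented.encode(), expected_key.encode()):
        return 403, "invalid api key"
    return 200, "authorized"


def handle(path: str, headers: dict, expected_key: Optional[str]) -> tuple:
    """Dispatch a request after the auth check; bodies are stand-ins."""
    status, reason = authorize(path, headers, expected_key)
    if status != 200:
        return status, reason
    if path == "/health":
        return 200, "ok"
    return 200, f"handled {path}"  # stand-in for prediction/explain/replay logic


if __name__ == "__main__":
    key = load_expected_key() or "demo-only-key"  # constructed fallback for a local run
    for p, h in [("/health", {}), ("/predict", {}),
                 ("/predict", {"X-API-Key": "nope"}), ("/predict", {"X-API-Key": key})]:
        print(p, h, handle(p, h, key))
```

Two design points carry over to any real deployment: the gate fails closed (503) when the server has no key configured, and `hmac.compare_digest` is used instead of `==` so an attacker cannot measure how many leading bytes of a guess matched.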

Architecture

Streaming loop from data to action

Kafka ingestion, FastAPI inference, PostgreSQL persistence, and a Next.js frontend work together as one workflow.

The platform is built to connect detection, persistence, and analyst visibility in one production-oriented path.

Workflow

From network traffic to analyst action in four steps.

The system is organized around a clear operational path: ingest traffic, score it with the serving model, persist alert history, and support fast explanation-driven review for analysts.

Kafka + API entry paths, PostgreSQL history, WebSocket alert fan-out
01

Stream or submit traffic

Bring flows in through Kafka for continuous monitoring or submit controlled scoring requests through the service layer.

That keeps the same detection logic available for streaming operations and direct validation.

02

Classify with the serving model

The backend applies the production inference service and returns label, severity, and confidence.

The current repo serves XGBoost for the main runtime path.

03

Persist and broadcast results

Predictions are stored for history views while live alerts are pushed to the analyst UI over WebSocket.

The same app provides both retrospective context and real-time awareness.

04

Explain and investigate

Analysts can open SHAP explanations to understand the top features driving each decision.

That closes the loop between detection quality and reviewer trust.
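The four steps above, and the SHAP-backed review described under "Explainability", can be exercised end to end in a few dozen lines. The following is an added example, not XGuard AI's own code: flows are scored with a small logistic model standing in for the XGBoost serving model, every prediction is written to an in-memory history standing in for PostgreSQL, flagged flows are pushed to WebSocket-style subscribers, and the top drivers are ranked using the closed-form SHAP values of a linear model (weight times standardised feature value) rather than the shap library. All weights, baseline statistics, thresholds and flow records are constructed.

```python
"""Added example (not XGuard AI's own code): the four-step loop in miniature.

Ingest flow records, score them with a logistic model, persist predictions,
broadcast alerts, and rank feature drivers with exact SHAP values for a
linear logit. Every weight, statistic, threshold and record is constructed.
"""
import math
from dataclasses import dataclass, field
from typing import Callable

# Constructed logistic-regression weights over standardised features
# (a stand-in for the XGBoost model that serves production on the page).
WEIGHTS = {"dst_port": 0.9, "flow_bytes_per_s": 1.4, "packet_length_mean": -0.6}
BIAS = -1.5
# Constructed training-set statistics used to standardise raw feature values.
BASELINE_MEAN = {"dst_port": 2000.0, "flow_bytes_per_s": 50_000.0, "packet_length_mean": 300.0}
BASELINE_STD = {"dst_port": 1500.0, "flow_bytes_per_s": 40_000.0, "packet_length_mean": 200.0}
ALERT_THRESHOLD = 0.5  # constructed: probability above which a flow is flagged


@dataclass
class Flow:
    src: str
    dst: str
    features: dict  # raw feature values keyed by name


@dataclass
class Prediction:
    src: str
    dst: str
    label: str         # "malicious" or "benign"
    severity: str      # "high", "medium", "low" or "none"
    confidence: float  # probability of the predicted label
    shap: dict         # per-feature contribution to the logit


def shap_values(features: dict) -> dict:
    """Exact SHAP values for a linear logit: w_i * (x_i - mean_i) / std_i.

    Standardising against the training mean makes each feature's expected
    contribution zero, so BIAS is the base value and the values sum to logit - BIAS.
    """
    return {name: WEIGHTS[name] * (features[name] - BASELINE_MEAN[name]) / BASELINE_STD[name]
            for name in WEIGHTS}


def severity_for(p_malicious: float) -> str:
    if p_malicious < ALERT_THRESHOLD:
        return "none"
    if p_malicious >= 0.9:
        return "high"
    return "medium" if p_malicious >= 0.7 else "low"


def score(flow: Flow) -> Prediction:
    """Step 2: classify one flow and return label, severity and confidence."""
    contributions = shap_values(flow.features)
    logit = BIAS + sum(contributions.values())
    p_malicious = 1.0 / (1.0 + math.exp(-logit))
    malicious = p_malicious >= ALERT_THRESHOLD
    return Prediction(src=flow.src, dst=flow.dst,
                      label="malicious" if malicious else "benign",
                      severity=severity_for(p_malicious),
                      confidence=p_malicious if malicious else 1.0 - p_malicious,
                      shap=contributions)


def top_drivers(pred: Prediction, n: int = 3) -> list:
    """Step 4: rank features by absolute contribution, largest first."""
    return sorted(pred.shap.items(), key=lambda kv: abs(kv[1]), reverse=True)[:n]


@dataclass
class AlertHistory:
    """Step 3a: stand-in for the PostgreSQL history table."""
    rows: list = field(default_factory=list)

    def persist(self, pred: Prediction) -> None:
        self.rows.append(pred)


@dataclass
class Broadcaster:
    """Step 3b: stand-in for WebSocket fan-out; only flagged flows are pushed."""
    subscribers: list = field(default_factory=list)

    def publish(self, pred: Prediction) -> None:
        if pred.label == "malicious":
            for deliver in self.subscribers:
                deliver(pred)


def run_pipeline(flows: list, history: AlertHistory, bus: Broadcaster) -> list:
    """Step 1 onwards: consume one batch (Kafka or API submission) end to end."""
    results = []
    for flow in flows:
        pred = score(flow)
        history.persist(pred)
        bus.publish(pred)
        results.append(pred)
    return results


# Constructed flow records, modelled on the two rows shown on the page.
SAMPLE_FLOWS = [
    Flow("10.0.2.15", "172.16.0.9", {"dst_port": 443, "flow_bytes_per_s": 20_000, "packet_length_mean": 400}),
    Flow("10.0.2.18", "172.16.0.21", {"dst_port": 80, "flow_bytes_per_s": 250_000, "packet_length_mean": 60}),
]

if __name__ == "__main__":
    hist, bus = AlertHistory(), Broadcaster()
    bus.subscribers.append(lambda p: print(f"ALERT {p.src} -> {p.dst} {p.severity} {p.confidence:.2f}"))
    for pred in run_pipeline(SAMPLE_FLOWS, hist, bus):
        print(pred.src, "->", pred.dst, pred.label, f"{pred.confidence:.3f}", top_drivers(pred))
```

The point of keeping `shap_values` separate from `score` is that the same contributions feed both the decision and the analyst's evidence: the ranked drivers always add up to the logit the model actually used, which is the property that makes the review trail trustworthy rather than decorative. For a tree model such as the XGBoost runtime on the page, the same additive guarantee comes from TreeSHAP instead of the closed form used here.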

Technology stack

Modern infrastructure for production deployment and analyst operations.

XGuard AI combines streaming ingestion, machine-learning inference, explainability, persistence, and frontend monitoring into a cohesive AI IDS stack.

Core platform stack

Technologies behind live detection, persistence, and analyst review.

Next.js dashboard
FastAPI inference
Kafka streaming
PostgreSQL persistence
XGBoost production scoring
LSTM + Random Forest research baselines
SHAP explainability
Docker-based local setup

Operational benefits

Real-time WebSocket updates keep analysts aware of changing traffic conditions.
SHAP-backed review improves trust in automated decisions before escalation.
Replay controls help with demos, testing, and operator training on realistic traffic.
Light and dark modes support different analyst environments without changing workflows.

Deployment fit

Ready for SOC-style monitoring and explainable review.

The platform combines a professional dashboard, controlled replay, stored alert history, and explainability workflows in an interface that remains comfortable in both light and dark operating environments.

Deploy with confidence

Monitor live traffic, review flagged flows, and explain model decisions from one AI IDS workspace.

XGuard AI brings together streaming detection, alert history, secure analyst controls, and SHAP-backed explainability for teams moving toward production-ready network defense workflows.