# 🛡️ SentinelAI — AI-Powered Web Application Firewall

A full-stack, intelligent cybersecurity platform that combines Google Gemini AI, multi-layer encoding detection, and external threat intelligence to detect, classify, and block web attacks in real-time — with a sleek React dashboard for live monitoring.

## ✨ Key Features

- 🤖 **Dual-Engine Threat Detection** — Gemini AI + custom regex-based scoring engine working in tandem
- 🔗 **Hybrid Risk Scoring** — Combines AbuseIPDB IP reputation (60%) with local payload analysis (40%)
- 🧬 **Multi-Layer Encoding Detection** — URL encoding, double encoding, Base64, Unicode, hex, HTML entities
- 📊 **Real-Time Dashboard** — Live traffic feed, analytics charts, alerts, and attacker profiling
- 🔐 **Dual Authentication** — Local JWT + Firebase Google Sign-In
- ⚡ **Auto-Blocking** — IPs automatically blocked after repeated malicious requests
## 🏗️ Architecture

```
┌─────────────────────────────────────────────────────────┐
│                     CLIENT REQUEST                      │
└─────────────────────┬───────────────────────────────────┘
                      ▼
┌─────────────────────────────────────────────────────────┐
│                     SECURITY LAYERS                     │
│  ┌──────────┐  ┌──────────┐  ┌────────────────────┐     │
│  │  Helmet  │  │   CORS   │  │    Rate Limiter    │     │
│  │ (Headers)│  │ (Origin) │  │  (100 req/15 min)  │     │
│  └──────────┘  └──────────┘  └────────────────────┘     │
└─────────────────────┬───────────────────────────────────┘
                      ▼
┌─────────────────────────────────────────────────────────┐
│                     WAF MIDDLEWARE                      │
│  ┌────────────────┐  ┌───────────────────────────────┐  │
│  │  IP Blocklist  │  │   Gemini AI Classification    │  │
│  │  (Fast Reject) │  │   SQLi | XSS | CSRF | RCE     │  │
│  └────────────────┘  └───────────────────────────────┘  │
└─────────────────────┬───────────────────────────────────┘
                      ▼
┌─────────────────────────────────────────────────────────┐
│                 THREAT DETECTION ENGINE                 │
│  ┌────────────────┐  ┌────────────────┐  ┌───────────┐  │
│  │    Encoding    │  │    Scoring     │  │ AbuseIPDB │  │
│  │    Analyzer    │  │     Engine     │  │  Hybrid   │  │
│  │  (6 decoders)  │  │   (weighted)   │  │ Risk API  │  │
│  └────────────────┘  └────────────────┘  └───────────┘  │
└─────────────────────┬───────────────────────────────────┘
                      ▼
┌─────────────────────────────────────────────────────────┐
│  MongoDB Atlas: Logs │ Alerts │ Profiles │ Blocked IPs  │
└─────────────────────────────────────────────────────────┘
```
## 📁 Project Structure

```
SentinelAI/
├── backend/
│   ├── config/                    # MongoDB connection
│   ├── controllers/               # Auth, Logs, Stats, IP, Scanner, RiskScore, Profiles
│   ├── middleware/
│   │   ├── wafMiddleware.js       # Core WAF interceptor (Gemini AI)
│   │   ├── authMiddleware.js      # JWT verification
│   │   ├── rateLimiter.js         # Rate limiting
│   │   └── validators.js          # Input validation (express-validator)
│   ├── models/
│   │   ├── User.js                # Users with bcrypt hashing
│   │   ├── Log.js                 # Request audit trail
│   │   ├── Alert.js               # Security notifications
│   │   ├── BlockedIP.js           # IP blocklist
│   │   └── AttackerProfile.js     # Behavioral profiling
│   ├── routes/                    # 8 route modules
│   ├── services/
│   │   ├── geminiService.js       # Google Gemini AI integration
│   │   ├── abuseIPDBService.js    # External IP reputation
│   │   ├── ipBlockService.js      # IP management
│   │   ├── alertService.js        # Alert generation
│   │   ├── profileService.js      # Attacker profiling
│   │   └── threatDetector/        # Custom regex scoring engine
│   │       ├── index.js           # Public API (analyze, classify)
│   │       ├── scoringEngine.js   # Weighted pattern matching
│   │       ├── encodingAnalyzer.js # Multi-layer decoder
│   │       └── patterns.js        # 50+ attack signatures
│   ├── tests/                     # Jest + Supertest test suite
│   ├── server.js                  # Express entry point
│   └── .env                       # Environment configuration
│
└── frontend/
    ├── src/
    │   ├── components/
    │   │   ├── Navbar.jsx         # Navigation + notification bell
    │   │   ├── StatCard.jsx       # Interactive metric cards
    │   │   └── LoadingScreen.jsx  # Animated boot screen
    │   ├── context/
    │   │   └── AuthContext.jsx    # JWT + Google auth state
    │   ├── pages/
    │   │   ├── Dashboard.jsx      # Live traffic + stat cards + alerts
    │   │   ├── Analytics.jsx      # Charts (Recharts)
    │   │   ├── Logs.jsx           # Filterable request log
    │   │   ├── Scanner.jsx        # Payload testing tool
    │   │   ├── Profiles.jsx       # Attacker behavior profiles
    │   │   └── Login.jsx          # Dual auth (local + Google)
    │   ├── services/
    │   │   └── api.js             # Axios with JWT interceptor
    │   └── index.css              # Full design system (1400+ lines)
    ├── index.html
    └── vite.config.js
```
## 🚀 Getting Started

### Prerequisites

- Node.js v18+
- MongoDB Atlas account (or local MongoDB)
- Google Gemini API key (aistudio.google.com)
- AbuseIPDB free API key (abuseipdb.com) — optional, for hybrid scoring
### 1. Clone the Repository

```bash
git clone https://github.com/cryptoujjwal07/SentinelAI.git
cd SentinelAI
```
### 2. Configure the Backend

Create `backend/.env`:

```env
# Server
PORT=5000
NODE_ENV=development

# MongoDB
MONGODB_URI=<your-mongodb-atlas-uri>

# JWT (use a long random value, e.g. the output of: openssl rand -base64 48)
JWT_SECRET=<your-strong-secret-key>
JWT_EXPIRES_IN=7d

# Google Gemini AI
GEMINI_API_KEY=<your-gemini-api-key>
GEMINI_MODEL=gemini-2.0-flash

# WAF Settings
MALICIOUS_THRESHOLD=3
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=100

# Firebase (Google Sign-In)
FIREBASE_PROJECT_ID=<your-firebase-project-id>

# Frontend CORS
FRONTEND_URL=http://localhost:5173

# AbuseIPDB (optional — enables hybrid risk scoring)
ABUSEIPDB_API_KEY=<your-abuseipdb-api-key>
```

Keep `backend/.env` out of version control: it holds the JWT signing secret and every third-party API key the server uses.
### 3. Start the Backend

```bash
cd backend
npm install
npm run dev
# ✅ Server running on http://localhost:5000
```
### 4. Start the Frontend

```bash
cd frontend
npm install
npm run dev
# ✅ Dashboard on http://localhost:5173
```
### 5. Create Your First Account

Register via the Dashboard UI or via the API:

```bash
curl -X POST http://localhost:5000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","email":"admin@sentinelai.com","password":"Admin123!","role":"admin"}'
```

Note that `role` is supplied by the client in this request. Before exposing the API beyond localhost, make sure the registration route ignores or restricts that field, so that anyone who can reach `/api/auth/register` cannot self-assign `admin`.
## 🔍 How It Works

### WAF Middleware Pipeline

```
Incoming Request
│
├─ 1. IP Blocklist Check ──→ Blocked?  ──→ 403 Forbidden
│
├─ 2. Rate Limit Check ────→ Exceeded? ──→ 429 Too Many Requests
│
├─ 3. Gemini AI Analysis ──→ Sends method, path, body, headers, IP
│                             Returns: SAFE | SUSPICIOUS | MALICIOUS
│                             + confidence score + attack type
│
├─ 4. Action:
│     ├─ MALICIOUS  → 403 blocked, log saved, strike counter++
│     ├─ SUSPICIOUS → Warning headers, alert created, log flagged
│     └─ SAFE       → Request passes through, log saved
│
└─ 5. Auto-Block: 3 malicious strikes → IP permanently blocked
```
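The pipeline above as runnable code. This is an added example, not SentinelAI's own `wafMiddleware.js`: the Gemini call is replaced by an injected classifier that returns the same `SAFE | SUSPICIOUS | MALICIOUS` verdict shape, the MongoDB collections by an in-memory store, and the `X-WAF-Warning` header name, the JSON error bodies and the `mockRes` helper are assumptions. Rate limiting (step 2) is left to `express-rate-limit` mounted before this middleware, as in the architecture diagram.

```javascript
// Added example, not SentinelAI's wafMiddleware.js: blocklist fast-reject,
// classification, per-verdict action and 3-strike auto-block over an
// in-memory store. Store shape, header name and error bodies are assumptions.

const MALICIOUS_THRESHOLD = 3; // same meaning as MALICIOUS_THRESHOLD in .env

function createWaf({ classify, threshold = MALICIOUS_THRESHOLD } = {}) {
  // In-memory stand-in for the BlockedIP / Log / Alert collections.
  const state = { blocked: new Set(), strikes: new Map(), logs: [], alerts: [] };

  // Step 1: fast reject for IPs already on the blocklist.
  const isBlocked = (ip) => state.blocked.has(ip);

  // Steps 4 and 5: persist the verdict and decide the action. A MALICIOUS
  // verdict adds a strike; reaching the threshold moves the IP onto the blocklist.
  function decide(ip, verdict) {
    state.logs.push({ ip, verdict: verdict.verdict, attackType: verdict.attackType || null });
    if (verdict.verdict === 'MALICIOUS') {
      const strikes = (state.strikes.get(ip) || 0) + 1;
      state.strikes.set(ip, strikes);
      if (strikes >= threshold) state.blocked.add(ip);
      return { status: 403, block: true, warn: false, autoBlocked: strikes >= threshold };
    }
    if (verdict.verdict === 'SUSPICIOUS') {
      state.alerts.push({ ip, attackType: verdict.attackType || null });
      return { status: 200, block: false, warn: true, autoBlocked: false };
    }
    return { status: 200, block: false, warn: false, autoBlocked: false };
  }

  // Express-compatible middleware (req, res, next).
  async function middleware(req, res, next) {
    const ip = req.ip;
    if (isBlocked(ip)) return res.status(403).json({ error: 'IP blocked' });
    // Step 3: hand method, path, body, headers and IP to the classifier.
    const verdict = await classify({ method: req.method, path: req.path, body: req.body, headers: req.headers, ip });
    const action = decide(ip, verdict);
    if (action.block) return res.status(403).json({ error: 'Request blocked', attackType: verdict.attackType });
    if (action.warn) res.set('X-WAF-Warning', verdict.attackType || 'suspicious'); // assumed header name
    return next();
  }

  return { middleware, decide, isBlocked, state };
}

// Minimal Express-like response object so the pipeline can be exercised offline.
function mockRes() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  res.set = (name, value) => { res.headers[name] = value; return res; };
  return res;
}

// Stand-in classifier with the verdict shape the pipeline expects from Gemini.
async function stubClassify({ body }) {
  const text = JSON.stringify(body || {});
  if (/(\bor\b\s+1\s*=\s*1|union\s+select)/i.test(text)) return { verdict: 'MALICIOUS', attackType: 'SQLi', confidence: 0.95 };
  if (/<script/i.test(text)) return { verdict: 'SUSPICIOUS', attackType: 'XSS', confidence: 0.6 };
  return { verdict: 'SAFE', attackType: null, confidence: 0.9 };
}

// Constructed traffic: one IP sends the same SQLi payload four times. The first
// three are classified and rejected with a strike each; the fourth never reaches
// the classifier because the IP is now on the blocklist.
async function simulate() {
  let classifyCalls = 0;
  const classify = async (ctx) => { classifyCalls += 1; return stubClassify(ctx); };
  const waf = createWaf({ classify });
  const statuses = [];
  for (let i = 0; i < 4; i += 1) {
    const req = { ip: '203.0.113.7', method: 'POST', path: '/login', headers: {}, body: { user: "' OR 1=1 --" } };
    const res = mockRes();
    let passed = false;
    await waf.middleware(req, res, () => { passed = true; });
    statuses.push(passed ? 200 : res.statusCode);
  }
  return { statuses, classifyCalls, blocked: waf.isBlocked('203.0.113.7'), strikes: waf.state.strikes.get('203.0.113.7') };
}

if (typeof require !== 'undefined' && require.main === module) simulate().then((r) => console.log(r));
```

The blocklist check runs before the classifier on purpose: once an IP has struck out, every further request is refused without spending a Gemini call on it.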
### Threat Detector (Regex Engine)

Operates independently alongside Gemini AI for the Scanner and Hybrid Risk API:

| Layer | Function |
|---|---|
| Encoding Analyzer | Decodes URL, double-URL, Unicode, hex, Base64, HTML entities |
| Pattern Matcher | 50+ weighted regex patterns across 13 attack categories |
| Scoring Engine | Weighted scoring with category-based multipliers |
| Classifier | Maps score → SAFE (0–29) / SUSPICIOUS (30–69) / MALICIOUS (70–100) |
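The four layers of the table, end to end, as an added example. This is not SentinelAI's `threatDetector/` module: the pattern set (a small subset of the categories listed later on this page), the weights, the category multipliers, the bonus for nested encoding and the 6-layer cap are all assumptions chosen so the page's own `' OR 1=1 --` and `<script>` payloads land in the MALICIOUS band. The decoder peels one layer per pass until nothing changes, which is what makes double URL encoding and Base64-wrapped XSS fall out naturally.

```javascript
// Added example, not SentinelAI's encodingAnalyzer.js / scoringEngine.js.
// Multi-layer decode -> weighted regex match -> category multiplier -> band.

const MAX_LAYERS = 6;

// Each decoder returns its input unchanged when it does not apply, so the loop
// in decodeLayers can detect "nothing left to peel".
const DECODERS = [
  ['url', (s) => {
    if (!/%[0-9a-f]{2}/i.test(s)) return s;
    try { return decodeURIComponent(s); } catch { return s; } // malformed UTF-8 (e.g. overlong %c0%ae) is left as-is
  }],
  ['unicode', (s) => s.replace(/%u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))],
  ['html', (s) => s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(Number(d)))
    .replace(/&(lt|gt|quot|amp|apos);/g, (_, n) => ({ lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" })[n])],
  ['hex', (s) => (/^(?:\\x[0-9a-f]{2})+$/i.test(s)
    ? s.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16))) : s)],
  ['base64', (s) => {
    if (!/^[A-Za-z0-9+/]{8,}={0,2}$/.test(s)) return s;
    const out = Buffer.from(s, 'base64').toString('utf8');
    return /^[\x20-\x7e]+$/.test(out) ? out : s; // accept only printable ASCII; still a heuristic
  }],
];

// Apply the first decoder that changes the string, repeat until stable or capped.
function decodeLayers(input) {
  let current = String(input);
  const layers = [];
  for (let i = 0; i < MAX_LAYERS; i += 1) {
    const step = DECODERS.find(([, fn]) => fn(current) !== current);
    if (!step) break;
    layers.push(step[0]);
    current = step[1](current);
  }
  return { decoded: current, layers };
}

// Assumed subset of signatures; no /g flag so .test() is stateless.
const PATTERNS = [
  { category: 'sqli', weight: 35, re: /\b(or|and)\b\s+['"]?\d+\s*=\s*['"]?\d+/i },
  { category: 'sqli', weight: 15, re: /['"]\s*(or|and)\b/i },
  { category: 'sqli', weight: 40, re: /\bunion\b[\s\S]*\bselect\b/i },
  { category: 'sqli', weight: 40, re: /\bdrop\s+table\b/i },
  { category: 'sqli', weight: 35, re: /\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay/i },
  { category: 'sqli', weight: 10, re: /(--|#|\/\*)\s*$/ },
  { category: 'xss', weight: 50, re: /<\s*script\b/i },
  { category: 'xss', weight: 30, re: /\bon(error|load|mouseover|focus)\s*=/i },
  { category: 'xss', weight: 25, re: /\b(eval|document\.cookie|String\.fromCharCode)\b/i },
  { category: 'xss', weight: 20, re: /\b(alert|prompt|confirm)\s*\(/i },
  { category: 'cmdi', weight: 30, re: /\$\([^)]*\)|`[^`]*`/ },
  { category: 'cmdi', weight: 35, re: /(;|&&|\|\|?)\s*(ls|whoami|cat|rm|id|curl|wget)\b/i },
  { category: 'traversal', weight: 30, re: /(\.\.[\/\\]){2,}/ },
  { category: 'traversal', weight: 30, re: /\/etc\/(passwd|shadow)\b/i },
  { category: 'nullbyte', weight: 25, re: /%00|\x00/ },
  { category: 'defanged', weight: 10, re: /hxxps?\[?:\]?\/\/|\[\.\]/i },
];
const MULTIPLIERS = { sqli: 1.2, xss: 1.1, cmdi: 1.3, traversal: 1.2, nullbyte: 1.0, defanged: 0.8 };
const LAYER_BONUS = 10; // per decoding layer beyond the first: stacked encodings are themselves a signal

// The page's bands: SAFE 0-29, SUSPICIOUS 30-69, MALICIOUS 70-100.
function classify(score) {
  return score >= 70 ? 'MALICIOUS' : score >= 30 ? 'SUSPICIOUS' : 'SAFE';
}

function analyze(input) {
  const { decoded, layers } = decodeLayers(input);
  const matches = PATTERNS.filter((p) => p.re.test(decoded));
  const perCategory = {};
  for (const m of matches) perCategory[m.category] = (perCategory[m.category] || 0) + m.weight;
  let total = 0;
  for (const [cat, w] of Object.entries(perCategory)) total += w * (MULTIPLIERS[cat] || 1);
  if (layers.length > 1) total += LAYER_BONUS * (layers.length - 1);
  const score = Math.min(100, Math.round(total));
  return { score, level: classify(score), decoded, layers, categories: Object.keys(perCategory), matched: matches.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of ['%27%20OR%201%3D1%20--', 'PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==']) console.log(analyze(p));
}
```

Two caveats worth carrying into a real engine: `decodeURIComponent` rejects invalid UTF-8 sequences such as overlong `%c0%ae`, so a production decoder needs its own lenient percent-decoder to see those, and the Base64 detector is a heuristic that will occasionally decode a long alphanumeric token that was never Base64.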
### Hybrid Risk Scoring (AbuseIPDB Integration)

`POST /api/risk-score`

```json
{
  "ip": "185.220.101.1",
  "payload": "%27%20OR%201%3D1%20--"
}
```

Response:

```jsonc
{
  "score": 82,
  "level": "high",
  "sources": {
    "ipReputation": 95,     // AbuseIPDB (60% weight)
    "payloadAnalysis": 62   // Local regex engine (40% weight)
  }
}
```

The combined score is the weighted sum of the two sources: 0.6 × 95 + 0.4 × 62 = 81.8, rounded to 82.

Fallback: if AbuseIPDB is unavailable, the local payload score is used at 100% weight automatically.
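The blend and the fallback as an added example. This is not SentinelAI's `riskScoreController` or `abuseIPDBService.js`: the `low` / `medium` / `high` bands are assumptions (the page only shows `high` for 82), the `fetch`-based client and the injectable `fetchImpl` are mine, and the payload score is passed in as a number because the local regex engine supplies it. The AbuseIPDB v2 `/check` endpoint, its `Key` header and the `data.abuseConfidenceScore` field are the real API; everything else is constructed.

```javascript
// Added example, not SentinelAI's risk-score code: 60/40 blend of IP reputation
// and payload analysis, falling back to 100% payload when the lookup fails.

const WEIGHTS = { ipReputation: 0.6, payloadAnalysis: 0.4 };

function clamp(n) { return Math.max(0, Math.min(100, Number(n) || 0)); }

// Blend the two 0-100 signals. A null reputation score means the lookup was
// disabled or failed, so the payload score carries full weight (the fallback).
function combineScores({ ipReputation, payloadAnalysis }) {
  const payload = clamp(payloadAnalysis);
  if (ipReputation === null || ipReputation === undefined) {
    return { score: Math.round(payload), fallback: true, sources: { ipReputation: null, payloadAnalysis: payload } };
  }
  const rep = clamp(ipReputation);
  const score = Math.round(WEIGHTS.ipReputation * rep + WEIGHTS.payloadAnalysis * payload);
  return { score, fallback: false, sources: { ipReputation: rep, payloadAnalysis: payload } };
}

// Assumed bands; the page only documents "high" for a score of 82.
function riskLevel(score) { return score >= 70 ? 'high' : score >= 40 ? 'medium' : 'low'; }

// AbuseIPDB lookup that degrades to null on any failure (no key, HTTP error,
// timeout, malformed body) instead of throwing, so a third-party outage never
// takes the scoring endpoint down with it. fetchImpl is injectable for tests.
async function lookupAbuseIPDB(ip, { apiKey, fetchImpl = globalThis.fetch, timeoutMs = 3000 } = {}) {
  if (!apiKey || typeof fetchImpl !== 'function') return null;
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    const url = `https://api.abuseipdb.com/api/v2/check?ipAddress=${encodeURIComponent(ip)}&maxAgeInDays=90`;
    const res = await fetchImpl(url, { headers: { Key: apiKey, Accept: 'application/json' }, signal: ctrl.signal });
    if (!res.ok) return null;
    const body = await res.json();
    const conf = body && body.data && body.data.abuseConfidenceScore;
    return Number.isFinite(conf) ? conf : null;
  } catch {
    return null;
  } finally {
    clearTimeout(timer);
  }
}

// The POST /api/risk-score handler logic; payloadAnalysis comes from the local engine.
async function hybridRiskScore({ ip, payloadAnalysis, apiKey, fetchImpl }) {
  const ipReputation = await lookupAbuseIPDB(ip, { apiKey, fetchImpl });
  const combined = combineScores({ ipReputation, payloadAnalysis });
  return { ip, level: riskLevel(combined.score), ...combined };
}

// Constructed fetch stand-ins: one returns the AbuseIPDB response shape with
// abuseConfidenceScore 95, the other simulates an outage.
const fetchOk = async () => ({ ok: true, json: async () => ({ data: { abuseConfidenceScore: 95 } }) });
const fetchDown = async () => { throw new Error('ECONNREFUSED'); };

if (typeof require !== 'undefined' && require.main === module) {
  hybridRiskScore({ ip: '185.220.101.1', payloadAnalysis: 62, apiKey: 'demo', fetchImpl: fetchOk }).then(console.log);
  hybridRiskScore({ ip: '185.220.101.1', payloadAnalysis: 62, apiKey: 'demo', fetchImpl: fetchDown }).then(console.log);
}
```

Returning `null` rather than throwing from the lookup is the whole point of the fallback: the response still reports `"ipReputation": null` so a dashboard can tell a genuinely clean IP from one that simply was not checked.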
## 📡 API Reference

### Authentication

| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/auth/register` | Register a new user |
| POST | `/api/auth/login` | Login & receive JWT |
| POST | `/api/auth/google` | Google Sign-In (Firebase) |
| GET | `/api/auth/me` | Get current user profile |

### Statistics

| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/stats/overview` | Dashboard summary (counts, rates) |
| GET | `/api/stats/attack-types` | Attack type breakdown |
| GET | `/api/stats/timeline?period=24h` | Traffic over time (24h/7d/30d) |
| GET | `/api/stats/top-ips` | Top attacking IP addresses |
| GET | `/api/stats/alerts?limit=20` | Recent security alerts |
| PATCH | `/api/stats/alerts/read` | Mark alerts as read |

### Logs

| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/logs` | Paginated logs with filters |
| GET | `/api/logs/recent?limit=10` | Live traffic feed |
| GET | `/api/logs/:id` | Single log detail |
| DELETE | `/api/logs/:id` | Delete log entry |
| DELETE | `/api/logs/all` | Clear all logs |

### IP Management

| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/ip/blocked` | List all blocked IPs |
| POST | `/api/ip/block` | Manually block an IP |
| DELETE | `/api/ip/unblock/:ip` | Unblock an IP |
| GET | `/api/ip/check/:ip` | Check block status |

### Scanner

| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/scanner/test` | Analyze a single payload |
| POST | `/api/scanner/bulk` | Bulk test up to 10 payloads |
| GET | `/api/scanner/samples` | Get sample attack payloads |

### Threat Detector

| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/threat-detector/analyze` | Deep payload analysis |
| GET | `/api/threat-detector/test-suite` | Run built-in test cases (23 payloads) |

### Risk Score

| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/risk-score` | Combined IP reputation + payload analysis |

### Attacker Profiles

| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/profiles` | List all attacker profiles |
| GET | `/api/profiles/:ip` | Profile details for an IP |
| GET | `/api/profiles/top-risk?limit=10` | Highest risk attackers |

Route order matters in Express: the literal routes `DELETE /api/logs/all` and `GET /api/profiles/top-risk` must be registered before their parameterised siblings `/api/logs/:id` and `/api/profiles/:ip`, otherwise `all` and `top-risk` are captured as the `:id` / `:ip` parameter.
## 🎯 Attack Detection Capabilities

| Category | Examples | Encoding Support |
|---|---|---|
| SQL Injection | `UNION SELECT`, `OR 1=1`, `DROP TABLE`, time-based blind | URL, double, Base64, hex |
| Cross-Site Scripting | `<script>`, `onerror`, `eval`, `document.cookie` | URL, Unicode, HTML entity |
| Command Injection | `$(cmd)`, `` `whoami` ``, `; ls`, `&& rm -rf` | URL, double encoding |
| Path Traversal | `../../etc/passwd`, `%2e%2e%2f` | URL, Unicode (`%uXXXX`) |
| CSRF | Missing tokens, suspicious origins | — |
| Defanged URLs | `hxxps[://]`, `domain[.]com` | Bracket notation |
| Null Byte Injection | `%00/etc/passwd` | URL encoding |
| Obfuscation | `String.fromCharCode`, mixed encoding | JavaScript, multi-layer |
## 🔒 Security Features

| Feature | Implementation |
|---|---|
| AI Threat Detection | Google Gemini 2.0 Flash |
| Regex Scoring Engine | Custom weighted pattern matcher (50+ rules) |
| External Threat Intel | AbuseIPDB API (IP reputation) |
| Rate Limiting | express-rate-limit (100 req/15 min) |
| Security Headers | helmet.js (HSTS, CSP, X-Frame) |
| IP Auto-Blocking | 3-strike threshold system |
| JWT Authentication | jsonwebtoken (7-day expiry) |
| Google Sign-In | Firebase Authentication |
| Password Security | bcryptjs (12 salt rounds) |
| Input Validation | express-validator |
| CORS Protection | Restricted to frontend URL |
| Audit Trail | Full request logging in MongoDB |
| Attacker Profiling | Rule-based behavioral classification |
## 🖥️ Frontend Pages

| Page | Features |
|---|---|
| Dashboard | 8 interactive stat cards, live traffic table, alerts panel, notification bell |
| Analytics | Attack type chart, traffic timeline, top IPs visualization |
| Logs | Filterable/searchable request log with pagination |
| Scanner | Test payloads against the detection engine, bulk scanning |
| Profiles | Attacker behavior profiles, risk scores, attack type breakdown |
| Login | Local credentials + Google Sign-In, animated loading screen |
## 🛠️ Tech Stack

| Layer | Technologies |
|---|---|
| Backend | Node.js, Express.js, MongoDB (Mongoose), JWT |
| AI Engine | Google Gemini 2.0 Flash API |
| Threat Intel | AbuseIPDB API, Custom regex scoring engine |
| Frontend | React 19, Vite, Recharts, Lucide Icons |
| Auth | JWT + Firebase (Google Sign-In) |
| Styling | Custom CSS design system (dark theme, glassmorphism) |
| Testing | Jest, Supertest |
## 🧪 Testing the Detection Engine

Test SQL Injection Detection (the JSON body is double-quoted so the single quote inside the payload survives the shell):

```bash
curl -X POST http://localhost:5000/api/scanner/test \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <your-jwt-token>" \
  -d "{\"payload\": \"' OR 1=1 --\"}"
```

Test Hybrid Risk Score:

```bash
curl -X POST http://localhost:5000/api/risk-score \
  -H "Content-Type: application/json" \
  -d '{"ip": "185.220.101.1", "payload": "%27%20OR%201%3D1%20--"}'
```

Test Encoded XSS:

```bash
curl -X POST http://localhost:5000/api/scanner/test \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <your-jwt-token>" \
  -d '{"payload": "%3Cscript%3Ealert(1)%3C/script%3E"}'
```
This project is for educational and hackathon purposes. Built with ❤️ by Team Codeholics.
🛡️ SecureNet Monitoring Platform — SentinelAI
Intelligent. Adaptive. Real-Time.