anomaly_detector_cpp GitHub Details, Stars and Alternatives | OpenRepoFinder
Suyash8 / repository
anomaly_detector_cpp
High-performance C++17 engine for real-time, stateful log anomaly detection. Uses a multi-tiered system combining heuristics, statistical Z-scores, and ONNX machine learning to find threats. Features flexible alerting (JSON, Syslog, HTTP) and live configuration reloading for operational maturity.
A transparent discovery signal based on current public GitHub metadata.
Recent activity35% weight
30
Community adoption25% weight
0
Maintenance state20% weight
100
License clarity10% weight
100
Project information10% weight
75
This score does not audit code, security, maintainers, documentation quality, or suitability. Verify the repository and its current documentation before adoption.
README preview
Anomaly Detection Engine
A C++ engine for analyzing web server logs and detecting unusual activity patterns in real-time.
The main idea here is pretty straightforward - instead of manually sifting through log files looking for problems, this thing automatically builds up a picture of what "normal" looks like for your traffic and flags anything that seems off. It's written in C++17 and can handle a decent amount of logs per second while running several different types of detection algorithms.
The basic approach is to layer different detection methods instead of relying on just one. Here's the thinking behind it:
Multiple Detection Layers: Fast pattern matching catches obvious stuff, statistical analysis spots behavioral changes, machine learning finds complex patterns, and external monitoring adds another perspective.
Context Matters: Rather than just looking at individual requests, the engine keeps track of what's normal for each IP address and URL path. So it can tell the difference between a legitimate user having a busy day versus someone probing your site.
Performance Considerations: Security tools shouldn't slow down your systems. The code uses modern C++ features and memory optimization to keep resource usage reasonable.
Operational Reality: Includes monitoring, error recovery, configuration reloading, and other features you actually need when running this in production.
Key Features
Multi-Tiered Detection System
The detection works in four tiers, each with different strengths:
Tier 1 (Pattern Matching): Quick checks for known bad things
Rate limiting violations (brute force attempts, scraping)
Suspicious string patterns using Aho-Corasick algorithm
User-Agent analysis - missing UAs, known bad bots, old browsers, UA switching
Threat intelligence feeds for known malicious IPs
Tier 2 (Statistical Analysis): Looks for deviations from normal behavior
Z-Score Analysis: How far current metrics are from historical averages
Behavior Change Detection: When trusted IPs suddenly act differently
Seasonal Patterns: Adapts to normal traffic cycles (like higher usage during business hours)
There are a few pre-made configs to get you started:
# For development work - more logging and debugging
cp config_templates/development.ini config.ini
# Production setup - stable and secure defaults
cp config_templates/production.ini config.ini
# High throughput - tuned for lots of logs per second
cp config_templates/high_performance.ini config.ini
Configuration System
The configuration uses INI format with hot-reloading and validation.