NikoTak – Tamara Shostak's blog

A Production Implementation Study

This paper presents a comprehensive real-time anomaly detection system for web traffic monitoring implemented using Grafana, ClickHouse, and Python-based machine learning algorithms. The system addresses limitations of traditional threshold-based monitoring by employing behavioral pattern analysis and derived metric ratios to identify malicious activities including DDoS attacks, bot campaigns, and credential stuffing attempts. Our implementation demonstrates sub-90-second detection latency while processing 50,000 requests per second with an 85% reduction in false positive rates compared to static threshold approaches. The system successfully detected and mitigated multiple attack vectors in production environments, including application-layer DDoS and coordinated bot networks. Key contributions include the development of ratio-based anomaly indicators, real-time streaming architecture design, and integration of multiple detection algorithms for comprehensive threat coverage.

Introduction

Modern web applications face increasingly sophisticated cyber threats while handling exponentially growing traffic volumes. Traditional security monitoring systems rely primarily on static threshold-based alerting mechanisms, which prove inadequate for contemporary threat landscapes characterized by adaptive attack strategies and complex legitimate traffic patterns. The challenge of distinguishing between benign traffic anomalies and malicious activities has become paramount for maintaining service availability and security posture.

Recent threat intelligence indicates continued evolution in attack methodologies, with threat actors increasingly targeting IoT devices for botnet expansion and employing application-layer attack vectors that bypass traditional network-based defenses. Simultaneously, legitimate traffic patterns exhibit greater complexity due to global application scaling, mobile device proliferation, and diverse user behavior patterns.

Modern web applications face increasingly sophisticated cyber threats while handling exponentially growing traffic volumes. Traditional security monitoring systems rely primarily on static threshold-based alerting mechanisms, which prove inadequate for contemporary threat landscapes characterized by adaptive attack strategies and complex legitimate traffic patterns. The challenge of distinguishing between benign traffic anomalies and malicious activities has become paramount for maintaining service availability and security posture.

Recent threat intelligence indicates continued evolution in attack methodologies, with threat actors increasingly targeting IoT devices for botnet expansion and employing application-layer attack vectors that bypass traditional network-based defenses. Simultaneously, legitimate traffic patterns exhibit greater complexity due to global application scaling, mobile device proliferation, and diverse user behavior patterns.

This paper presents a production-deployed anomaly detection system that addresses these challenges through behavioral pattern analysis, real-time processing capabilities, and multi-algorithmic threat detection. Our approach demonstrates significant improvements in detection accuracy, response time, and operational efficiency compared to conventional monitoring solutions.

Methodology and System Design

Behavioral Pattern Analysis Framework

Our approach employs behavioral pattern analysis through derived metric computation rather than raw traffic volume monitoring. The system focuses on ratio-based indicators that reveal anomalous behavioral patterns while maintaining resilience to legitimate traffic variations.

Session and Identity Patterns:

• Unique IP addresses per URI ratio (IP_URI_ratio): Quantifies diversity of source addresses accessing specific resources
• Sessions per IP address ratio (Session_IP_ratio): Identifies automated behavior through session multiplication patterns
• Session duration deviations (Duration_anomaly): Detects abnormal session length patterns compared to established baselines

Request Pattern Analysis:

• Requests per endpoint per minute (RPM_endpoint): Monitors sudden traffic concentration on specific resources
• URI diversity per session (URI_diversity): Identifies unusual navigation patterns inconsistent with normal user flows
• User agent diversity coefficient (UA_diversity): Quantifies agent string variations indicating potential bot network activity

Error Rate Intelligence:

• HTTP 5xx error rate per IP segment (Error_rate_IP): Identifies traffic sources causing server resource exhaustion
• HTTP 404 pattern analysis (NotFound_pattern): Detects reconnaissance and vulnerability scanning activities
• Response time outlier detection (Response_outlier): Identifies resource exhaustion attack patterns

System Architecture

The system architecture implements a three-component design optimized for real-time processing and low-latency detection:

Component 1: Data Visualization and Alerting Layer (Grafana)

• Native ClickHouse datasource integration for sub-second query execution
• Multi-layered anomaly visualization with confidence interval overlays
• Contextual timeline annotations for detected event correlation
• Intelligent alert routing based on severity classification and pattern recognition

Component 2: High-Performance Time-Series Engine (ClickHouse)

• Columnar data storage optimized for analytical query processing
• Real-time log ingestion from distributed web server infrastructure
• Materialized view implementation for continuous metric aggregation
• Historical context provision for baseline establishment and trend analysis

Component 3: Detection Algorithm Service (Python)

• Containerized microservice architecture for scalable deployment
• Multi-algorithmic detection pipeline combining statistical and machine learning approaches
• Real-time metric computation and feature vector generation
• Anomaly scoring and classification with confidence interval calculation

3.3 Detection Algorithm Implementation

The detection service implements multiple complementary algorithms to achieve comprehensive threat coverage:

Statistical Analysis Methods:

• Z-score threshold analysis for rapid outlier identification
• Rolling quantile-based thresholds with adaptive baseline adjustment
• Seasonal decomposition for temporal pattern recognition

Machine Learning Approaches:

• Isolation Forest algorithm for multivariate anomaly detection in high-dimensional feature spaces
• Prophet forecasting model for seasonal pattern deviation identification
• One-class SVM for novelty detection in traffic behavioral patterns

Algorithm Integration: The system employs ensemble methodology combining multiple detection approaches with weighted confidence scoring. Individual algorithm outputs undergo correlation analysis to reduce false positive rates while maintaining detection sensitivity.

Experimental Results and Case Studies

Performance Metrics

The implemented system demonstrates significant performance improvements over traditional threshold-based monitoring approaches:

Detection Performance:

• Detection latency: 30-90 seconds from event occurrence to alert generation
• Processing capacity: 50,000 requests per second across multiple application instances
• False positive reduction: 85% improvement compared to static threshold methodologies
• Query performance: Sub-second response times for 95% of dashboard queries
• Storage efficiency: 85% storage cost reduction through ClickHouse columnar compression

Resource Utilization:

• Computational requirements: 2 CPU cores, 4GB RAM for complete detection service
• Network overhead: Minimal impact on application performance (<1% latency increase)
• Storage growth rate: Linear scaling with traffic volume, optimized through data retention policies

Credential Stuffing Attack Detection

Attack Pattern: Coordinated credential stuffing campaign targeting authentication endpoints from distributed IP addresses.

Detection Methodology: The system identified anomalous patterns through multiple indicators:

• Session_IP_ratio increased by 847% above baseline threshold
• URI_diversity coefficient indicated focused targeting of authentication endpoints
• User agent diversity reached 203 distinct agents from 23 IP addresses
• Authentication success rate remained at zero despite elevated attempt volume

Response Timeline: Automated detection and mitigation occurred within 2 minutes of attack initiation, preventing service degradation for legitimate users.

Validation: Post-incident analysis confirmed coordinated bot network activity utilizing compromised credential databases.

Case Study 2: Application-Layer DDoS Mitigation

Attack Pattern: Sophisticated application-layer attack targeting resource-intensive search functionality while maintaining request volumes within normal parameters.

Detection Methodology: The system identified subtle behavioral anomalies:

• Normal aggregate request volumes masked endpoint-specific targeting
• Response_outlier detection identified server resource exhaustion patterns
• Error_rate_IP analysis revealed concentrated traffic sources causing service degradation

Response Strategy: Dynamic rate limiting applied to affected endpoints while maintaining service availability for legitimate traffic.

Outcome: Service availability maintained at >99% during attack duration, with minimal impact on user experience.

Comparative evaluation against baseline threshold-based monitoring systems demonstrates substantial improvements across multiple performance dimensions:

Metric	Threshold-Based	Our System	Improvement
False Positive Rate	23.4%	3.5%	85% reduction
Detection Latency	5-15 minutes	30-90 seconds	75% improvement
Attack Coverage	34%	89%	162% increase
Operational Overhead	High	Low	Significant reduction