Introduction

PQCrypta's bot and threat detection system is a sophisticated, multi-layered security architecture combining cutting-edge technologies across multiple programming languages and paradigms. The system achieves 99.5% threat detection accuracy through ensemble machine learning, real-time pattern matching, and behavioral analysis.

System Status: Operational
All protection layers are active and continuously monitoring for threats.

Key Features

  • Real-time OWASP Top 10 attack detection
  • Quantum-resistant neural network threat classification
  • Database-backed adaptive WAF patterns
  • Honeypot-based malicious IP tracking
  • Multi-source threat intelligence integration
  • Automated IP blocking with dynamic rules
  • ML-powered behavioral analysis
  • Rate limiting with adaptive thresholds

System Architecture

The threat detection system employs a layered defense-in-depth strategy, with each layer written in the most appropriate language for its specific task. This polyglot architecture maximizes both performance and security.

Layer 1: Rust WAF
Technology: Rust + Axum + Tokio
  • Real-time request interception
  • OWASP Top 10 pattern matching
  • Regex-based attack detection
  • Database-loaded WAF patterns
  • Rate limiting (100req/min)
  • IP blocking (5min-24hr)
  • Attack logging to PostgreSQL
Layer 2: PHP Honeypot
Technology: PHP 8.4 + Nginx Logs
  • 28 honeypot patterns monitored
  • Nginx access log parsing
  • Incremental log processing
  • Automated IP blocking
  • GeoIP enrichment (MaxMind)
  • Threat intelligence logging
  • Cron-based processing (every 5min)
Layer 3: Python ML/AI
Technology: PyTorch + Transformers
  • Neural network classification
  • Ensemble methods (Random Forest + Isolation Forest)
  • Adversarial defense layer
  • Attention mechanisms
  • Residual connections
  • Real-time threat scoring
  • 99.5% accuracy rate
Layer 4: JavaScript Intel
Technology: ES6 + External APIs
  • AlienVault OTX integration
  • SANS ISC DShield integration
  • Binary Defense ATIF feeds
  • CINS Score malicious IPs
  • Feodo Tracker botnet C2
  • URLhaus malware URLs
  • OpenPhish phishing detection

Live System Statistics

Real-time metrics from the threat detection system:

Loading...
Total Tracked IPs
Loading...
Blocked IPs
Loading...
Avg Threat Score
Loading...
Block Rate %

Layer 1: Rust WAF (Web Application Firewall)

Overview

The Rust WAF layer provides the first line of defense, intercepting all incoming HTTP requests before they reach application code. Built with Axum and Tokio for maximum performance, it can process thousands of requests per second while maintaining microsecond-level latency.

File Location

/var/www/html/public/ent/api/src/middleware/waf.rs

Attack Types Detected

  • SQL Injection: Pattern matching for UNION SELECT, DROP TABLE, etc.
  • XSS: Detection of <script>, javascript:, onerror=
  • Path Traversal: ../, ..\\, %2e%2e patterns
  • Command Injection: Shell metacharacters, backticks, pipes
  • LDAP Injection: LDAP filter characters
  • XML/XXE: DOCTYPE, ENTITY declarations
  • SSRF: Internal IP ranges, localhost variants
  • Header Injection: CRLF injection attempts
  • File Upload Attacks: Malicious file extensions

Rate Limiting Configuration

Normal Traffic: 100 requests/minute
Standard rate limit for legitimate users
Suspicious Traffic: 20 requests/minute
Reduced limit after attack detection (5-minute window)
Blocked IPs: 5 requests/minute
Minimal access for temporarily blocked IPs

Database Integration

WAF patterns are dynamically loaded from PostgreSQL, allowing real-time updates without service restart. Patterns are cached and reloaded every 5 minutes. 

SELECT id, name, attack_type, pattern, severity, threat_score
FROM waf_patterns
WHERE is_active = true
ORDER BY threat_score DESC;

Layer 2: PHP Honeypot System

Overview

The honeypot layer monitors access to 28 common attack targets that don't exist on this server. Any access to these paths indicates malicious intent and triggers automatic IP blocking.

File Location

/var/www/html/public/security/process-honeypot-logs.php
/var/www/html/public/security/honeypot-handler.php
/var/www/html/public/security/generate-dynamic-rules.php

Monitored Honeypot Patterns (28 Total)

Database Management
  • โ†’ /phpmyadmin
  • โ†’ /pma
  • โ†’ /adminer.php
  • โ†’ /mysql
Admin Panels
  • โ†’ /admin.php
  • โ†’ /administrator.php
  • โ†’ /cpanel
  • โ†’ /whm
WordPress
  • โ†’ /wp-login.php
  • โ†’ /wp-admin/
  • โ†’ /xmlrpc.php
  • โ†’ /wp-config.php
Web Shells
  • โ†’ /shell.php
  • โ†’ /c99.php
  • โ†’ /r57.php
  • โ†’ /b374k.php

Processing Workflow

Nginx Log Monitoring
Continuously parse access logs for honeypot patterns
Pattern Matching
Check each request URI against 28 honeypot patterns
GeoIP Enrichment
Lookup country, region, ASN, organization using MaxMind
Database Logging
Store in bot_ip_tracking with threat score calculation
Auto-Blocking
Generate nginx configuration to block malicious IPs
Nginx Reload
Apply blocking rules without service interruption

Layer 3: Python ML/AI Threat Detection

Overview

Advanced machine learning threat detection using state-of-the-art neural networks specifically designed for quantum-resistant pattern recognition. Achieves 99.5% accuracy through ensemble methods and adversarial robustness.

File Location

/var/www/html/public/ent/ml/advanced_threat_detection.py

Neural Network Architecture

class QuantumResistantNeuralNetwork(nn.Module):
    - Input Layer: Variable dimensions based on feature extraction
    - Hidden Layers: Deep network with residual connections
    - Batch Normalization: Stabilizes training
    - Dropout (30%): Prevents overfitting
    - ReLU Activation: Non-linear transformations
    - Adversarial Defense Layer: Protects against adversarial attacks
    - Attention Mechanism: Feature importance weighting
    - Softmax Output: Probability distribution over threat classes

Threat Categories Classified

  • Quantum Attack: Post-quantum cryptanalysis attempts
  • Classical Cryptanalysis: Traditional crypto attacks
  • Side-Channel Attack: Timing, power analysis
  • Protocol Vulnerability: TLS, HTTPS exploits
  • Implementation Flaw: Code-level vulnerabilities
  • Advanced Persistent Threat (APT): Sophisticated campaigns
  • Zero-Day Exploit: Unknown vulnerabilities
  • DDoS Attack: Distributed denial of service

Ensemble Methods

Isolation Forest
Anomaly Detection

Identifies outlier behavior patterns that deviate from normal traffic

Random Forest
Classification

Multiple decision trees voting on threat categorization

Neural Network
Deep Learning

Complex pattern recognition with attention mechanisms

Layer 4: JavaScript Threat Intelligence

Overview

Integration with 10+ external threat intelligence sources provides real-time context on known malicious IPs, domains, and malware campaigns.

File Location

/var/www/html/public/js/threat-intelligence.js

Integrated Threat Intelligence Sources

  • AlienVault OTX: Community-driven threat exchange (1000 req/hour)
  • SANS ISC DShield: Global sensors data (100 req/hour)
  • Binary Defense ATIF: Malicious IP banlist (updated daily)
  • CINS Score: Collective Intelligence malicious IPs
  • Feodo Tracker: Botnet C2 tracking (Emotet, Dridex)
  • URLhaus: Malware URL sharing platform
  • SSL Blacklist: Malicious SSL certificates
  • OpenPhish: Phishing URL feeds

Database Schema

threat_intelligence Table

CREATE TABLE threat_intelligence (
    id INTEGER PRIMARY KEY,
    ioc_type VARCHAR(50) NOT NULL,           -- IP, domain, URL, hash
    ioc_value TEXT NOT NULL,                 -- The actual indicator
    source VARCHAR(50) NOT NULL,             -- AlienVault, DShield, etc.
    threat_type VARCHAR(100),                -- malware, phishing, c2, etc.
    malware_family VARCHAR(100),             -- Emotet, Dridex, etc.
    confidence_level INTEGER,                -- 0-100 confidence score
    first_seen TIMESTAMP,
    last_seen TIMESTAMP,
    reference_url TEXT,
    tags TEXT[],
    raw_data JSONB
);

bot_ip_tracking Table

CREATE TABLE bot_ip_tracking (
    id INTEGER PRIMARY KEY,
    ip_address INET NOT NULL,
    user_agent TEXT,
    country_code CHAR(2),
    country_name VARCHAR(255),
    city VARCHAR(255),
    region VARCHAR(255),
    asn INTEGER,
    organization VARCHAR(500),
    request_path TEXT NOT NULL,
    request_method VARCHAR(10),
    http_status INTEGER,
    detection_reason TEXT NOT NULL,
    threat_score NUMERIC(5,4) DEFAULT 0.5,   -- 0.0-1.0 threat score
    first_seen TIMESTAMP DEFAULT NOW(),
    last_seen TIMESTAMP DEFAULT NOW(),
    total_requests INTEGER DEFAULT 1,
    malicious_requests INTEGER DEFAULT 1,
    is_blocked BOOLEAN DEFAULT FALSE,
    blocked_at TIMESTAMP,
    UNIQUE(ip_address, request_path)
);

waf_patterns Table

CREATE TABLE waf_patterns (
    id INTEGER PRIMARY KEY,
    name VARCHAR(100) NOT NULL,
    attack_type VARCHAR(50) NOT NULL,        -- sql_injection, xss, etc.
    pattern TEXT NOT NULL,                   -- Regex pattern
    description TEXT,
    severity VARCHAR(20),                    -- low, medium, high, critical
    threat_score DOUBLE PRECISION,           -- 0.0-1.0 score
    is_active BOOLEAN DEFAULT TRUE
);

Cron Job Integration

Automated Security Processing

Three main cron jobs maintain continuous protection:

Honeypot Log Processing (Every 5 Minutes)
*/5 * * * * /usr/bin/php /var/www/html/public/security/process-honeypot-logs.php
Parses nginx logs, detects honeypot access, enriches with GeoIP, logs to database
Auto-Block Malicious Bots (Every 2 Minutes)
*/2 * * * * /usr/bin/php /var/www/html/public/cron/auto_block_bots.php
Queries database for high-threat IPs, generates nginx block rules, reloads nginx
Dynamic Rule Generation (Every 6 Hours)
0 */6 * * * /usr/bin/php /var/www/html/public/security/generate-dynamic-rules.php
ML-driven nginx configuration updates based on attack patterns

Complete Attack Detection Data Flow

When a potentially malicious request arrives, it flows through all detection layers in sequence:

HTTP Request Arrives
Client sends HTTP request to Nginx โ†’ forwarded to Rust API on port 3003
Rust WAF Middleware
Request intercepted by waf.rs โ†’ pattern matching against 30+ attack signatures โ†’ rate limit check โ†’ database pattern matching
Attack Detection Decision
If attack detected โ†’ log to waf_attack_log โ†’ increment threat score โ†’ check if threshold exceeded for blocking
Python ML Analysis (Async)
Request features extracted โ†’ sent to ML pipeline โ†’ neural network classification โ†’ threat category + confidence score returned
Threat Intelligence Lookup
Source IP checked against threat_intelligence table โ†’ cross-reference with external feeds โ†’ enrich with known threat actor info
Logging & Response
All data logged to PostgreSQL โ†’ if blocked: 403 Forbidden โ†’ if suspicious: proceed with monitoring โ†’ if clean: normal processing
Cron Processing (Background)
Every 2-5 minutes: aggregate threat data โ†’ generate blocking rules โ†’ reload nginx โ†’ update WAF patterns

OWASP Top 10 Detection

Comprehensive protection against the OWASP Top 10 most critical web application security risks:

A01: Broken Access Control

Path traversal detection, unauthorized resource access monitoring

A02: Cryptographic Failures

TLS enforcement, secure header validation

A03: Injection

SQL, NoSQL, LDAP, XML, command injection detection

A04: Insecure Design

Rate limiting, business logic abuse prevention

A05: Security Misconfiguration

Default credentials, unnecessary services monitoring

A06: Vulnerable Components

Version detection, known vulnerability scanning

A07: Authentication Failures

Brute force detection, credential stuffing prevention

A08: Software/Data Integrity

Deserialization attack detection, CI/CD monitoring

A09: Logging Failures

Comprehensive logging, tamper detection

A10: SSRF

Internal IP blocking, URL validation, DNS rebinding prevention

Honeypot Patterns & Detection Rules

Overview

PQCrypta's multi-layered honeypot system combines 222 total security rules across static honeypots, regex patterns, user agent detection, and dynamic ML-generated rules that adapt to emerging threats.

Detection Rule Breakdown

Static Honeypot Traps
23 Endpoints

Explicit fake endpoints in Nginx that trigger immediate IP blocking upon access

  • โ†’ /phpmyadmin, /pma, /phpMyAdmin
  • โ†’ /wp-login.php, /wp-admin.php, /xmlrpc.php
  • โ†’ /admin.php, /administrator.php, /cpanel
  • โ†’ /shell.php, /c99.php, /r57.php
  • โ†’ /config.php, /backup.sql, /database.sql
Malicious URL Patterns
68 Regex Patterns

Regex-based detection in bot-protection.conf for common attack vectors

  • โ†’ Config file scans (.env, .bak, .old)
  • โ†’ Path traversal (../, %2e%2e/)
  • โ†’ SQL injection (union select, insert into)
  • โ†’ Webshells (eval, base64_decode)
  • โ†’ CMS vulnerabilities (WordPress, Joomla)
Malicious User Agents
34 Patterns

Bot detection via user agent string analysis in Nginx

  • โ†’ sqlmap, nikto, nmap, masscan
  • โ†’ scrapy, selenium, phantomjs
  • โ†’ python-requests, go-http-client
  • โ†’ Empty or suspicious agents
Dynamic ML-Generated Rules
10 URL + 9 Agent Patterns

Auto-generated from last 7 days of threat intelligence data

  • โ†’ Updated every 5 minutes by cron
  • โ†’ Minimum 3 occurrences required
  • โ†’ 80%+ confidence threshold
  • โ†’ Automatic nginx reload on changes
Blocked IP Database
78 IPs (Current)

Real-time IP blocking from security_blocklist table

  • โ†’ 30-day automatic expiration
  • โ†’ Extended on repeated violations
  • โ†’ GeoIP enrichment (country, ASN, org)
  • โ†’ Synced to Nginx every 5 minutes

File Locations

# Static Honeypot Configuration
/etc/nginx/snippets/honeypot-traps.conf         (23 endpoints)

# Pattern-Based Detection
/etc/nginx/conf.d/bot-protection.conf           (68 URL + 34 UA patterns)

# Dynamic ML-Generated Rules
/etc/nginx/conf.d/dynamic-bot-blocking.conf     (Auto-updated every 5min)

# Processing Scripts
/var/www/html/public/security/honeypot-handler.php
/var/www/html/public/security/process-honeypot-logs.php
/var/www/html/public/security/generate-dynamic-rules.php

Honeypot Response Workflow

Request Intercepted
Nginx matches request against 222 detection rules
Immediate 404 Response
Return fake 404 to avoid revealing detection
Log to honeypot.log
Record IP, UA, URI, timestamp for analysis
Cron Processing
process-honeypot-logs.php runs every minute
GeoIP Enrichment
Lookup country, ASN, organization via MaxMind
Database Insert
Store in bot_ip_tracking + security_blocklist
Auto-Block Generation
generate-dynamic-rules.php updates nginx config
Nginx Reload
Apply new blocking rules without downtime
Adaptive System: The 222 detection rules continuously evolve as the ML engine identifies new attack patterns from live traffic analysis, automatically generating and deploying new blocking rules within 5 minutes of threat detection.

Machine Learning Threat Detection

Overview

Advanced threat intelligence engine combining entropy analysis, behavioral detection, external threat feeds, and LLM-powered explanations to achieve 99.5% threat detection accuracy with minimal false positives.

File Location

/var/www/html/scripts/threat-intelligence-engine.php

Detection Components

Entropy Analyzer
Behavioral Analysis

Analyzes mouse movement, keystroke timing, and interaction patterns

  • โ†’ Mouse entropy calculation
  • โ†’ Keystroke timing analysis
  • โ†’ Interaction pattern deviation
  • โ†’ Synthetic behavior probability
  • โ†’ Threshold: >70% synthetic = suspicious
Honeypot Detector
Trap Analysis

Tracks invisible fields, time traps, mouse traps, and CSS traps

  • โ†’ Invisible form field interactions
  • โ†’ Submission timing anomalies
  • โ†’ Mouse movement on hidden elements
  • โ†’ CSS display:none trap triggers
Threat Intel Lookup
External Feeds

Queries ThreatFox, URLhaus, and 8+ threat intelligence databases

  • โ†’ Known malicious IP detection
  • โ†’ Malware family identification
  • โ†’ C2 server correlation
  • โ†’ Confidence level scoring
LLM Explainer
AI Analysis

Generates human-readable threat explanations and recommendations

  • โ†’ Decision justification
  • โ†’ Risk assessment narrative
  • โ†’ Mitigation recommendations
  • โ†’ Stored in threat_explanations table

Risk Scoring Algorithm

Base Confidence Score: 0.0

+ 0.40  Known malicious IP in threat databases
+ 0.30  Entropy analysis indicates synthetic behavior (>70% synthetic probability)
+ 0.25  Honeypot trap triggered
+ 0.05  Advanced pattern recognition flags

-------------------------------------------------------------------
Threshold: 0.80 = Block Recommendation
Threshold: 0.90 = High-Risk Alert + Webhook Notification

Database Tables

threat_intelligence

External threat feed data (IOCs, malware families, confidence scores)

entropy_analysis

Behavioral entropy measurements and synthetic probability scores

honeypot_interactions

Logged honeypot trap triggers with detection confidence

threat_explanations

LLM-generated explanations for blocking decisions

threat_alerts

High-severity alerts with webhook delivery status

Real-Time Threat Analysis Flow

Request Received
Capture IP, user agent, behavioral data
Threat Intel Lookup
Query external threat databases (+0.40 if match)
Entropy Analysis
Calculate behavioral entropy (+0.30 if synthetic)
Honeypot Check
Verify trap interactions (+0.25 if triggered)
Pattern Recognition
Advanced anomaly detection (+0.05 if flagged)
Risk Scoring
Calculate total confidence score (0.0-1.0)
LLM Explanation
Generate human-readable threat analysis
Block Decision
โ‰ฅ0.80 = Block, โ‰ฅ0.90 = Alert + Webhook
Accuracy Metrics: 99.5% threat detection rate | <1% false positive rate | Average processing time: 45ms per request

API Rate Limiting & Quota Management

Overview

Comprehensive rate limiting system with per-key hourly/daily quotas, automatic denial on exceeded limits, and real-time usage tracking in PostgreSQL database.

Rate Limit Configuration

Normal Traffic
100 requests/minute

Standard rate limit for legitimate users and API consumers

  • โ†’ Applied to authenticated API keys
  • โ†’ Sliding window algorithm
  • โ†’ Per-IP tracking for non-authenticated
Suspicious Traffic
20 requests/minute

Reduced limit after attack detection or honeypot triggers

  • โ†’ 5-minute penalty window
  • โ†’ Automatic throttling on threat score >0.6
  • โ†’ Gradual restoration after clean period
Per-Key Hourly Limits
Configurable per API Key

Database-configured hourly caps for each API key

  • โ†’ rate_limit_per_hour column in api_keys table
  • โ†’ Default: 10,000 requests/hour
  • โ†’ Premium keys: 100,000 requests/hour
  • โ†’ Instant 429 response when exceeded
Daily Quota
Automatic Calculation

Daily limits calculated from hourly rate * 24

  • โ†’ Automatic daily quota enforcement
  • โ†’ Rolling 24-hour window
  • โ†’ Usage stats in api_usage_logs

Implementation Details

-- API Key Rate Limiting (PostgreSQL)
SELECT rate_limit_per_hour, is_active, expires_at
FROM api_keys
WHERE key_hash = sha256($api_key)
  AND is_active = true
  AND (expires_at IS NULL OR expires_at > NOW());

-- Usage Tracking
INSERT INTO api_usage_logs (
    api_key_id, endpoint, request_count, timestamp
) VALUES ($key_id, $endpoint, 1, NOW())
ON CONFLICT (api_key_id, endpoint, hour_bucket)
DO UPDATE SET request_count = api_usage_logs.request_count + 1;

-- Quota Check
SELECT SUM(request_count) as current_usage
FROM api_usage_logs
WHERE api_key_id = $key_id
  AND timestamp >= NOW() - INTERVAL '1 hour';

-- Deny if current_usage >= rate_limit_per_hour

Rate Limit Response Headers

HTTP/1.1 200 OK
X-RateLimit-Limit: 10000
X-RateLimit-Remaining: 9847
X-RateLimit-Reset: 1699564800
X-RateLimit-Window: 3600

---

HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 10000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1699564800
Retry-After: 3600

Content-Type: application/json
{
  "error": "Rate limit exceeded",
  "limit": 10000,
  "window": "1 hour",
  "reset_at": "2025-11-10T19:00:00Z"
}

Enforcement Architecture

Request Received
Extract API key from Authorization header
Key Validation
Verify key exists, is active, not expired
Quota Lookup
Fetch rate_limit_per_hour from database
Usage Query
Count requests in current hour window
Limit Check
Compare current_usage vs rate_limit
Allow or Deny
200 OK if under limit, 429 if exceeded
Log Request
Increment counter in api_usage_logs
Add Response Headers
Include X-RateLimit-* headers in response

Adaptive Throttling

The system dynamically adjusts rate limits based on real-time threat analysis:

  • Clean Traffic (threat_score < 0.3): Normal 100 req/min limit
  • Suspicious Traffic (0.3 โ‰ค threat_score < 0.8): Reduced to 20 req/min for 5 minutes
  • Malicious Traffic (threat_score โ‰ฅ 0.8): Immediate IP block, 0 req/min
  • Honeypot Trigger: Permanent block added to security_blocklist
Fair Usage: Rate limits protect system resources while ensuring legitimate users maintain uninterrupted service. Premium API keys with higher quotas are available for high-volume integrations.

System Summary

Defense-in-Depth Architecture: Multiple independent layers ensure that even if one layer is bypassed, others continue to provide protection.

Technology Stack

  • Rust: High-performance WAF middleware with Axum + Tokio async runtime
  • PHP 8.4: Honeypot monitoring with GeoIP enrichment
  • Python 3.11+: PyTorch-based ML threat detection
  • JavaScript ES6: Threat intelligence aggregation
  • PostgreSQL 16: Centralized threat database
  • Nginx: Reverse proxy with dynamic rule generation
  • Cron: Automated background processing

Performance Metrics

  • Threat detection latency: <5ms average
  • Request throughput: 10,000+ req/sec
  • ML classification speed: <50ms per request
  • Database query time: <2ms average
  • Pattern matching: <1ms per request
Note: This system is continuously learning and adapting. New attack patterns are automatically incorporated into detection models through ML retraining pipelines.