NALA

Network AI Log-based Analyzer for Anomaly Detection

AI/ML-Driven Open-Source Framework for Network Anomaly Detection

An accessible, modular alternative to traditional SIEMs. It combines Zeek and Suricata for deep traffic visibility, AI/ML (fine-tuning + RAG) with MCP-controlled analysis for anomaly detection, and the OPNsense API for automated, real-time enforcement.

Dashboard Interface Preview

Real-time monitoring with alerts, MCP controls, and intuitive investigation views

Network Dashboard

Network discovery and visualization

Firewall Dashboard

Deep traffic visibility from Zeek with behavioral profiling

How It Works

An OPNsense edge firewall sits at the network boundary, so it sees every connection that crosses it and can block unwanted activity in real time.

NALA works from a passive mirror of that traffic (a copy sent to the NALA sensor, so collection never sits inline and cannot interrupt the network). The sensor turns the mirrored packets into Zeek and Suricata records and surfaces real-time alerts and insights, with one-click blocks pushed back to OPNsense.

How NALA Works: traffic becomes detailed records that feed the AI layer and the console for block/allow decisions

TECHNOLOGY STACK

OPNsense
Gateway Layer
Firewall Policies
API Integration
Real-time Enforcement
AI/ML
Model Context Protocol (MCP)
Fine-Tuning
Retrieval-Augmented Generation (RAG)
Anomaly Detection Models
Behavioral Profiling
LOGGING
Zeek Network Analysis
Suricata IDS/IPS
Elasticsearch/OpenSearch Indexing
Threat Feeds (AbuseIPDB)
INTERFACE
Electron Desktop App
Visualization Dashboards
Investigation Workflows
Real-time Decision Making

Frequently asked questions

What is NALA?
A modular, low-cost alternative to a traditional SIEM, focused on real-time anomaly detection using Zeek/Suricata and AI/ML (fine-tuning + RAG). It reduces licensing cost and operational complexity while remaining scalable and suited to research and educational environments.

Which components make up the stack?
OPNsense for gateway enforcement, Zeek for protocol metadata, Suricata for IDS/IPS alerts, Elasticsearch/OpenSearch for indexing and visualization, and an MCP-controlled analysis layer with an Electron desktop UI for investigation and response.

How does the AI/ML layer work?
Zeek and Suricata logs are enriched and features are extracted for anomaly detection models built with scikit-learn, PyTorch, and PyOD. Fine-tuned models capture known attack patterns, while RAG provides contextual anomaly detection and a natural-language explanation of each finding. MCP gives the operator direct control, so a new rule can be deployed immediately instead of waiting for a retraining cycle.

How is enforcement carried out?
The OPNsense API applies dynamic firewall actions (allow, block, quarantine) in real time, orchestrated from the NALA app based on model and MCP decisions. Because a false positive here becomes an outage, an automated action should be gated: a confidence threshold, an allowlist for critical internal hosts, and a way to roll the action back.

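The enforcement step described above, as an added example that is not NALA's own code. It assumes an alias named NALA_BLOCK already exists on the firewall and is referenced by a block rule, that the alias_util endpoints are as documented for OPNsense (confirm against your version), and that the API key/secret belong to an OPNsense user restricted to the firewall alias API. The protected ranges, hostname and credentials are placeholders; the request is built separately from being sent so the decision logic can be exercised without a firewall.

```python
"""Push a NALA block/unblock decision to OPNsense via its REST API (added example, not project code)."""
import base64
import ipaddress
import json
import ssl
import urllib.request

# Assumption: addresses in these ranges are never auto-blocked. An alert on them goes to an operator
# instead, because an automated rule that cuts off the wrong internal host is a self-inflicted outage.
NEVER_AUTO_BLOCK = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


class BlockRefused(Exception):
    """Raised when a decision must not be turned into a firewall change automatically."""


def vet_target(address, protected=NEVER_AUTO_BLOCK):
    """Return a canonical IP string or raise: ValueError on anything that is not an IP (so nothing
    unparsed reaches the firewall), BlockRefused on an address inside a protected range."""
    ip = ipaddress.ip_address(address.strip())
    if any(ip in net for net in protected):
        raise BlockRefused(f"{ip} is in a protected range; escalate to an operator instead")
    return str(ip)


def build_alias_request(base_url, key, secret, alias, address, action="add"):
    """Build (without sending) POST /api/firewall/alias_util/<add|delete>/<alias> with {"address": ip}.
    OPNsense authenticates API calls with HTTP basic auth: key as user name, secret as password.
    action="delete" is the rollback of action="add"."""
    if action not in ("add", "delete"):
        raise ValueError(f"unsupported alias_util action {action!r}")
    ip = vet_target(address)
    url = f"{base_url.rstrip('/')}/api/firewall/alias_util/{action}/{alias}"
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps({"address": ip}).encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )


def push_decision(base_url, key, secret, alias, address, action="add", cafile=None):
    """Send the request over TLS with certificate verification left on; cafile points at the CA that
    issued the firewall's certificate. Never disable verification to make a self-signed cert 'work'."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_alias_request(base_url, key, secret, alias, address, action)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)  # OPNsense answers with a JSON status object


if __name__ == "__main__":
    # Dry run on a constructed external address: the block request and its rollback, nothing sent.
    for act in ("add", "delete"):
        r = build_alias_request("https://fw.example.internal", "APIKEY", "APISECRET",
                                "NALA_BLOCK", "203.0.113.10", act)
        print(r.get_method(), r.full_url, r.data.decode())
    try:
        vet_target("10.0.0.9")
    except BlockRefused as e:
        print("refused:", e)
```

Keeping the alias as the only thing the API user can touch (rather than a user who can edit rules) bounds the damage if the key/secret leaks: the worst an attacker can do with it is add or remove addresses in NALA_BLOCK.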
What does the investigation side offer?
Dashboards for anomaly correlation and triage, behavioral profiling that detects deviations from a host's normal pattern (the signatures of botnets, exfiltration, and APT activity), and real-time Elasticsearch queries issued under MCP control.

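The feature extraction described in the AI/ML answer and the behavioral profiling described above, as one added example that is not NALA's code. NALA's own detectors are built with scikit-learn, PyTorch and PyOD; this stand-in uses only the standard library (a robust z-score against the population of hosts) so it runs anywhere, but the step from Zeek conn.log records to a per-host feature vector is the same shape. The log records are constructed, not captured; the host addresses, the five features and the 3.5 cut-off are choices made here.

```python
"""Per-host behavioral profiling over Zeek conn.log (JSON) records; added example, not project code."""
import json
from collections import defaultdict
from statistics import median

# Constructed records in Zeek's JSON conn.log layout (LogAscii::use_json=T), trimmed to the fields used.
# Four ordinary hosts; 10.0.0.8 pushes bulk data to an external address (exfiltration shape).
NORMAL_AND_EXFIL = """\
{"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":443,"proto":"tcp","orig_bytes":1200,"resp_bytes":54000,"conn_state":"SF"}
{"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":443,"proto":"tcp","orig_bytes":800,"resp_bytes":30000,"conn_state":"SF"}
{"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.21","id.resp_p":53,"proto":"udp","orig_bytes":60,"resp_bytes":120,"conn_state":"SF"}
{"id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.20","id.resp_p":443,"proto":"tcp","orig_bytes":1500,"resp_bytes":60000,"conn_state":"SF"}
{"id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.22","id.resp_p":80,"proto":"tcp","orig_bytes":700,"resp_bytes":20000,"conn_state":"SF"}
{"id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.21","id.resp_p":53,"proto":"udp","orig_bytes":70,"resp_bytes":150,"conn_state":"SF"}
{"id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.20","id.resp_p":443,"proto":"tcp","conn_state":"S0"}
{"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.22","id.resp_p":80,"proto":"tcp","orig_bytes":900,"resp_bytes":15000,"conn_state":"SF"}
{"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.21","id.resp_p":53,"proto":"udp","orig_bytes":65,"resp_bytes":130,"conn_state":"SF"}
{"id.orig_h":"10.0.0.10","id.resp_h":"10.0.0.20","id.resp_p":443,"proto":"tcp","orig_bytes":2000,"resp_bytes":80000,"conn_state":"SF"}
{"id.orig_h":"10.0.0.10","id.resp_h":"10.0.0.21","id.resp_p":53,"proto":"udp","orig_bytes":60,"resp_bytes":100,"conn_state":"SF"}
{"id.orig_h":"10.0.0.10","id.resp_h":"10.0.0.22","id.resp_p":80,"proto":"tcp","orig_bytes":300,"resp_bytes":5000,"conn_state":"RSTO"}
{"id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","orig_bytes":1800000,"resp_bytes":4000,"conn_state":"SF"}
{"id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","orig_bytes":700000,"resp_bytes":3000,"conn_state":"SF"}
"""
# 10.0.0.9 sweeps ports on 10.0.0.30: eight SYNs to distinct ports, none answered (conn_state S0),
# which is how Zeek records a half-open scan. Generated rather than typed out.
SWEEP = "\n".join(json.dumps({"id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.30", "id.resp_p": p,
                              "proto": "tcp", "conn_state": "S0"})
                  for p in (21, 22, 23, 25, 80, 443, 445, 3389))
CONN_LOG = NORMAL_AND_EXFIL + SWEEP

FAILED_STATES = {"S0", "REJ", "RSTOS0"}  # Zeek conn_state codes where no handshake completed
FEATURES = ("conns", "distinct_dst_ports", "distinct_dst_hosts", "failed_ratio", "bytes_out")


def parse_conn_log(text):
    """One dict per non-empty line. Zeek omits unset fields in JSON output, so readers use .get()."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def profile(records):
    """Collapse connections into one feature vector per originating host."""
    acc = defaultdict(lambda: {"conns": 0, "ports": set(), "hosts": set(), "failed": 0, "bytes_out": 0})
    for r in records:
        a = acc[r["id.orig_h"]]
        a["conns"] += 1
        a["ports"].add(r["id.resp_p"])
        a["hosts"].add(r["id.resp_h"])
        a["failed"] += r["conn_state"] in FAILED_STATES
        a["bytes_out"] += r.get("orig_bytes", 0)
    return {h: {"conns": a["conns"], "distinct_dst_ports": len(a["ports"]),
                "distinct_dst_hosts": len(a["hosts"]), "failed_ratio": a["failed"] / a["conns"],
                "bytes_out": a["bytes_out"]} for h, a in acc.items()}


def robust_z(values):
    """Deviation from the population median in units of 1.4826*MAD (the modified z-score). When most
    hosts share the median, MAD collapses to 0; fall back to the mean absolute deviation instead of
    dividing by zero (and to 1.0 when every host is identical, giving z = 0 everywhere)."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    mad = median(devs)
    scale = 1.4826 * mad if mad > 0 else (sum(devs) / len(devs) or 1.0)
    return [(v - med) / scale for v in values]


def detect(text, threshold=3.5):
    """Hosts that sit more than `threshold` robust z-scores ABOVE the population on any feature, with
    the offending features as the explanation an analyst sees. 3.5 is the customary modified-z cut-off."""
    prof = profile(parse_conn_log(text))
    hosts = list(prof)
    flagged = defaultdict(list)
    for feat in FEATURES:
        for host, z in zip(hosts, robust_z([prof[h][feat] for h in hosts])):
            if z > threshold:
                flagged[host].append((feat, round(z, 1)))
    return dict(flagged)


if __name__ == "__main__":
    for host, reasons in detect(CONN_LOG).items():
        print(host, reasons)
```

Only positive deviations are scored: a host that talks to fewer ports than its peers is not interesting, one that talks to many more is. The two flagged hosts come out with different explanations (distinct destination ports plus failed-connection ratio for the scanner, bytes sent for the exfiltrating host), which is the detail a triage dashboard needs before anyone clicks "block".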
What does it run on?
Debian-based Linux, on hardware from a mini-PC or Raspberry Pi 4/5 up to a VM or cloud instance. Network traffic is mirrored (SPAN port or TAP) to the sensor for collection.

What comes next?
Continued evaluation of fine-tuning, RAG and MCP strategies against each other, integration of additional threat intelligence feeds, scaling performance to enterprise environments, and improved operator tooling through MCP. Open-source contributions and community feedback are encouraged.

Get in Touch

Have questions or want to collaborate?
Reach out through the following channels:

Open Live Demo
Note: The demo works in Safari. Other browsers block an insecure WebSocket (ws://) connection from an HTTPS page under their mixed-content policy, so open the demo over plain HTTP there.