SnortEduGuard – Student Integrity Surveillance System
Overview
SnortEduGuard is a real-time academic integrity IDS that detects AI tool usage, VPN evasion, and command-and-control behavior on educational networks. It goes beyond signature-matching by adding NLP-powered alert summarization and a default-deny Exam Mode for proctored sessions.
The Challenge
Academic integrity monitoring relied on manual log review and couldn't catch AI tool usage (ChatGPT, Claude) or VPN-based evasion in real time. Proctored sessions had no automated enforcement layer — instructors had to manually watch network logs during exams.
The Solution
Built 40+ custom Snort 3 rules targeting AI tool API calls, VPN handshakes, DNS tunneling, and Nmap scan signatures. Integrated a Flask backend that processes Snort alerts and feeds them to a spaCy NLP pipeline for automatic categorization and plain-English summarization. Exam Mode applies a default-deny policy that flags any unauthorized outbound traffic the moment a proctored session starts.
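A sketch of how a default-deny Exam Mode check could run over Snort 3 alert_json output, as an added example that is not SnortEduGuard's own code. The subnet, allowlist, alert messages and SIDs are constructed assumptions, and a keyword lookup stands in for the spaCy categorization step.

```python
import ipaddress
import json

# Constructed sample in Snort 3 alert_json format; msg text and SIDs are made up.
SAMPLE_ALERTS = """\
{"timestamp":"05/12-09:00:01.100","msg":"EXAM outbound TLS","proto":"TCP","src_addr":"10.20.0.15","dst_addr":"192.0.2.10","dst_port":443,"sid":1000001}
{"timestamp":"05/12-09:00:07.412","msg":"AI tool API call","proto":"TCP","src_addr":"10.20.0.15","dst_addr":"198.51.100.7","dst_port":443,"sid":1000002}
{"timestamp":"05/12-09:01:30.002","msg":"VPN handshake","proto":"UDP","src_addr":"10.20.0.22","dst_addr":"203.0.113.50","dst_port":1194,"sid":1000003}
not-json garbage line
{"timestamp":"05/12-09:02:00.000","msg":"Internal print job","proto":"TCP","src_addr":"10.20.0.22","dst_addr":"10.20.0.200","dst_port":631,"sid":1000004}
"""

EXAM_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed proctored lab subnet
ALLOWED = {("192.0.2.10", 443)}                     # assumed exam portal (ip, port)
# Keyword lookup used here as a stand-in for the spaCy categorization step.
CATEGORIES = {"ai tool": "AI tool usage", "vpn": "VPN evasion",
              "dns tunnel": "DNS tunneling", "nmap": "Nmap scan"}

def categorize(msg):
    low = msg.lower()
    return next((c for k, c in CATEGORIES.items() if k in low), "Unauthorized outbound")

def exam_mode_violations(lines, exam_active=True):
    """Return (violations, unparsed): default-deny for traffic leaving the exam subnet."""
    violations, unparsed = [], 0
    for line in filter(None, map(str.strip, lines.splitlines())):
        try:
            ev = json.loads(line)
            src = ipaddress.ip_address(ev["src_addr"])
            dst = ipaddress.ip_address(ev["dst_addr"])
            port = int(ev["dst_port"])
        except (ValueError, KeyError, TypeError):
            unparsed += 1  # surface unreadable events instead of silently passing them
            continue
        if not exam_active or src not in EXAM_SUBNET or dst in EXAM_SUBNET:
            continue       # not a proctored host, or traffic stays inside the lab
        if (str(dst), port) in ALLOWED:
            continue       # explicitly permitted destination
        category = categorize(ev.get("msg", ""))
        violations.append({
            "sid": ev.get("sid"), "category": category,
            "summary": f"{ev.get('timestamp', '?')}: {src} contacted {dst}:{port} ({category})",
        })
    return violations, unparsed

if __name__ == "__main__":
    for v in exam_mode_violations(SAMPLE_ALERTS)[0]:
        print(v["summary"])
```

The unparsed count is returned alongside the violations so that a malformed or truncated alert line shows up for review rather than passing as "no violation".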
Tech Stack
Outcomes
- 40+ custom Snort 3 rules covering AI tools, VPN protocols, and C2 behavior
- spaCy NLP pipeline reduces alert review time with plain-English summaries
- Exam Mode enforces default-deny with zero false negatives on unauthorized outbound traffic
- Real-time dashboard eliminates manual CMD log review during proctored sessions