Catching Hackers with Math: How I Built a Self-Healing Server

Published: April 27, 2026 at 10:20 PM EDT
3 min read
Source: Dev.to

If you’ve never worked in cybersecurity before, the word DevSecOps can sound intimidating—like you need to sit in a dark room wearing a hoodie, typing furiously to stop hackers. In reality, good security isn’t about typing fast; it’s about building smart alarms.

For my latest engineering project, I built an Anomaly Detection Engine from scratch. Below is a beginner‑friendly breakdown of how simple math can teach a server to defend itself.

The Problem: Hard‑Coded Rules Fail

Imagine you run a popular online store and tell your firewall:

“If anyone tries to enter the store more than 10 times a second, kick them out! They must be a hacker doing a brute‑force attack.”

That works on a normal Tuesday, but on Black Friday hundreds of real customers flood the site. Your firewall kicks them all out, and the business crashes. Hard‑coded limits don’t adapt to reality.

The Solution: The “Resting Heartbeat”

Instead of a strict rule, the engine calculates a Rolling Baseline—the server’s resting heartbeat.

  • Every minute, a background script evaluates traffic and determines the current average (e.g., 1 request per second).
  • As traffic gradually increases (e.g., during a sale), the baseline adjusts, treating the higher volume as the new normal.

The Trigger: Z‑Score (The Conveyor Belt)

To catch actual attacks, the engine uses a 60‑second Sliding Window—a conveyor belt of incoming traffic.

  1. It tracks every IP address on that belt.
  2. It compares each IP’s request rate to the baseline using a Z‑Score.

A Z‑Score of 3.0 or higher puts the spike outside the band that contains 99.7 % of normal traffic, so it is almost certainly a massive anomaly, not just an enthusiastic user. (During testing I accidentally saw a Z‑Score of 40.17—the engine didn’t hesitate.)

The Trapdoor: Auto‑Banning and Slack Alerts

When the math flags an attacker, the engine acts automatically:

  • Block: Sends a command to the server’s core firewall (iptables) to drop all traffic from the offending IP instantly.
  • Alert: Posts a formatted message to Slack, showing the attacker’s IP and the severity of the attempt.
  • Recovery: Starts a 10‑minute timer; when it expires, the IP is automatically unbanned, so a legitimate user whose client briefly misbehaved is never locked out permanently.
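The sliding window, the Z‑Score trigger and the block/alert/recovery cycle from the last three sections, as an added Python example that is not code from the post. The shopper and attacker IPs, their request rates and the 0.05 standard‑deviation floor are constructed assumptions, and ban decisions are kept in a dict where the post’s engine would call iptables and Slack.

```python
import statistics
from collections import Counter, deque

WINDOW_SECONDS = 60   # the post's 60-second sliding window
Z_THRESHOLD = 3.0     # three standard deviations, the post's trigger
BAN_SECONDS = 600     # the post's 10-minute automatic unban
MIN_STDEV = 0.05      # assumed floor so a flat baseline cannot divide by zero

class AnomalyEngine:
    def __init__(self):
        self.events = deque()              # (timestamp, ip) still on the conveyor belt
        self.baseline = deque(maxlen=600)  # per-IP rate samples from recent minute ticks
        self.bans = {}                     # ip -> timestamp at which its ban expires
    def _prune(self, now):                 # drop requests that fell off the belt
        while self.events and self.events[0][0] <= now - WINDOW_SECONDS:
            self.events.popleft()
    def record(self, ts, ip):              # requests must arrive in time order
        self.events.append((ts, ip))
        self._prune(ts)
    def rates(self, now):                  # requests/second per IP in the window ending at now
        self._prune(now)
        return {ip: n / WINDOW_SECONDS for ip, n in Counter(ip for _, ip in self.events).items()}
    def sample_baseline(self, now):        # minute tick: fold rates into the resting heartbeat
        self.baseline.extend(self.rates(now).values())
    def z_score(self, rate):
        if len(self.baseline) < 2:
            return 0.0                     # no heartbeat yet, so nothing can be anomalous
        stdev = max(statistics.pstdev(self.baseline), MIN_STDEV)
        return (rate - statistics.fmean(self.baseline)) / stdev
    def evaluate(self, now):               # returns {ip: z} for IPs banned on this pass
        self.bans = {ip: t for ip, t in self.bans.items() if now < t}  # recovery: auto-unban
        flagged = {}
        for ip, rate in self.rates(now).items():
            z = self.z_score(rate)
            if z >= Z_THRESHOLD and ip not in self.bans:
                self.bans[ip] = now + BAN_SECONDS  # block: the real engine calls iptables here
                flagged[ip] = round(z, 2)          # alert: what the Slack message would carry
        return flagged

def demo():   # constructed traffic: five shoppers near 1 req/s, then one client at 50 req/s
    engine = AnomalyEngine()
    shoppers = {f"203.0.113.{i + 1}": r for i, r in enumerate([0.8, 0.9, 1.0, 1.1, 1.2])}
    for minute in range(5):                # five quiet minutes teach the engine its heartbeat
        quiet = [(minute * 60 + k / r, ip) for ip, r in shoppers.items() for k in range(int(r * 60))]
        for ts, ip in sorted(quiet):
            engine.record(ts, ip)
        engine.sample_baseline(now=(minute + 1) * 60)
    for k in range(3000):                  # 50 req/s burst inside the current window
        engine.record(300 + k / 50, "198.51.100.7")
    return engine, engine.evaluate(now=360)
```

Running `demo()` bans only the bursting client, and a later `evaluate` call past the 10‑minute mark lifts the ban again.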

Conclusion

Building this engine taught me that modern security isn’t about constructing taller walls; it’s about creating smarter sensors. By combining simple statistics with automated firewalls, you can build a server that heals itself while you sleep!
