GeoIDS is an open-source intrusion detection system (IDS) that operates on fully encrypted traffic without decryption. It uses Conformal Geometric Algebra (Clifford algebra) to model multilinear relationships between network flow features and detect zero-day exploits in real time.
| Feature | Description |
|---|---|
| 🔐 Encrypted-traffic native | Analyses TLS metadata, not payload content |
| ⚡ Real-time | Up to 100 000 flows/second via zero-copy ring buffers |
| 🧮 Geometric Algebra core | Sparse multivectors over ℝ^(p,q), blades up to order 3 |
| 🤖 Zero-day detection | Online learning with forgetting factor — no retraining needed |
| 🔍 Explainable | Blade attribution: "e₁₂ anomaly → packet-size ∧ timing" |
| 📊 Dashboard | 3-D PCA projection of the multivector manifold |
| 🔗 SIEM-ready | JSON/WebSocket output for Splunk, ELK; Zeek/Bro integration |
```
PCAP / NetFlow / Zeek logs
         │
         ▼
┌─────────────────────┐
│  Ingestion Engine   │  (scapy / dpkt / nfstream, ring buffer)
└────────┬────────────┘
         │ raw flows
         ▼
┌─────────────────────┐
│  Feature Extractor  │  (25–30 features incl. TLS metadata)
└────────┬────────────┘
         │ feature vectors
         ▼
┌─────────────────────┐
│  Multivector Embed  │  (Conformal GA, sparse blades order ≤ 3)
└────────┬────────────┘
         │ multivectors
         ▼
┌─────────────────────┐      ┌──────────────────────┐
│  Anomaly Detector   │◄─────│ Reference Multiframe │
│  (blade distance)   │      │ (GA mean, Grassmann) │
└────────┬────────────┘      └──────────────────────┘
         │
         ▼
┌─────────────────────┐
│    Alert Engine     │  (GPD threshold + blade attribution)
└────────┬────────────┘
         │
         ▼
SIEM / Dashboard / Log
```
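The pipeline stages above (feature vector, sparse multivector with blades up to grade 3, forgetting-factor reference, blade-distance score, blade attribution) condensed into a small runnable sketch. This is an added example, not GeoIDS code: it uses a plain Euclidean basis rather than the conformal model, a constructed product-of-features embedding, four assumed feature names, an empirical quantile in place of the GPD tail fit, and constructed sample flows. It exists only to show how a multivector anomaly score decomposes into per-blade contributions such as "e12: pkt_size ^ iat".

```python
"""Toy walk-through of the GeoIDS stages: embed -> reference -> score -> attribute.

Added example, not GeoIDS code. Simplifications (all assumptions): Euclidean
basis instead of conformal GA, product-of-features embedding, quantile
threshold instead of GPD, and four made-up feature names.
"""
from itertools import combinations
from math import sqrt

# Assumed feature names, normalised to roughly [0, 1]; GeoIDS's real 25-30
# flow features are not reproduced here.
FEATURES = ("pkt_size", "iat", "tls_ext_count", "fwd_ratio")
MAX_GRADE = 3


def blade_name(blade):
    """Label a blade, e.g. (0, 1) -> 'e12: pkt_size ^ iat'."""
    idx = "".join(str(i + 1) for i in blade)
    return f"e{idx}: " + " ^ ".join(FEATURES[i] for i in blade)


def embed(x, max_grade=MAX_GRADE):
    """Sparse multivector {blade_tuple: coefficient} for feature vector x.

    Constructed embedding: e_i holds x_i, and each higher blade holds the
    product of its features, so bivectors/trivectors carry pairwise and
    triple interactions.  Zero coefficients are not stored (sparse).
    """
    mv = {}
    for k in range(1, max_grade + 1):
        for blade in combinations(range(len(x)), k):
            c = 1.0
            for i in blade:
                c *= x[i]
            if c != 0.0:
                mv[blade] = c
    return mv


class ReferenceFrame:
    """Per-blade mean of benign multivectors with exponential forgetting."""

    def __init__(self, forgetting=0.9):
        self.lam = forgetting   # weight kept from the past on each update
        self.mean = {}

    def update(self, mv):
        if not self.mean:       # first flow seeds the reference
            self.mean = dict(mv)
            return
        for b in set(self.mean) | set(mv):
            self.mean[b] = self.lam * self.mean.get(b, 0.0) + (1 - self.lam) * mv.get(b, 0.0)

    def score(self, mv):
        """Blade distance ||mv - mean|| plus each blade's squared contribution."""
        contrib = {}
        for b in set(self.mean) | set(mv):
            d = mv.get(b, 0.0) - self.mean.get(b, 0.0)
            if d:
                contrib[b] = d * d
        return sqrt(sum(contrib.values())), contrib


def attribute(contrib, top=3):
    """Largest-contributing blades first: the explainability output."""
    ranked = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)
    return [(blade_name(b), round(c, 4)) for b, c in ranked[:top]]


def quantile_threshold(scores, q=0.99):
    """Empirical quantile of recent benign scores (stand-in for the GPD fit)."""
    s = sorted(scores)
    return s[min(len(s) - 1, int(q * (len(s) - 1)))]


def run(flows, forgetting=0.9, warmup=20):
    """Score flows online; return [(index, score, attribution)] for alerts."""
    ref = ReferenceFrame(forgetting)
    history, alerts = [], []
    for i, x in enumerate(flows):
        mv = embed(x)
        score, contrib = ref.score(mv) if ref.mean else (0.0, {})
        if i >= warmup and score > quantile_threshold(history):
            alerts.append((i, round(score, 4), attribute(contrib)))
        else:
            ref.update(mv)          # only benign-looking flows move the reference
            history.append(score)
    return alerts


# Constructed sample: 30 benign flows near 0.5 with small deterministic jitter,
# then a lone large-packet flow, then large packets AND long gaps together.
BENIGN = [[0.5 + 0.02 * ((i + j) % 3 - 1) for j in range(4)] for i in range(30)]
FLOWS = BENIGN + [[2.0, 0.5, 0.5, 0.5], [2.0, 2.0, 0.5, 0.5]]

if __name__ == "__main__":
    for idx, score, why in run(FLOWS):
        print(f"flow {idx}: score={score}")
        for name, c in why:
            print(f"   {name}  contribution={c}")
```

Running it flags only the last two flows. The first is attributed to the grade-1 blade e1 (pkt_size alone moved), while the second is attributed to the bivector e12, because the product of the two shifted features deviates from the reference far more than either feature does on its own; that is the interaction signal the higher-grade blades exist to expose.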
```bash
git clone https://github.com/Chege-N/GeoIDS.git
cd GeoIDS
pip install -e ".[dev]"
```

```bash
geoIDS ingest --source pcap --file traffic.pcap --output alerts.json
sudo geoIDS ingest --source live --interface eth0
geoIDS dashboard --port 8050
```

A demonstration script (scripts/demo.py) generates synthetic encrypted traffic with five attack categories, including a zero-day DoH-based backdoor. On this synthetic benchmark, GeoIDS achieves detection rates above 85% at false positive rates below 1%.

Full evaluation on public datasets (CIC-IDS2017, CSE-CIC-IDS2018, UNSW-NB15) is in progress. The evaluation protocol and expected results are documented in docs/evaluation.md.
```
GeoIDS/
├── geoidslib/
│   ├── algebra/      # Sparse multivector & GA operations
│   ├── features/     # Flow feature extraction
│   ├── detection/    # Anomaly scoring & online learning
│   ├── ingestion/    # PCAP / NetFlow / Zeek ingestion
│   └── output/       # Alerts, SIEM, WebSocket
├── dashboard/        # Plotly Dash visualisation
├── tests/            # Pytest unit + integration tests
├── benchmarks/       # Performance benchmarks
├── configs/          # YAML configuration files
├── scripts/          # CLI helpers
└── docs/             # Extended documentation
```
```bibtex
@software{GeoIDS2026,
  title = {GeoIDS: Hyperdimensional Anomaly Detection via Geometric Algebra},
  year  = {2026},
  url   = {https://github.com/Chege-N/GeoIDS}
}
```

MIT — see LICENSE.