COM0453 IoT — Final Project · Istanbul Kültür University · Spring 2026

EdgeShield

A physically deployed, multi-layer secure IoT gateway on Raspberry Pi 5 — combining MQTT, nftables, HMAC integrity, Suricata IDS, and AI-driven anomaly detection.

▶ Watch Demo View on GitHub
6
Active Services
100%
Crypto Detection
480
AI Training Windows
4
Attack Scenarios
13K+
Log Records
orhunx@edgeshield:~/edgeshield
$ python3 scripts/attack_replay.py
[*] Sending legitimate packet fcnt=100...
[*] Replaying same packet 5 times...
[02:27:58] [REPLAY_DETECTED] device=sensor-01 fcnt=100 last_known=1854
[02:27:59] [REPLAY_DETECTED] device=sensor-01 fcnt=100 last_known=1854
 
$ python3 scripts/attack_hmac.py
[02:30:00] [INTEGRITY_FAIL] device=sensor-01 topic=iot/gateway/sensor-01/telemetry
[02:30:01] [INTEGRITY_FAIL] device=sensor-01 topic=iot/gateway/sensor-01/telemetry
 
$ tail -3 logs/anomaly.log
[02:45:15] [NORMAL] device=sensor-01 score=0.2562
[02:49:31] [ANOMALY] device=sensor-01 score=0.1148 features=[-76.49, 9.01, 3.78, 488.46]
$
System Design
4-Layer Defense Architecture
L1

IoT Devices

3 simulated sensor nodes — temperature · humidity · pressure — publishing HMAC-signed MQTT messages with DB-persisted FCnt counters

L2a

MQTT Broker

Mosquitto 2.x with TLS 1.2+, password authentication, per-device ACL rules, and WireGuard VPN tunneling

L2b

Security Enforcement

nftables stateful firewall (whitelist + rate-limit + auto-block) · Suricata IDS · HMAC-SHA256 verification · FCnt replay protection

L2c

Log Pipeline

Python collector → SQLite · Isolation Forest anomaly detection (480 training windows, score threshold 0.15)

L3

Observability

Flask REST API (4 endpoints) · Grafana 13 dashboard (3 panels: telemetry, alerts, gateway stats)

Security Scenarios
4 Live Attack Demonstrations
🔁

Replay Attack

Captured MQTT frame retransmitted with stale FCnt. DB-persisted counter rejects any frame with FCnt ≤ last accepted.

5/5 detected · <1s MTTD
✂️

HMAC Tampering

Payload body modified in transit with fabricated MAC string. Timing-safe compare_digest catches every mismatch.

5/5 detected · <1s MTTD
🔍

Port Scan

nmap SYN scan against gateway interface. nftables rate-limiter activates, dropping excess SYN packets automatically.

100% blocked · rate-limit active
🤖

AI Anomaly Injection

Valid HMAC packets with fixed RSSI and 10× normal rate — simulating a software radio. Isolation Forest flags behavioral deviation.

Score 0.256 → 0.114 · Δ=0.14
Runtime
6 Services — Auto-start on Boot
mosquitto
MQTT broker · TLS + ACL
grafana-server
Dashboard · port 3000
edgeshield-collector
HMAC + FCnt + SQLite writer
edgeshield-sim
3-device sensor simulator
edgeshield-api
Flask REST API · port 5000
edgeshield-anomaly
Isolation Forest detector
Team EdgeShield
Istanbul Kültür University · Spring 2026
OT

Orhun Utku Topal

2200003909

Python pipeline, sensor simulator, HMAC engine, Flask API, SQLite schema, Grafana dashboard, Isolation Forest model, anomaly injection simulation, LaTeX report, README.

Python ML/AI Flask Grafana LaTeX
BA

Berk Can Akbaba

2200004131

RPi5 OS setup, Mosquitto TLS+ACL, nftables firewall, Suricata IDS, TLS certificate generation, attack simulations (replay, HMAC, port scan), systemd service units, GitHub SSH setup.

Linux nftables Mosquitto Suricata systemd

Explore EdgeShield

Source code, documentation, and full LaTeX report available on GitHub.

▶ Watch Demo Video GitHub Repository