🛡️ SentinelMesh — Zero-Trust AI Gateway for IoT Devices
SentinelMesh is a Zero-Trust secure gateway designed to protect IoT infrastructure from compromised, misbehaving, or malicious devices — even when those devices possess valid credentials.
The system combines:
• Mutual TLS (mTLS) authentication
• Device identity enforcement
• Behavioral traffic monitoring
• AI-based payload anomaly detection
• Rule-based policy enforcement
• Full forensic logging for offline ML analysis
This project simulates how real industrial IoT security gateways protect critical infrastructure when trusted devices cannot be blindly trusted.
⸻
Problem Statement
In real IoT deployments:
• Devices get compromised after deployment
• Certificates and keys are stolen
• Legitimate devices begin transmitting malicious payloads
• Attackers overwhelm gateways with request floods
• Payloads appear structurally valid but are malicious in size or content
Most systems stop at identity verification.
SentinelMesh assumes a stricter threat model:
Any device — even one with a valid certificate — can behave maliciously.
This is the foundation of a true Zero-Trust architecture.
⸻
Security Layers (Execution Order)
Every incoming request is evaluated through the following layers, in this order:
1. mTLS Authentication (Uvicorn SSL layer)
2. Device Registry Check (Is this a known device?)
3. Behavior Monitor (Is the device spamming or behaving abnormally?)
4. AI Payload Detector (Is the payload statistically abnormal?)
5. Policy Engine (Does the payload violate defined rules?)
6. Forensic Logger (Persist the full request together with the decision outcome)
A device with a valid certificate can still be blocked at any stage.
⸻
System Architecture
Device
  │
  ▼
mTLS Authentication
  │
  ▼
Device Identity Check
  │
  ▼
Behavior Monitoring
  │
  ▼
AI Payload Analysis
  │
  ▼
Policy Enforcement
  │
  ▼
Forensic Logging
  │
  ├── Accept
  └── Block
⸻
📂 Project Structure
sentinelmesh/
│
├── ai/
│   └── live_detector.py      # Real-time ML anomaly detection
│
├── gateway/
│   ├── secure_server.py      # Main Zero-Trust gateway
│   ├── behavior_monitor.py   # Detects request spamming
│   ├── policy_engine.py      # Rule-based filtering
│   ├── device_registry.py    # Known device list
│   └── logger.py             # Forensic traffic logging
│
├── devices/
│   ├── base_device.py
│   └── temp_sensor.py        # Simulated IoT device
│
├── logs/
│   └── traffic_log.jsonl     # All traffic stored here
│
├── security/ca/              # Certificates for mTLS
├── run_device.py             # Device simulator runner
└── requirements.txt
⸻
Operational Flow
Normal Device Traffic
Example payload:
{"temperature_c": 28}
Result: Accepted
⸻
AI Detection — Payload Attack
Device sends:
"X" * 5000
Gateway output:
🚨 RULE BLOCK: Huge string payload
[GATEWAY] AI BLOCKED anomalous payload
⸻
Behavior Detection — Spamming Attack
Device sends 25 rapid requests:
🚨 BEHAVIOR BLOCK: temp-sensor-01 spamming (6 reqs in 10s)
[GATEWAY] BLOCKED by behavior monitor
The monitor trips on the sixth request inside its 10-second window. From that point the request is still logged, but its payload is never analyzed by the AI detector or the policy engine.
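The layer ordering from the Security Layers section and the spamming example above, as a runnable pipeline. This is an added example, not SentinelMesh's own gateway code: the registry contents, the limit of 5 requests per 10-second sliding window, and the 256-character string limit are assumptions, the AI payload stage is left out, and device identity is passed in directly rather than read from a client certificate. Blocked requests are still counted by the behavior monitor and still logged, which is what makes the forensic log complete.

```python
"""Zero-Trust request pipeline: registry -> behavior monitor -> policy -> forensic log.
Added example, not SentinelMesh's own code; thresholds and registry are assumptions."""
import io
import json
import time
from collections import defaultdict, deque

KNOWN_DEVICES = {"temp-sensor-01", "temp-sensor-02"}   # assumed device registry
MAX_STRING_LEN = 256                                    # assumed policy threshold


class BehaviorMonitor:
    """Sliding-window request counter per device. It runs before any payload work,
    so a flood is cut off without paying for rule checks or ML inference."""

    def __init__(self, limit=5, window_s=10.0):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)

    def check(self, device_id, now):
        """Record one request; return a block reason if the window now holds too many."""
        hits = self._hits[device_id]
        while hits and now - hits[0] > self.window_s:   # drop timestamps outside the window
            hits.popleft()
        hits.append(now)
        if len(hits) > self.limit:
            return f"{device_id} spamming ({len(hits)} reqs in {self.window_s:g}s)"
        return None


def policy_check(payload):
    """Rule-based filter: any string value longer than MAX_STRING_LEN is rejected."""
    values = payload.values() if isinstance(payload, dict) else [payload]
    for value in values:
        if isinstance(value, str) and len(value) > MAX_STRING_LEN:
            return "Huge string payload"
    return None


class ForensicLogger:
    """One JSON line per request, accepted or blocked, written to a JSONL sink."""

    def __init__(self, sink=None):
        # In the real gateway the sink would be open("logs/traffic_log.jsonl", "a").
        self.sink = sink if sink is not None else io.StringIO()
        self.entries = []

    def record(self, device_id, payload, decision, now):
        entry = {"ts": now, "device_id": device_id, "payload": payload,
                 "decision": decision[0], "layer": decision[1], "reason": decision[2]}
        self.entries.append(entry)
        self.sink.write(json.dumps(entry) + "\n")

    def lines(self):
        return [json.dumps(e) for e in self.entries]


class Gateway:
    def __init__(self, registry=KNOWN_DEVICES, monitor=None, logger=None):
        self.registry = registry
        self.monitor = monitor or BehaviorMonitor()
        self.logger = logger or ForensicLogger()

    def handle(self, device_id, payload, now=None):
        """Run the layers in order; the first failing layer decides.
        Returns (decision, layer, reason) and logs it whatever the outcome."""
        now = time.time() if now is None else now
        decision = self._evaluate(device_id, payload, now)
        self.logger.record(device_id, payload, decision, now)
        return decision

    def _evaluate(self, device_id, payload, now):
        if device_id not in self.registry:              # layer 2: is the identity known?
            return ("BLOCK", "registry", f"{device_id} not in device registry")
        reason = self.monitor.check(device_id, now)     # layer 3: behaviour
        if reason:
            return ("BLOCK", "behavior", reason)
        reason = policy_check(payload)                  # layer 5: rules (AI layer omitted here)
        if reason:
            return ("BLOCK", "policy", reason)
        return ("ACCEPT", None, None)


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("temp-sensor-01", {"temperature_c": 28}, now=0.0))
    print(gw.handle("temp-sensor-01", "X" * 5000, now=1.0))
    for t in range(2, 8):                      # the sixth request in the window trips the monitor
        print(gw.handle("temp-sensor-01", {"temperature_c": 28}, now=float(t)))
    print(gw.handle("rogue-07", {"temperature_c": 28}, now=9.0))
    print(*gw.logger.lines(), sep="\n")
```

The injected `now` clock keeps the window logic testable; in production `handle()` falls back to `time.time()`. Note that a request blocked by the policy engine still consumes one slot in the behavior window, so a device that alternates oversized and normal payloads cannot dodge the rate limit.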
⸻
▶ Running the Gateway
cd sentinelmesh
source venv/bin/activate

python -m uvicorn gateway.secure_server:app \
  --host 127.0.0.1 \
  --port 8000 \
  --ssl-certfile security/ca/gateway.crt \
  --ssl-keyfile security/ca/gateway.key \
  --ssl-ca-certs security/ca/ca.crt \
  --ssl-cert-reqs 2 \
  --reload

--ssl-cert-reqs 2 is ssl.CERT_REQUIRED: a client that presents no certificate, or one not signed by security/ca/ca.crt, fails the TLS handshake before any request reaches the gateway. --reload is a development convenience and should be dropped outside local testing.
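What those flags amount to on the Python side, and how the verified client certificate becomes the identity the registry check (layer 2) consumes. This is an added example, not gateway/secure_server.py: the certificate paths follow the README, but the assumption that the device ID travels in the certificate's commonName is this example's own, and how secure_server.py actually obtains the client certificate from uvicorn is not shown here.

```python
"""TLS context equivalent to the uvicorn flags, plus device identity from the peer cert.
Added example, not the project's code; commonName-as-device-ID is an assumption."""
import ssl

KNOWN_DEVICES = {"temp-sensor-01", "temp-sensor-02"}   # assumed registry contents


def gateway_ssl_context(certfile="security/ca/gateway.crt",
                        keyfile="security/ca/gateway.key",
                        cafile="security/ca/ca.crt"):
    """Same effect as --ssl-certfile/--ssl-keyfile/--ssl-ca-certs/--ssl-cert-reqs 2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # == 2: no client cert, no handshake
    ctx.load_verify_locations(cafile=cafile)     # only certs chaining to our CA pass
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def device_id_from_peercert(peercert):
    """commonName from the dict ssl.SSLSocket.getpeercert() returns for a verified
    peer, or None when no certificate was presented."""
    if not peercert:
        return None
    for rdn in peercert.get("subject", ()):      # subject is a tuple of RDNs
        for attr_name, value in rdn:             # each RDN is a tuple of (type, value)
            if attr_name == "commonName":
                return value
    return None


def authenticate_device(peercert, registry=KNOWN_DEVICES):
    """Layer 2: a CA-signed certificate is necessary but not sufficient. The identity
    it carries must also be in the registry. Returns the device id or None."""
    device_id = device_id_from_peercert(peercert)
    return device_id if device_id in registry else None


if __name__ == "__main__":
    # Constructed peer-certificate dict in the shape getpeercert() produces.
    cert = {"subject": ((("organizationName", "SentinelMesh"),),
                        (("commonName", "temp-sensor-01"),))}
    print(authenticate_device(cert))             # temp-sensor-01
```

Keeping the registry check separate from TLS verification is the point: a certificate stolen from a decommissioned device still passes the handshake, and only the registry lookup (and later the behavior and payload layers) can stop it.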
⸻
▶ Running a Device
In a separate terminal:
export DEVICE_ID=temp-sensor-01
python run_device.py temp_sensor
To simulate an attack:
for i in {1..25}; do python run_device.py temp_sensor; done
⸻
Forensic Logging
All traffic — accepted and blocked — is stored in:
logs/traffic_log.jsonl
These logs are used for offline ML training, behavioral analysis, and security forensics.
⸻
AI Model Details
The system uses an Isolation Forest model trained on normal IoT payload characteristics.
Features extracted:
• Whether the payload value is numeric
• Length of the payload value
This enables automatic detection of abnormal payload sizes and formats without relying on static rules.
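The two features above, fed to an Isolation Forest, as an added example that is not the project's live_detector.py. It goes a step beyond the page by implementing the forest itself in pure Python so it runs without scikit-learn; the constructed training readings, the tree count, the seed and the 0.5 alert threshold are all assumptions, and a deployment would normally use sklearn.ensemble.IsolationForest with the same feature vectors.

```python
"""Payload anomaly scoring from [is_numeric, length] with a compact Isolation Forest.
Added example, not SentinelMesh's detector; training data and threshold are assumed."""
import json
import math
import random

EULER_GAMMA = 0.5772156649
ALERT_THRESHOLD = 0.5                                  # assumed; scores near 1 are anomalous

# Constructed training set: ordinary temperature readings of varying textual length.
NORMAL_READINGS = (list(range(18, 35)) + [21.5, 22.5, 23.5, 24.5, 25.5]
                   + [5, 7, 9] + [-4, -1] + [-10.5])


def payload_value(payload):
    """Score the field value of a one-field object (e.g. {"temperature_c": 28}), else the raw payload."""
    if isinstance(payload, dict) and len(payload) == 1:
        return next(iter(payload.values()))
    return payload


def extract_features(payload):
    """[is_numeric, length] of the payload value as it is serialised on the wire."""
    value = payload_value(payload)
    text = value if isinstance(value, str) else json.dumps(value)
    try:
        float(text)
        numeric = 1.0
    except ValueError:
        numeric = 0.0
    return [numeric, float(len(text))]


def _c(n):
    """Average path length of an unsuccessful BST search; normalises depths by sample size."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _grow(points, depth, max_depth, rng):
    """Split on a random non-constant feature at a random value until isolated or out of depth."""
    n = len(points)
    if n <= 1 or depth >= max_depth:
        return ("leaf", n)
    splittable = [d for d in range(len(points[0]))
                  if min(p[d] for p in points) < max(p[d] for p in points)]
    if not splittable:                      # remaining points are identical: nothing to isolate
        return ("leaf", n)
    d = rng.choice(splittable)
    lo, hi = min(p[d] for p in points), max(p[d] for p in points)
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[d] < split]
    right = [p for p in points if p[d] >= split]
    return ("node", d, split,
            _grow(left, depth + 1, max_depth, rng), _grow(right, depth + 1, max_depth, rng))


def _path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])          # unsplit leaf counts as c(size) extra depth
    _, d, split, left, right = tree
    return _path_length(left if x[d] < split else right, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=1):
        self.n_trees, self.sample_size, self.rng = n_trees, sample_size, random.Random(seed)
        self.trees, self.n = [], 0

    def fit(self, X):
        self.n = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(self.n)) if self.n > 1 else 0
        self.trees = [_grow(self.rng.sample(X, self.n), 0, max_depth, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1]: near 1 means the point is isolated in very few splits."""
        avg = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / _c(self.n))


class PayloadDetector:
    def __init__(self, readings=NORMAL_READINGS):
        self.forest = IsolationForest().fit(
            [extract_features({"temperature_c": r}) for r in readings])

    def score(self, payload):
        return self.forest.score(extract_features(payload))

    def is_anomalous(self, payload):
        return self.score(payload) > ALERT_THRESHOLD


if __name__ == "__main__":
    det = PayloadDetector()
    for p in ({"temperature_c": 28}, "X" * 5000):
        print(extract_features(p), round(det.score(p), 2), det.is_anomalous(p))
```

One caveat worth knowing before trusting the numeric feature: when every training value is numeric, that feature is constant and the forest never splits on it, so the "X" * 5000 payload is isolated by length alone. The feature only pulls its weight once the training log contains the non-numeric values that are legitimately normal for the fleet.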
⸻
What This Demonstrates
This project demonstrates practical understanding of:
• Zero-Trust Architecture for IoT systems
• Secure gateway design patterns
• Mutual TLS authentication
• Real-time ML inference in request pipelines
• Behavioral anomaly detection
• Forensic logging for ML pipelines
• Defensive, layered system design
⸻
Why This Is Different
Most IoT projects follow this pattern:
“Device sends data to server.”
SentinelMesh follows a security-first mindset:
“Device is treated as a potential attacker.”
This mirrors how real industrial IoT security gateways are designed.
⸻
Future Improvements
• Dashboard to visualize blocked devices and traffic patterns
• Continuous retraining of the AI model from live logs
• Device reputation scoring
• Alerting and incident response integration
• Cloud deployment and scalability testing
⸻
Author
Samiksha Tiwari
Suitable for research portfolios and professional review.