README.md

🔐 SecureSync by AG34 (ROPGadgets)

The Safest Distance Between Two Points

Enterprise-Grade Secure Data Synchronization for Distributed Manufacturing Networks

A military-grade secure data pipeline enabling 15+ manufacturing plants across India to sync mission-critical data (production orders, inventory, quality reports) to a central cloud analytics platform—with zero-trust cryptographic guarantees.

---

🎯 The Challenge We Solved

Real-World Problem: A manufacturing company with 15+ plants across India needed to sync critical ERP data to a central analytics platform. They faced:

Challenge	Impact	Status
🔓 Data breaches during transmission	Intellectual property theft, compliance violations	✅ Solved
🔏 No proof of data origin	Disputes, audit failures, accountability gaps	✅ Solved
💥 DDoS attacks flooding endpoints	System downtime, operational disruption	✅ Solved
🚫 Unauthorized access attempts	Data integrity compromises, security incidents	✅ Solved

---

Innovation Highlights

🧠 Two-Stage ML-Powered Attack Detection

Unlike traditional rule-based systems, SecureSync employs a sophisticated machine learning pipeline:

┌─────────────────────────────────────────────────────────────────────┐
│                    TWO-STAGE ML DETECTION SYSTEM                    │
├─────────────────────────────────────────────────────────────────────┤
│  STAGE 1: Binary Classification (Benign vs Attack)                 │
│  ┌─────────────────┐    ┌──────────────────┐    ┌───────────────┐  │
│  │  Contrastive    │ ─► │   64-dim         │ ─► │   LightGBM    │  │
│  │  Learning       │    │   Embeddings     │    │   Classifier  │  │
│  └─────────────────┘    └──────────────────┘    └───────────────┘  │
├─────────────────────────────────────────────────────────────────────┤
│  STAGE 2: Attack Type Classification (Hierarchical)                │
│  ┌─────────────────┐    ┌──────────────────┐    ┌───────────────┐  │
│  │  Supervised     │ ─► │  128-dim         │ ─► │  Multi-class  │  │
│  │  Contrastive    │    │  Embeddings      │    │  Classifier   │  │
│  └─────────────────┘    └──────────────────┘    └───────────────┘  │
└─────────────────────────────────────────────────────────────────────┘

Key Innovations:

• Contrastive Learning in BOTH stages for superior class separation
• Focal Loss for hard example mining on imbalanced attack data
• Hierarchical attack categorization (TCP-Flood, TCP-Flag, TCP-Control)
• Model Interpretability with feature attribution explanations

---

🔐 Military-Grade Security Stack

🔒 Cryptographic Layer Technology Implementation Purpose AES-256-GCM 256-bit key, 96-bit IV, 128-bit auth tag Authenticated encryption with tamper detection RSA-2048 OAEP SHA-256 hash Secure session key exchange RSA-2048 PKCS1 Digital signatures Non-repudiation & origin proof HMAC-SHA256 HKDF-derived keys Payload integrity verification SHA-256 Payload hashing Content integrity fingerprinting Zstandard Compression before encryption Large payload optimization (50MB+)

🛡️ Defense Layer Technology Implementation Purpose Sliding Window Rate Limiting Per-IP + Per-Endpoint Granular request throttling Token Bucket Algorithm Burst detection window Flash crowd protection Priority Lanes Critical endpoint multipliers Business continuity assurance Temp Blocking Auto-expiring bans Automatic attacker isolation Auth Failure Tracking Consecutive fail detection Brute-force prevention ML Attack Detection Real-time classification Zero-day threat detection

---

🏗️ System Architecture

      ┌──────────────────────────────────────────────────────────────────────────────────┐
      │                              PLANT LAYER (15+ Plants)                            │
      │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐         ┌─────────────┐      │
      │  │   Mumbai    │  │   Delhi     │  │  Bangalore  │  ....   │  Vadodara   │      │
      │  │   Plant     │  │   Plant     │  │    Plant    │         │    Plant    │      │
      │  │  ┌───────┐  │  │  ┌───────┐  │  │  ┌───────┐  │         │  ┌───────┐  │      │
      │  │  │ RSA   │  │  │  │ RSA   │  │  │  │ RSA   │  │         │  │ RSA   │  │      │
      │  │  │ Keys  │  │  │  │ Keys  │  │  │  │ Keys  │  │         │  │ Keys  │  │      │
      │  │  └───────┘  │  │  └───────┘  │  │  └───────┘  │         │  └───────┘  │      │
      │  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘         └──────┬──────┘      │
      └─────────┼────────────────┼────────────────┼──────────────────────┼──────────────┘
                │                │                │                      │
                ▼                ▼                ▼                      ▼
      ┌──────────────────────────────────────────────────────────────────────────────────┐
      │                                SECURITY LAYER                                    │
      │  ┌──────────────────────────────────────────────────────────────────────────┐   │
      │  │                        🔐 ENCRYPTED PAYLOADS                              │   │
      │  │   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐  │   │
      │  │   │ AES-256-GCM │ + │ RSA-2048    │ + │ HMAC-SHA256 │ + │ Digital Sig │  │   │
      │  │   │ Encryption  │   │ Key Wrap    │   │ Integrity   │   │ Non-Repud.  │  │   │
      │  │   └─────────────┘   └─────────────┘   └─────────────┘   └─────────────┘  │   │
      │  └──────────────────────────────────────────────────────────────────────────┘   │
      └──────────────────────────────────────────────────────────────────────────────────┘
                                              │
                                              ▼
      ┌──────────────────────────────────────────────────────────────────────────────────┐
      │                             🛡️ DEFENSE PROXY                                     │
      │  ┌────────────────────────────────────────────────────────────────────────────┐ │
      │  │  ┌───────────────┐  ┌───────────────┐  ┌───────────────┐  ┌─────────────┐ │ │
      │  │  │ IP Whitelist  │  │ Rate Limiter  │  │ ML Attack     │  │ Temp Block  │ │ │
      │  │  │ Manager       │  │ (Sliding Win) │  │ Detector      │  │ Engine      │ │ │
      │  │  └───────────────┘  └───────────────┘  └───────────────┘  └─────────────┘ │ │
      │  └────────────────────────────────────────────────────────────────────────────┘ │
      │  ┌────────────────────────────────────────────────────────────────────────────┐ │
      │  │                    📊 PACKET METRICS & FEATURE EXTRACTION                  │ │
      │  │   duration | packets | payload_bytes | header_bytes | SYN/ACK/FIN flags   │ │
      │  └────────────────────────────────────────────────────────────────────────────┘ │
      └──────────────────────────────────────────────────────────────────────────────────┘
                                              │
                                              ▼
      ┌──────────────────────────────────────────────────────────────────────────────────┐
      │                           ☁️ CENTRAL ANALYTICS PLATFORM                          │
      │  ┌────────────────┐  ┌────────────────┐  ┌────────────────┐  ┌────────────────┐ │
      │  │ 🔍 Signature   │  │ 🔓 AES Key     │  │ ✅ HMAC        │  │ 🔐 Payload     │ │
      │  │    Verify      │─▶│    Decrypt     │─▶│    Verify      │─▶│    Decrypt     │ │
      │  └────────────────┘  └────────────────┘  └────────────────┘  └────────────────┘ │
      │                                              │                                   │
      │                                              ▼                                   │
      │  ┌────────────────────────────────────────────────────────────────────────────┐ │
      │  │                          📋 AUDIT LOG & STORAGE                            │ │
      │  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────────┐   │ │
      │  │  │ Production  │  │ Inventory   │  │ Quality     │  │ Non-Repudiation │   │ │
      │  │  │ Orders      │  │ Items       │  │ Reports     │  │ Audit Trail     │   │ │
      │  │  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────────┘   │ │
      │  └────────────────────────────────────────────────────────────────────────────┘ │
      └──────────────────────────────────────────────────────────────────────────────────┘

---

📊 Management Dashboard Suite

🎛️ Admin Control Panel

Dynamic IP whitelist management with real-time CIDR range support and one-click network segment authorization.

📜 Audit Log Viewer

Comprehensive searchable interface proving "Plant A sent Data X at Timestamp Y" with cryptographic proof:

• SHA-256 payload fingerprints
• Digital signature verification status
• HMAC integrity validation
• Operator attribution

🚨 Attack Monitor

Real-time security threat visualization with:

• Live blocked attempt streams
• Per-IP threat scoring
• Attack type classification (ML-powered)
• Automatic threat isolation

📈 Analytics Dashboard

• Plant connectivity status (Online/Offline)
• Sync event statistics (24h trends)
• Security verification rates
• Data volume metrics

---

💪 Performance & Reliability

Metric	Target	Achievement
Security check latency	< 100ms	✅ < 50ms avg
Large payload support	50MB	✅ Zstd compressed
DDoS resilience	1000+ rapid requests	✅ Tested & passed
Signature verification	Every payload	✅ 100% coverage
Tampered payload rejection	100%	✅ Zero false negatives

---

🔬 Technical Deep Dive

End-to-End Encryption Flow

// CLIENT SIDE (Plant)
1. user_data = { productId, quantity, ... }
2. payload_hash = SHA256(JSON.stringify(user_data))
3. aes_key = crypto.randomBytes(32)
4. { ciphertext, iv, authTag } = AES-256-GCM.encrypt(user_data, aes_key)
5. encrypted_key = RSA_OAEP.encrypt(aes_key, server_public_key)
6. hmac = HMAC-SHA256(ciphertext, HKDF(aes_key))
7. signature = RSA_PKCS1.sign({ plantId, timestamp, payload_hash }, plant_private_key)
8. send({ ciphertext, iv, authTag, encrypted_key, hmac, signature, payload_hash })

// SERVER SIDE (Central)
1. verify_signature(signature, plant_public_key) || REJECT("Tampered")
2. aes_key = RSA_OAEP.decrypt(encrypted_key, server_private_key)
3. verify_hmac(ciphertext, hmac, HKDF(aes_key)) || REJECT("Integrity failure")
4. plaintext = AES-256-GCM.decrypt({ ciphertext, iv, authTag }, aes_key)
5. verify_hash(plaintext, payload_hash) || REJECT("Hash mismatch")
6. store(plaintext) + create_audit_log()
7. return SIGNED_ACK(server_private_key)

Rate Limiting Algorithm

# Sliding Window + Burst Detection + Priority Lanes
def check_rate_limit(ip, endpoint, timestamp):
    # Priority endpoints get 2x limit multiplier
    multiplier = 2.0 if is_critical_endpoint(endpoint) else 1.0
    
    # Sliding window: per-IP limit
    ip_window = get_sliding_window(ip, WINDOW_SECONDS)
    if len(ip_window) > PER_IP_LIMIT * multiplier:
        return BLOCK("Per-IP limit exceeded")
    
    # Burst detection: sub-second spike detection
    burst_window = get_burst_window(ip, BURST_WINDOW_SECONDS)
    if len(burst_window) > BURST_LIMIT:
        return BLOCK("Burst detected")
    
    # Per-endpoint granularity
    endpoint_window = get_sliding_window((ip, endpoint), WINDOW_SECONDS)
    if len(endpoint_window) > PER_ENDPOINT_LIMIT * multiplier:
        return BLOCK("Per-endpoint limit exceeded")
    
    return ALLOW()

---

🏭 Supported Plant Locations

SecureSync supports 15+ manufacturing plants across India with unique cryptographic identities:

Region	Plants	Status
West	Mumbai, Pune, Ahmedabad, Vadodara	🟢 Online
South	Bangalore, Chennai, Hyderabad, Coimbatore	🟢 Online
North	Delhi, Jaipur, Lucknow, Chandigarh	🟢 Online
Central	Bhopal, Nagpur	🟢 Online
East	Kolkata	🟢 Online

Each plant has:

• Unique RSA-2048 key pair
• X.509 certificate with SHA-256 fingerprint
• Geolocation metadata for validation
• Individual audit trail

---

🎨 UI/UX Excellence

• 3D Interactive Landing Page with Three.js WebGL animations
• Glassmorphic Design Language with subtle transparency effects
• Real-time Data Visualization with live sync status
• Dark Mode Optimized for 24/7 operations center deployment
• Responsive Grid Layouts for desktop and tablet
• Security-First Visual Indicators (shield icons, verification badges)

---

🔮 Future-Ready Innovations

Innovation	Status	Description
mTLS Ready	🟡 Prepared	Mutual certificate authentication infrastructure
Geolocation Validation	🟢 Implemented	Flag if IP country doesn't match plant location
Anomaly Model Explainability	🟢 Implemented	Feature attribution for ML decisions
Priority Data Lanes	🟢 Implemented	Critical vs non-critical traffic prioritization

---

📜 Compliance & Non-Repudiation

Every data sync generates cryptographic proof of origin:

{
  "auditId": "sync_2026-01-25T06:54:17Z_mumbai",
  "plantId": "plant-mumbai",
  "plantName": "Plant Mumbai",
  "timestamp": "2026-01-25T06:54:17.000Z",
  "payloadHash": "a3f2d8c9e5b7...64 chars",
  "signatureValid": true,
  "hmacValid": true,
  "decryptionSuccess": true,
  "status": "success",
  "operatorId": "op-12345",
  "proofStatement": "Plant Mumbai (Mumbai, Maharashtra) sent production_order data at 2026-01-25T06:54:17Z. Submitted by operator Rajesh Kumar."
}

Legal standing: This audit trail provides irrefutable proof that a specific plant sent specific data at a specific timestamp, enabling:

• Regulatory compliance (ISO 27001, SOC 2)
• Dispute resolution
• Supply chain transparency
• Quality traceability

---

Checks //

Criteria	Our Solution
End-to-End Encryption	✅ AES-256-GCM with RSA key exchange, 50MB+ payload support
Non-Repudiation	✅ RSA-2048 digital signatures, complete audit trail, tamper rejection
IP Whitelisting	✅ Dynamic management, CIDR support, geolocation validation
Rate Limiting & DDoS	✅ Sliding window + token bucket, priority lanes, ML detection
Management Dashboard	✅ Admin panel, audit viewer, real-time attack monitor
Innovation	✅ 2-stage ML attack classification, contrastive learning, explainability
Performance	✅ < 100ms security overhead, tested with 1000+ rapid requests

---

SecureSync
Because critical manufacturing data deserves military-grade protection.

---

© 2026 Team RopGadgets