In [None]:
import pandas as pd
import numpy as np
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import StandardScaler, LabelEncoder
from sklearn.ensemble import RandomForestClassifier, IsolationForest
from sklearn.metrics import classification_report
import tensorflow as tf
from tensorflow.keras.models import Sequential, load_model
from tensorflow.keras.layers import Dense, Dropout
import os
import pickle
import json

# --- 0. Setup and File Management ---
def clear_stale_model_files():
    """Deletes old model and preprocessing files to force retraining."""
    print("--- Clearing stale model files ---")
    files_to_delete = [
        'ann_model.keras', 'rf_model.pkl', 'iso_forest_model.pkl', 
        'scaler.pkl', 'feature_columns.pkl', 'label_encoders.pkl'
    ]
    for f in files_to_delete:
        if os.path.exists(f):
            os.remove(f)

def create_default_policy():
    """Creates a default policy.json file if one doesn't exist."""
    if not os.path.exists('policy.json'):
        default_policy = {
          "LowConfidenceThreat": { "confidence_threshold": 0.50, "priority_actions": ["MONITOR", "LOG_EVENT"] },
          "MediumConfidenceThreat": { "confidence_threshold": 0.75, "priority_actions": ["FLAG_FOR_REVIEW", "MONITOR"] },
          "HighConfidenceThreat": { "confidence_threshold": 0.90, "priority_actions": ["BLOCK_IP", "ISOLATE_HOST"] },
          "KnownThreatIoC": { "confidence_threshold": 0.99, "priority_actions": ["BLOCK_IP", "ISOLATE_HOST", "RUN_SCAN"] }
        }
        with open('policy.json', 'w') as f:
            json.dump(default_policy, f, indent=2)
        print("--- Created default policy.json ---")

# --- 1. Data Loading and Preprocessing ---
def preprocess_data(net_path='network_traffic_logs.csv', sys_path='system_event_logs.csv', intel_path='threat_intelligence.csv'):
    """Loads, combines, and preprocesses all data sources including threat intelligence."""
    print("--- Starting Data Preprocessing ---")
    df_net = pd.read_csv(net_path)
    df_sys = pd.read_csv(sys_path)
    df_intel = pd.read_csv(intel_path)

    known_threat_ips = set(df_intel[df_intel['Threat Type'] != 'Phishing']['IOC'])
    
    # Feature: Check if IP is in the threat intel feed
    df_net['is_known_threat_ip'] = df_net.apply(
        lambda row: 1 if row['Source IP'] in known_threat_ips or row['Destination IP'] in known_threat_ips else 0, axis=1
    )
    
    df_net['Timestamp'] = pd.to_datetime(df_net['Timestamp'])
    df_sys['Timestamp'] = pd.to_datetime(df_sys['Timestamp'])
    df_sys.sort_values('Timestamp', inplace=True)
    
    lookback_window = pd.Timedelta(hours=10)
    aggregated_features = []

    for index, net_row in df_net.iterrows():
        end_time = net_row['Timestamp']
        start_time = end_time - lookback_window
        recent_sys_events = df_sys[(df_sys['Timestamp'] > start_time) & (df_sys['Timestamp'] <= end_time)]
        
        features = {
            'timestamp': end_time,
            'recent_failed_logins': (recent_sys_events['Event Type'] == 'Failed Login').sum(),
            'recent_priv_escalations': (recent_sys_events['Event Type'] == 'Privilege Escalation').sum(),
            'is_system_threat_present': 1 if 'Yes' in recent_sys_events['Threat'].unique() else 0
        }
        aggregated_features.append(features)

    df_agg_sys = pd.DataFrame(aggregated_features)
    df = pd.merge(df_net, df_agg_sys, left_on='Timestamp', right_on='timestamp', how='left').fillna(0)
    
    original_df = df.copy()

    df['Threat'] = LabelEncoder().fit_transform(df['Threat'])
    df['Combined_Threat'] = (df['Threat'] | df['is_system_threat_present'] | df['is_known_threat_ip']).astype(int)

    df_features = df.drop(['Timestamp', 'Source IP', 'Destination IP', 'Threat Type', 'Threat', 'timestamp', 'is_system_threat_present', 'Combined_Threat'], axis=1)
    
    encoders = {}
    for col in ['Protocol']:
        le = LabelEncoder()
        df_features[col] = le.fit_transform(df_features[col].astype(str))
        encoders[col] = le
        
    X = df_features
    y = df['Combined_Threat']
    
    scaler = StandardScaler()
    X_scaled = scaler.fit_transform(X)
    
    print("--- Data Preprocessing Complete ---\n")
    return X_scaled, y.values, original_df, scaler, X.columns, encoders

# --- 2. Model Training ---
def train_models(X, y, scaler, encoders):
    """Trains and saves the hybrid detection models."""
    print("\n--- Training Hybrid Detection Models ---")
    # FIX: Use stratify=y to ensure proportional representation of classes in splits
    X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.3, random_state=42, shuffle=True, stratify=y)

    # a) Supervised: Random Forest
    rf_model = RandomForestClassifier(n_estimators=100, random_state=42)
    rf_model.fit(X_train, y_train)
    print(f"Random Forest Test Accuracy: {rf_model.score(X_test, y_test)*100:.2f}%")

    # b) Supervised: ANN
    ann_model = Sequential([Dense(128, input_dim=X_train.shape[1], activation='relu'), Dropout(0.5), Dense(64, activation='relu'), Dense(1, activation='sigmoid')])
    ann_model.compile(optimizer='adam', loss='binary_crossentropy', metrics=['accuracy'])
    ann_model.fit(X_train, y_train, epochs=50, batch_size=32, verbose=0)
    loss, accuracy = ann_model.evaluate(X_test, y_test, verbose=0)
    print(f"ANN Model Test Accuracy: {accuracy*100:.2f}%")
    
    # c) Unsupervised: Isolation Forest
    iso_forest_model = IsolationForest(contamination='auto', random_state=42)
    iso_forest_model.fit(X_train) # Unsupervised, doesn't need y

    # Save models and preprocessing objects
    ann_model.save('ann_model.keras')
    with open('rf_model.pkl', 'wb') as f: pickle.dump(rf_model, f)
    with open('iso_forest_model.pkl', 'wb') as f: pickle.dump(iso_forest_model, f)
    with open('scaler.pkl', 'wb') as f: pickle.dump(scaler, f)
    with open('label_encoders.pkl', 'wb') as f: pickle.dump(encoders, f)
    print("--- All Models and Preprocessing Objects Saved ---")

# --- 3. Multi-Agent System ---
class DetectionAgent:
    """Uses a hybrid model approach for threat detection."""
    def __init__(self, feature_columns):
        print("--- Initializing Detection Agent ---")
        self.ann_model = load_model('ann_model.keras')
        with open('rf_model.pkl', 'rb') as f: self.rf_model = pickle.load(f)
        with open('iso_forest_model.pkl', 'rb') as f: self.iso_forest_model = pickle.load(f)
        with open('scaler.pkl', 'rb') as f: self.scaler = pickle.load(f)
        with open('label_encoders.pkl', 'rb') as f: self.encoders = pickle.load(f)
        self.feature_columns = feature_columns

    def analyze(self, new_data):
        print("\n>>> [Detection Agent] Analyzing new data with hybrid model...")
        data_df = pd.DataFrame([new_data])
        
        # Preprocess the data point
        data_processed = data_df.copy()
        for col, encoder in self.encoders.items():
            data_processed[col] = encoder.transform(data_processed[col].astype(str))
        
        data_processed = data_processed[self.feature_columns]
        data_scaled = self.scaler.transform(data_processed)
        
        # Get predictions from all models
        ann_pred_prob = self.ann_model.predict(data_scaled, verbose=0)[0][0]
        
        # FIX: Robustly handle predict_proba output in case of single-class training
        rf_probs = self.rf_model.predict_proba(data_scaled)
        if rf_probs.shape[1] > 1:
            rf_pred_prob = rf_probs[0][1] # Probability of class 1 (Threat)
        else:
            # This case should be rare with stratified splitting, but it's good practice
            rf_pred_prob = 1.0 if self.rf_model.classes_[0] == 1 else 0.0

        iso_pred = self.iso_forest_model.predict(data_scaled)[0] # -1 for anomaly, 1 for normal
        
        # Combine predictions into a final confidence score
        anomaly_score = 1 if iso_pred == -1 else 0
        final_confidence = (ann_pred_prob + rf_pred_prob + anomaly_score) / 3.0
        
        alert = {
            'is_threat': bool(final_confidence > 0.5),
            'is_known_threat': bool(data_processed['is_known_threat_ip'].iloc[0] == 1),
            'confidence': f"{final_confidence:.2%}",
            'details': data_df.to_dict('records')[0]
        }
        print(f">>> [Detection Agent] Analysis complete. Threat Detected: {alert['is_threat']} (Confidence: {alert['confidence']})")
        return alert

class ResponseAgent:
    """Acts based on a dynamic, file-based policy."""
    def __init__(self, policy_file='policy.json'):
        print("--- Initializing Response Agent ---")
        with open(policy_file, 'r') as f:
            self.policy = json.load(f)

    def formulate_response(self, alert):
        print(">>> [Response Agent] Consulting policy...")
        confidence = float(alert['confidence'].strip('%')) / 100
        
        if alert['is_known_threat']:
            threat_level = "KnownThreatIoC"
        elif confidence > self.policy['HighConfidenceThreat']['confidence_threshold']:
            threat_level = "HighConfidenceThreat"
        elif confidence > self.policy['MediumConfidenceThreat']['confidence_threshold']:
            threat_level = "MediumConfidenceThreat"
        elif confidence > self.policy['LowConfidenceThreat']['confidence_threshold']:
            threat_level = "LowConfidenceThreat"
        else:
            return "No action required. Continue monitoring."
        
        actions = self.policy[threat_level]['priority_actions']
        print(f">>> [Response Agent] Threat Level '{threat_level}'. Executing actions: {actions}")
        return actions

class LearningAgent:
    """RL-based agent to adapt and improve the system."""
    def __init__(self, log_file='incident_log.csv'):
        print("--- Initializing Learning Agent (RL Core) ---")
        self.log_file = log_file

    def get_feedback_and_reward(self, alert, action):
        """Simulates getting feedback and calculating a reward."""
        print(">>> [Learning Agent] Analyzing action results...")
        # In a real system, this would check if the threat was actually neutralized.
        # Simulation: High confidence + Block/Isolate = high reward
        confidence = float(alert['confidence'].strip('%')) / 100
        is_correct_action = ('BLOCK_IP' in action and confidence > 0.8) or ('MONITOR' in action and confidence < 0.8)
        
        reward = 1 if is_correct_action else -1
        print(f">>> [Learning Agent] Action effectiveness assessed. Reward: {reward}")
        return reward

    def update_policy(self, reward):
        """Placeholder for the DQN logic to update the Response Agent's policy."""
        print(">>> [Learning Agent] Policy refinement signal sent (Reward: {}).".format(reward))
        # In a real system: agent.train(state, action, reward, next_state)
        # Then, the updated policy would be written to policy.json
        pass
        
    def update_models(self, alert, action):
        """Placeholder for updating Detection Agent models."""
        print(">>> [Learning Agent] Model update signal sent.")
        # This would trigger a retraining pipeline using the incident log data.
        pass

# --- 4. Main Execution ---
def main():
    """Main function to run the full multi-agent system simulation."""
    clear_stale_model_files()
    create_default_policy()
    
    # --- Training Phase ---
    X_scaled, y, original_df, scaler, feature_columns, encoders = preprocess_data()
    with open('feature_columns.pkl', 'wb') as f: pickle.dump(feature_columns, f)
    train_models(X_scaled, y, scaler, encoders)
    
    # --- Operational Phase ---
    print("\n" + "="*50)
    print("--- Initializing Multi-Agent Cybersecurity Watchdog ---")
    detection_agent = DetectionAgent(feature_columns)
    response_agent = ResponseAgent()
    learning_agent = LearningAgent()

    # --- Simulation Loop ---
    print("\n" + "="*50)
    print("--- Simulating New Incoming Data Event ---")
    
    # A highly suspicious event
    new_event_data = {
        'Packet Size (bytes)': 1490.0, 'Flow Duration (s)': 0.2, 'Protocol': 'TCP',
        'is_known_threat_ip': 0, 'recent_failed_logins': 8, 'recent_priv_escalations': 2,
        'Source IP': '198.51.100.23', 'Destination IP': '10.0.0.5'
    }
    
    # Execute the workflow
    alert = detection_agent.analyze(new_event_data)
    actions = response_agent.formulate_response(alert)
    reward = learning_agent.get_feedback_and_reward(alert, actions)
    learning_agent.update_policy(reward)
    learning_agent.update_models(alert, actions)
    
    print("\n--- System Cycle Complete ---")


if __name__ == "__main__":
    tf.random.set_seed(42)
    np.random.seed(42)
    main()
