# Imports

In [1]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt

from sklearn.model_selection import train_test_split, GridSearchCV
from sklearn.metrics import classification_report, accuracy_score, precision_score, recall_score, f1_score, roc_auc_score, confusion_matrix, mean_squared_error

from tqdm import tqdm
import time
import joblib

In [2]:
X_train = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/Botnet/X_train.npy', allow_pickle=True)
y_train = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/Botnet/y_train.npy', allow_pickle=True)

X_test = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/Botnet/X_test.npy', allow_pickle=True)
y_test = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/Botnet/y_test.npy', allow_pickle=True)

#X_val = np.load('data/x_val.npy')
#y_val = np.load('data/y_val.npy')

In [38]:
X_train = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/PortScan/X_train.npy', allow_pickle=True)
y_train = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/PortScan/y_train.npy', allow_pickle=True)

X_test = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/PortScan/X_test.npy', allow_pickle=True)
y_test = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/PortScan/y_test.npy', allow_pickle=True)

In [73]:
X_train = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/DDoS/X_train.npy', allow_pickle=True)
y_train = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/DDoS/y_train.npy', allow_pickle=True)

X_test = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/DDoS/X_test.npy', allow_pickle=True)
y_test = np.load('/home/jovyan/ssl-ids/dataset/preprocessed/CIC-IDS-2017/FRI/DDoS/y_test.npy', allow_pickle=True)

In [29]:
#X_train = np.concatenate((X_train, X_val), axis=0)
#y_train = np.concatenate((y_train, y_val), axis=0)

# Playground

In [74]:
np.unique(y_train, return_counts=True)

(array(['BENIGN', 'DDoS'], dtype=object), array([68377, 89620]))

In [75]:
normal_data = X_train[y_train == 'BENIGN'] # normal class

# Helpers

In [76]:
def evaluate_model(model, y_test, y_pred):
    positive_class = 'normal'
    
    accuracy = accuracy_score(y_test, y_pred)
    
    precision = precision_score(y_test, y_pred, pos_label=positive_class, zero_division=True)
    recall = recall_score(y_test, y_pred, pos_label=positive_class, zero_division=True)
    f1 = f1_score(y_test, y_pred, pos_label=positive_class, zero_division=True)
    
    metrics = {
        'model': [model],
        'accuracy': [accuracy],
        'precision': [precision],
        'recall': [recall],
        'f1': [f1],
    }
    
    return metrics

# OCSVM

In [77]:
from sklearn.svm import OneClassSVM

In [78]:
ocsvm = OneClassSVM(kernel='rbf', gamma='auto')

batch_size = 100
n_batches = int(np.ceil(len(normal_data) / batch_size))

for i in tqdm(range(n_batches), desc="Training OCSVM"):
    start = i * batch_size
    end = min((i + 1) * batch_size, len(normal_data))
    batch_data = normal_data[start:end]
    
    if i == 0:
        ocsvm.fit(batch_data)
    else:
        ocsvm.fit(np.vstack((ocsvm.support_vectors_, batch_data)))

Training OCSVM: 100%|██████████| 684/684 [00:07<00:00, 96.67it/s] 


In [None]:
ocsvm = OneClassSVM(kernel='linear', gamma='auto')

start_time = time.time()

ocsvm.fit(normal_data)

training_time = time.time() - start_time
print(f"Training Time: {training_time}")

In [79]:
y_pred_test_ocsvm = ocsvm.predict(X_test)
y_pred_test_ocsvm = np.where(y_pred_test_ocsvm == 1, 'normal', 'anomaly')
y_test_converted_ocsvm = np.where(y_test == 'BENIGN', 'normal', 'anomaly')

In [80]:
evaluate_model("ocsvm", y_test_converted_ocsvm, y_pred_test_ocsvm)

{'model': ['ocsvm'],
 'accuracy': [0.6064141376849048],
 'precision': [0.5237852123250646],
 'recall': [0.992375533428165],
 'f1': [0.6856682326577949]}

In [81]:
ocsvm_df = pd.DataFrame(evaluate_model("ocsvm", y_test_converted_ocsvm, y_pred_test_ocsvm)) 
ocsvm_df

Unnamed: 0,model,accuracy,precision,recall,f1
0,ocsvm,0.606414,0.523785,0.992376,0.685668


# SGDOCSVM

In [82]:
from sklearn.linear_model import SGDOneClassSVM

In [83]:
sgdocsvm = SGDOneClassSVM()

start_time = time.time()

sgdocsvm.fit(normal_data)

training_time = time.time() - start_time
print(f"Training Time: {training_time}")

Training Time: 0.10964226722717285


In [84]:
y_pred_test_sgdocsvm = sgdocsvm.predict(X_test)
y_pred_test_sgdocsvm = np.where(y_pred_test_sgdocsvm == 1, 'normal', 'anomaly')
y_test_converted_sgdocsvm = np.where(y_test == 'BENIGN', 'normal', 'anomaly')

In [85]:
evaluate_model("sgdocsvm", y_test_converted_sgdocsvm, y_pred_test_sgdocsvm)

{'model': ['sgdocsvm'],
 'accuracy': [0.8085850008614537],
 'precision': [0.9994902120717781],
 'recall': [0.5577809388335704],
 'f1': [0.7159916736661432]}

In [86]:
sgdocsvm_df = pd.DataFrame(evaluate_model("sgdocsvm", y_test_converted_sgdocsvm, y_pred_test_sgdocsvm)) 
sgdocsvm_df

Unnamed: 0,model,accuracy,precision,recall,f1
0,sgdocsvm,0.808585,0.99949,0.557781,0.715992


# LOF

In [87]:
from sklearn.neighbors import LocalOutlierFactor

In [89]:
start_time = time.time()

lof = LocalOutlierFactor(n_neighbors=50, contamination=0.001, novelty=True)
lof.fit(normal_data)

training_time = time.time() - start_time
print(f"Training Time: {training_time}")

Training Time: 1.4697179794311523


In [90]:
y_pred_test_lof = lof.predict(X_test)
y_pred_test_lof = np.where(y_pred_test_lof == 1, 'normal', 'anomaly')
y_test_converted_lof = np.where(y_test == 'BENIGN', 'normal', 'anomaly')

In [91]:
evaluate_model("lof", y_test_converted_lof, y_pred_test_lof)

{'model': ['lof'],
 'accuracy': [0.4320066947254424],
 'precision': [0.4322513914199872],
 'recall': [0.9986913229018493],
 'f1': [0.6033584847286915]}

In [92]:
lof_df = pd.DataFrame(evaluate_model("lof", y_test_converted_lof, y_pred_test_lof)) 
lof_df

Unnamed: 0,model,accuracy,precision,recall,f1
0,lof,0.432007,0.432251,0.998691,0.603358


# IF

In [93]:
from sklearn.ensemble import IsolationForest

In [94]:
start_time = time.time()

iforest = IsolationForest(n_estimators=200, max_samples=128, contamination=0.001, random_state=21)
iforest.fit(normal_data)

training_time = time.time() - start_time
print(f"Training Time: {training_time}")

Training Time: 8.55631422996521


In [95]:
y_pred_test_if = iforest.predict(X_test)
y_pred_test_if = np.where(y_pred_test_if == 1, 'normal', 'anomaly')
y_test_converted_if = np.where(y_test == "BENIGN", 'normal', 'anomaly')

In [96]:
evaluate_model("if", y_test_converted_if, y_pred_test_if)

{'model': ['if'],
 'accuracy': [0.43222821137611067],
 'precision': [0.4323772005416718],
 'recall': [0.999203413940256],
 'f1': [0.603574497336312]}

In [97]:
if_df = pd.DataFrame(evaluate_model("if", y_test_converted_if, y_pred_test_if)) 
if_df

Unnamed: 0,model,accuracy,precision,recall,f1
0,if,0.432228,0.432377,0.999203,0.603574


# PCA Reconstruction

In [98]:
from sklearn.decomposition import PCA

In [99]:
start_time = time.time()

pca = PCA(n_components=10)
pca.fit(normal_data)

training_time = time.time() - start_time
print(f"Training Time: {training_time}")

Training Time: 0.24779200553894043


In [100]:
normal_data_pca = pca.transform(normal_data)
normal_data_reconstructed = pca.inverse_transform(normal_data_pca)

train_reconstruction_error = np.mean((normal_data - normal_data_reconstructed) ** 2, axis=1)

In [101]:
threshold = np.percentile(train_reconstruction_error, 95)

In [102]:
X_test_pca = pca.transform(X_test)
X_test_reconstructed = pca.inverse_transform(X_test_pca)

test_reconstruction_error = np.mean((X_test - X_test_reconstructed) ** 2, axis=1)

In [103]:
test_reconstruction_error

array([0.09395284, 0.26812416, 0.09062704, ..., 0.10261925, 0.09344061,
       0.58428197])

In [104]:
y_pred_test_pca = (test_reconstruction_error > threshold).astype(int)
y_pred_test_pca = np.where(y_pred_test_pca == 1, 'normal', 'anomaly')
y_test_converted_pca = np.where(y_test == "BENIGN", 'normal', 'anomaly')

In [105]:
evaluate_model("pca", y_test_converted_pca, y_pred_test_pca)

{'model': ['pca'],
 'accuracy': [0.39961603780550836],
 'precision': [0.10323556797020485],
 'recall': [0.05046941678520626],
 'f1': [0.06779531470936676]}

In [106]:
pca_df = pd.DataFrame(evaluate_model("pca", y_test_converted_pca, y_pred_test_pca)) 
pca_df

Unnamed: 0,model,accuracy,precision,recall,f1
0,pca,0.399616,0.103236,0.050469,0.067795


# Results

In [None]:
results_df = pd.concat([ocsvm_df, sgdocsvm_df, lof_df, if_df, pca_df], ignore_index=True)
results_df.to_csv('/home/jovyan/ssl-ids/result/CIC-IDS-2017/results_cic_ids_2017_fri_botnet.csv', index=False)

results_df

In [71]:
results_df = pd.concat([ocsvm_df, sgdocsvm_df, lof_df, if_df, pca_df], ignore_index=True)
results_df.to_csv('/home/jovyan/ssl-ids/result/CIC-IDS-2017/results_cic_ids_2017_fri_portscan.csv', index=False)

results_df

Unnamed: 0,model,accuracy,precision,recall,f1
0,ocsvm,0.443105,0.444124,0.986247,0.612451
1,sgdocsvm,0.787798,0.998593,0.525134,0.688306
2,lof,0.445823,0.445979,0.999217,0.616705
3,if,0.445687,0.445904,0.998912,0.616575
4,pca,0.573673,0.918852,0.048788,0.092656


In [107]:
results_df = pd.concat([ocsvm_df, sgdocsvm_df, lof_df, if_df, pca_df], ignore_index=True)
results_df.to_csv('/home/jovyan/ssl-ids/result/CIC-IDS-2017/results_cic_ids_2017_fri_ddos.csv', index=False)

results_df

Unnamed: 0,model,accuracy,precision,recall,f1
0,ocsvm,0.606414,0.523785,0.992376,0.685668
1,sgdocsvm,0.808585,0.99949,0.557781,0.715992
2,lof,0.432007,0.432251,0.998691,0.603358
3,if,0.432228,0.432377,0.999203,0.603574
4,pca,0.399616,0.103236,0.050469,0.067795


In [37]:
joblib.dump(ocsvm, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/Botnet/ocsvm.pkl')
joblib.dump(sgdocsvm, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/Botnet/sgdocsvm.pkl')
joblib.dump(lof, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/Botnet/lof.pkl')
joblib.dump(iforest, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/Botnet/iforest.pkl')
joblib.dump(pca, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/Botnet/pca.pkl')

['/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/Botnet/pca.pkl']

In [72]:
joblib.dump(ocsvm, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/PortScan/ocsvm.pkl')
joblib.dump(sgdocsvm, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/PortScan/sgdocsvm.pkl')
joblib.dump(lof, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/PortScan/lof.pkl')
joblib.dump(iforest, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/PortScan/iforest.pkl')
joblib.dump(pca, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/PortScan/pca.pkl')

['/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/PortScan/pca.pkl']

In [108]:
joblib.dump(ocsvm, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/DDoS/ocsvm.pkl')
joblib.dump(sgdocsvm, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/DDoS/sgdocsvm.pkl')
joblib.dump(lof, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/DDoS/lof.pkl')
joblib.dump(iforest, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/DDoS/iforest.pkl')
joblib.dump(pca, '/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/DDoS/pca.pkl')

['/home/jovyan/ssl-ids/model/CIC-IDS-2017/FRI/DDoS/pca.pkl']