# CICIDS

### **random_forest.ipynb**

The CICIDS2017 dataset is a comprehensive dataset for network intrusion detection, created by the Canadian Institute for Cybersecurity. It includes a diverse set of attack scenarios and normal traffic, making it suitable for training and evaluating intrusion detection systems.

The dataset includes various types of attacks such as Brute Force, Heartbleed, Botnet, DoS (Denial of Service), DDoS (Distributed Denial of Service), Web attacks, and Infiltration of the network from inside.

In [1]:
model_name = "random_forest_(BINARY)"

In [2]:
import warnings
from sklearn.exceptions import UndefinedMetricWarning
warnings.filterwarnings("ignore", category=UndefinedMetricWarning)

## Step 1. Read data and import necessary libraries

In [3]:
import pandas as pd
df_train = pd.read_csv("../data/concatenated/concat.csv")

In [4]:
df_train.head(5)

Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,49188,4,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
1,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
2,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
3,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
4,49486,3,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN


In [None]:
df_train.shape

(2830743, 79)

In [None]:
# df_train.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 2830743 entries, 0 to 2830742
Data columns (total 79 columns):
 #   Column                        Dtype  
---  ------                        -----  
 0    Destination Port             int64  
 1    Flow Duration                int64  
 2    Total Fwd Packets            int64  
 3    Total Backward Packets       int64  
 4   Total Length of Fwd Packets   int64  
 5    Total Length of Bwd Packets  int64  
 6    Fwd Packet Length Max        int64  
 7    Fwd Packet Length Min        int64  
 8    Fwd Packet Length Mean       float64
 9    Fwd Packet Length Std        float64
 10  Bwd Packet Length Max         int64  
 11   Bwd Packet Length Min        int64  
 12   Bwd Packet Length Mean       float64
 13   Bwd Packet Length Std        float64
 14  Flow Bytes/s                  float64
 15   Flow Packets/s               float64
 16   Flow IAT Mean                float64
 17   Flow IAT Std                 float64
 18   Flow IAT Max         

In [None]:
# df_train.describe()



Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min
count,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,...,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0
mean,8071.483,14785660.0,9.36116,10.39377,549.3024,16162.64,207.5999,18.71366,58.20194,68.91013,...,5.418218,-2741.688,81551.32,41134.12,153182.5,58295.82,8316037.0,503843.9,8695752.0,7920031.0
std,18283.63,33653740.0,749.6728,997.3883,9993.589,2263088.0,717.1848,60.33935,186.0912,281.1871,...,636.4257,1084989.0,648599.9,393381.5,1025825.0,577092.3,23630080.0,4602984.0,24366890.0,23363420.0
min,0.0,-13.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,0.0,-536870700.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
25%,53.0,155.0,2.0,1.0,12.0,0.0,6.0,0.0,6.0,0.0,...,0.0,20.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
50%,80.0,31316.0,2.0,2.0,62.0,123.0,37.0,2.0,34.0,0.0,...,1.0,24.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
75%,443.0,3204828.0,5.0,4.0,187.0,482.0,81.0,36.0,50.0,26.16295,...,2.0,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
max,65535.0,120000000.0,219759.0,291922.0,12900000.0,655453000.0,24820.0,2325.0,5940.857,7125.597,...,213557.0,138.0,110000000.0,74200000.0,110000000.0,110000000.0,120000000.0,76900000.0,120000000.0,120000000.0


In [8]:
# Remove leading and trailing whitespaces from column names
df_train.columns = df_train.columns.str.strip()

In [None]:
# df_train.columns

Index(['Destination Port', 'Flow Duration', 'Total Fwd Packets',
       'Total Backward Packets', 'Total Length of Fwd Packets',
       'Total Length of Bwd Packets', 'Fwd Packet Length Max',
       'Fwd Packet Length Min', 'Fwd Packet Length Mean',
       'Fwd Packet Length Std', 'Bwd Packet Length Max',
       'Bwd Packet Length Min', 'Bwd Packet Length Mean',
       'Bwd Packet Length Std', 'Flow Bytes/s', 'Flow Packets/s',
       'Flow IAT Mean', 'Flow IAT Std', 'Flow IAT Max', 'Flow IAT Min',
       'Fwd IAT Total', 'Fwd IAT Mean', 'Fwd IAT Std', 'Fwd IAT Max',
       'Fwd IAT Min', 'Bwd IAT Total', 'Bwd IAT Mean', 'Bwd IAT Std',
       'Bwd IAT Max', 'Bwd IAT Min', 'Fwd PSH Flags', 'Bwd PSH Flags',
       'Fwd URG Flags', 'Bwd URG Flags', 'Fwd Header Length',
       'Bwd Header Length', 'Fwd Packets/s', 'Bwd Packets/s',
       'Min Packet Length', 'Max Packet Length', 'Packet Length Mean',
       'Packet Length Std', 'Packet Length Variance', 'FIN Flag Count',
       'SYN Flag Co

## Step 2. Data Cleaning

### A. Missing values

In [10]:
print(df_train.isna().sum().sum())

1358


In [11]:
df_train.dropna(subset=["Flow Bytes/s"], inplace=True)

In [12]:
print(df_train.isna().sum().sum())

0


### Inf. values

In [13]:
import numpy as np
df_train = df_train.replace([np.inf, -np.inf], np.nan).dropna()

## Step 3. Data Preparation

### A. Normalise numeric features

In [14]:
# Get all numerical columns
numerical_columns = df_train.select_dtypes(include="number").columns

In [15]:
from sklearn.preprocessing import MinMaxScaler
scaler = MinMaxScaler()
# Note: the scaler is fitted on the whole dataset here, before the train/test split
# in Step 3C, so the test rows contribute to the min/max used for scaling. Fitting on
# X_train only and applying transform() to X_test avoids that leakage.
df_train[numerical_columns] = scaler.fit_transform(df_train[numerical_columns])
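
Steps 2 and 3A as one stand-alone example, added here and not part of the original notebook: the same NaN/inf cleaning, binary labelling and min-max scaling on plain Python records, with the scaler fitted on the training rows only. The records, the column subset and the `MinMax` class are constructed for illustration.

```python
import math

# Constructed flow records using three of the CICIDS2017 columns above; the
# values are invented for illustration, not taken from the dataset.
# "Flow Bytes/s" is bytes divided by duration, so zero-duration flows are the
# usual source of the inf/NaN values that Step 2 removes.
ROWS = [
    {"Flow Duration": 4,   "Flow Bytes/s": 3_000_000.0,  "Label": "BENIGN"},
    {"Flow Duration": 0,   "Flow Bytes/s": float("inf"), "Label": "BENIGN"},
    {"Flow Duration": 0,   "Flow Bytes/s": float("nan"), "Label": "DoS Hulk"},
    {"Flow Duration": 120, "Flow Bytes/s": 50.0,         "Label": "PortScan"},
    {"Flow Duration": 60,  "Flow Bytes/s": 400.0,        "Label": "BENIGN"},
]
NUMERIC = ["Flow Duration", "Flow Bytes/s"]

def clean_rows(rows):
    """Step 2 on plain dicts: drop any row with NaN or +/-inf in a numeric column."""
    return [r for r in rows if all(math.isfinite(r[c]) for c in NUMERIC)]

def binary_label(row):
    """Step 3B: BENIGN -> 0, every attack label -> 1."""
    return 0 if row["Label"] == "BENIGN" else 1

class MinMax:
    """Min-max scaling whose min/max come from the rows passed to fit() only.
    Fit it on the training split, so held-out rows cannot leak into the statistics
    (the notebook fits on the full dataset before splitting)."""

    def __init__(self, columns):
        self.columns, self.lo, self.hi = columns, {}, {}

    def fit(self, rows):
        for c in self.columns:
            vals = [r[c] for r in rows]
            self.lo[c], self.hi[c] = min(vals), max(vals)
        return self

    def transform(self, rows):
        def scale(r, c):
            span = self.hi[c] - self.lo[c]
            return (r[c] - self.lo[c]) / span if span else 0.0  # constant column -> 0.0, as sklearn does
        return [{**r, **{c: scale(r, c) for c in self.columns}} for r in rows]

def prepare(train_rows, test_rows):
    """Clean both splits, fit the scaler on the training rows only, return (X, y) pairs."""
    train, test = clean_rows(train_rows), clean_rows(test_rows)
    scaler = MinMax(NUMERIC).fit(train)
    return ((scaler.transform(train), [binary_label(r) for r in train]),
            (scaler.transform(test), [binary_label(r) for r in test]))
```

Held-out values outside the training range scale outside [0, 1], exactly as sklearn's MinMaxScaler does without clipping.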

### B. Map Labels to Multi-class

In [16]:
df_train["Label"].value_counts()

Label
BENIGN                        2271320
DoS Hulk                       230124
PortScan                       158804
DDoS                           128025
DoS GoldenEye                   10293
FTP-Patator                      7935
SSH-Patator                      5897
DoS slowloris                    5796
DoS Slowhttptest                 5499
Bot                              1956
Web Attack � Brute Force         1507
Web Attack � XSS                  652
Infiltration                       36
Web Attack � Sql Injection         21
Heartbleed                         11
Name: count, dtype: int64

In [17]:
# Change values in the column "Label" to 0 if BENIGN and 1 if not
df_train["Label"] = df_train["Label"].apply(lambda x: 0 if x == "BENIGN" else 1)

In [18]:
df_train["Label"].value_counts()

Label
0    2271320
1     556556
Name: count, dtype: int64

### C. Data Splitting

In [19]:
X = df_train.drop(columns="Label")
y = df_train["Label"]

In [20]:
from sklearn.model_selection import train_test_split
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42)

### D. Apply SMOTE to balance the training data

In [35]:
from imblearn.over_sampling import SMOTE
from imblearn.under_sampling import RandomUnderSampler

# 1. Undersample both classes to 1_000 rows each; this keeps the hyperparameter
#    search below fast, at the cost of discarding most of the training data
undersampling_strategy = {
    0: 1_000,
    1: 1_000,
}
rus = RandomUnderSampler(random_state=42, sampling_strategy=undersampling_strategy)
X_train_undersampled, y_train_undersampled = rus.fit_resample(X_train, y_train)

# 2. Oversample the minority class with SMOTE. With both classes already at
#    1_000 rows, sampling_strategy="auto" generates nothing, as the counts below confirm
smote = SMOTE(random_state=42, sampling_strategy="auto")
X_train_balanced, y_train_balanced = smote.fit_resample(X_train_undersampled, y_train_undersampled)

In [36]:
# Check class distribution after SMOTE
from collections import Counter

print(f"Class distribution before SMOTE: {Counter(y_train)}")
print(f"Class distribution after SMOTE: {Counter(y_train_balanced)}")

Class distribution before SMOTE: Counter({0: 1817112, 1: 445188})
Class distribution after SMOTE: Counter({0: 1000, 1: 1000})


## Step 4. Model

### A. Defining the model

In [37]:
from sklearn.metrics import classification_report, accuracy_score, f1_score
from sklearn.model_selection import RandomizedSearchCV, GridSearchCV
from sklearn.ensemble import RandomForestClassifier
from tqdm import tqdm
import numpy as np

In [None]:
param_dist = {
	"n_estimators": np.arange(200, 400, 25),
	"max_depth": [10, 20, 30, 40, 50],
	"min_samples_split": [2, 5, 10],
	"min_samples_leaf": [1, 2, 4],
	"max_features": ["sqrt", "log2"],
	"bootstrap": [True, False]
}

# Best parameters found by the randomized search:
# {'n_estimators': 300, 'min_samples_split': 2, 'min_samples_leaf': 2,
#  'max_features': 'log2', 'max_depth': 20, 'bootstrap': False}

rf = RandomForestClassifier(random_state=42)

random_search = RandomizedSearchCV(
	rf, param_distributions=param_dist,
	n_iter=200, cv=5,
	n_jobs=-1, verbose=3,
	random_state=42, return_train_score=True)

random_search.fit(X_train_balanced, y_train_balanced)

# BINARY: 1_000 - 1_000
# 10 fits 	->    5s
# 1000 fits -> 1m 37s

# MULTI-CLASS
# 4000 fits -> 31m 14s
# 1250 fits -> 14m 18s		12m 59s
#  105 fits ->  1m 31s

Fitting 5 folds for each of 200 candidates, totalling 1000 fits




### B. Training the model

In [None]:
best_params = random_search.best_params_
print("Best parameters found: ", best_params)

param_grid = {
	"n_estimators": [best_params["n_estimators"] - 10, best_params["n_estimators"], best_params["n_estimators"] + 10],
	"max_depth": [best_params["max_depth"] - 5 if best_params["max_depth"] is not None else None, best_params["max_depth"], best_params["max_depth"] + 5 if best_params["max_depth"] is not None else None],
	"min_samples_split": [max(2, best_params["min_samples_split"] - 1), best_params["min_samples_split"], best_params["min_samples_split"] + 1],
	"min_samples_leaf": [max(1, best_params["min_samples_leaf"] - 1), best_params["min_samples_leaf"], best_params["min_samples_leaf"] + 1],
	"max_features": [best_params["max_features"]],
	"bootstrap": [best_params["bootstrap"]],
}

rf = RandomForestClassifier(random_state=42)

grid_search = GridSearchCV(rf, param_grid=param_grid, cv=5, n_jobs=-1, verbose=2)
grid_search.fit(X_train_balanced, y_train_balanced)

# BINARY
# 405 fits ->    42s

Best parameters found:  {'n_estimators': 300, 'min_samples_split': 2, 'min_samples_leaf': 2, 'max_features': 'log2', 'max_depth': 20, 'bootstrap': False}
Fitting 5 folds for each of 81 candidates, totalling 405 fits


In [41]:
print("Best parameters found by GridSearchCV: ", grid_search.best_params_)

Best parameters found by GridSearchCV:  {'bootstrap': False, 'max_depth': 15, 'max_features': 'log2', 'min_samples_leaf': 2, 'min_samples_split': 2, 'n_estimators': 310}


### C. Evaluating the model

In [43]:
# Balance the test set
# 1. Undersample the majority classes, and keep the values for the minority classes.
#    Each class is capped at SAMPLE_TARGET rows; a class with fewer rows is kept whole.
#    Note: a 50/50 test set reports precision at a base rate far from the dataset's
#    (~20% attack) or a real network's, so the scores below are optimistic for deployment.

SAMPLE_TARGET = 100_000
test_counts = y_test.value_counts()
undersampling_strategy_test_set = {
    0: min(SAMPLE_TARGET, int(test_counts[0])),  # BENIGN
    1: min(SAMPLE_TARGET, int(test_counts[1])),  # Attack
}

rus_test = RandomUnderSampler(random_state=42, sampling_strategy=undersampling_strategy_test_set)
X_test_balanced, y_test_balanced = rus_test.fit_resample(X_test, y_test)


In [44]:
best_rf = grid_search.best_estimator_
y_pred = best_rf.predict(X_test_balanced)

In [45]:
print("Accuracy: ", accuracy_score(y_test_balanced, y_pred))
print("F1 Score: ", f1_score(y_test_balanced, y_pred, average="weighted"))

Accuracy:  0.98935
F1 Score:  0.9893499153062665


In [47]:
print(classification_report(y_test_balanced, y_pred, target_names=["BENIGN", "Attack"]))

              precision    recall  f1-score   support

      BENIGN       0.99      0.99      0.99    100000
      Attack       0.99      0.99      0.99    100000

    accuracy                           0.99    200000
   macro avg       0.99      0.99      0.99    200000
weighted avg       0.99      0.99      0.99    200000
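
An added example, not from the notebook, showing what the 0.99 precision above means outside the 50/50 test set: the same TPR/FPR re-evaluated at the attack share of the untouched test split and at a constructed 0.1% base rate. The TPR/FPR values are the rounded report figures; the 10M flows/day volume is an assumption.

```python
# Per-class rates read off the balanced test set above (rounded values from the
# classification report): attack recall 0.99, benign recall 0.99 -> FPR 0.01.
TPR, FPR = 0.99, 0.01

# Attack share of the untouched 20% test split, derived from the counts printed
# above: (556556 - 445188) attacks against (2271320 - 1817112) benign flows.
SPLIT_ATTACK_FRACTION = 111_368 / (111_368 + 454_208)

def rates_from_counts(tp, fn, fp, tn):
    """True-positive rate (attack recall) and false-positive rate from a confusion matrix."""
    return tp / (tp + fn), fp / (fp + tn)

def precision_at_base_rate(tpr, fpr, attack_fraction):
    """Precision of a detector with the given TPR/FPR when `attack_fraction` of all
    flows are attacks (Bayes' rule applied to the confusion matrix)."""
    tp = tpr * attack_fraction
    fp = fpr * (1.0 - attack_fraction)
    return tp / (tp + fp)

def expected_alerts(tpr, fpr, flows, attack_fraction):
    """(true alerts, false alerts) an analyst queue receives for `flows` flows."""
    attacks = flows * attack_fraction
    return tpr * attacks, fpr * (flows - attacks)

if __name__ == "__main__":
    for name, frac in [("balanced test set", 0.5),
                       ("untouched test split", SPLIT_ATTACK_FRACTION),
                       ("1 attack flow in 1000", 0.001)]:
        print(f"{name:22s} precision = {precision_at_base_rate(TPR, FPR, frac):.3f}")
    # A constructed traffic volume, to show the analyst-queue cost of a 1% FPR.
    print("alerts at 10M flows/day, 0.1% attacks:", expected_alerts(TPR, FPR, 10_000_000, 0.001))
```

At the split's own base rate precision drops to about 0.96, and at one attack flow in a thousand it falls below 0.1, with roughly ten false alerts for every true one.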



### **Previous results:**

| Metric          | Regular, multi-class | CV, multi-class | CV, binary  | does the binary model perform better than multi-class? |
| --------------- | -------------------- | --------------- | ----------- | ------------------------------------------------------ |
| Accuracy        | 0.95                 | 0.98            | 0.99        | <span style="color:#20ff20;">yes</span>                |
| MA Range        | 0.95 - 0.95          | 0.89 - 0.91     | 0.99 - 0.99 | <span style="color:#20ff20;">yes</span>                |
| WA Range        | 0.95 - 0.95          | 0.98 - 0.98     | 0.99 - 0.99 | <span style="color:#20ff20;">yes</span>                |
| Precision range | 0.66 - 1.00          | 0.36 - 1.00     | 0.99 - 0.99 | <span style="color:#20ff20;">yes</span>                |
| Recall range    | 0.57 - 1.00          | 0.57 - 1.00     | 0.99 - 0.99 | <span style="color:#20ff20;">yes</span>                |
| F1 range        | 0.63 - 1.00          | 0.44 - 1.00     | 0.99 - 0.99 | <span style="color:#20ff20;">yes</span>                |

In [53]:
# Get feature importances
feature_importances = best_rf.feature_importances_
features = X.columns

feature_importances_df = pd.DataFrame({
    "Feature": features,
	"Importance": feature_importances
})

feature_importances_df = feature_importances_df.sort_values(by="Importance", ascending=False)
feature_importances_df["Importance"] = round((feature_importances_df["Importance"] * 100), 4)
feature_importances_df

| Index | Feature                | Importance (%) |
| ----- | ---------------------- | -------------- |
| 52    | Average Packet Size    | 6.3211         |
| 0     | Destination Port       | 5.3929         |
| 66    | Init_Win_bytes_forward | 4.5823         |
| 42    | Packet Length Variance | 4.2629         |
| 41    | Packet Length Std      | 4.2016         |
| ...   | ...                    | ...            |
| 56    | Fwd Avg Bytes/Bulk     | 0.0000         |
| 31    | Bwd PSH Flags          | 0.0000         |
| 50    | ECE Flag Count         | 0.0000         |
| 49    | CWE Flag Count         | 0.0000         |
