# CICIDS - Hybrid Model CNN-GAN

The CICIDS2017 dataset is a comprehensive dataset for network intrusion detection, created by the Canadian Institute for Cybersecurity. It includes a diverse set of attack scenarios and normal traffic, making it suitable for training and evaluating intrusion detection systems.

The dataset includes various types of attacks such as Brute Force, Heartbleed, Botnet, DoS (Denial of Service), DDoS (Distributed Denial of Service), Web attacks, and Infiltration of the network from inside.

I aim to replicate this study: <https://www.jait.us/articles/2024/JAIT-V15N7-886.pdf>

In [1]:
import warnings
from sklearn.exceptions import UndefinedMetricWarning
warnings.filterwarnings("ignore", category=UndefinedMetricWarning)

## Step 1. EDA

In [2]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import seaborn as sns

sns.set(style="whitegrid")

In [3]:
df = pd.read_csv("../data/sampled/sampled_10000_10000.csv")

# Remove leading and trailing whitespaces from column names
df.columns = df.columns.str.strip()

In [4]:
df.head(5)

Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,443,514645,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
1,53,339,2,2,62,748,31,31,31.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
2,39394,51,1,1,0,0,0,0,0.0,0.0,...,32,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
3,53,61777,1,1,45,151,45,45,45.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
4,53,23351,1,1,43,59,43,43,43.0,0.0,...,32,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN


In [5]:
df.shape

(20000, 79)

In [6]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 20000 entries, 0 to 19999
Data columns (total 79 columns):
 #   Column                       Non-Null Count  Dtype  
---  ------                       --------------  -----  
 0   Destination Port             20000 non-null  int64  
 1   Flow Duration                20000 non-null  int64  
 2   Total Fwd Packets            20000 non-null  int64  
 3   Total Backward Packets       20000 non-null  int64  
 4   Total Length of Fwd Packets  20000 non-null  int64  
 5   Total Length of Bwd Packets  20000 non-null  int64  
 6   Fwd Packet Length Max        20000 non-null  int64  
 7   Fwd Packet Length Min        20000 non-null  int64  
 8   Fwd Packet Length Mean       20000 non-null  float64
 9   Fwd Packet Length Std        20000 non-null  float64
 10  Bwd Packet Length Max        20000 non-null  int64  
 11  Bwd Packet Length Min        20000 non-null  int64  
 12  Bwd Packet Length Mean       20000 non-null  float64
 13  Bwd Packet Lengt

In [7]:
df.describe()

  sqr = _ensure_numeric((avg - values) ** 2)
  sqr = _ensure_numeric((avg - values) ** 2)


Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min
count,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,...,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0,20000.0
mean,5936.55595,16582230.0,9.29935,8.3368,1429.634,8780.229,197.4915,16.91885,57.821005,63.811307,...,4.71905,27.9072,323247.8,113844.2,431319.2,244420.9,8488926.0,1036975.0,9639811.0,7677699.0
std,15701.967114,33296410.0,102.350682,101.169224,35918.03,200729.5,787.346065,98.44432,222.373114,264.911494,...,78.839857,6.576317,1467275.0,763367.9,1824990.0,1355701.0,23525710.0,5304882.0,24928870.0,23181810.0
min,0.0,-1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
25%,53.0,184.0,2.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,...,0.0,20.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
50%,80.0,101682.5,2.0,2.0,47.0,46.0,30.0,0.0,15.5,0.0,...,1.0,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
75%,443.0,9166827.0,6.0,4.0,210.0,345.75,195.0,6.0,50.5,67.803007,...,2.0,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
max,65502.0,119997200.0,5523.0,6509.0,2866110.0,11600000.0,23360.0,1983.0,5939.285714,5762.073497,...,5522.0,56.0,72400000.0,26100000.0,72400000.0,72400000.0,119920000.0,66500000.0,119920000.0,119920000.0


In [8]:
df.columns

Index(['Destination Port', 'Flow Duration', 'Total Fwd Packets',
       'Total Backward Packets', 'Total Length of Fwd Packets',
       'Total Length of Bwd Packets', 'Fwd Packet Length Max',
       'Fwd Packet Length Min', 'Fwd Packet Length Mean',
       'Fwd Packet Length Std', 'Bwd Packet Length Max',
       'Bwd Packet Length Min', 'Bwd Packet Length Mean',
       'Bwd Packet Length Std', 'Flow Bytes/s', 'Flow Packets/s',
       'Flow IAT Mean', 'Flow IAT Std', 'Flow IAT Max', 'Flow IAT Min',
       'Fwd IAT Total', 'Fwd IAT Mean', 'Fwd IAT Std', 'Fwd IAT Max',
       'Fwd IAT Min', 'Bwd IAT Total', 'Bwd IAT Mean', 'Bwd IAT Std',
       'Bwd IAT Max', 'Bwd IAT Min', 'Fwd PSH Flags', 'Bwd PSH Flags',
       'Fwd URG Flags', 'Bwd URG Flags', 'Fwd Header Length',
       'Bwd Header Length', 'Fwd Packets/s', 'Bwd Packets/s',
       'Min Packet Length', 'Max Packet Length', 'Packet Length Mean',
       'Packet Length Std', 'Packet Length Variance', 'FIN Flag Count',
       'SYN Flag Co

## Step 2. Data Cleaning

### A. Missing values

In [9]:
print(df.isna().sum().sum())

6


In [10]:
df.dropna(subset=["Flow Bytes/s"], inplace=True)

In [11]:
print(df.isna().sum().sum())

0


### Inf. values

In [12]:
df = df.replace([np.inf, -np.inf], np.nan).dropna()

## Step 3. Data Preparation

### A. Normalise numeric features

In [13]:
# Get all numerical columns
numerical_columns = df.select_dtypes(include="number").columns

In [14]:
from sklearn.preprocessing import MinMaxScaler
scaler = MinMaxScaler()
df[numerical_columns] = scaler.fit_transform(df[numerical_columns])

### B. Map Labels to binary

In [15]:
# Change values in the column "Label" to 0 if BENIGN and 1 if not
df["Label"] = df["Label"].apply(lambda x: 0 if x == "BENIGN" else 1)

df["Label"].value_counts()

Label
0    9994
1    9989
Name: count, dtype: int64

### C. Data Splitting

In [16]:
X = df.drop(columns="Label")
y = df["Label"]

In [17]:
from sklearn.model_selection import train_test_split
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42)

### E. PyTorch Model Design

#### 1. CNN Feature Extractor

In [18]:
import torch
import torch.nn as nn
import torch.optim as optim

from torch.utils.data import DataLoader, TensorDataset

# Define CNN Feature Extractor
class CNNFeatureExtractor(nn.Module):
    def __init__(self, input_size, num_filters=32):
        super(CNNFeatureExtractor, self).__init__()
        self.conv1 = nn.Conv1d(in_channels=1, out_channels=num_filters, kernel_size=3, stride=1, padding=1)
        self.relu = nn.ReLU()
        self.pool = nn.MaxPool1d(kernel_size=2, stride=2)
        self.flatten = nn.Flatten()
        self.fc = nn.Linear((input_size // 2) * num_filters, 64)
    
    def forward(self, x):
        x = x.unsqueeze(1)  # Add channel dimension
        x = self.conv1(x)
        x = self.relu(x)
        x = self.pool(x)
        x = self.flatten(x)
        return self.fc(x)

#### 2. Generator-Discriminator

In [19]:
# Define Generator
class Generator(nn.Module):
    def __init__(self, noise_dim, output_dim):
        super(Generator, self).__init__()
        self.model = nn.Sequential(
            nn.Linear(noise_dim, 128),
            nn.ReLU(),
            nn.Linear(128, output_dim),
            nn.Tanh()
        )
    
    def forward(self, x):
        return self.model(x)


# Define Discriminator
class Discriminator(nn.Module):
    def __init__(self, input_dim):
        super(Discriminator, self).__init__()
        self.model = nn.Sequential(
            nn.Linear(input_dim, 128),
            nn.ReLU(),
            nn.Linear(128, 1),
            nn.Sigmoid()
        )
    
    def forward(self, x):
        return self.model(x)

#### 3. Define Hybrid Model

In [20]:
# Define Hybrid Model
class HybridCNNGAN(nn.Module):
    def __init__(self, input_size, output_size, noise_dim=32):
        super(HybridCNNGAN, self).__init__()
        self.feature_extractor = CNNFeatureExtractor(input_size)
        self.classifier = nn.Linear(64, output_size)
        self.generator = Generator(noise_dim, input_size)
        self.discriminator = Discriminator(input_size)
    
    def forward(self, x):
        features = self.feature_extractor(x)
        return self.classifier(features)

In [21]:
# Initialize model
input_size = X_train.shape[1]
output_size = len(y_train.unique())
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
model = HybridCNNGAN(input_size, output_size).to(device)

### F. Training the Model

In [None]:
import sys

# Training Setup
criterion = nn.CrossEntropyLoss()
optimizer = optim.Adam(model.parameters(), lr=0.001)
train_dataset = TensorDataset(torch.tensor(X_train.values, dtype=torch.float32).to(device),
                              torch.tensor(y_train.values, dtype=torch.long).to(device))
train_loader = DataLoader(train_dataset, batch_size=64, shuffle=True)

# Training Loop
epoch = 0
current_highest_accuracy = 0.0
patience = 50
epochs_without_improvement = 0

while True:
    epoch += 1
    model.train()
    total_loss, correct, total = 0, 0, 0
    
    for i, (data, labels) in enumerate(train_loader):
        optimizer.zero_grad()
        outputs = model(data)
        loss = criterion(outputs, labels)
        loss.backward()
        optimizer.step()
        
        total_loss += loss.item()
        _, predicted = torch.max(outputs.data, 1)
        total += labels.size(0)
        correct += (predicted == labels).sum().item()
    
    epoch_loss = total_loss / len(train_loader)
    epoch_accuracy = correct / total
    
    # Print epoch statistics
    if epoch_accuracy > current_highest_accuracy:
        current_highest_accuracy = epoch_accuracy
        epochs_without_improvement = 0
        print(f"Epoch {epoch:<4} - Loss: {epoch_loss:.4f} - Accuracy: {epoch_accuracy:.4f}")
    else:
        epochs_without_improvement += 1
        print(f"Epoch {epoch:<4} - Loss: {epoch_loss:.4f} - Accuracy: {epoch_accuracy:.4f}", end="\r")
    
    if epochs_without_improvement >= patience:
        print(f"\nEarly stopping triggered at {epoch} epochs - No improvement in model accuracy in {patience} epochs")
        break

Epoch 1    - Loss: 0.4026 - Accuracy: 0.7992
Epoch 2    - Loss: 0.2795 - Accuracy: 0.8792
Epoch 3    - Loss: 0.2703 - Accuracy: 0.8853
Epoch 4    - Loss: 0.2595 - Accuracy: 0.8904
Epoch 5    - Loss: 0.2522 - Accuracy: 0.8945
Epoch 7    - Loss: 0.2437 - Accuracy: 0.8977
Epoch 10   - Loss: 0.2320 - Accuracy: 0.9043
Epoch 11   - Loss: 0.2321 - Accuracy: 0.9047
Epoch 12   - Loss: 0.2248 - Accuracy: 0.9067
Epoch 14   - Loss: 0.2195 - Accuracy: 0.9079
Epoch 16   - Loss: 0.2125 - Accuracy: 0.9105
Epoch 17   - Loss: 0.2102 - Accuracy: 0.9117
Epoch 20   - Loss: 0.2083 - Accuracy: 0.9119
Epoch 21   - Loss: 0.2054 - Accuracy: 0.9131
Epoch 22   - Loss: 0.2006 - Accuracy: 0.9170
Epoch 25   - Loss: 0.1952 - Accuracy: 0.9192
Epoch 27   - Loss: 0.1941 - Accuracy: 0.9204
Epoch 29   - Loss: 0.1849 - Accuracy: 0.9245
Epoch 34   - Loss: 0.1788 - Accuracy: 0.9264
Epoch 35   - Loss: 0.1787 - Accuracy: 0.9272
Epoch 36   - Loss: 0.1759 - Accuracy: 0.9291
Epoch 40   - Loss: 0.1693 - Accuracy: 0.9309
Epoch 42  

KeyboardInterrupt: 

In [24]:
torch.save(model.state_dict(), '../models/binary/hybrid_cnn_gan.pth')

### G. Evaluating both Models

In [25]:
model = HybridCNNGAN(input_size, output_size).to(device)
model.load_state_dict(torch.load('../models/binary/hybrid_cnn_gan.pth'))
model.eval()

  model.load_state_dict(torch.load('../models/binary/hybrid_cnn_gan.pth'))


HybridCNNGAN(
  (feature_extractor): CNNFeatureExtractor(
    (conv1): Conv1d(1, 32, kernel_size=(3,), stride=(1,), padding=(1,))
    (relu): ReLU()
    (pool): MaxPool1d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False)
    (flatten): Flatten(start_dim=1, end_dim=-1)
    (fc): Linear(in_features=1248, out_features=64, bias=True)
  )
  (classifier): Linear(in_features=64, out_features=2, bias=True)
  (generator): Generator(
    (model): Sequential(
      (0): Linear(in_features=32, out_features=128, bias=True)
      (1): ReLU()
      (2): Linear(in_features=128, out_features=78, bias=True)
      (3): Tanh()
    )
  )
  (discriminator): Discriminator(
    (model): Sequential(
      (0): Linear(in_features=78, out_features=128, bias=True)
      (1): ReLU()
      (2): Linear(in_features=128, out_features=1, bias=True)
      (3): Sigmoid()
    )
  )
)

In [28]:
# Evaluation
from sklearn.metrics import accuracy_score, f1_score, classification_report

device = torch.device("cpu")
model.to(device)

X_test_tensor = torch.tensor(X_test.values, dtype=torch.float32).to(device)
y_test_tensor = torch.tensor(y_test.values, dtype=torch.long).to(device)


def evaluate_model(model, X, y):
    with torch.no_grad():
        outputs = model(X)
        _, predicted = torch.max(outputs.data, 1)
    acc = accuracy_score(y.cpu().numpy(), predicted.cpu().numpy())
    f1 = f1_score(y.cpu().numpy(), predicted.cpu().numpy(), average='weighted')
    report = classification_report(y.cpu().numpy(), predicted.cpu().numpy(), target_names=["BENIGN", "Malicious"])
    return acc, f1, report

model_acc, model_f1, model_report = evaluate_model(model, X_test_tensor, y_test_tensor)

print(f"Accuracy: {model_acc:.5f}\nF1 Score: {model_f1:.5f}\n\n{model_report}")

Accuracy: 0.98199
F1 Score: 0.98198

              precision    recall  f1-score   support

      BENIGN       0.99      0.97      0.98      1985
   Malicious       0.97      0.99      0.98      2012

    accuracy                           0.98      3997
   macro avg       0.98      0.98      0.98      3997
weighted avg       0.98      0.98      0.98      3997

