# CICIDS - Shallow Models (DT)

The CICIDS2017 dataset is a comprehensive dataset for network intrusion detection, created by the Canadian Institute for Cybersecurity. It includes a diverse set of attack scenarios and normal traffic, making it suitable for training and evaluating intrusion detection systems.

The dataset includes various types of attacks such as Brute Force, Heartbleed, Botnet, DoS (Denial of Service), DDoS (Distributed Denial of Service), Web attacks, and Infiltration of the network from inside.

In [4]:
model_name = "k-nearest_neighbors_(KNN)"

In [5]:
import warnings
from sklearn.exceptions import UndefinedMetricWarning
warnings.filterwarnings("ignore", category=UndefinedMetricWarning)

## Step 1. Read data and import necessary libraries

In [6]:
import pandas as pd
df_train = pd.read_csv("../data/concatenated/concat.csv")

In [7]:
df_train.head(5)

Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,49188,4,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
1,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
2,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
3,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
4,49486,3,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN


In [8]:
df_train.shape

(2830743, 79)

In [9]:
df_train.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 2830743 entries, 0 to 2830742
Data columns (total 79 columns):
 #   Column                        Dtype  
---  ------                        -----  
 0    Destination Port             int64  
 1    Flow Duration                int64  
 2    Total Fwd Packets            int64  
 3    Total Backward Packets       int64  
 4   Total Length of Fwd Packets   int64  
 5    Total Length of Bwd Packets  int64  
 6    Fwd Packet Length Max        int64  
 7    Fwd Packet Length Min        int64  
 8    Fwd Packet Length Mean       float64
 9    Fwd Packet Length Std        float64
 10  Bwd Packet Length Max         int64  
 11   Bwd Packet Length Min        int64  
 12   Bwd Packet Length Mean       float64
 13   Bwd Packet Length Std        float64
 14  Flow Bytes/s                  float64
 15   Flow Packets/s               float64
 16   Flow IAT Mean                float64
 17   Flow IAT Std                 float64
 18   Flow IAT Max         

In [10]:
df_train.describe()

  sqr = _ensure_numeric((avg - values) ** 2)
  sqr = _ensure_numeric((avg - values) ** 2)


Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min
count,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,...,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0
mean,8071.483,14785660.0,9.36116,10.39377,549.3024,16162.64,207.5999,18.71366,58.20194,68.91013,...,5.418218,-2741.688,81551.32,41134.12,153182.5,58295.82,8316037.0,503843.9,8695752.0,7920031.0
std,18283.63,33653740.0,749.6728,997.3883,9993.589,2263088.0,717.1848,60.33935,186.0912,281.1871,...,636.4257,1084989.0,648599.9,393381.5,1025825.0,577092.3,23630080.0,4602984.0,24366890.0,23363420.0
min,0.0,-13.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,0.0,-536870700.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
25%,53.0,155.0,2.0,1.0,12.0,0.0,6.0,0.0,6.0,0.0,...,0.0,20.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
50%,80.0,31316.0,2.0,2.0,62.0,123.0,37.0,2.0,34.0,0.0,...,1.0,24.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
75%,443.0,3204828.0,5.0,4.0,187.0,482.0,81.0,36.0,50.0,26.16295,...,2.0,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
max,65535.0,120000000.0,219759.0,291922.0,12900000.0,655453000.0,24820.0,2325.0,5940.857,7125.597,...,213557.0,138.0,110000000.0,74200000.0,110000000.0,110000000.0,120000000.0,76900000.0,120000000.0,120000000.0


In [11]:
# Remove leading and trailing whitespaces from column names
df_train.columns = df_train.columns.str.strip()

In [12]:
df_train.columns

Index(['Destination Port', 'Flow Duration', 'Total Fwd Packets',
       'Total Backward Packets', 'Total Length of Fwd Packets',
       'Total Length of Bwd Packets', 'Fwd Packet Length Max',
       'Fwd Packet Length Min', 'Fwd Packet Length Mean',
       'Fwd Packet Length Std', 'Bwd Packet Length Max',
       'Bwd Packet Length Min', 'Bwd Packet Length Mean',
       'Bwd Packet Length Std', 'Flow Bytes/s', 'Flow Packets/s',
       'Flow IAT Mean', 'Flow IAT Std', 'Flow IAT Max', 'Flow IAT Min',
       'Fwd IAT Total', 'Fwd IAT Mean', 'Fwd IAT Std', 'Fwd IAT Max',
       'Fwd IAT Min', 'Bwd IAT Total', 'Bwd IAT Mean', 'Bwd IAT Std',
       'Bwd IAT Max', 'Bwd IAT Min', 'Fwd PSH Flags', 'Bwd PSH Flags',
       'Fwd URG Flags', 'Bwd URG Flags', 'Fwd Header Length',
       'Bwd Header Length', 'Fwd Packets/s', 'Bwd Packets/s',
       'Min Packet Length', 'Max Packet Length', 'Packet Length Mean',
       'Packet Length Std', 'Packet Length Variance', 'FIN Flag Count',
       'SYN Flag Co

## Step 2. Data Cleaning

### A. Missing values

In [13]:
print(df_train.isna().sum().sum())

1358


In [14]:
df_train.dropna(subset=["Flow Bytes/s"], inplace=True)

In [15]:
print(df_train.isna().sum().sum())

0


### Inf. values

In [16]:
import numpy as np
df_train = df_train.replace([np.inf, -np.inf], np.nan).dropna()

## Step 3. Data Preparation

### A. Normalise numeric features

In [17]:
# Get all numerical columns
numerical_columns = df_train.select_dtypes(include="number").columns

In [18]:
from sklearn.preprocessing import MinMaxScaler
scaler = MinMaxScaler()
df_train[numerical_columns] = scaler.fit_transform(df_train[numerical_columns])

### B. Map Labels to Multi-class

In [19]:
df_train["Label"].value_counts()

Label
BENIGN                        2271320
DoS Hulk                       230124
PortScan                       158804
DDoS                           128025
DoS GoldenEye                   10293
FTP-Patator                      7935
SSH-Patator                      5897
DoS slowloris                    5796
DoS Slowhttptest                 5499
Bot                              1956
Web Attack � Brute Force         1507
Web Attack � XSS                  652
Infiltration                       36
Web Attack � Sql Injection         21
Heartbleed                         11
Name: count, dtype: int64

In [20]:
attack_mapping = {
	"BENIGN": 0,
	"DoS Hulk": 1,
	"PortScan": 2,
	"DDoS": 3,
	"DoS GoldenEye": 4,
	"FTP-Patator": 5,
	"SSH-Patator": 6,
	"DoS slowloris": 7,
	"DoS Slowhttptest": 8,
	"Bot": 9,
	"Web Attack � Brute Force": 10,
	"Web Attack � XSS": 11,
	"Infiltration": 12,
	"Web Attack � Sql Injection": 13,
	"Heartbleed": 14,
}

df_train["Label"] = df_train["Label"].map(attack_mapping)

In [21]:
df_train["Label"].value_counts()

Label
0     2271320
1      230124
2      158804
3      128025
4       10293
5        7935
6        5897
7        5796
8        5499
9        1956
10       1507
11        652
12         36
13         21
14         11
Name: count, dtype: int64

### C. Data Splitting

In [22]:
X = df_train.drop(columns="Label")
y = df_train["Label"]

In [23]:
from sklearn.model_selection import train_test_split
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42)

### D. Apply SMOTE to balance the training data

In [24]:
from imblearn.over_sampling import SMOTE
from imblearn.under_sampling import RandomUnderSampler

# 1. Undersample the majority class
undersampling_strategy = {
    0: 1000,
    1: 1000,
    2: 1000,
    3: 1000,
    4: 1000,
    5: 1000,
    6: 1000,
    7: 1000,
    8: 1000,
    9: 1000,
	10: 1000,
}
rus = RandomUnderSampler(random_state=42, sampling_strategy=undersampling_strategy)
X_train_undersampled, y_train_undersampled = rus.fit_resample(X_train, y_train)

# 2. Oversample the minority class
smote = SMOTE(random_state=42, sampling_strategy="auto")
X_train_balanced, y_train_balanced = smote.fit_resample(X_train_undersampled, y_train_undersampled)

In [25]:
# Check class distribution after SMOTE
from collections import Counter

print(f"Class distribution before SMOTE: {Counter(y_train)}")
print(f"Class distribution after SMOTE: {Counter(y_train_balanced)}")

Class distribution before SMOTE: Counter({0: 1817112, 1: 184342, 2: 126927, 3: 102239, 4: 8219, 5: 6363, 6: 4769, 7: 4630, 8: 4390, 9: 1515, 10: 1206, 11: 533, 12: 29, 13: 17, 14: 9})
Class distribution after SMOTE: Counter({0: 1000, 1: 1000, 2: 1000, 3: 1000, 4: 1000, 5: 1000, 6: 1000, 7: 1000, 8: 1000, 9: 1000, 10: 1000, 11: 1000, 12: 1000, 13: 1000, 14: 1000})


## Step 4. Model

#### A. Defining the model

In [26]:
from sklearn.metrics import classification_report, accuracy_score, f1_score
from sklearn.model_selection import cross_val_score, StratifiedKFold
from sklearn.neighbors import KNeighborsClassifier
from tqdm import tqdm
import numpy as np

In [28]:
model = KNeighborsClassifier()

### B. Training the model

In [None]:
cv = StratifiedKFold(n_splits=5, shuffle=True, random_state=42)

# Perform cross-validation
accuracies = []
f1_scores = []

for train_idx, val_idx in tqdm(cv.split(X_train_balanced, y_train_balanced), desc="Cross-validation folds", total=cv.get_n_splits()):
    # Split data into train/validation sets for this fold
    X_train_fold, X_val_fold = X_train_balanced.iloc[train_idx], X_train_balanced.iloc[val_idx]
    y_train_fold, y_val_fold = y_train_balanced.iloc[train_idx], y_train_balanced.iloc[val_idx]

    # Train model
    model.fit(X_train_fold, y_train_fold)

    # Make predictions on the validation set
    y_pred = model.predict(X_val_fold)

    # Compute accuracy and F1 score
    acc = accuracy_score(y_val_fold, y_pred)
    f1 = f1_score(y_val_fold, y_pred, average='weighted')

    accuracies.append(acc)
    f1_scores.append(f1)

# Calculate average accuracy and F1 score
mean_acc = np.mean(accuracies)
mean_f1 = np.mean(f1_scores)

print(f"Mean accuracy: {mean_acc}")
print(f"Mean F1 score: {mean_f1}")

Cross-validation folds: 100%|██████████| 5/5 [00:01<00:00,  4.90it/s]

Mean accuracy: 0.9334
Mean F1 score: 0.9325343493717732





### G. Evaluating the model

In [None]:
# Balance the test set
# 1. Undersample the majority classes, and keep the values for the minority classes

SAMPLE_TARGET = 1000
undersampling_strategy_test_set = {
    0: SAMPLE_TARGET if y_test.value_counts().get(0) > SAMPLE_TARGET else y_test.value_counts().get(0),	# BENIGN
	1: SAMPLE_TARGET if y_test.value_counts().get(1) > SAMPLE_TARGET else y_test.value_counts().get(1),	# DoS Hulk
	2: SAMPLE_TARGET if y_test.value_counts().get(2) > SAMPLE_TARGET else y_test.value_counts().get(2),	# PortScan
	3: SAMPLE_TARGET if y_test.value_counts().get(3) > SAMPLE_TARGET else y_test.value_counts().get(3),	# DDoS
	4: SAMPLE_TARGET if y_test.value_counts().get(4) > SAMPLE_TARGET else y_test.value_counts().get(4),	# DoS GoldenEye
	5: SAMPLE_TARGET if y_test.value_counts().get(5) > SAMPLE_TARGET else y_test.value_counts().get(5),	# FTP-Patator
	6: SAMPLE_TARGET if y_test.value_counts().get(6) > SAMPLE_TARGET else y_test.value_counts().get(6),	# SSH-Patator
	7: SAMPLE_TARGET if y_test.value_counts().get(7) > SAMPLE_TARGET else y_test.value_counts().get(7),	# DoS slowloris
	8: SAMPLE_TARGET if y_test.value_counts().get(8) > SAMPLE_TARGET else y_test.value_counts().get(8),	# DoS Slowhttptest
	9: SAMPLE_TARGET if y_test.value_counts().get(9) > SAMPLE_TARGET else y_test.value_counts().get(9),	# Bot
	10: SAMPLE_TARGET if y_test.value_counts().get(10) > SAMPLE_TARGET else y_test.value_counts().get(10),	# Web Attack - Brute Force
	11: SAMPLE_TARGET if y_test.value_counts().get(11) > SAMPLE_TARGET else y_test.value_counts().get(11),	# Web Attack - XSS
	12: SAMPLE_TARGET if y_test.value_counts().get(12) > SAMPLE_TARGET else y_test.value_counts().get(12),	# Infiltration
	13: SAMPLE_TARGET if y_test.value_counts().get(13) > SAMPLE_TARGET else y_test.value_counts().get(13),	# Web Attack - SQL Injection
	14: SAMPLE_TARGET if y_test.value_counts().get(14) > SAMPLE_TARGET else y_test.value_counts().get(14),	# Heartbleed
}

rus_test = RandomUnderSampler(random_state=42, sampling_strategy=undersampling_strategy_test_set)
X_test_balanced, y_test_balanced = rus_test.fit_resample(X_test, y_test)


In [34]:
# print(classification_report(y_test_balanced, y_pred, target_names=attack_mapping.keys()))

print(classification_report(y_val_fold, y_pred, target_names=attack_mapping.keys()))

                            precision    recall  f1-score   support

                    BENIGN       1.00      0.88      0.94       200
                  DoS Hulk       0.97      0.97      0.97       200
                  PortScan       0.96      1.00      0.98       200
                      DDoS       0.97      0.97      0.97       200
             DoS GoldenEye       1.00      1.00      1.00       200
               FTP-Patator       0.99      1.00      1.00       200
               SSH-Patator       0.98      0.99      0.98       200
             DoS slowloris       0.98      0.98      0.98       200
          DoS Slowhttptest       0.98      0.98      0.98       200
                       Bot       0.97      0.99      0.98       200
  Web Attack � Brute Force       0.64      0.51      0.57       200
          Web Attack � XSS       0.61      0.70      0.65       200
              Infiltration       0.98      1.00      0.99       200
Web Attack � Sql Injection       0.96      0.99