# NIDS based on a Neural Network

### Machine Learning for network intrusion detecion
As opposed to traditional approaches, such as using regular expressions, Machine Learning (ML)-based network intrusion detection provides a new approach to detecting attacks. Rather than having a security expert hardcoding security rules and using those to stop attacks, ML offers an attractive alternative: Run some algorithm on a dataset, let it decide for itself what traffic is anomalous or malicious, and use that functionality to protect a network. No more need for manual rule definitions, or even expert network knowledge to some extent. However, this new approach introduces new problems that need to be solved:

- High-quality datasets are used for training and evaluating model;
- ML introduces new challengs with regards to false positives and negatives;
- How to keep a model up-to-date with changing traffic environments;
- ML computations are compute-and/or memory-intensive, which complicates their scalability for high throughput data streams;
- ...

The advent of Deep Learning (DL) offers new opportunities with more complex and powerful learning models, but does not solve all problems. Mostly, DL provides neural networks that better model a dataset, yielding detection results with fewer errors. In this workshop, we will explore a small part of this field, trying to detect attacks in the provided dataset. We will introduce some models while trying to keep track of the hardware perspective. 

For this purpose, we will the [PyTorch](https://pytorch.org/) framework. This exercise will introduce you some basics that are necessary in this exercise.

### Neural networks in PyTorch

In PyTorch, a neural network is defined as a class that inherits from the torch.nn.Module class.

In [1]:
import torch
import torch.nn as nn

class ExampleNN(nn.Module):
    
    def __init__(self, num_classes):
        super(ExampleNN, self).__init__()
        
        self.num_classes = num_classes
        self.layer1 = nn.Linear(in_features= 64, out_features=100, bias=True)
        self.relu1 = nn.ReLU()
        
        self.layer2 = nn.Linear(in_features= 100, out_features=100, bias=True)
        self.relu2 = nn.ReLU()
        
        self.layer3 = nn.Linear(in_features= 100, out_features=self.num_classes, bias=True)

    def forward(self, x):
        x = self.layer1(x)
        x = self.relu1(x)
        x = self.layer2(x)
        x = self.relu2(x)
        x = self.layer3(x)
        
        return x


ModuleNotFoundError: No module named 'torch'

The above network, *ExampleNN*, is a dummy example with an input layer with 64 neurons, two hidden layers with 100 neurons and an output layer with *num_classes* outputs. The two hidden layers are followed by a Rectified Linear Unit (ReLU) that serves as the nonlinear activation fuction.

Interfacing with this neural network is as simple as generating an input sample and providing it at the input of the neural network:

In [6]:
# Generate a random 64-sized input tensor:
x = torch.randn(1, 64)
x

tensor([[-1.0998, -0.0186, -0.3195, -0.5058,  0.4509,  0.3454, -0.6073,  0.4325,
          0.5345,  0.6547,  2.3460, -0.2233,  0.7465,  0.0529, -1.2621, -0.8823,
          0.7075, -0.1546,  0.5815,  0.3936, -0.9759,  0.7646,  1.2548, -1.8848,
          0.3669,  1.1147,  1.8127,  1.9427,  1.2748, -0.9963,  0.4521, -1.5941,
          0.8702,  0.3257, -0.3275,  0.3519, -0.0509,  0.3846,  0.0783, -0.7513,
         -0.4391, -1.5458, -0.2681, -0.5479,  0.2987,  0.4221,  0.1181, -1.1920,
          0.8267,  0.6238,  0.3716,  1.0232, -0.9450, -1.8257, -0.0172,  0.4054,
          0.3393,  0.5125, -0.9881, -1.0161,  1.5061,  0.2318, -2.5841,  0.6397]])

In [9]:
# Instantiate a neural network with 13 output units:
net = ExampleNN(13)

# Run the input tensor through the network to receive 3 outputs:
y = net(x)
y

tensor([[ 0.0246,  0.0573,  0.0803,  0.1455, -0.1184, -0.3049,  0.1403,  0.1088,
         -0.3098, -0.2272,  0.0676, -0.3516, -0.0196]],
       grad_fn=<AddmmBackward0>)

The resulting output should then be used to make some prediction, or to evaluate the performance of the learning model. Of course, the model should first be trained on a dataset. However, due to the limited time for this workshop, we will only consider the extraction of input features as well as the evaluation of output values for models that have already been trained. Proceed with the next notebook.

<hr/>
<center>
Continue with the <a href="31_machine_learning.ipynb">next notebook</a> in a new browser tab.<br/><br/>
<img src="images/footer.png"/>
</center>