# **Project Title: Machine Learning-Based Intrusion Detection**

#### **Team Members**: Haifa Muhammad, Raghad Alamoudi, Amani Albarazi & Maram Alhusami

##### **Course**: CS 4082- Machine Learning

##### **Supervised by**: Dr.Naila Marir

# **Project Description:**
- In this project, we aim to develop an intelligent machine learning-based Intrusion Detection System (IDS) specifically designed for IoT network environments. IoT devices are increasingly targeted by cyberattacks due to their limited computational resources and widespread deployment. This project focuses on building a complete ML pipeline that can process raw network telemetry data, extract meaningful features, and accurately classify normal versus malicious network behaviors.

- We explore both traditional machine learning models (such as Random Forests, Support Vector Machines, and XGBoost) and deep learning-based approaches (such as Multilayer Perceptron (MLP)). Additionally, we investigate unsupervised anomaly detection techniques like Isolation Forests to detect unknown attack patterns.

- The project involves comprehensive steps including data preprocessing, feature engineering, model training, evaluation, and comparison between different approaches based on key performance metrics.

### **Task (Machine Learning-Based Intrusion Detection):**
The task focuses on building, training, and evaluating multiple supervised learning models to detect malicious network activities. The specific steps include:

##### **Supervised Learning:**
Train and test traditional machine learning models such as Random Forest, Support Vector Machine (SVM), Logistic Regression, and XGBoost. Evaluate their performance using Precision, Recall, F1-Score, and Confusion Matrix metrics.

##### **Deep Learning Models:**
Implement neural network models including Multilayer Perceptron (MLP) to compare against traditional methods.

##### **Performance Analysis:**
Compare and analyze model performance to determine which techniques are most effective for IoT-based intrusion detection.

The final objective is to determine the best-performing models and to understand their strengths and limitations when applied to cybersecurity problems in IoT environments.

In [None]:
import pandas as pd
import numpy as np
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import StandardScaler
from sklearn.ensemble import RandomForestClassifier
from sklearn.svm import SVC
from sklearn.neural_network import MLPClassifier
from sklearn.metrics import classification_report, confusion_matrix
import matplotlib.pyplot as plt

## Dataset Description

In this project, we utilized a combination of multiple datasets, each representing different types of network attacks:

- **Backdoor Malware Dataset** (`Backdoor_Malware.pcap.csv`):  
  Captures network traffic generated by backdoor malware, including detailed features like packet sizes, flow durations, and protocol usage.

- **DoS-TCP Flood Dataset** (`DoS-TCP_Flood.pcap.csv`):  
  Contains traffic patterns typical of TCP-based Denial of Service (DoS) attacks that aim to overwhelm services with massive TCP packet floods.

- **DoS-UDP Flood Dataset** (`DoS-UDP_Flood.pcap.csv`):  
  Focuses on UDP-based DoS attacks, which are more challenging to detect due to the connectionless nature of UDP traffic.

- **DDoS-TCP Flood Dataset** (`DDoS-TCP_Flood.pcap.csv`):  
  Represents distributed TCP-based attacks, originating from multiple sources simultaneously, simulating real-world DDoS scenarios.

These datasets were combined into a single comprehensive dataset named **`Merged_Attacks.csv`**. The merged dataset contains both benign (normal) traffic and different types of attack traffic, creating a diverse and challenging environment for machine learning models.

### Why We Chose These Datasets

We selected these datasets because:

- **Diversity of Attack Types:**  
  By covering different categories (backdoor malware, DoS, DDoS), we ensured that models are trained on various malicious behaviors, improving their generalization ability.

- **Realistic Network Scenarios:**  
  The data are extracted from real network captures (PCAPs), providing more realistic traffic patterns compared to synthetic datasets.

- **Feature Richness:**  
  Each dataset includes numerous continuous numerical features, such as flow duration, packet size statistics, and protocol flags, enabling robust feature learning.

- **Focus on Modern Threats:**  
  DDoS and backdoor malware attacks represent major current threats in cybersecurity. Evaluating models on such datasets ensures the relevance of our study to modern security challenges.

- **Balance Between Simplicity and Complexity:**  
  While the datasets are complex enough to challenge machine learning models, they remain manageable for training without requiring excessive computational resources.

By merging these datasets, we aimed to create a unified and challenging benchmark for intrusion detection systems that can handle a wide variety of modern cyber threats.

In [None]:
Backdoor_Malware_dataset = pd.read_csv('Backdoor_Malware.pcap.csv')
Backdoor_Malware_dataset.head()

Unnamed: 0,Header_Length,Protocol Type,Time_To_Live,Rate,fin_flag_number,syn_flag_number,rst_flag_number,psh_flag_number,ack_flag_number,ece_flag_number,...,LLC,Tot sum,Min,Max,AVG,Std,Tot size,IAT,Number,Variance
0,13.2,17,111.8,21.654112,0.0,0.0,0.0,0.0,0.3,0.0,...,0.9,2105,60,1392,210.5,415.549502,210.5,0.046181,10,172681.388889
1,11.2,17,63.5,134.621809,0.0,0.1,0.0,0.0,0.0,0.0,...,1.0,4736,60,1392,473.6,632.696206,473.6,0.008186,10,400304.488889
2,13.6,17,65.6,211.662495,0.0,0.1,0.0,0.0,0.2,0.0,...,1.0,3788,62,1392,378.8,508.763381,378.8,0.004735,10,258840.177778
3,24.8,6,84.4,155.707333,0.0,0.0,0.0,0.4,0.7,0.0,...,1.0,2917,62,833,291.7,308.737951,291.7,0.006422,10,95319.122222
4,10.4,17,118.3,105.440687,0.0,0.0,0.0,0.0,0.1,0.0,...,1.0,1163,62,230,116.3,75.052648,116.3,0.009484,10,5632.9


In [None]:
Backdoor_Malware_dataset.isnull().sum()

Unnamed: 0,0
Header_Length,0
Protocol Type,0
Time_To_Live,0
Rate,0
fin_flag_number,0
syn_flag_number,0
rst_flag_number,0
psh_flag_number,0
ack_flag_number,0
ece_flag_number,0


In [None]:
DDoS_TCP_dataset = pd.read_csv('DDoS-TCP_Flood.pcap.csv')
DDoS_TCP_dataset.head()

Unnamed: 0,Header_Length,Protocol Type,Time_To_Live,Rate,fin_flag_number,syn_flag_number,rst_flag_number,psh_flag_number,ack_flag_number,ece_flag_number,...,LLC,Tot sum,Min,Max,AVG,Std,Tot size,IAT,Number,Variance
0,20.0,6,64.0,19616.050884,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,5.1e-05,100,0.0
1,20.0,6,64.0,24102.425009,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,4.1e-05,100,0.0
2,20.0,6,64.0,109511.853786,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,9e-06,100,0.0
3,20.36,6,63.54,15453.75631,0.01,0.0,0.0,0.01,0.03,0.0,...,1.0,6025,60,73,60.25,1.539874,60.25,6.5e-05,100,2.371212
4,20.0,6,64.0,87875.633773,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,1.1e-05,100,0.0


In [None]:
DDoS_TCP_dataset.isnull().sum()

Unnamed: 0,0
Header_Length,0
Protocol Type,0
Time_To_Live,0
Rate,0
fin_flag_number,0
syn_flag_number,0
rst_flag_number,0
psh_flag_number,0
ack_flag_number,0
ece_flag_number,0


In [None]:
DoS_TCP_dataset = pd.read_csv('DoS-TCP_Flood.pcap.csv')
DoS_TCP_dataset.head()

Unnamed: 0,Header_Length,Protocol Type,Time_To_Live,Rate,fin_flag_number,syn_flag_number,rst_flag_number,psh_flag_number,ack_flag_number,ece_flag_number,...,LLC,Tot sum,Min,Max,AVG,Std,Tot size,IAT,Number,Variance
0,20.0,6,64.0,29155.456694,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,3.4e-05,100,0.0
1,20.0,6,64.0,107436.065574,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,9e-06,100,0.0
2,20.24,6,64.0,75573.045045,0.0,0.0,0.0,0.02,0.02,0.0,...,1.0,6310,60,215,63.1,21.809321,63.1,1.3e-05,100,475.646465
3,20.0,6,64.0,74804.77974,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,1.3e-05,100,0.0
4,20.0,6,64.0,21190.845248,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000,60,60,60.0,0.0,60.0,4.7e-05,100,0.0


In [None]:
DoS_TCP_dataset.isnull().sum()

Unnamed: 0,0
Header_Length,0
Protocol Type,0
Time_To_Live,0
Rate,0
fin_flag_number,0
syn_flag_number,0
rst_flag_number,0
psh_flag_number,0
ack_flag_number,0
ece_flag_number,0


In [None]:
DoS_UDP_dataset = pd.read_csv('DoS-UDP_Flood.pcap.csv')
DoS_UDP_dataset.head()

Unnamed: 0,Header_Length,Protocol Type,Time_To_Live,Rate,fin_flag_number,syn_flag_number,rst_flag_number,psh_flag_number,ack_flag_number,ece_flag_number,...,LLC,Tot sum,Min,Max,AVG,Std,Tot size,IAT,Number,Variance
0,8.0,17,64.0,29036.372447,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,18200,182,182,182.0,0.0,182.0,3.4e-05,100,0.0
1,8.0,17,64.0,5697.002295,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,18200,182,182,182.0,0.0,182.0,0.000176,100,0.0
2,8.24,17,65.86,5720.155472,0.0,0.0,0.0,0.01,0.01,0.0,...,1.0,18230,182,212,182.3,3.0,182.3,0.000175,100,9.0
3,8.0,17,64.0,13883.366986,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,18200,182,182,182.0,0.0,182.0,7.2e-05,100,0.0
4,8.0,17,64.0,15051.150106,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,18200,182,182,182.0,0.0,182.0,6.6e-05,100,0.0


In [None]:
DoS_UDP_dataset.isnull().sum()

Unnamed: 0,0
Header_Length,0
Protocol Type,0
Time_To_Live,0
Rate,0
fin_flag_number,0
syn_flag_number,0
rst_flag_number,0
psh_flag_number,0
ack_flag_number,0
ece_flag_number,0


## Merge All datasets

In [None]:
Backdoor_Malware_dataset['Attack_Type'] = 'Backdoor-Malware'
DDoS_TCP_dataset['Attack_Type'] = 'DDoS-TCP'
DoS_TCP_dataset['Attack_Type'] = 'DoS-TCP'
DoS_UDP_dataset['Attack_Type'] = 'DoS-UDP'

In [None]:
merged_df = pd.concat([Backdoor_Malware_dataset, DDoS_TCP_dataset, DoS_TCP_dataset, DoS_UDP_dataset], axis=0).reset_index(drop=True)

In [None]:
merged_df = merged_df.reset_index(drop=True)

In [None]:
merged_df.head()

Unnamed: 0,Header_Length,Protocol Type,Time_To_Live,Rate,fin_flag_number,syn_flag_number,rst_flag_number,psh_flag_number,ack_flag_number,ece_flag_number,...,Tot sum,Min,Max,AVG,Std,Tot size,IAT,Number,Variance,Attack_Type
0,13.2,17,111.8,21.654112,0.0,0.0,0.0,0.0,0.3,0.0,...,2105,60,1392,210.5,415.549502,210.5,0.046181,10,172681.388889,Backdoor-Malware
1,11.2,17,63.5,134.621809,0.0,0.1,0.0,0.0,0.0,0.0,...,4736,60,1392,473.6,632.696206,473.6,0.008186,10,400304.488889,Backdoor-Malware
2,13.6,17,65.6,211.662495,0.0,0.1,0.0,0.0,0.2,0.0,...,3788,62,1392,378.8,508.763381,378.8,0.004735,10,258840.177778,Backdoor-Malware
3,24.8,6,84.4,155.707333,0.0,0.0,0.0,0.4,0.7,0.0,...,2917,62,833,291.7,308.737951,291.7,0.006422,10,95319.122222,Backdoor-Malware
4,10.4,17,118.3,105.440687,0.0,0.0,0.0,0.0,0.1,0.0,...,1163,62,230,116.3,75.052648,116.3,0.009484,10,5632.9,Backdoor-Malware


In [None]:
merged_df.to_csv('Merged_Attacks.csv', index=False)

In [None]:
merged_df.isnull().sum()

Unnamed: 0,0
Header_Length,0
Protocol Type,0
Time_To_Live,0
Rate,0
fin_flag_number,0
syn_flag_number,0
rst_flag_number,0
psh_flag_number,0
ack_flag_number,0
ece_flag_number,0


In [None]:
merged_df.describe()

Unnamed: 0,Header_Length,Protocol Type,Time_To_Live,Rate,fin_flag_number,syn_flag_number,rst_flag_number,psh_flag_number,ack_flag_number,ece_flag_number,...,LLC,Tot sum,Min,Max,AVG,Std,Tot size,IAT,Number,Variance
count,695961.0,695961.0,695961.0,695961.0,695961.0,695961.0,695961.0,695961.0,695961.0,695961.0,...,695961.0,695961.0,695961.0,695961.0,695961.0,695951.0,695961.0,695961.0,695961.0,695951.0
mean,17.159104,8.651743,64.450415,inf,0.000389,0.000741,0.01702,0.00212,0.023344,2e-06,...,0.999082,7248.728742,67.914264,138.224175,73.805944,10.064337,73.805944,0.001614,99.539672,3907.903
std,5.116112,4.705875,4.853391,,0.004261,0.005997,0.095634,0.02028,0.109126,0.00019,...,0.008466,4233.180247,36.581342,350.218214,54.300299,61.697796,54.300299,0.782537,6.337362,116869.4
min,3.56,0.0,29.67,0.001593358,0.0,0.0,0.0,0.0,0.0,0.0,...,0.26,60.0,60.0,60.0,60.0,0.0,60.0,-0.006466,1.0,0.0
25%,19.6,6.0,64.0,16586.14,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000.0,60.0,60.0,60.0,0.0,60.0,2.2e-05,100.0,0.0
50%,20.0,6.0,64.0,29275.52,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6000.0,60.0,60.0,60.0,0.0,60.0,3.5e-05,100.0,0.0
75%,20.0,6.0,64.0,46000.26,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,6006.0,60.0,66.0,60.06,0.0,60.06,6.1e-05,100.0,0.0
max,43.44,17.0,248.6,inf,0.4,0.4,1.0,0.91,1.0,0.06,...,1.0,255274.0,1494.0,23234.0,4920.0,7613.456625,4920.0,627.605313,100.0,57964720.0


In [None]:
print(merged_df.columns)

Index(['Header_Length', 'Protocol Type', 'Time_To_Live', 'Rate',
       'fin_flag_number', 'syn_flag_number', 'rst_flag_number',
       'psh_flag_number', 'ack_flag_number', 'ece_flag_number',
       'cwr_flag_number', 'ack_count', 'syn_count', 'fin_count', 'rst_count',
       'HTTP', 'HTTPS', 'DNS', 'Telnet', 'SMTP', 'SSH', 'IRC', 'TCP', 'UDP',
       'DHCP', 'ARP', 'ICMP', 'IGMP', 'IPv', 'LLC', 'Tot sum', 'Min', 'Max',
       'AVG', 'Std', 'Tot size', 'IAT', 'Number', 'Variance', 'Attack_Type'],
      dtype='object')


## Prepare features (X) and target (y)

In [None]:
X = merged_df.select_dtypes(include=['int64', 'float64'])
y = merged_df['Attack_Type']

## Clean X FIRST

In [None]:
X = X.replace([np.inf, -np.inf], np.nan)
X = X.dropna()

## Align y

In [None]:
y = y.loc[X.index]

## Train/Test split

In [None]:
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.25, random_state=42, stratify=y)

## Standardize the features

In [None]:
scaler = StandardScaler()
X_train = scaler.fit_transform(X_train)
X_test = scaler.transform(X_test)

---------------------------------------------------------

In [None]:
from sklearn.ensemble import RandomForestClassifier, AdaBoostClassifier, GradientBoostingClassifier
from sklearn.tree import DecisionTreeClassifier
from sklearn.neighbors import KNeighborsClassifier
from sklearn.svm import SVC
from sklearn.naive_bayes import GaussianNB
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix

---------------------------------------------------------

# Traditional Methods

## Logistic Regression

In [None]:
from sklearn.linear_model import LogisticRegression
logreg = LogisticRegression(max_iter=500)
logreg.fit(X_train, y_train)
y_pred = logreg.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Logistic Regression", y_test, y_pred)


--- Logistic Regression ---
Precision: 0.8330
Recall: 0.8145
F1-Score: 0.8099
Confusion Matrix:
[[  801     0     0     4]
 [    0 60175  6251    16]
 [    0 25969 39054     7]
 [    3     5    17 41683]]


## Random Forest

In [None]:
rf = RandomForestClassifier()
rf.fit(X_train, y_train)
y_pred = rf.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Random Forest", y_test, y_pred)


--- Random Forest ---
Precision: 0.8308
Recall: 0.8294
F1-Score: 0.8290
Confusion Matrix:
[[  805     0     0     0]
 [    0 54413 12023     6]
 [    0 17630 47392     8]
 [    2    10     2 41694]]


## Decision Tree

In [None]:
dt = DecisionTreeClassifier()
dt.fit(X_train, y_train)
y_pred = dt.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Decision Tree", y_test, y_pred)


--- Decision Tree ---
Precision: 0.8244
Recall: 0.8228
F1-Score: 0.8224
Confusion Matrix:
[[  803     0     1     1]
 [    0 54073 12359    10]
 [    1 18419 46600    10]
 [    2    15    10 41681]]


## K-Nearest Neighbors

In [None]:
from sklearn.neighbors import KNeighborsClassifier

# 1. Reduce train size (optional but recommended)
# Only use a subset of training data for KNN to speed it up
X_train_small = X_train[:20000]  # Take first 20,000 rows only
y_train_small = y_train[:20000]

# 2. KNN with multi-threading
knn = KNeighborsClassifier(n_jobs=-1)  # Use all CPU cores
knn.fit(X_train_small, y_train_small)

# 3. Predict
y_pred = knn.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("K-Nearest Neighbors", y_test, y_pred)


--- K-Nearest Neighbors ---
Precision: 0.8059
Recall: 0.8051
F1-Score: 0.8048
Confusion Matrix:
[[  776    15    11     3]
 [   15 51868 14511    48]
 [    2 19177 45794    57]
 [    4    26    33 41645]]


## Linear SVC

In [None]:
from sklearn.svm import LinearSVC

# 1. Reduce training size (optional, but safe)
X_train_small = X_train[:20000]
y_train_small = y_train[:20000]

# 2. LinearSVC is MUCH faster than SVC
svm = LinearSVC(max_iter=10000)  # allow enough iterations
svm.fit(X_train_small, y_train_small)

# 3. Predict
y_pred = svm.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Linear SVC (Small Train)", y_test, y_pred)


--- Linear SVC (Small Train) ---
Precision: 0.8337
Recall: 0.8121
F1-Score: 0.8067
Confusion Matrix:
[[  777    14    11     3]
 [    3 60754  5670    15]
 [    2 26927 38084    17]
 [    4    11    20 41673]]


##  Naive Bayes

In [None]:
nb = GaussianNB()
nb.fit(X_train, y_train)
y_pred = nb.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Naive Bayes", y_test, y_pred)


--- Naive Bayes ---
Precision: 0.8330
Recall: 0.7369
F1-Score: 0.7017
Confusion Matrix:
[[  805     0     0     0]
 [    3 65807   613    19]
 [    1 45069 19942    18]
 [    3    24    17 41664]]


## AdaBoost

In [None]:
ada = AdaBoostClassifier()
ada.fit(X_train, y_train)
y_pred = ada.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("AdaBoost", y_test, y_pred)


--- AdaBoost ---
Precision: 0.8190
Recall: 0.7350
F1-Score: 0.7019
Confusion Matrix:
[[  800     0     0     5]
 [    4 64935  1479    24]
 [    4 44542 20475     9]
 [    4    37     3 41664]]


## Gradient Boosting

In [None]:
gb = GradientBoostingClassifier()
gb.fit(X_train, y_train)
y_pred = gb.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Gradient Boosting", y_test, y_pred)


--- Gradient Boosting ---
Precision: 0.8404
Recall: 0.8365
F1-Score: 0.8356
Confusion Matrix:
[[  804     0     1     0]
 [    0 56759  9678     5]
 [    1 18737 46289     3]
 [    2    18     7 41681]]


----------------------------------------------------------

In [None]:
from sklearn.ensemble import ExtraTreesClassifier
from sklearn.linear_model import RidgeClassifier
from sklearn.discriminant_analysis import LinearDiscriminantAnalysis, QuadraticDiscriminantAnalysis
import xgboost as xgb
import lightgbm as lgb

-----------------------------------------------------------

## Extra Trees Classifier

In [None]:
et = ExtraTreesClassifier()
et.fit(X_train, y_train)
y_pred = et.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Extra Trees Classifier", y_test, y_pred)


--- Extra Trees Classifier ---
Precision: 0.8312
Recall: 0.8292
F1-Score: 0.8286
Confusion Matrix:
[[  805     0     0     0]
 [    0 54949 11489     4]
 [    0 18201 46822     7]
 [    3    14     1 41690]]


## Ridge Classifier

In [None]:
ridge = RidgeClassifier()
ridge.fit(X_train, y_train)
y_pred = ridge.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Ridge Classifier", y_test, y_pred)


--- Ridge Classifier ---
Precision: 0.8153
Recall: 0.7622
F1-Score: 0.7435
Confusion Matrix:
[[  802     0     3     0]
 [    0 63138  3298     6]
 [    2 38011 27005    12]
 [    7     7    31 41663]]


## Linear Discriminant Analysis (LDA)

In [None]:
lda = LinearDiscriminantAnalysis()
lda.fit(X_train, y_train)
y_pred = lda.predict(X_test)

In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Linear Discriminant Analysis (LDA)", y_test, y_pred)


--- Linear Discriminant Analysis (LDA) ---
Precision: 0.8155
Recall: 0.7637
F1-Score: 0.7457
Confusion Matrix:
[[  805     0     0     0]
 [    1 63051  3385     5]
 [    2 37651 27366    11]
 [   17     5    35 41651]]


##  Quadratic Discriminant Analysis (QDA)

In [None]:
qda = QuadraticDiscriminantAnalysis()
qda.fit(X_train, y_train)
y_pred = qda.predict(X_test)



In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("Quadratic Discriminant Analysis (QDA)", y_test, y_pred)


--- Quadratic Discriminant Analysis (QDA) ---
Precision: 0.8393
Recall: 0.7364
F1-Score: 0.6995
Confusion Matrix:
[[  805     0     0     0]
 [    1 66187   232    22]
 [    1 45558 19461    10]
 [    1    11    20 41676]]


## XGBoost Classifier

In [None]:
from sklearn.preprocessing import LabelEncoder

# Label Encoding
le = LabelEncoder()
y_train_enc = le.fit_transform(y_train)
y_test_enc = le.transform(y_test)


In [None]:
import xgboost as xgb

xgb_model = xgb.XGBClassifier(use_label_encoder=False, eval_metric='mlogloss')
xgb_model.fit(X_train, y_train_enc)

y_pred = xgb_model.predict(X_test)

Parameters: { "use_label_encoder" } are not used.



In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix

# 1. Evaluation function
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

# 2. Evaluate XGBoost using encoded y_test
evaluate_model("XGBoost Classifier", y_test_enc, y_pred)


--- XGBoost Classifier ---
Precision: 0.8456
Recall: 0.8419
F1-Score: 0.8411
Confusion Matrix:
[[  805     0     0     0]
 [    0 57056  9381     5]
 [    1 18093 46927     9]
 [    1    13     6 41688]]


## LightGBM Classifier

In [None]:
lgb_model = lgb.LGBMClassifier()
lgb_model.fit(X_train, y_train)
y_pred = lgb_model.predict(X_test)



[LightGBM] [Info] Auto-choosing row-wise multi-threading, the overhead of testing was 0.143988 seconds.
You can set `force_row_wise=true` to remove the overhead.
And if memory is not enough, you can set `force_col_wise=true`.
[LightGBM] [Info] Total Bins 3599
[LightGBM] [Info] Number of data points in the train set: 521952, number of used features: 39
[LightGBM] [Info] Start training from score -5.376705
[LightGBM] [Info] Start training from score -0.962639
[LightGBM] [Info] Start training from score -0.984120
[LightGBM] [Info] Start training from score -1.428262




In [None]:
from sklearn.metrics import precision_score, recall_score, f1_score, confusion_matrix
def evaluate_model(name, y_test, y_pred):
    print(f"\n--- {name} ---")
    print(f"Precision: {precision_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"Recall: {recall_score(y_test, y_pred, average='weighted'):.4f}")
    print(f"F1-Score: {f1_score(y_test, y_pred, average='weighted'):.4f}")
    print("Confusion Matrix:")
    print(confusion_matrix(y_test, y_pred))

evaluate_model("LightGBM Classifier", y_test, y_pred)


--- LightGBM Classifier ---
Precision: 0.8451
Recall: 0.8415
F1-Score: 0.8407
Confusion Matrix:
[[  803     0     1     1]
 [    1 56970  9465     6]
 [    1 18070 46950     9]
 [    3    12     4 41689]]


--------------------------------------------------------

## **Findings**

In this study, multiple traditional machine learning models, a neural network model, and an unsupervised clustering method were evaluated on the merged attacks dataset.

The results indicate several key insights:
- **Traditional models** like **Logistic Regression (LR)**, **K-Nearest Neighbors (KNN)**, and **Decision Trees (DT)** produced decent results (accuracy between **82–86\%**), but were slightly less effective compared to ensemble and deep learning methods.

Overall, the findings suggest that using advanced supervised learning methods, particularly ensemble techniques and deep neural networks, leads to the highest detection performance for network attacks. Simpler models still offer valuable insights but may not be sufficient for high-security requirements.
