# Model Card for Cybersecurity Intrusion Detection Model

## 1. Model Details

 **Model Type:**  
  Random Forest classifier with hyperparameter tuning and probability calibration.

 **Model Version:**  
  1.0

 **Date:**  
  2025-02-07

 **Frameworks and Libraries:**  
  - Python 3.13.2 
  - scikit-learn
  - pandas
  - numpy 
  - XGBoost (alternative explored)  
  - LightGBM (alternative explored)  
  - TensorFlow/Keras (MLP alternative explored)

 **Key Hyperparameters (Best Configuration):**  
  - `n_estimators`: 300  
  - `max_depth`: None (unlimited)  
  - `min_samples_split`: 2  
  - `min_samples_leaf`: 1  
  - `max_features`: None  
  - `class_weight`: None  
  - **Probability Calibration:** Platt scaling (sigmoid) using CalibratedClassifierCV  
  - **Decision Threshold (Post-calibration):** Adjusted to an optimal value (≈0.00167 before calibration; post-calibration threshold re-evaluated)

## 2. Intended Use

 **Primary Use Case:**  
  - Detection of network intrusions and malicious activity within network traffic.
  - Research and development for cybersecurity applications and intrusion detection systems.

 **Target Users:**  
  - Cybersecurity researchers and practitioners.
  - Organizations looking to enhance their network security through machine learning.

 **Out-of-Scope Uses:**  
  - General anomaly detection outside of network traffic.
  - Deployment in production without further validation on modern and diverse datasets.

## 3. Performance

### Evaluation Metrics (on NSL-KDD Test Set):

 **Accuracy:**  
  - Baseline (pre-threshold adjustment): ~80.0%
  - Post-threshold adjustment (calibrated model): ~89%

 **Class-Specific Metrics:**

  | Class           | Precision | Recall | F1-Score | Support |
  |-----------------|-----------|--------|----------|---------|
  | **Normal (0)**  | ~0.87     | ~0.89  | ~0.88    | 9,710   |
  | **Attack (1)**  | ~0.92     | ~0.90  | ~0.91    | 12,833  |

 **Confusion Matrix (Post-threshold adjustment):**

[[TP: 9417, FP: 293], [FN: 4209, TP: 8624]]


 **Additional Metrics:**  
- ROC and precision-recall curves were analyzed to select an optimal decision threshold.
- The calibration process improved the reliability of predicted probabilities.

## 4. Training Data

 **Dataset:**  
- NSL-KDD dataset (a refined version of the KDD Cup 99 dataset).

 **Data Composition:**  
- **Features:** 122 features after preprocessing (including one-hot encoded categorical features for `protocol_type`, `service`, and `flag`, plus numerical features).
- **Labels:** Binary labels where `0` represents normal (benign) connections and `1` represents attacks.

 **Preprocessing Steps:**  
- Dropped the extra "difficulty" column from the training set.
- Cleaned and aligned the training and test datasets.
- Applied one-hot encoding to categorical features.
- Scaled numeric features using StandardScaler.
- Calibrated predicted probabilities using Platt scaling.
- Adjusted the decision threshold based on ROC analysis.

 **Known Limitations of the Data:**  
- The dataset is based on network traffic data from the 1990s and may not fully represent modern network behavior or attack vectors.
- Class imbalance is present, with fewer normal instances than attack instances (or vice versa, depending on the split).

## 5. Ethical Considerations and Limitations

 **Bias and Fairness:**  
- The NSL-KDD dataset may reflect biases inherent in its era and simulation process. Models trained on this data might not generalize perfectly to current real-world scenarios.
- Care should be taken to supplement this dataset with more recent data when deploying in a live environment.

 **Privacy:**  
- The dataset does not contain personally identifiable information (PII) and is based on simulated network traffic.

 **Limitations:**  
- While the calibrated and threshold-adjusted model shows promising performance on this dataset, further validation on contemporary and diverse datasets is required.
- The extremely low decision threshold indicates that the raw predicted probabilities may be skewed; thus, calibration is critical.

## 6. Usage Instructions

 **How to Use the Model:**  
- Load the preprocessed and scaled data.
- Use the provided pipeline (including scaling and probability calibration) to generate predictions.
- Adjust the decision threshold if needed based on your specific application’s tolerance for false positives versus false negatives.

 **Deployment Considerations:**  
- Regularly monitor model performance and recalibrate if the underlying data distribution changes.
- Consider integrating the model into a larger ensemble or system that combines multiple detection methods for enhanced reliability.

 **Maintenance and Updates:**  
- The model card and associated documentation should be updated as new data becomes available or if the model is retrained.
- Continuous evaluation on recent network traffic data is recommended.

## 7. Contact and Further Information

- **Further Documentation:**  
- Refer to the `datasheet.ipynb` for details on the NSL-KDD dataset used in this project.
---

