# Artificial Intelligence Lab 4

### **TASK 1: AI Agent Task**

**AI Lab Task: Intrusion Detection AI Agent**

**Objective:**
In this task, students will implement a **Simple Reflex AI Agent** to monitor network traffic and detect potential intrusions. The agent will perceive traffic data, classify it as normal or suspicious, and take appropriate actions based on predefined rules.


**Task Description:**
You are tasked with designing and implementing an **Intrusion Detection AI Agent** that can analyze network traffic for signs of potential cyber threats. Your agent will:
1. **Perceive** network traffic data (e.g., request rate, anomalies, source IPs, packet size, and protocol type).
2. **Classify** traffic as "normal" or "suspicious" based on predefined rules.
3. **Take action** by logging alerts for suspicious traffic.
4. **Simulate traffic data** for testing your agent.


#### **Step 1: Define the Agent Class**
- Create a Python class `IntrusionDetectionAgent`.

- Implement a `perceive()` method that analyzes network traffic attributes:
  - **Source IP Address**: The IP address of the incoming connection.
  - **Request Rate**: The number of requests per second from a given source.
  - **Anomalies Count**: A count of unusual behaviors detected (e.g., repeated failed login attempts, unusual access times).
  - **Packet Size**: The size of data packets being transmitted.
  - **Protocol Type**: The type of protocol used (e.g., TCP, UDP, ICMP).

- Implement an `act()` method that generates alerts when suspicious activity is detected.

#### **Step 2: Generate Simulated Traffic Data**
- Create a function to simulate network traffic.
- Each traffic sample should include:
  - **Source IP Address** (randomized IPs)
  - **Request Rate** (random values within a realistic range of 10 to 200 requests per second)
  - **Anomalies Count** (randomized values indicating unusual behavior between 0 to 10)
  - **Packet Size** (random values between 100 to 5000 bytes)
  - **Protocol Type** (randomly selected from TCP, UDP, ICMP)

#### **Step 3: Implement Intrusion Detection Logic**
- Define a threshold for detecting suspicious traffic:
  - If `request_rate > 100`, classify as **suspicious**.
  - If `anomalies > 5`, classify as **suspicious**.
  - If `packet_size > 4000`, classify as **suspicious**.
  - If the **protocol type is ICMP** with a high request rate, classify as **potential DDoS attack**.
- Store alerts for suspicious traffic.

#### **Step 4: Test the Agent**
- Run your agent on generated traffic data.
- Observe whether it correctly detects suspicious activity.
- Print or log alerts for review.

### **Example Output:**
```
Traffic from 192.168.1.45 is normal.
ALERT! Suspicious activity detected from 192.168.1.88 - High Request Rate
Traffic from 192.168.1.12 is normal.
ALERT! Suspicious activity detected from 192.168.1.150 - Large Packet Size
ALERT! Potential DDoS attack detected from 192.168.1.200 - High ICMP traffic
```


In [1]:
import random
import logging

# Configure logging
logging.basicConfig(level=logging.INFO, format='%(message)s')


class IntrusionDetectionAgent:
    def __init__(self):
        self.alerts = []

    def perceive(self, traffic_sample):
        """
        Analyze the network traffic attributes.
        """
        source_ip = traffic_sample['source_ip']
        request_rate = traffic_sample['request_rate']
        anomalies = traffic_sample['anomalies']
        packet_size = traffic_sample['packet_size']
        protocol_type = traffic_sample['protocol_type']

        # Classify traffic based on predefined rules
        if request_rate > 100:
            self.act(source_ip, "High Request Rate")
        if anomalies > 5:
            self.act(source_ip, "High Anomalies Count")
        if packet_size > 4000:
            self.act(source_ip, "Large Packet Size")
        if protocol_type == "ICMP" and request_rate > 100:
            self.act(source_ip, "Potential DDoS attack - High ICMP traffic")
        else:
            logging.info(f"Traffic from {source_ip} is normal.")

    def act(self, source_ip, alert_message):
        """
        Log alerts for suspicious activity.
        """
        alert = f"ALERT! Suspicious activity detected from {source_ip} - {alert_message}"
        logging.warning(alert)
        self.alerts.append(alert)


def generate_traffic_sample():
    """
    Generate a random traffic sample for testing.
    """
    traffic_sample = {
        'source_ip': f"192.168.{random.randint(1, 255)}.{random.randint(1, 255)}",
        'request_rate': random.randint(10, 200),
        'anomalies': random.randint(0, 10),
        'packet_size': random.randint(100, 5000),
        'protocol_type': random.choice(['TCP', 'UDP', 'ICMP'])
    }
    return traffic_sample


# Main testing logic
if __name__ == "__main__":
    agent = IntrusionDetectionAgent()

    # Simulate network traffic
    for _ in range(10):  # Generate 10 traffic samples
        traffic_sample = generate_traffic_sample()
        agent.perceive(traffic_sample)

    # Output alerts
    if agent.alerts:
        print("\nLogged Alerts:")
        for alert in agent.alerts:
            print(alert)
    else:
        print("\nNo suspicious activity detected.")


ALERT! Suspicious activity detected from 192.168.144.216 - High Anomalies Count
Traffic from 192.168.144.216 is normal.
ALERT! Suspicious activity detected from 192.168.13.249 - Large Packet Size
Traffic from 192.168.13.249 is normal.
ALERT! Suspicious activity detected from 192.168.109.42 - High Request Rate
ALERT! Suspicious activity detected from 192.168.109.42 - High Anomalies Count
Traffic from 192.168.109.42 is normal.
Traffic from 192.168.144.135 is normal.
ALERT! Suspicious activity detected from 192.168.251.174 - High Anomalies Count
Traffic from 192.168.251.174 is normal.
ALERT! Suspicious activity detected from 192.168.192.94 - High Request Rate
Traffic from 192.168.192.94 is normal.
ALERT! Suspicious activity detected from 192.168.126.125 - High Request Rate
ALERT! Suspicious activity detected from 192.168.126.125 - High Anomalies Count
Traffic from 192.168.126.125 is normal.
ALERT! Suspicious activity detected from 192.168.157.166 - High Request Rate
Traffic from 192.168.1


Logged Alerts:
ALERT! Suspicious activity detected from 192.168.144.216 - High Anomalies Count
ALERT! Suspicious activity detected from 192.168.13.249 - Large Packet Size
ALERT! Suspicious activity detected from 192.168.109.42 - High Request Rate
ALERT! Suspicious activity detected from 192.168.109.42 - High Anomalies Count
ALERT! Suspicious activity detected from 192.168.251.174 - High Anomalies Count
ALERT! Suspicious activity detected from 192.168.192.94 - High Request Rate
ALERT! Suspicious activity detected from 192.168.126.125 - High Request Rate
ALERT! Suspicious activity detected from 192.168.126.125 - High Anomalies Count
ALERT! Suspicious activity detected from 192.168.157.166 - High Request Rate
ALERT! Suspicious activity detected from 192.168.165.171 - High Anomalies Count
ALERT! Suspicious activity detected from 192.168.165.171 - Large Packet Size
ALERT! Suspicious activity detected from 192.168.5.238 - High Request Rate
