# Live network threat detection

### Import necessary libraries

In [62]:
import os
import pandas as pd
import joblib
import time
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler

### Define the traffic file to watch and the checkpoint / history file paths

In [63]:
# Define the path to the traffic file
# Define the path to the traffic file (the CSV the observer watches for appended flow rows).
# NOTE: this is a relative path; it resolves against the process working directory, and
# MyHandler.on_modified compares event.src_path against this exact string.
traffic_file_path = '../traffic_data/flows.csv'
# Define the path to the file where the last processed position is stored.
# read_checkpoint/write_checkpoint store a single int, which the handler uses as a byte offset for f.seek.
checkpoint_file_path = '../traffic_data/last_processed_checkpoint.ckpt'
# Define the path to the anomaly history file (CSV with a "Timestamp,Anomaly" header, appended per batch)
anomaly_history_file = '../traffic_data/anomaly_history.csv'

### Load the trained model

In [64]:
# NOTE: joblib.load deserialises with pickle, which can execute arbitrary code embedded in the
# file; load model artefacts only from a trusted location whose integrity you control.
model = joblib.load('../models/rf_classifier.pkl')  # Path to the trained random-forest classifier; adjust if the model lives elsewhere

### Function to read the last processed position or timestamp from the checkpoint file

In [65]:
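def read_checkpoint(path=None, default=1104):
    """
    Read the last processed position from the checkpoint file.

    The handler uses the returned value as a byte offset for ``f.seek`` on the
    traffic file. If the checkpoint file is missing or does not hold a valid
    integer, ``default`` is returned instead of raising.

    Args:
        path (str | None): Checkpoint file to read; defaults to the module-level
            ``checkpoint_file_path``.
        default (int): Value returned when no usable checkpoint exists. The
            historical default of 1104 is presumably the byte length of the
            traffic file's header row rather than "the beginning of the file" —
            confirm against flows.csv.

    Returns:
        int: Last processed position.
    """
    if path is None:
        path = checkpoint_file_path
    try:
        with open(path, 'r') as f:
            return int(f.read())
    except (FileNotFoundError, ValueError):
        # Missing or malformed checkpoint: fall back to a known offset so the
        # watcher keeps running instead of dying on a corrupt state file.
        return default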

### Function to write the last processed position or timestamp to the checkpoint file

In [66]:
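def write_checkpoint(position, path=None):
    """
    Write the last processed position to the checkpoint file atomically.

    The value is first written to a sibling temporary file and then moved into
    place with ``os.replace``, so a crash mid-write cannot leave a truncated or
    empty checkpoint. (read_checkpoint treats an empty file as "use the default
    offset", which would silently reprocess rows that were already reported.)

    Args:
        position (int): Last processed position (byte offset into the traffic file).
        path (str | None): Checkpoint file to write; defaults to the module-level
            ``checkpoint_file_path``.
    """
    if path is None:
        path = checkpoint_file_path
    tmp_path = f"{path}.tmp"
    with open(tmp_path, 'w') as f:
        f.write(str(position))
    # Atomic on POSIX and Windows: readers see either the old or the new checkpoint, never a partial one
    os.replace(tmp_path, path)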

### Function to write anomalies to the anomaly history CSV file

In [67]:
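def write_anomalies_to_csv(anomalies, path=None):
    """
    Append anomalies to the anomaly history CSV file.

    Creates the file with a ``Timestamp,Anomaly`` header on first use, then
    appends one row per anomaly without repeating the header. Nothing is
    written when ``anomalies`` is empty, so a no-op call never creates a file
    or leaves a stray blank line in the history.

    Args:
        anomalies (list): List of anomaly information dictionaries as produced by
            predict_anomalies (keys ``timestamp`` then ``anomaly``; the column
            order written relies on that key order).
        path (str | None): History file to append to; defaults to the module-level
            ``anomaly_history_file``.
    """
    if not anomalies:
        return
    if path is None:
        path = anomaly_history_file
    if not os.path.exists(path):
        with open(path, 'w') as f:
            f.write("Timestamp,Anomaly\n")  # Header only when the file is first created
    df = pd.DataFrame(anomalies)
    # header=False: the header line above must be the only one in the file
    df.to_csv(path, mode='a', index=False, header=False)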

### Define function to preprocess data and make predictions

In [68]:
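def predict_anomalies(new_data, classifier=None, label_encoder=None):
    """
    Predict anomalies in the new data.

    Identifier/metadata columns are dropped, the remaining columns are sorted
    by name to give a deterministic feature order, and every row whose
    predicted class is not 0 (presumably the benign class — confirm against the
    training notebook) is reported with its timestamp and decoded label.

    NOTE(review): MyHandler builds ``new_data`` from raw CSV text, so the
    feature columns arrive as str dtype and the classifier is relied on to
    coerce them to numbers — confirm this matches how the model was trained.

    Args:
        new_data (DataFrame): New flow records containing the dropped identifier
            columns below plus the model's feature columns. Rows are addressed
            positionally, so a non-default index does not break the lookup.
        classifier: Object with a ``predict`` method; defaults to the module-level
            ``model`` loaded at startup.
        label_encoder: Object with ``inverse_transform``; defaults to the encoder
            stored at ``../models/label_encoder.joblib``, loaded at most once per
            call rather than once per flagged row.

    Returns:
        list: One dict per anomaly with keys ``timestamp`` and ``anomaly``
        (the decoded class name), in row order.
    """
    if classifier is None:
        classifier = model

    # Preprocess: drop non-feature columns and fix the column order the model expects
    features = new_data.drop(
        columns=['dst_port', 'protocol', 'timestamp', 'src_ip', 'dst_ip', 'src_port', 'cwr_flag_count']
    ).sort_index(axis=1)

    predictions = classifier.predict(features)

    anomalies = []
    timestamps = new_data['timestamp']
    for i, prediction in enumerate(predictions):
        if prediction == 0:
            continue
        if label_encoder is None:
            # Lazy, one-time load: the encoder is only needed once something is flagged
            label_encoder = joblib.load('../models/label_encoder.joblib')
        anomaly_info = {
            "timestamp": timestamps.iloc[i],  # positional, so it lines up with predictions[i]
            "anomaly": label_encoder.inverse_transform([prediction])[0],
        }
        anomalies.append(anomaly_info)
        print(f"🔴 Anomaly detected: {anomaly_info['anomaly']} at {anomaly_info['timestamp']}")
    if not anomalies:
        print("🟢 No anomalies detected")

    return anomalies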

### Define the event handler for the file system

In [69]:
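class MyHandler(FileSystemEventHandler):
    """
    Handler class to detect file modifications and trigger anomaly detection.

    On each modification of the traffic file it reads the rows appended since
    the last checkpoint, runs predict_anomalies on them, records any anomalies
    to the history file, and advances the checkpoint to the end of what was read.
    """
    def on_modified(self, event):
        """
        Method called by watchdog when a file is modified.

        Only modifications of ``traffic_file_path`` are handled. Paths are
        normalised with os.path.abspath before comparison because watchdog may
        report an absolute path while the configured path is relative.

        Args:
            event: watchdog file-system event; ``event.src_path`` is the modified file.
        """
        if os.path.abspath(event.src_path) != os.path.abspath(traffic_file_path):
            return
        print("File modified. Detecting anomalies...")

        # Resume from the byte offset recorded by the previous run
        last_processed_position = read_checkpoint()

        with open(traffic_file_path, 'r') as f:
            header = f.readline().strip('\n').split(',')

            # Never seek back into the header row: a checkpoint smaller than the header
            # length would otherwise feed the header back in as a data row
            f.seek(max(last_processed_position, f.tell()))

            # Everything appended since the checkpoint.
            # NOTE(review): if the producer is mid-append, the final line may be partial —
            # confirm the writer flushes whole rows, or guard against a short last row.
            data = f.readlines()

            # Offset to persist as the next checkpoint
            current_position = f.tell()

        if data:
            combined_data = [row.strip('\n').split(',') for row in data]
            new_data = pd.DataFrame(combined_data, columns=header)

            try:
                anomalies = predict_anomalies(new_data)
                if anomalies:
                    write_anomalies_to_csv(anomalies)
            except Exception as e:
                # Keep the observer thread alive on a bad batch, but never fail silently:
                # a swallowed error here means attacks go unreported with no trace.
                print(f"⚠️ Anomaly detection failed for rows after offset {last_processed_position}: {e!r}")
        else:
            print("No new rows since the last checkpoint")

        # Advance the checkpoint even after a failed batch so the same rows are not retried
        # forever; the message above is the record that this span was skipped.
        write_checkpoint(current_position)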

### Set up file system event observer

In [70]:

# Wire the handler to a watchdog observer and start it in a background thread.
event_handler = MyHandler()
observer = Observer()
# NOTE(review): path is the CSV file itself rather than its directory; watchdog is
# commonly given a directory — confirm that modification events for this file are
# delivered and that event.src_path matches traffic_file_path as compared in on_modified.
observer.schedule(event_handler, path=traffic_file_path, recursive=False)
observer.start()  # Observer thread runs until observer.stop() is called

In [71]:
# Keep the main thread alive while the observer thread does the work;
# Ctrl-C (KeyboardInterrupt) stops the observer and join() waits for it to exit.
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    observer.stop()
observer.join()

File modified. Detecting anomalies...
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:16:27
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:18:04
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:19:37
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:21:15
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:22:49
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:24:24
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:25:57
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:27:31
🔴 Anomaly detected: Brute Force -Web at 2024-02-12 02:27:52
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:29:08
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:30:44
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:32:20
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:33:55
🔴 Anomaly detected: Brute Force -Web at 2024-02-12 02:33:58
🔴 Anomaly detected: DDOS attack-LOIC-UDP at 2024-02-12 02:35:31
🔴 Anomaly 