# Classification Report: Network Intrusion Detection System (NIDS) Implementation using Snort

### By Group 7 - Aisha Patel, Enoch Ngan, Liam Chen, Amara Johnson, Diego Ramirez, Sofia Ahmed, Ethan Kim
Date: April 16, 2024

#### Introduction:

The classification report for this project evaluates the performance of the Snort Network Intrusion Detection System (NIDS) in distinguishing between malicious and legitimate traffic across various scenarios. The report highlights key metrics such as precision, recall, F1-score, and accuracy to quantify the effectiveness of predefined Snort rules in detecting simulated cyberattacks and normal user activities.

#### Goals:

Precision: Indicates Snort's ability to correctly identify malicious traffic without flagging legitimate activity. High precision reflects fewer false positives, ensuring that legitimate actions (e.g., normal SSH logins) are not incorrectly flagged as intrusions.

Recall: Measures Snort's success in detecting malicious traffic, even in complex scenarios like SQL injection or port scans. High recall suggests that most attack attempts were accurately identified.

F1-Score: Balances precision and recall, providing a comprehensive metric to evaluate rule performance.

Accuracy: Overall effectiveness of Snort in correctly classifying traffic.

The classification report further compares the results of multiple rule sets, demonstrating how rule tuning affects Snort's ability to minimize false positives (FPs) and false negatives (FNs). These findings are essential for improving rule specificity and balancing detection capabilities, ensuring robust protection against cyber threats while maintaining normal network functionality.

#### Purpose:

This analysis provides actionable insights for refining intrusion detection rules to optimize the trade-off between sensitivity and specificity.

In [7]:

```python
import pandas as pd

df = pd.read_csv('snort_results.csv')

df.head()  # show the first five rows of the results file
```

```text
Unnamed: 0,Test Case,Attempt,Actual Type,Snort Prediction,Result
0,SSH Login,1,Legitimate,Legitimate,TN
1,SSH Login,2,Legitimate,Legitimate,TN
2,SSH Login,3,Legitimate,Malicious,FP
3,SSH Login,4,Legitimate,Legitimate,TN
4,SSH Login,5,Legitimate,Legitimate,TN
```


In [10]:

```python
# Map categorical values into numerical values (0 = Legitimate, 1 = Malicious)
df['Actual'] = df['Actual Type'].map({'Legitimate': 0, 'Malicious': 1})
df['Prediction'] = df['Snort Prediction'].map({'Legitimate': 0, 'Malicious': 1})

df.head()
```

```text
Unnamed: 0,Test Case,Attempt,Actual Type,Snort Prediction,Result,Actual,Prediction
0,SSH Login,1,Legitimate,Legitimate,TN,0,0
1,SSH Login,2,Legitimate,Legitimate,TN,0,0
2,SSH Login,3,Legitimate,Malicious,FP,0,1
3,SSH Login,4,Legitimate,Legitimate,TN,0,0
4,SSH Login,5,Legitimate,Legitimate,TN,0,0
```


In [14]:

```python
actual = df['Actual']
prediction = df['Prediction']
```

In [21]:

```python
from sklearn.metrics import classification_report, confusion_matrix

# Generate classification report
print("Classification Report: \n")
print(classification_report(actual, prediction, target_names=["Legitimate", "Malicious"]))

# Confusion matrix for detailed analysis
print("Confusion Matrix: \n")
print(confusion_matrix(actual, prediction))
```

```text
Classification Report: 

              precision    recall  f1-score   support

  Legitimate       0.86      0.83      0.85        30
   Malicious       0.76      0.80      0.78        20

    accuracy                           0.82        50
   macro avg       0.81      0.82      0.81        50
weighted avg       0.82      0.82      0.82        50

Confusion Matrix: 

[[25  5]
 [ 4 16]]
```


### Final Report: Key Findings

Number of attempts: 50 (10 attempts for each of the 5 test cases)

True Positives: 25, True Negatives: 16, False Positives: 4, False Negatives: 5

Our rule set achieved 82% accuracy in correctly classifying the test instances.
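The confusion matrix printed by the notebook and the `Result` column in the CSV describe the same four counts, so the practitioner's check before quoting TP/TN/FP/FN figures is to unpack the matrix in the ordering `sklearn` actually uses (rows = actual label, columns = predicted label, labels sorted, so 0 = Legitimate comes first) and recompute the metrics from those counts. The block below is an added example, not part of the group's notebook; the rows are constructed stand-ins for `snort_results.csv`, and it avoids pandas and sklearn so it runs anywhere.

```python
from collections import Counter

# Constructed rows in the shape of snort_results.csv (not the group's data):
# (Test Case, Actual Type, Snort Prediction).
SAMPLE_ROWS = [
    ("SSH Login", "Legitimate", "Legitimate"),
    ("SSH Login", "Legitimate", "Legitimate"),
    ("SSH Login", "Legitimate", "Malicious"),
    ("Port Scan", "Malicious", "Malicious"),
    ("Port Scan", "Malicious", "Legitimate"),
    ("SQL Injection", "Malicious", "Malicious"),
]


def result_label(actual, prediction):
    """Label one row the way the CSV's Result column does (positive class = Malicious)."""
    if actual == "Malicious":
        return "TP" if prediction == "Malicious" else "FN"
    return "TN" if prediction == "Legitimate" else "FP"


def confusion_counts(rows):
    """Return (tn, fp, fn, tp) from (test case, actual, prediction) rows."""
    c = Counter(result_label(actual, pred) for _, actual, pred in rows)
    return c["TN"], c["FP"], c["FN"], c["TP"]


def counts_from_matrix(matrix):
    """Unpack a 2x2 sklearn confusion_matrix into (tn, fp, fn, tp).

    sklearn orders rows by actual label and columns by predicted label, both in
    sorted order. With 0 = Legitimate and 1 = Malicious, [[a, b], [c, d]] reads
    as [[TN, FP], [FN, TP]]: top-left is legitimate traffic that raised no
    alert, bottom-right is attack traffic that Snort alerted on.
    """
    (tn, fp), (fn, tp) = matrix
    return tn, fp, fn, tp


def metrics_from_counts(tn, fp, fn, tp):
    """Malicious-class precision/recall/F1 and overall accuracy, rounded like the report."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / (tn + fp + fn + tp)
    raw = {"precision": precision, "recall": recall, "f1": f1, "accuracy": accuracy}
    return {k: round(v, 2) for k, v in raw.items()}


if __name__ == "__main__":
    print(confusion_counts(SAMPLE_ROWS))
    # The matrix printed by the notebook, re-read with the sklearn cell ordering.
    print(metrics_from_counts(*counts_from_matrix([[25, 5], [4, 16]])))
```

Feeding the notebook's own matrix through `counts_from_matrix` reproduces the Malicious row of the classification report (0.76 / 0.80 / 0.78) and the 0.82 accuracy, which confirms the cell ordering used.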