# Artificial Intelligence Lab 4

### **TASK 1: AI Agent Task**

**AI Lab Task: Intrusion Detection AI Agent**

**Objective:**
In this task, students will implement a **Simple Reflex AI Agent** to monitor network traffic and detect potential intrusions. The agent will perceive traffic data, classify it as normal or suspicious, and take appropriate actions based on predefined rules.


**Task Description:**
You are tasked with designing and implementing an **Intrusion Detection AI Agent** that can analyze network traffic for signs of potential cyber threats. Your agent will:
1. **Perceive** network traffic data (e.g., request rate, anomalies, source IPs, packet size, and protocol type).
2. **Classify** traffic as "normal" or "suspicious" based on predefined rules.
3. **Take action** by logging alerts for suspicious traffic.
4. **Simulate traffic data** for testing your agent.


#### **Step 1: Define the Agent Class**
- Create a Python class `IntrusionDetectionAgent`.

- Implement a `perceive()` method that analyzes network traffic attributes:
  - **Source IP Address**: The IP address of the incoming connection.
  - **Request Rate**: The number of requests per second from a given source.
  - **Anomalies Count**: A count of unusual behaviors detected (e.g., repeated failed login attempts, unusual access times).
  - **Packet Size**: The size of data packets being transmitted.
  - **Protocol Type**: The type of protocol used (e.g., TCP, UDP, ICMP).

- Implement an `act()` method that generates alerts when suspicious activity is detected.

#### **Step 2: Generate Simulated Traffic Data**
- Create a function to simulate network traffic.
- Each traffic sample should include:
  - **Source IP Address** (randomized IPs)
  - **Request Rate** (random values within a realistic range of 10 to 200 requests per second)
  - **Anomalies Count** (random values between 0 and 10 indicating unusual behavior)
  - **Packet Size** (random values between 100 and 5000 bytes)
  - **Protocol Type** (randomly selected from TCP, UDP, ICMP)

#### **Step 3: Implement Intrusion Detection Logic**
- Define thresholds for detecting suspicious traffic:
  - If `request_rate > 100`, classify as **suspicious**.
  - If `anomalies > 5`, classify as **suspicious**.
  - If `packet_size > 4000`, classify as **suspicious**.
  - If the **protocol type is ICMP** with a high request rate, classify as **potential DDoS attack**.
- Store alerts for suspicious traffic.

#### **Step 4: Test the Agent**
- Run your agent on generated traffic data.
- Observe whether it correctly detects suspicious activity.
- Print or log alerts for review.

### **Example Output:**
```
Traffic from 192.168.1.45 is normal.
ALERT! Suspicious activity detected from 192.168.1.88 - High Request Rate
Traffic from 192.168.1.12 is normal.
ALERT! Suspicious activity detected from 192.168.1.150 - Large Packet Size
ALERT! Potential DDoS attack detected from 192.168.1.200 - High ICMP traffic
```


```python
import random


class IDSAgent:
    """Simple reflex agent: classifies the latest traffic sample by fixed rules."""

    def __init__(self, ip='', rate=0, anomaly_count=0, packet_size=0, protocol=''):
        self.ip = ip
        self.rate = rate
        self.anomaly_count = anomaly_count
        self.packet_size = packet_size
        self.protocol = protocol

    def receive_data(self, ip, rate, anomaly_count, packet_size, protocol):
        # Percept: overwrite the agent's state with the newest sample.
        self.ip = ip
        self.rate = rate
        self.anomaly_count = anomaly_count
        self.packet_size = packet_size
        self.protocol = protocol

    def analyze(self):
        # Step 3 thresholds: rate > 100 req/s, anomalies > 5, packet size > 4000 bytes.
        if self.rate > 100 or self.anomaly_count > 5 or self.packet_size > 4000:
            return "Suspicious Activity"
        return "Normal Traffic"

    def respond(self):
        status = self.analyze()
        if status == "Suspicious Activity":
            print(f"ALERT: {status} detected from IP {self.ip}")
        else:
            print("Traffic is Normal")


def run_simulation():
    detector = IDSAgent()
    for _ in range(5):
        # Sample values follow the ranges given in Step 2.
        detector.receive_data(
            f'192.168.1.{random.randint(1, 254)}',
            random.randint(10, 200),      # request rate (requests per second)
            random.randint(0, 10),        # anomalies count
            random.randint(100, 5000),    # packet size (bytes)
            random.choice(['TCP', 'UDP', 'ICMP'])
        )
        detector.respond()


run_simulation()
```


```
ALERT: Suspicious Activity detected from IP 192.168.1.192
ALERT: Suspicious Activity detected from IP 192.168.1.222
ALERT: Suspicious Activity detected from IP 192.168.1.116
ALERT: Suspicious Activity detected from IP 192.168.1.203
ALERT: Suspicious Activity detected from IP 192.168.1.87
```
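
The following is an added example, not code from the original notebook. It implements Steps 1 to 3 with the `IntrusionDetectionAgent`, `perceive()` and `act()` names from the task, reports which rule fired, stores alerts, and applies the ICMP rule. The `Traffic` tuple, the `simulate` helper, the "High Anomaly Count" label, and reading a "high" ICMP rate as the same `> 100` threshold are assumptions.

```python
import random
from collections import namedtuple

# Step 3 thresholds. Assumption: a "high" ICMP request rate means the same
# request-rate threshold, because the task gives no separate number for it.
RATE_MAX, ANOMALY_MAX, PACKET_MAX = 100, 5, 4000

# One traffic sample (hypothetical container; field names are illustrative).
Traffic = namedtuple("Traffic", "src_ip request_rate anomalies packet_size protocol")

class IntrusionDetectionAgent:
    def __init__(self):
        self.alerts = []  # alerts stored for later review (Step 3)

    def perceive(self, t):
        """Return the rules a sample violates; an empty list means normal."""
        reasons = []
        if t.request_rate > RATE_MAX:  # ICMP gets the more specific label
            reasons.append("High ICMP traffic" if t.protocol == "ICMP"
                           else "High Request Rate")
        if t.anomalies > ANOMALY_MAX:
            reasons.append("High Anomaly Count")
        if t.packet_size > PACKET_MAX:
            reasons.append("Large Packet Size")
        return reasons

    def act(self, t):
        """Store and return an alert line, or return the normal-traffic line."""
        reasons = self.perceive(t)
        if not reasons:
            return f"Traffic from {t.src_ip} is normal."
        ddos = "High ICMP traffic" in reasons
        kind = "Potential DDoS attack" if ddos else "Suspicious activity"
        alert = f"ALERT! {kind} detected from {t.src_ip} - {', '.join(reasons)}"
        self.alerts.append(alert)
        return alert

def simulate(n, seed=None):
    """Constructed samples in the Step 2 ranges; a seed makes runs repeatable."""
    rng = random.Random(seed)
    return [Traffic(f"192.168.1.{rng.randint(1, 254)}", rng.randint(10, 200),
                    rng.randint(0, 10), rng.randint(100, 5000),
                    rng.choice(["TCP", "UDP", "ICMP"])) for _ in range(n)]

if __name__ == "__main__":
    print("\n".join(map(IntrusionDetectionAgent().act, simulate(5, seed=4))))
```

Because the comparisons are strict, a sample sitting exactly on a threshold (100 requests per second, 5 anomalies, 4000 bytes) is classified as normal.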
