In [36]:
import pandas as pd
import numpy as np
from openai import OpenAI
import matplotlib.pyplot as plt
import seaborn as sns
from datetime import datetime
import json
import os

In [37]:
# API Configuration
ATTACK_DETECTION_URL = "https://vmz596vt3lazdqj8.us-east-1.aws.endpoints.huggingface.cloud/v1/"
ATTACK_TYPE_URL = "https://cssjwosu0r80pfaw.us-east-1.aws.endpoints.huggingface.cloud/v1/"
API_KEY = "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"

In [38]:
# Create results directory
results_dir = "test_results"
os.makedirs(results_dir, exist_ok=True)

def format_network_data(row):
    """Format network data into a structured input format"""
    return f"""Network Traffic Analysis Request:

Protocol: {row['proto']}
Service: {row['service']}
State: {row['state']}
Duration: {row['dur']} seconds

Traffic Statistics:
Source packets: {row['spkts']}
Destination packets: {row['dpkts']}
Source bytes: {row['sbytes']}
Destination bytes: {row['dbytes']}
Source load: {row['sload']} bits/sec
Destination load: {row['dload']} bits/sec
Source TTL: {row['sttl']}
Destination TTL: {row['dttl']}

Connection Statistics:
TCP round-trip time: {row.get('smean', 0)}
SYN-ACK time: {row.get('dmean', 0)}
ACK data time: {row.get('smeansz', 0)}
Mean packet size (source): {row.get('dmeansz', 0)}
Mean packet size (destination): {row.get('ct_srv_src', 0)}"""

In [39]:
def generate_response(prompt, endpoint_url, model_name):
    try:
        client = OpenAI(
            base_url=endpoint_url,
            api_key=API_KEY
        )
        
        chat_completion = client.chat.completions.create(
            model="tgi",
            messages=[
                {
                    "role": "user",
                    "content": prompt
                }
            ],
            top_p=None,
            temperature=None,
            max_tokens=150,
            stream=True,
            seed=None,
            stop=None,
            frequency_penalty=None,
            presence_penalty=None
        )
        
        full_response = ""
        for message in chat_completion:
            if message.choices[0].delta.content:
                content = message.choices[0].delta.content
                full_response += content
        
        return full_response.strip()
        
    except Exception as e:
        print(f"Error generating response from {model_name}: {e}")
        return None

In [40]:
def analyze_responses(detection_responses, type_responses, true_labels, true_attack_types):
    """Analyze the responses and calculate statistics"""
    detection_stats = {
        'total': len(detection_responses),
        'attack_detected': 0,
        'false_positives': 0,
        'false_negatives': 0,
        'true_positives': 0,
        'true_negatives': 0
    }
    
    type_stats = {
        'total': len(type_responses),
        'attack_types': {},
        'correct_categorizations': 0,
        'incorrect_categorizations': 0,
        'categorization_matrix': {}
    }
    
    for i, (det_resp, type_resp, true_label, true_type) in enumerate(zip(detection_responses, type_responses, true_labels, true_attack_types)):
        # Detection analysis
        is_attack = any(keyword in det_resp.lower() for keyword in ['shows characteristics', 'investigation', 'suspicious'])
        
        if is_attack and true_label == 1:
            detection_stats['true_positives'] += 1
        elif not is_attack and true_label == 0:
            detection_stats['true_negatives'] += 1
        elif is_attack and true_label == 0:
            detection_stats['false_positives'] += 1
        elif not is_attack and true_label == 1:
            detection_stats['false_negatives'] += 1
            
        if is_attack:
            detection_stats['attack_detected'] += 1
            
        # Attack type analysis
        if is_attack and type_resp and true_label == 1:
            predicted_type = type_resp.split('.')[0].strip()  # Get first sentence as attack type
            type_stats['attack_types'][predicted_type] = type_stats['attack_types'].get(predicted_type, 0) + 1
            
            # Initialize categorization matrix for this true type if not exists
            if true_type not in type_stats['categorization_matrix']:
                type_stats['categorization_matrix'][true_type] = {}
            
            # Update categorization matrix
            type_stats['categorization_matrix'][true_type][predicted_type] = type_stats['categorization_matrix'][true_type].get(predicted_type, 0) + 1
            
            # Check if categorization is correct
            if predicted_type.lower() == true_type.lower():
                type_stats['correct_categorizations'] += 1
            else:
                type_stats['incorrect_categorizations'] += 1
    
    return detection_stats, type_stats

In [41]:
def visualize_results(detection_stats, type_stats, timestamp):
    """Create visualizations of the results"""
    # Create a figure with 3 subplots
    plt.figure(figsize=(18, 6))
    
    # Detection confusion matrix
    plt.subplot(1, 3, 1)
    confusion_matrix = np.array([
        [detection_stats['true_negatives'], detection_stats['false_positives']],
        [detection_stats['false_negatives'], detection_stats['true_positives']]
    ])
    sns.heatmap(confusion_matrix, annot=True, fmt='d', cmap='Blues',
                xticklabels=['Normal', 'Attack'],
                yticklabels=['Normal', 'Attack'])
    plt.title('Attack Detection Confusion Matrix')
    
    # Attack type distribution
    plt.subplot(1, 3, 2)
    attack_types = list(type_stats['attack_types'].keys())
    counts = list(type_stats['attack_types'].values())
    plt.bar(attack_types, counts)
    plt.title('Attack Type Distribution')
    plt.xticks(rotation=45, ha='right')
    
    # Attack type categorization accuracy
    plt.subplot(1, 3, 3)
    correct = type_stats['correct_categorizations']
    incorrect = type_stats['incorrect_categorizations']
    plt.bar(['Correct', 'Incorrect'], [correct, incorrect])
    plt.title('Attack Type Categorization Accuracy')
    
    plt.tight_layout()
    
    # Save the plot
    plt.savefig(os.path.join(results_dir, f'results_{timestamp}.png'))
    plt.close()

In [None]:
def main():
    # Load test data
    df = pd.read_csv('test-miniset.csv')
    #df = df.head(150)
    
    # Initialize lists to store responses
    detection_responses = []
    type_responses = []
    
    # Process each row
    for _, row in df.iterrows():
        # Format the data
        network_data = format_network_data(row)
        
        # Get detection response
        detection_prompt = f"Analyze the following network traffic data and determine if it shows signs of malicious activity.\n\n{network_data}"
        detection_response = generate_response(detection_prompt, ATTACK_DETECTION_URL, "Attack Detection")
        detection_responses.append(detection_response)
        
        # If attack detected, get attack type
        if detection_response and any(keyword in detection_response.lower() for keyword in ['shows characteristics', 'investigation', 'suspicious']):
            type_prompt = f"Analyze the following network traffic data and determine the specific type of attack being performed.\n\n{network_data}"
            type_response = generate_response(type_prompt, ATTACK_TYPE_URL, "Attack Type")
            type_responses.append(type_response)
        else:
            type_responses.append(None)
    
    # Generate timestamp for results
    timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
    
    # Analyze responses
    detection_stats, type_stats = analyze_responses(detection_responses, type_responses, df['label'].values, df['attack_cat'].values)
    
    # Save results
    results = {
        'detection_stats': detection_stats,
        'type_stats': type_stats,
        'responses': {
            'detection': detection_responses,
            'type': type_responses
        }
    }
    
    with open(os.path.join(results_dir, f'results_{timestamp}.json'), 'w') as f:
        json.dump(results, f, indent=2)
    
    # Visualize results
    visualize_results(detection_stats, type_stats, timestamp)
    
    # Print summary
    print("\nTest Results Summary:")
    print(f"Total samples: {detection_stats['total']}")
    print(f"Attacks detected: {detection_stats['attack_detected']}")
    print(f"True Positives: {detection_stats['true_positives']}")
    print(f"False Positives: {detection_stats['false_positives']}")
    print(f"True Negatives: {detection_stats['true_negatives']}")
    print(f"False Negatives: {detection_stats['false_negatives']}")

    # Add detection accuracy
    correct = detection_stats['true_positives'] + detection_stats['true_negatives']
    total = detection_stats['total']
    if total > 0:
        accuracy = (correct / total) * 100
        print(f"Attack Detection Accuracy: {accuracy:.2f}%")
    
    print("\nAttack Type Classification:")
    print(f"Correct categorizations: {type_stats['correct_categorizations']}")
    print(f"Incorrect categorizations: {type_stats['incorrect_categorizations']}")
    if type_stats['correct_categorizations'] + type_stats['incorrect_categorizations'] > 0:
        accuracy = (type_stats['correct_categorizations'] / 
                   (type_stats['correct_categorizations'] + type_stats['incorrect_categorizations'])) * 100
        print(f"Classification accuracy: {accuracy:.2f}%")
    
    print("\nAttack Type Distribution:")
    for attack_type, count in type_stats['attack_types'].items():
        print(f"{attack_type}: {count}")
    
    print("\nCategorization Matrix:")
    for true_type, predictions in type_stats['categorization_matrix'].items():
        print(f"\nTrue type: {true_type}")
        for pred_type, count in predictions.items():
            print(f"  Predicted as {pred_type}: {count}")

if __name__ == "__main__":
    main()


Test Results Summary:
Total samples: 119
Attacks detected: 71
True Positives: 38
False Positives: 33
True Negatives: 26
False Negatives: 22
Attack Detection Accuracy: 53.78%

Attack Type Classification:
Correct categorizations: 0
Incorrect categorizations: 38
Classification accuracy: 0.00%

Attack Type Distribution:
This network traffic shows characteristics of a Exploits attack: 22
This network traffic shows characteristics of a DoS attack: 5
This network traffic shows characteristics of a Reconnaissance attack: 3
This network traffic shows characteristics of a Backdoor attack: 3
This network traffic shows characteristics of a Fuzzers attack: 3
This network traffic shows characteristics of a'ın Fuzzers attack: 1
This network traffic shows characteristics of a Analysis attack: 1

Categorization Matrix:

True type: Exploits
  Predicted as This network traffic shows characteristics of a Exploits attack: 10
  Predicted as This network traffic shows characteristics of a Reconnaissance att