A deep learning-based Intrusion Detection System (IDS) trained on the NSL-KDD dataset. This project integrates PyTorch and the Adversarial Robustness Toolbox (ART) to evaluate model robustness against adversarial attacks (FGSM) and supports real-time packet detection with Scapy.
- Preprocessing of NSL-KDD dataset using
pandas,sklearn - Deep neural network classifier using PyTorch
- Adversarial attack evaluation using
art.attacks.evasion.FastGradientMethod - Real-time packet sniffing and prediction using Scapy
- Clean modular Python code and Jupyter Notebook demonstration
nslkdd-robust-ids/
βββ data/ # Dataset download instructions (KaggleHub)
βββ notebooks/ # kaggel notebooks for experimentation
βββ src/ # Core Python modules
βββ realtime/ # Real-time detection using Scapy
βββ utils/ # Helper utilities
βββ requirements.txt # Dependencies
βββ README.md # This file
This project uses the NSL-KDD Dataset.
You can download it using KaggleHub:
import kagglehub
path = kagglehub.dataset_download("hassan06/nslkdd")git clone https://github.com/Anton3090/nslkdd-robust-ids.git
cd nslkdd-robust-ids
pip install -r requirements.txtnumpy>=1.21.0
pandas>=1.3.0
scikit-learn>=1.0.0
torch>=1.10.0
torchvision>=0.11.0
matplotlib>=3.4.0
seaborn>=0.11.0
scapy>=2.4.5
tqdm>=4.62.0
adversarial-robustness-toolbox>=1.12.1
nn.Sequential(
nn.Linear(input_dim, 64),
nn.ReLU(),
nn.Linear(64, 32),
nn.ReLU(),
nn.Linear(32, 2)
)python src/train.pypython src/evaluate.pypython src/adversarial.pyDetect potential intrusions in real-time from live network packets.
sudo python realtime/detect.pyInside realtime/detect.py, we:
- Use Scapy to sniff live packets
- Extract basic features (protocol, ports, packet length, flags)
- Normalize and reshape into model input format
- Predict using the trained PyTorch model
Sample logic:
from scapy.all import sniff, IP, TCP, UDP
import torch
import torch.nn as nn
import numpy as np
import joblib
from datetime import datetime
# Define the model
class IDSModel(nn.Module):
def __init__(self, input_dim):
super(IDSModel, self).__init__()
self.layers = nn.Sequential(
nn.Linear(input_dim, 64),
nn.ReLU(),
nn.Dropout(0.3),
nn.Linear(64, 32),
nn.ReLU(),
nn.Linear(32, 2)
)
def forward(self, x):
return self.layers(x)
# Load model and scaler
model = IDSModel(input_dim=42)
model.load_state_dict(torch.load("ids_model.pth"))
model.eval()
scaler = joblib.load("scaler.save")
# Feature extraction function
def extract_features(pkt):
try:
length = len(pkt)
ttl = pkt[IP].ttl if IP in pkt else 0
dport = pkt[TCP].dport if TCP in pkt else (pkt[UDP].dport if UDP in pkt else 0)
features = [length, ttl, dport]
features += [0] * (42 - len(features)) # Pad to 42 features
return np.array(features).reshape(1, -1)
except:
return np.zeros((1, 42)) # Return dummy on failure
# Classify and log packet
def classify_packet(pkt):
features = extract_features(pkt)
scaled = scaler.transform(features)
tensor = torch.tensor(scaled, dtype=torch.float32)
output = model(tensor)
pred = torch.argmax(output).item()
label = "attack" if pred == 1 else "normal"
print(f"[{datetime.now()}] Packet classified as: {label}")
with open("log.txt", "a") as f:
f.write(f"{datetime.now()} | {pkt.summary()} | Result: {label}\n")
# Start sniffing for 10 seconds
print("Sniffing packets for 10 seconds...")
sniff(prn=classify_packet, timeout=10, store=0)
print("Sniffing finished.")Note: Ensure features extracted match the trained modelβs input structure.
| Dataset | Accuracy |
|---|---|
| Clean Test | 87.2% |
| FGSM Attack | 84.5% |
This project uses Fast Gradient Sign Method (FGSM) from Adversarial Robustness Toolbox (ART):
from art.attacks.evasion import FastGradientMethod
fgsm = FastGradientMethod(estimator=classifier, eps=0.1)
X_test_adv = fgsm.generate(X_test.astype(np.float32))- NSL-KDD dataset by Canadian Institute for Cybersecurity
- Adversarial Robustness Toolbox (ART)
- Scapy for real-time packet sniffing
- KaggleHub for dataset access
This project is licensed under the MIT License.
Feel free to fork the repo and submit pull requests. Issues and improvements welcome!