---
license: apache-2.0
language: en
library_name: keras
tags:
- intrusion-detection
- network-forensics
- iot-security
- cnn
- lstm
- multiclass-classification
- cybersecurity
datasets:
- CICIoT2023
---

# Multiclass Network Forensic Intrusion Detection System

A hybrid **CNN-LSTM** model for fine-grained, multiclass intrusion detection. It serves as a detailed forensic tool to classify network attacks into 25 distinct categories.

## Model Description

This model acts as a "second-stage" analysis tool. After an initial threat is detected (e.g., by a binary IDS), it identifies the specific nature of the attack.

- **Architecture:** `Conv1D -> ... -> LSTM -> Dense -> Dense (Softmax)`
- **Dataset:** CICIoT2023 curated subset
- **Performance:** 97% accuracy on the 25-class classification task

## Intended Use

- **Primary Use:** Identify the type of network attack for forensic analysis.
- **Input:** `(batch_size, 10, 46)`: 10 timesteps of 46 normalized network features
- **Output:** Softmax probabilities over 25 classes; the highest probability indicates the predicted class

## How to Use

```python
import tensorflow as tf
import numpy as np
from huggingface_hub import hf_hub_download

# Download the model
MODEL_PATH = hf_hub_download("Codelord01/multiclass_model", "multiclass_model.keras")
model = tf.keras.models.load_model(MODEL_PATH)
model.summary()

# Define class names in the order used during training
CLASS_NAMES = [
    'BenignTraffic', 'DDoS-ACK_Fragmentation', 'DDoS-HTTP_Flood', 'DDoS-ICMP_Flood',
    'DDoS-ICMP_Fragmentation', 'DDoS-PSHACK_Flood', 'DDoS-RSTFINFlood', 'DDoS-SYN_Flood',
    'DDoS-SlowLoris', 'DDoS-SynonymousIP_Flood', 'DDoS-TCP_Flood', 'DDoS-UDP_Flood',
    'DDoS-UDP_Fragmentation', 'DNS_Spoofing', 'DoS-HTTP_Flood', 'DoS-SYN_Flood',
    'DoS-TCP_Flood', 'DoS-UDP_Flood', 'MITM-ArpSpoofing', 'Mirai-greeth_flood',
    'Mirai-greip_flood', 'Mirai-udpplain', 'OtherAttack', 'Recon-HostDiscovery',
    'VulnerabilityScan'
]

# Sample input: 1 sample, 10 timesteps, 46 features
sample_data = np.random.rand(1, 10, 46).astype(np.float32)

# Make a prediction; the output has shape (1, 25), so index the first row
prediction_probs = model.predict(sample_data)[0]
predicted_index = int(np.argmax(prediction_probs))
predicted_class = CLASS_NAMES[predicted_index]
confidence = prediction_probs[predicted_index]

print(f"Predicted Attack Type: {predicted_class}")
print(f"Confidence: {confidence:.4f}")
```

## Limitations

- Validated only on CICIoT2023-like traffic
- Input must be normalized
- `CLASS_NAMES` must match training order
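
The input shape and the limitations above (normalized input, class names in training order) can be enforced in code around `model.predict`. The following is an added example, not part of the original model card or the author's code; the card does not state the normalization scheme, so min-max scaling with training-set statistics, the `min_conf` threshold, and the function names `make_windows` and `decode` are assumptions.

```python
import numpy as np

TIMESTEPS, N_FEATURES, N_CLASSES = 10, 46, 25  # shapes stated on this card

def make_windows(flows, feat_min, feat_max):
    """Scale flow rows (assumed: min-max, training-set stats), cut into (N, 10, 46)."""
    flows = np.asarray(flows, dtype=np.float32)
    if flows.ndim != 2 or flows.shape[1] != N_FEATURES:
        raise ValueError(f"expected (n_flows, {N_FEATURES}), got {flows.shape}")
    if not np.isfinite(flows).all():
        raise ValueError("NaN/inf in features; clean the capture first")
    feat_min = np.asarray(feat_min, dtype=np.float32)
    feat_max = np.asarray(feat_max, dtype=np.float32)
    span = np.where(feat_max > feat_min, feat_max - feat_min, 1.0)  # constant columns
    scaled = np.clip((flows - feat_min) / span, 0.0, 1.0)  # clip unseen extremes
    n = len(scaled) // TIMESTEPS  # an incomplete trailing window is dropped
    return scaled[: n * TIMESTEPS].reshape(n, TIMESTEPS, N_FEATURES).astype(np.float32)

def decode(probs, class_names, min_conf=0.6, top_k=3):
    """Map softmax rows to labels; flag low-confidence rows for analyst review."""
    probs = np.asarray(probs, dtype=np.float64)
    if len(class_names) != N_CLASSES:
        raise ValueError(f"need {N_CLASSES} class names in training order")
    if probs.ndim != 2 or probs.shape[1] != N_CLASSES:
        raise ValueError(f"expected (batch, {N_CLASSES}), got {probs.shape}")
    if not np.allclose(probs.sum(axis=1), 1.0, atol=1e-3):
        raise ValueError("rows do not sum to 1; not a softmax output")
    results = []
    for row in probs:
        order = np.argsort(row)[::-1][:top_k]  # indices of the top_k classes
        results.append({
            "label": class_names[order[0]],
            "confidence": float(row[order[0]]),
            "top_k": [(class_names[i], float(row[i])) for i in order],
            "needs_review": bool(row[order[0]] < min_conf),  # min_conf is an assumed cutoff
        })
    return results

if __name__ == "__main__":
    rng = np.random.default_rng(0)
    flows = rng.uniform(0, 500, size=(23, N_FEATURES))     # constructed sample rows
    x = make_windows(flows, np.zeros(N_FEATURES), np.full(N_FEATURES, 500.0))
    names = [f"class_{i}" for i in range(N_CLASSES)]        # placeholder labels
    fake = rng.dirichlet(np.ones(N_CLASSES), size=len(x))   # stands in for model.predict(x)
    print(x.shape, decode(fake, names))
```

In real use, pass the card's `CLASS_NAMES` list to `decode` and replace the constructed probabilities with `model.predict(x)`.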

## Training Information

- Optimizer: Adam
- Loss: Categorical Cross-Entropy
- 25-class balanced dataset

```bibtex
@mastersthesis{ababio2025multilayered,
  title={A Multi-Layered Hybrid Deep Learning Framework for Cyber-Physical Intrusion Detection in Climate-Monitoring IoT Systems},
  author={Awuni David Ababio},
  year={2025},
  school={Kwame Nkrumah University of Science and Technology}
}
```