---
license: apache-2.0
language: en
library_name: keras
tags:
- intrusion-detection
- network-forensics
- iot-security
- cnn
- lstm
- multiclass-classification
- cybersecurity
datasets:
- CICIoT2023
---

# Multiclass Network Forensic Intrusion Detection System

A hybrid **CNN-LSTM** model for fine-grained, multiclass intrusion detection. It serves as a detailed forensic tool to classify network attacks into 25 distinct categories.

## Model Description

This model acts as a "second-stage" analysis tool. After an initial threat is detected (e.g., by a binary IDS), it identifies the specific nature of the attack.

- **Architecture:** `Conv1D -> ... -> LSTM -> Dense -> Dense (Softmax)`
- **Dataset:** CICIoT2023 curated subset
- **Performance:** 97% accuracy on the 25-class classification task

## Intended Use

- **Primary Use:** Identify the type of network attack for forensic analysis.
- **Input:** `(batch_size, 10, 46)`, i.e. 10 timesteps of 46 normalized network features
- **Output:** Softmax probabilities over 25 classes; the highest probability indicates the predicted class

## How to Use

```python
import tensorflow as tf
import numpy as np
from huggingface_hub import hf_hub_download

# Download the model
MODEL_PATH = hf_hub_download("Codelord01/multiclass_model", "multiclass_model.keras")
model = tf.keras.models.load_model(MODEL_PATH)
model.summary()

# Define class names in the order used during training
CLASS_NAMES = [
    'BenignTraffic', 'DDoS-ACK_Fragmentation', 'DDoS-HTTP_Flood', 'DDoS-ICMP_Flood',
    'DDoS-ICMP_Fragmentation', 'DDoS-PSHACK_Flood', 'DDoS-RSTFINFlood', 'DDoS-SYN_Flood',
    'DDoS-SlowLoris', 'DDoS-SynonymousIP_Flood', 'DDoS-TCP_Flood', 'DDoS-UDP_Flood',
    'DDoS-UDP_Fragmentation', 'DNS_Spoofing', 'DoS-HTTP_Flood', 'DoS-SYN_Flood',
    'DoS-TCP_Flood', 'DoS-UDP_Flood', 'MITM-ArpSpoofing', 'Mirai-greeth_flood',
    'Mirai-greip_flood', 'Mirai-udpplain', 'OtherAttack', 'Recon-HostDiscovery',
    'VulnerabilityScan'
]

# Sample input: 1 sample, 10 timesteps, 46 features
sample_data = np.random.rand(1, 10, 46).astype(np.float32)

# Make a prediction; the output has shape (1, 25), so take row 0 of the batch
prediction_probs = model.predict(sample_data)
predicted_index = int(np.argmax(prediction_probs[0]))
predicted_class = CLASS_NAMES[predicted_index]
confidence = prediction_probs[0][predicted_index]

print(f"Predicted Attack Type: {predicted_class}")
print(f"Confidence: {confidence:.4f}")
```

## Limitations

- Validated only on CICIoT2023-like traffic
- Input must be normalized
- `CLASS_NAMES` must match the training order

## Training Information

- Optimizer: Adam
- Loss: Categorical Cross-Entropy
- 25-class balanced dataset

## Citation

```bibtex
@mastersthesis{ababio2025multilayered,
  title={A Multi-Layered Hybrid Deep Learning Framework for Cyber-Physical Intrusion Detection in Climate-Monitoring IoT Systems},
  author={Awuni David Ababio},
  year={2025},
  school={Kwame Nkrumah University of Science and Technology}
}
```
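
The input shape and the Limitations above (normalized input, class list in training order) translate into pre- and post-processing around `model.predict()`. The following is an added example, not the model author's code: it assumes min-max scaling with training-set statistics (the card does not say which scaler was used), and `make_windows`, `decode`, `min_conf` and `top_k` are hypothetical names. The length check in `decode` catches a truncated class list but cannot detect a reordered one.

```python
import numpy as np

TIMESTEPS, N_FEATURES, N_CLASSES = 10, 46, 25  # shapes stated on this card

def make_windows(records, feat_min, feat_max, stride=1):
    """Scale (n, 46) records with training-set min/max (assumed scaler) and
    slice them into overlapping (10, 46) windows for model.predict()."""
    records = np.asarray(records, dtype=np.float32)
    if records.ndim != 2 or records.shape[1] != N_FEATURES:
        raise ValueError(f"expected (n, {N_FEATURES}) records, got {records.shape}")
    if len(records) < TIMESTEPS:
        raise ValueError(f"need at least {TIMESTEPS} records for one window")
    span = np.where(feat_max > feat_min, feat_max - feat_min, 1.0)  # constant columns
    scaled = np.clip((records - feat_min) / span, 0.0, 1.0)  # clamp unseen extremes
    starts = range(0, len(scaled) - TIMESTEPS + 1, stride)
    return np.stack([scaled[s:s + TIMESTEPS] for s in starts]).astype(np.float32)

def decode(probs, class_names, min_conf=0.5, top_k=3):
    """Map each softmax row to (label, top-k list); rows whose best score is
    below min_conf are reported as 'Uncertain' instead of a forced class."""
    probs = np.asarray(probs)
    if probs.ndim != 2 or probs.shape[1] != len(class_names):
        raise ValueError("class list length does not match model output width")
    results = []
    for row in probs:
        order = np.argsort(row)[::-1][:top_k]
        best = int(order[0])
        label = class_names[best] if row[best] >= min_conf else "Uncertain"
        results.append((label, [(class_names[int(i)], float(row[i])) for i in order]))
    return results

if __name__ == "__main__":
    rng = np.random.default_rng(0)
    raw = rng.uniform(0, 1500, size=(14, N_FEATURES))  # constructed records
    windows = make_windows(raw, raw.min(axis=0), raw.max(axis=0))
    names = [f"class_{i}" for i in range(N_CLASSES)]  # stand-in for CLASS_NAMES
    # Constructed scores standing in for model.predict(windows)
    fake = rng.dirichlet(np.ones(N_CLASSES), size=len(windows))
    print(windows.shape)
    for label, top in decode(fake, names):
        print(label, top)
```

In real use, `feat_min` and `feat_max` come from the scaler fitted on the training data, and `decode` receives the card's `CLASS_NAMES` list and the array returned by `model.predict(windows)`.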