cycloevan commited on
Commit
8f467eb
Β·
verified Β·
1 Parent(s): a9f91c3

Upload 12 files

Browse files
README.md ADDED
@@ -0,0 +1,195 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ ---
2
+ language:
3
+ - en
4
+ tags:
5
+ - text-classification
6
+ - cybersecurity
7
+ - http-attack-detection
8
+ - intrusion-detection
9
+ - web-security
10
+ - tfidf
11
+ - xgboost
12
+ - lightgbm
13
+ - sklearn
14
+ - keras
15
+ license: mit
16
+ metrics:
17
+ - accuracy
18
+ - f1
19
+ ---
20
+
21
+ # HTTP Attack Classification Models
22
+
23
+ A collection of machine learning models for detecting and classifying HTTP-based cyber attacks from raw request logs.
24
+ Each model takes a raw HTTP request string as input and classifies it into one of 9 attack categories.
25
+
26
+ ---
27
+
28
+ ## Task
29
+
30
+ - **Task**: Multi-class Text Classification
31
+ - **Domain**: Network Security / Intrusion Detection
32
+ - **Input**: Raw HTTP request string (method, path, headers, body)
33
+ - **Output**: One of 9 attack type labels
34
+
35
+ ---
36
+
37
+ ## Attack Types
38
+
39
+ | Class | Description | Common Indicators |
40
+ |-------|-------------|-------------------|
41
+ | `Vulnerability_Scan` | Automated scanning for known vulnerabilities | sqlmap, nikto, nmap user-agents; repeated probing patterns |
42
+ | `System_Cmd_Execution` | OS command injection attempts | `\|`, `;`, `&&`, `wget`, `curl`, `/bin/sh`, `boot.ini` |
43
+ | `HOST_Scan` | Network host discovery and port scanning | Minimal headers, bare `GET /`, nmap scripting engine |
44
+ | `Path_Disclosure` | Directory traversal and file path exposure | `../`, `..%2F`, `/etc/passwd`, `/etc/shadow`, `/proc/` |
45
+ | `SQL_Injection` | SQL injection in query parameters | `UNION SELECT`, `OR 1=1`, `--`, `'`, boolean-based blind patterns |
46
+ | `Cross_Site_Scripting` | XSS payload injection | `<script>`, `onerror=`, `javascript:`, `alert()`, `prompt()` |
47
+ | `Automatically_Searching_Infor` | Automated information gathering | Crawlers, `/_vti_pvt/`, `robots.txt`, `sitemap.xml` probing |
48
+ | `Leakage_Through_NW` | Sensitive file access via network | Access to config files, logs, backups (`.ico`, `.conf`, `.bak`) |
49
+ | `Directory_Indexing` | Browsing exposed directory listings | Trailing `/` on directory paths, source/workspace/src paths |
50
+
51
+ ---
52
+
53
+ ## Models
54
+
55
+ | File | Model | Feature Extraction | Test Accuracy | Notes |
56
+ |------|-------|--------------------|:-------------:|-------|
57
+ | `tdidf-svc.joblib` | TF-IDF + LinearSVC | word, default | 87.4% | Best generalization |
58
+ | `xgb_char.joblib` | TF-IDF + XGBoost | char, ngram(1,2), max_features=1024 | **88.5%** | Best local accuracy |
59
+ | `xgb_word.joblib` | TF-IDF + XGBoost | word, NLTK tokenizer | 86.7% | |
60
+ | `lgb_model.joblib` | TF-IDF + LightGBM | word, NLTK tokenizer | 86.5% | |
61
+ | `rf_nltk.joblib` | TF-IDF + RandomForest | word, NLTK, n_estimators=1000 | 84.8% | |
62
+ | `rf_gridsearch.joblib` | TF-IDF + RandomForest | word, GridSearchCV best | 83.6% | best: max_depth=None, n_estimators=150 |
63
+ | `rf_basic.joblib` | TF-IDF + RandomForest | word, default | 83.3% | |
64
+ | `catboost.joblib` | TF-IDF + CatBoost | word, NLTK tokenizer | 83.0% | |
65
+ | `multinomial_nb.joblib` | CountVectorizer + MultinomialNB | word, default | 67.5% | Baseline |
66
+ | `lstm_bidirectional.h5` | BiLSTM | Keras Tokenizer, maxlen=216 | 85.2% | Requires Keras/TF |
67
+ | `textcnn_model.h5` | TextCNN | Keras Tokenizer, maxlen=256 | 86.1% | Requires Keras/TF |
68
+
69
+ ---
70
+
71
+ ## Usage
72
+
73
+ ### Preprocessing
74
+
75
+ ```python
76
+ import urllib.parse
77
+
78
+ def preprocess(payload: str) -> str:
79
+ return urllib.parse.unquote_plus(payload)
80
+ ```
81
+
82
+ ### sklearn-based models (joblib)
83
+
84
+ Applies to: `tdidf-svc.joblib`, `xgb_char.joblib`, `xgb_word.joblib`, `lgb_model.joblib`, `rf_*.joblib`, `catboost.joblib`, `multinomial_nb.joblib`
85
+
86
+ Each file is a scikit-learn Pipeline with the vectorizer and classifier bundled together β€” raw text can be passed directly.
87
+
88
+ ```python
89
+ import joblib
90
+
91
+ model = joblib.load("xgb_char.joblib")
92
+
93
+ payloads = [
94
+ "GET /../../../../etc/passwd HTTP/1.1\r\nHost: 10.0.0.1\r\n",
95
+ "GET /search?q=' OR 1=1-- HTTP/1.1\r\nHost: example.com\r\n",
96
+ ]
97
+ predictions = model.predict(payloads)
98
+ print(predictions)
99
+ # ['Path_Disclosure', 'SQL_Injection']
100
+ ```
101
+
102
+ ### Keras-based models (.h5)
103
+
104
+ ```python
105
+ import numpy as np
106
+ from tensorflow.keras.models import load_model
107
+ from tensorflow.keras.preprocessing.sequence import pad_sequences
108
+ import joblib
109
+
110
+ model = load_model("lstm_bidirectional.h5") # or textcnn_model.h5
111
+ tokenizer = joblib.load("tokenizer.joblib") # must be saved separately during training
112
+
113
+ payloads = ["GET /../../../../etc/passwd HTTP/1.1\r\nHost: 10.0.0.1"]
114
+ sequences = tokenizer.texts_to_sequences(payloads)
115
+ padded = pad_sequences(sequences, maxlen=216) # maxlen=256 for TextCNN
116
+
117
+ pred = model.predict(padded)
118
+ label_idx = np.argmax(pred, axis=1)
119
+ print(label_idx)
120
+ ```
121
+
122
+ ---
123
+
124
+ ## Evaluation
125
+
126
+ ### Per-model summary
127
+
128
+ | Model | Accuracy | Macro F1 | Weakest Class (F1) |
129
+ |-------|:--------:|:--------:|--------------------|
130
+ | TF-IDF + XGBoost (char) | 88.5% | 0.92 | System_Cmd_Execution (0.84) |
131
+ | TF-IDF + LinearSVC | 87.4% | β€” | System_Cmd_Execution |
132
+ | TF-IDF + XGBoost (word) | 86.7% | 0.90 | System_Cmd_Execution (0.83) |
133
+ | TF-IDF + LightGBM | 86.5% | 0.91 | System_Cmd_Execution (0.83) |
134
+ | TextCNN | 86.1% | 0.89 | System_Cmd_Execution (0.79) |
135
+ | BiLSTM | 85.2% | 0.89 | System_Cmd_Execution (0.78) |
136
+
137
+ ### Per-class observations
138
+
139
+ - **Easiest classes**: `Automatically_Searching_Infor` and `Leakage_Through_NW` achieve F1 β‰₯ 0.99 across all models β€” highly distinctive tool signatures (nmap, crawlers) and file access patterns make them trivial to separate.
140
+ - **Hardest class**: `System_Cmd_Execution` consistently scores the lowest F1 (0.75–0.84) due to pattern overlap with `Vulnerability_Scan`. Both classes involve probing behavior with similar HTTP structure.
141
+ - **char-level XGBoost advantage**: Sub-word character n-grams capture attack-specific tokens like `../`, `<script>`, `UNION` more robustly than word tokenization, especially for obfuscated payloads.
142
+
143
+ ---
144
+
145
+ ## Architecture Details
146
+
147
+ ### BiLSTM
148
+
149
+ ```
150
+ Embedding(22,883 vocab, dim=100, maxlen=216)
151
+ β†’ Bidirectional(LSTM(64)) β†’ LSTM(32) β†’ Dense(512) β†’ Dense(9, softmax)
152
+ ```
153
+
154
+ - EarlyStopping(monitor=val_accuracy, patience=3) β€” triggered at epoch 20
155
+ - Saved: `lstm_bidirectional.h5` (28 MB)
156
+
157
+ ### TextCNN
158
+
159
+ ```
160
+ Embedding(20,000 vocab, dim=128, maxlen=256)
161
+ β†’ Conv1D(128, kernel=3) ─┐
162
+ β†’ Conv1D(128, kernel=4) ──→ GlobalMaxPool β†’ Concat(384) β†’ Dense(256) β†’ Dropout(0.3) β†’ Dense(9, softmax)
163
+ β†’ Conv1D(128, kernel=5) β”€β”˜
164
+ Total params: 2.86M
165
+ ```
166
+
167
+ - EarlyStopping(monitor=val_loss, patience=3) β€” triggered at epoch 5
168
+ - Saved: `textcnn_model.h5` (33 MB)
169
+
170
+ ---
171
+
172
+ ## Key Findings
173
+
174
+ - **TF-IDF outperforms deep learning** on HTTP attack data: attack patterns rely on decisive keywords (`UNION SELECT`, `../`, `<script>`, `wget`). Bag-of-words representations capture these directly, while sequential models can be distracted by irrelevant header noise.
175
+ - **char-level features beat word-level**: Character n-grams handle URL encoding variations and partial token matches more effectively (e.g., `%3Cscript%3E` vs `<script>`).
176
+ - **Class imbalance effect**: `Vulnerability_Scan` dominates at 37.5% β€” models tend to over-predict this class for ambiguous samples.
177
+
178
+ ---
179
+
180
+ ## Environment
181
+
182
+ | Item | Value |
183
+ |------|-------|
184
+ | Python | 3.12 |
185
+ | scikit-learn | 1.x |
186
+ | XGBoost | 3.2.0 |
187
+ | LightGBM | 4.6.0 |
188
+ | CatBoost | 1.2.10 |
189
+ | TensorFlow / Keras | 2.x |
190
+
191
+ ---
192
+
193
+ ## License
194
+
195
+ MIT License
catboost.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:f0f127d164756f6c9621f3ce165eaca26006ca945d782d340a7c1fb6f4077065
3
+ size 3948333
lgb_model.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:6aaebbf1eaf85d1f7c2bf98cda725c5f28acb91d159fc14c8a730d7ca10c1317
3
+ size 17148844
lstm_bidirectional.h5 ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:a601f20e63cc378f7a4b67da8e8e7da681be4788c71b175eeaf7bdbd60d8cf22
3
+ size 29036848
multinomial_nb.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:260db5462fc57f98443317a0d8bc6c0431d165d53934dcad2672538d8f7293d2
3
+ size 2828655
rf_basic.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:fad53ec475bbf7393970a379a5a6dc7561f5822bf50e64462bd2fe5c2625be7c
3
+ size 152076897
rf_gridsearch.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:df3cb6212b3e6708d2bea9d89b76900eca65781e370b9f520b219da89e129b7a
3
+ size 228332049
rf_nltk.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:cf01be06c904a1a89aafe54e1e52db98cb3932c6901dc4c518db0f9f724060cd
3
+ size 1473269505
tdidf-svc.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:00bb97d77df10fcc2fdac74f4e1ecc28c4b5ce027225ba6b9f12b1fb110da0b0
3
+ size 46887692
textcnn_model.h5 ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:447b514d23f90a0be872d2296d180952a6966ee46d0b233098f2b1bb2c2626ed
3
+ size 34348792
xgb_char.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:8f7a3371ab9681bda9eec29759a922da686891807d1537737a102249da747bf1
3
+ size 15677296
xgb_word.joblib ADDED
@@ -0,0 +1,3 @@
 
 
 
 
1
+ version https://git-lfs.github.com/spec/v1
2
+ oid sha256:a5d48bf8342e44b5fe6c6755c14557d0028d8c9a02d79873291c8565af05b6b0
3
+ size 13866421