Deep Shield: Intrusion Detection

System

INNOVATIVE/ MULTI-DISCIPLINARY PROJECT

REPORT SUBMITTED
IN PARTIAL FULFILLMENT OF THE
REQUIREMENTS
FOR THE AWARD OF THE
DEGREE OF BACHELOR OF ENGINEERING IN

INNOVATIV ELECTRONICS AND COMMUNICATION

E PROJECT ENGINEERING

June 2024 OF THE ANNA UNIVERSITY

PROJECT
WORK
Submitted by
Sangavi S – 722821106128
Sanjay K – 722821106129
Theja S – 722821106168
Varnika S – 722821106170

BATCH
2021 – 2025
Under the Guidance of
Mr. M.Vivek Kumar,
ME.,(Ph.D).,
Department of Electronics and Communication Engineering

Sri Eshwar College of Engineering

(An Autonomous Institution – Affiliated to Anna University)

COIMBATORE – 641 202

 Sri Eshwar College of Engineering
(An Autonomous Institution – Affiliated to Anna University)
COIMBATORE – 641 202

BONAFIDE CERTIFICATE

Certified that this project report titled “DeepShield: Intrusion Detection System” done
for the bonafide work of

Sangavi S 722821106128
Sanjay K 722821106129
Theja S 722821106168
Varnika S 722821106170

who carried out the project work under my supervision

………………………………… …………………………………
SIGNATURE SIGNATURE

Dr. N. Shanmugasundaram, Mr. M.Vivek Kumar,

M.E., Ph.D., M.E., (Ph.D).,

HEAD OF THE DEPARTMENT SUPERVISOR

Professor & Head, Assistant Professor, (Sl.Gr).,
Department of ECE, Department of ECE,
Sri Eshwar College of Engineering, Sri Eshwar College of Engineering,
Coimbatore-641202. Coimbatore-641202.

Submitted for the End Semester practical examination – Project using Design
Thinking viva-voce held on _ _ _ _ _ _ _ _ _ _ _ _

……………………… ……………………..
(Internal Examiner) (External Examiner)
 TABLE OF CONTENTS

CHAPTER TITLE PAGE NO.

NO.

ABSTRACT iii
LIST OF FIGURES iv
1 INTRODUCTION 1
2 LITERATURE SURVEY 5
2.1 EXISTING PRODUCT 5
2.2 PROBLEM STATEMENT 7
3 PROPOSED SOLUTION 9
3.1 OVERVIEW 9
3.2 BLOCK DIAGRAM 10
4 HARDWAE DESCRIPTION 14

4.1 OVERVIEW 14
5 SOFTWARE DESCRIPTION 17
5.1 SOFTWARE SPECIFICATION 17
5.2 CODING STRUCTURE 19
6 RESULT & IMPLEMENTATION 28
7 CONCLUSION & FUTURE SCOPE 33

7.1 CONCLUSION 33

7.2 FUTURE SCOPE 33

REFERENCES 35
 ABSTRACT

Security vulnerabilities within Internet of Things (IoT) networks create

openings for hackers to breach various environments, including smart homes,
factories, and healthcare systems. To address this challenge, researchers have
devised a range of intrusion detection and prevention technologies (IDPSs).
Among these approaches, Machine Learning (ML) stands out as particularly
promising. Consequently, a significant portion of ML-based intrusion detection
solutions focuses on exploring suitable ML algorithms to enhance detection
accuracy. However, inadequate detection features often lead to limitations in
accurately identifying various types of attacks. In our project, we leveraged
Bidirectional LSTM (Long Short Term Memory), a deep learning technique, to
construct and refine an intrusion detection system. By using this technique,
accuracy is gained to 98%. This approach enables more effective training of our
machine, thereby enhancing both accuracy and stability.

Furthermore, our project aligns with one specific Sustainable Development

Goals (SDGs): SDG 16 (Peace, Justice and Strong Institutions). Additionally,
our project is currently at Technology Readiness Level (TRL) 5, demonstrating
feasibility in a relevant environment while requiring further development and
validation.

iii
 LIST OF FIGURES
FIGURE No. TITLE PAGE No.
Figure 1 Bidirectional LSTM
Architecture 10
Figure 2 Histogram of Output
28
Figure 3 Plot for Loss
29
Figure 4 Plot for Accuracy
30
Figure 5 User Interface
31
Figure 6 Result of Classified Output
32

iv
iv
 CHAPTER 1
INTRODUCTION
A significant volume of sensitive user data is susceptible to a diverse array of
internal and external security breaches. With technological advancements,
cyber-attacks have evolved alongside increasingly sophisticated algorithms. The
primary targets of such attacks are systems that either process or store critical
data, as well as services reliant on these systems. Consequently, there arises a
necessity for a cutting-edge Intrusion Detection System (IDS) capable of
identifying malicious cyber-attacks posing security risks. IDS functions as an
intrusion detection tool, automatically identifying and categorizing attacks,
security policy violations, and intrusions across both network and host level
infrastructures.

The evolving landscape of cyber threats underscores the need for substantial
refinement and adaptation, often involving the integration of Machine Learning
(ML) to enhance IDS performance. ML, a subset of Artificial Intelligence (AI),
enables computers to learn without explicit programming. ML systems make
predictions by learning from existing data, aiming to develop efficient
algorithms that process input data and generate predictions through statistical
analysis. ML algorithms typically fall into two primary categories: Supervised
Learning and Unsupervised Learning.

Supervised Learning necessitates a well-labelled training dataset comprising

both normal and attack instances. This learning paradigm involves providing
input and desired output data to the learning model, facilitating future
predictions. In binary classification scenarios, having an adequate number of
true and false labels becomes crucial, particularly when each data sample
includes numerous features utilized for model training. The efficacy of an ML
model can significantly hinge upon the quality of the training dataset.
Imbalanced datasets may result in biased classifications or predictions.

1
Modern IDS systems must harness the capabilities of AI through ML to achieve
optimal performance in accurately predicting and classifying various types of
attacks. The effectiveness of these ML models is closely tied to the datasets
used for training. Overlooking or concealing biases within the data or
algorithms can lead to biased predictions, thereby undermining the performance
of AI applications.

In recent years, the global proliferation of the Internet of Things (IoT) has
witnessed exponential growth. Projections suggest that the number of
interconnected IoT devices could soar to 125 billion by 2030. The integration of
IoT devices with diverse technologies, services, and protocols has significantly
complicated IoT network management. Consequently, the internet is left
susceptible to severe cyber-attacks and threats, posing risks to consumers
utilizing such devices. Common attacks on IoT systems include Distributed
Denial of Service (DDoS), Denial of Service (DoS), ransomware, and botnet
attacks.

This project's primary goal is to identify intrusions, particularly Distributed

Denial of Service (DDOS) attacks, which can compromise Internet of Things
(IoT) systems and compromise business, healthcare, education, and other
domains.

We employed a sizable multi-labelled dataset for this, which includes dependent

variables like the kind of DDOS attack and independent variables like the
attack's specifications. The features and attack types in this dataset are both
abundant. Analysing the contributions to the dataset imbalance is the aim of this
study.

1.1 Botnets and Cyber Attacks

A botnet is a network of computers infected with malware and controlled

remotely by a cyber attacker. These compromised machines, known as bots, can

2
be used to carry out various malicious activities, such as distributed denial-of-
service (DDoS) attacks, spam campaigns, and data theft.

Cyber attackers deploy botnets to amplify the scale and impact of their attacks,
harnessing the collective computing power of the infected devices to overwhelm
target systems or networks. Botnets enable attackers to execute coordinated and
widespread assaults, often exploiting vulnerabilities in software or systems to
infiltrate and co-opt new devices into the network.

Through botnets, cyber attackers can orchestrate sophisticated and persistent

threats, posing significant challenges to cybersecurity professionals in
defending against and mitigating these attacks. The Cyber attacks implemented
in this scenario as in the dataset are : Neptune, Smurf, Portsweep, Teardrop,
Satan.

Neptune:

A Neptune DoS attack floods a target system with excessive traffic to render it
inaccessible. Orchestrated by a malicious actor, it exploits vulnerabilities in
network infrastructure, often leveraging a botnet. Its aim is to disrupt services,
causing downtime and potential financial or reputational damage. Defence
entails robust security measures like traffic filtering and intrusion detection to
mitigate its impact effectively.

Smurf:

A Smurf DoS (Denial of Service) attack involves an attacker sending a large

number of ICMP (Internet Control Message Protocol) echo request packets to
the broadcast address of a network, spoofing the source IP address to that of the
victim. This causes all devices on the network to reply to the victim's IP
address, overwhelming it with traffic and rendering it unreachable. Smurf
attacks exploit the amplification effect of broadcast networks and can be
mitigated by disabling IP directed broadcasts at the router level and
implementing anti-spoofing measures.
3
Portsweep:

A Portsweep DoS (Denial of Service) attack involves scanning multiple ports

on a target system or network to identify vulnerabilities and exploit them to
overload or disrupt services. The attacker systematically probes various ports
using automated tools, seeking weaknesses that can be exploited to launch
subsequent attacks. Portsweep attacks can lead to service interruptions, system
crashes, or unauthorized access if successful. Mitigation strategies include
implementing robust firewall rules, network segmentation, and regularly
updating software to patch known vulnerabilities, reducing the attack surface
and strengthening overall security posture.

Teardrop:

A Teardrop DoS (Denial of Service) attack involves sending fragmented

packets to a target system with overlapping offsets, causing it to crash or
become unresponsive. By exploiting flaws in the reassembly process of TCP/IP
packet fragments, the attacker disrupts the target's ability to correctly
reassemble the packets, leading to system instability or failure. Teardrop attacks
exploit vulnerabilities in the TCP/IP stack and can result in service downtime or
data loss. Defences against Teardrop attacks include implementing packet
filtering at network boundaries.

Satan:

The term "Satan" is often associated with a network vulnerability scanner

developed by Dan Farmer and Wietse Venema in the early 1990s, rather than a
specific type of DoS (Denial of Service) attack. However, in some contexts,
"Satan" might be used colloquially to refer to any malicious activity associated
with exploiting vulnerabilities discovered by network scanning tools like the
original Satan scanner. Defending against such attacks requires robust security
measures, including regular vulnerability assessments, patch management, and
network monitoring to detect and mitigate potential threats effectively.

4
 CHAPTER 2
LITERATURE SURVEY
2.1 Existing Project

A robust literature survey named "Machine Learning Model for Denial of

Service Network Intrusion Detection" forms the bedrock of the "DeepShield:
Intrusion Detection System" project, 2providing valuable insights into efficient
algorithms such as ANN-MLP,SVM,KNN that have moderate accuracy of 89%.
This comprehensive survey encompasses various domains, including neural
networks such as multi-layer perceptron, J48 and DDOS attacks such as
teardrop, satan, smurf, portsweep, neptune. By delving deep into these domains,
this project gains a solid foundation for the design and implementation of a "Bi-
directional LSTM (Long short term memory) based intrusion detection model
that detects the multiclass DDOS attacks.

NSL-KDD Dataset:

This report discusses the utilization of the NSL-KDD dataset for training and
evaluating DOS network intrusion detection systems. Unlike its predecessor, the
KDD dataset, NSL-KDD addresses several issues, ensuring a more balanced
and reliable classifier training and testing environment. Notably, NSL-KDD
eliminates redundant records in the training set and removes duplicates from the
test set, preventing classifier bias. Additionally, the dataset's composition
adjusts the number of records from each difficulty level group, enhancing
representativeness. The training set comprises 21 different attacks categorized
into DOS, U2R, R2L, and Probe types, out of the 37 attacks present in the test
set. It provides an overview of the major attacks within each category. Overall,
the NSL-KDD dataset offers a refined framework for robust network intrusion
detection research and development.

5
NSL-KDD Dataset sampling:

This section discusses the selection process for training and validating a Denial
of Service (DOS) Intrusion Detection System (IDS) model using the NSL-KDD
dataset. Out of the available subsets, including the complete dataset and subsets
representing 20% and 10% of the complete dataset, the authors opted for using
20% of the complete NSL-KDD dataset for training purposes. For validation,
they utilized the entire NSL-KDD testing dataset. The distribution of samples
for both the training and testing sets is detailed in Table 3, providing insights
into how the data was allocated for the study's purposes. This approach ensures
a representative yet manageable dataset for training and evaluating the
performance of the DOS IDS model.

Data pre-processing and normalization:

This section outlines the crucial steps of data pre-processing and normalization
for training classifiers. It emphasizes the conversion of symbolic (textual)
features into numeric representations, using the NSL-KDD dataset as an
example, where features like network protocols and service types are coded into
numerical values. Following this, min-max normalization is employed to
normalize the resultant feature vectors, ensuring that all features fall within the
range [0,1] to prevent biases during training caused by extremely large or small
values. This process is applied both to the training and test data, ensuring
consistency and reliability in model validation.

Feature Selection:

This section discusses the importance of feature selection in constructing a

robust and reliable Denial of Service (DOS) Intrusion Detection System (IDS).
It emphasizes the need to identify and select the most informative and
discriminative features from the dataset to improve detection rates while
6
reducing training and testing time. Correlation-Based Feature Selection (CFS)
technique is employed for this purpose, aiming to select features highly
correlated with the class yet uncorrelated with each other. The formula 𝑀𝑠 =
𝑘𝑟𝑓𝑐 / 𝑘 + 𝑘(𝑘 − 1)𝑟𝑓𝑓 is introduced to measure the merit of a feature subset S
containing k features, with 𝑟𝑐𝑓 representing feature-class correlation and 𝑟𝑓𝑓
representing feature-feature inter-correlation. The CFS utilizes a best-first
search strategy, starting from an empty set and expanding forward, with a
stopping criterion of five consecutive non-improving subsets.

Classification of DDOS Attacks:

This section discusses the classification of Denial of Service (DOS) attacks,

conducted on a 2.53GHz Intel Core i3 machine with 4GB of RAM using
WEKA 3.8 data mining tool. The experiment focuses on 4 sub-classes of DOS
attacks: Neptune, smurf, back, and teardrop, chosen due to their substantial
representation in the feature set with more than 100 records each. Other sub-
classes were excluded because of insufficient data for pattern learning. The
DOS Intrusion Detection System (IDS) is modeled as a one-vs-all problem,
training four models to classify each DOS attack against the rest. Evaluation is
performed using accuracy as the model evaluation metric, calculated based on
true positives (TP), true negatives (TN), false positives (FP), and false negatives
(FN). For instance, correct classification of an attack as Neptune is considered a
TP, while misclassification as another type constitutes an FP.

2.2 Problem Statement

The KNN algorithm relies on the assumption that similar instances are close to
each other in the feature space. In the context of DDoS detection, this
assumption may not hold true due to the dynamic and evolving nature of
network traffic patterns, leading to low accuracy in classification. Additionally,
KNN suffers from computational inefficiency when dealing with large-scale
datasets, which exacerbates the processing overhead and reduces detection
speed.
7
Furthermore, the lack of feature selection and dimensionality reduction
techniques in KNN can further compound the curse of dimensionality,
diminishing its ability to discriminate between normal and attack traffic
effectively. These limitations underscore the challenges faced in achieving
accurate DDoS detection using traditional KNN methods.

The accuracy problem in DDoS detection with the K-Nearest Neighbours

(KNN) algorithm stems from several key factors. KNN's reliance on the
assumption of similarity between instances may falter in the dynamic and
evolving landscape of DDoS attacks, leading to misclassifications and reduced
accuracy. Additionally, the high-dimensional feature space of network traffic
data exacerbates KNN's susceptibility to the curse of dimensionality,
diminishing its ability to discern between normal and attack traffic accurately.

Furthermore, imbalanced data distributions commonly found in DDoS detection

datasets can introduce bias and lower accuracy, particularly in detecting
instances of the minority class (i.e., DDoS attacks). These challenges highlight
the need for more adaptive and sophisticated detection techniques to address the
complexities of DDoS attack patterns effectively.

8
 CHAPTER 3
PROPOSED SOLUTION

3.1 Overview:

The bidirectional Long Short-Term Memory (LSTM) model stands out as a

powerful tool in the realm of cybersecurity, particularly for detecting
Distributed Denial of Service (DDOS) attacks. Its strength lies in its ability to
leverage the sequential nature of network traffic data effectively. Picture it as
having two LSTM layers working in tandem: one processes the input sequence
in the regular forward direction, while the other analyzes it in reverse.

This setup enables the model to assimilate information from both past and
future time steps, thereby capturing the intricate temporal dependencies and
long-range contextual cues embedded in network traffic patterns.

During the training phase, the model becomes adept at distinguishing between
normal network behaviour and the anomalous activity indicative of DDOS
attacks.

What makes this model even more robust is the incorporation of attention
mechanisms. These mechanisms act like a spotlight, allowing the model to hone
in on the most pertinent features within the input sequence.

This heightened focus enables more precise detection of attack patterns amidst
the sea of network data. Through extensive experimentation and rigorous
evaluation, the bidirectional LSTM has consistently showcased its superiority
over conventional detection methods.

Its knack for accurately identifying and mitigating DDOS attacks positions it as
a stalwart solution for bolstering network security and fortifying resilience
against the ever-evolving landscape of cyber threats.

9
3.2 Block Diagram:

Fig 1: Bidirectional LSTM architecture

The process begins with the input KDD Dataset, providing raw data for network
intrusion detection. This data undergoes preprocessing and feature selection,
involving tasks such as cleaning, normalization, and identifying relevant
features. Subsequently, a Bidirectional LSTM model is trained on the processed
data, enabling sequence analysis and prediction of network intrusions with the
test dataset.

Data Collection:

Data collection refers to the systematic process of gathering, recording, and

organizing information from various sources for analysis, interpretation, or
storage. In both research and practical applications, data collection involves
identifying relevant data sources, defining data collection methods and

10
instruments, and obtaining the required data through observation,
experimentation, surveys, interviews, or automated systems.

Begin by gathering labeled network traffic data containing instances of both

normal and DDOS attack traffic types like Neptune, Satan, Smurf, Portsweep,
Teardrop. This data can be obtained from publicly available datasets, network
logs, or simulated environments. Ensured that the dataset encompasses diverse
scenarios and captures the dynamic nature of network activity.

Data Preprocessing:

Data preprocessing is a crucial step in preparing raw data for analysis or

modeling. It involves cleaning, transforming, and organizing the data to
improve its quality and usability. Tasks typically include handling missing
values, removing duplicates, scaling features, and encoding categorical
variables. Preprocessing also involves standardizing data formats and
addressing outliers or noisy data points. The goal is to ensure that the data is
suitable for input to machine learning algorithms or statistical analysis,
enhancing the accuracy and effectiveness of subsequent data-driven tasks. The
NULL Values are removed from the KDD Dataset.

Feature selection:

Feature selection is a critical technique in machine learning and data analysis

used to identify the most relevant features from a dataset. It helps to improve
model performance, reduce overfitting, and enhance computational efficiency
by selecting a subset of features that contribute the most to predictive accuracy.
By eliminating irrelevant or redundant features, feature selection simplifies
model interpretation and reduces the risk of overfitting, especially in high-
dimensional datasets. Additionally, it speeds up the training process and reduces
computational complexity, making it particularly valuable in scenarios with
limited computational resources. Overall, feature selection plays a crucial role
in optimizing model performance and facilitating more effective data-driven

11
decision-making. It separates all the dependent labels in an partially equal
amount and feed it to the machine.

Training in Bi-directional LSTM Approach:

The Bi-directional LSTM approach in DDoS attack detection leverages the

power of recurrent neural networks (RNNs) with Long Short-Term Memory
(LSTM) units to effectively capture temporal dependencies and patterns in
network traffic data. Unlike traditional LSTM models that process data
sequentially in one direction, Bi-directional LSTMs process sequences both
forwards and backwards, enabling the model to learn from past and future
context simultaneously. This bidirectional processing allows the model to
capture nuanced temporal relationships in the data, enhancing its ability to
detect subtle deviations indicative of DDoS attacks. By integrating attention
mechanisms within the Bi-directional LSTM architecture, the model can focus
on relevant features within the input sequence, further improving detection
accuracy. Overall, the Bi-directional LSTM approach offers a powerful and
adaptive solution for DDoS attack detection, capable of effectively identifying
and mitigating threats in dynamic network environments.

Visualizing the accuracy and loss:

Visualizing the loss and accuracy of a Bi-directional LSTM model in DDoS

attack detection provides valuable insights into the training process and
performance of the model over time. By plotting the loss and accuracy metrics
across epochs, trends and patterns in model behaviour become apparent,
allowing for a deeper understanding of its strengths and limitations. Loss curves
illustrate how the model's error decreases during training, with lower values
indicating better performance, while accuracy curves depict the proportion of
correctly classified instances. Through visualizations, fluctuations, convergence,
or divergence in loss and accuracy metrics can be observed, guiding
adjustments to hyperparameters or model architecture to optimize performance.
Additionally, visualizing these metrics facilitates comparison between different
12
models or variations, aiding in the selection of the most effective approach for
DDoS attack detection.

Validating the model with test set data:

Validating the Bi-directional LSTM model with test set data is a crucial step in
assessing its generalization performance and reliability in real-world scenarios.
By evaluating the model on unseen data, we can verify its ability to accurately
detect DDoS attacks and distinguish them from normal network traffic. During
validation, the model's predictions are compared against ground truth labels
from the test set, allowing for the calculation of performance metrics such as
accuracy, precision, recall, and F1-score. These metrics provide insights into the
model's ability to correctly classify instances of DDoS attacks while minimizing
false positives and false negatives. Additionally, validation helps identify
potential overfitting or underfitting issues, ensuring that the model maintains
robustness and generalizability across different datasets.

13
 CHAPTER 4

HARDWARE DESCRIPTION

Processor: 12th Gen Intel(R) Core (TM) i7-1255U 1.70 GHz

The 12th Gen Intel Core i7-1255U is a processor designed for laptops and other
mobile computing devices.

1. Generation: Belonging to the 12th generation of Intel Core processors,

it signifies the latest advancements in Intel's CPU technology.

2. Model: The "i7" designation indicates that it is a high-performance

processor within the Core series, suitable for demanding tasks such as gaming,
content creation, and productivity.

3. Variant: The "1255U" model number specifies the particular variant

of the processor. This number helps differentiate it from other models within the
same generation.

4. Clock Speed: It operates at a base clock speed of 1.70 GHz. This

represents the frequency at which the processor's cores run under typical
conditions.

5. Cores and Threads: While the exact specifications may vary, typical
Intel Core i7 processors feature multiple cores and support hyper-threading,
allowing for efficient multitasking and parallel processing.

6. Thermal Design Power (TDP): This indicates the maximum amount

of heat generated by the processor that the cooling system is designed to
dissipate. Lower TDP values generally indicate greater energy efficiency.

7. Integrated Graphics: Many Intel Core processors come with

integrated graphics capabilities, eliminating the need for a separate graphics

14
card in laptops and other compact devices. However, the specifics of the
integrated graphics depend on the particular model.

Overall, the Intel Core i7-1255U offers a blend of performance and power
efficiency suitable for a wide range of computing tasks, particularly in mobile
devices where space and energy constraints are significant considerations

System Type: 64-bit operating system, x64-based processor

OS Build: 22631.3447

Graphics card: AMD Radeon R7 M265

1. Generation: The Radeon R7 M265 belongs to AMD's Radeon R7

series of mobile GPUs, which are designed for mid-range performance and
power efficiency.

2. Model: The "M265" designation specifies the particular model within

the Radeon R7 series. This helps differentiate it from other GPUs within the
same series.

3. Architecture: The Radeon R7 M265 is based on AMD's Graphics

Core Next (GCN) architecture. This architecture emphasizes efficiency and
performance per watt, making it suitable for mobile devices.

4. Performance: The R7 M265 offers modest gaming performance and is

suitable for playing older or less demanding games at lower settings. It also
provides improved graphics performance for multimedia tasks and content
creation compared to integrated graphics solutions.

5. Memory: The GPU likely comes with its dedicated video memory
(VRAM), which helps improve performance by reducing reliance on system
RAM. However, the amount of VRAM may vary depending on the specific
laptop configuration.

15
 6. Power Consumption: As a mobile GPU, the R7 M265 is designed to
balance performance with power efficiency. It typically has a lower power
consumption compared to high-end desktop graphics cards, allowing for longer
battery life in laptops.

7. Connectivity: The GPU supports modern display interfaces such as

HDMI and DisplayPort, allowing users to connect external monitors or TVs for
expanded desktops or gaming experiences.

8. Compatibility: The Radeon R7 M265 is compatible with DirectX 12

and OpenGL 4.5, enabling support for the latest graphics technologies and
APIs.

16
 CHAPTER 5

SOFTWARE DESCRIPTION

5.1 Software Specifications:

5.1.1 Python IDE:

The Python language had a humble beginning in the late 1980s when a
Dutchman Guido Von Rossum started working on a fun project, which would
be a successor to ABC language with better exception handling and capability
to interface with OS Amoeba at Centrum Wiskunde and Informatica. It first
appeared in 1991. Python 2.0 was released in the year 2000 and Python 3.0 was
released in the year 2008. The language was named Python after the famous
British television comedy show Monty Python's Flying Circus, which was one
of Guido's favourite television programmes. Here we will see why Python has
suddenly influenced our lives and the various applications that use Python and
its implementations.

5.1.2 Libraries:
Numpy:
NumPy is a Python library used for working with arrays. It also has functions
for working in domain of linear algebra, fourier transform, and matrices.
NumPy was created in 2005 by Travis Oliphant. It is an open source project and
you can use it freely. NumPy stands for Numerical Python.
Pandas:
Pandas is a Python library used for working with data sets. It has functions for
analyzing, cleaning, exploring, and manipulating data. The name "Pandas" has a
reference to both "Panel Data", and "Python Data Analysis" and was created by
Wes McKinney in 2008.
Scikit-Learn:

17
Scikit-Learn, also known as sklearn is a python library to implement machine
learning models and statistical modelling. Through scikit-learn, we can
implement various machine learning models for regression, classification,
clustering, and statistical tools for analyzing these models.
Matplotlib:
Matplotlib is a comprehensive library for creating static, animated, and
interactive visualizations in Python. Matplotlib makes easy things easy and hard
things possible. Create publication quality plots. Make interactive figures that
can zoom, pan, update. Customize visual style and layout.
Tkinter:
Tkinter is an open source, portable graphical user interface (GUI) library
designed for use in Python scripts. Tkinter relies on the Tk library, the GUI
library used by Tcl/Tk and Perl, which is in turn implemented in C. Therefore,
Tkinter can be said to be implemented using multiple layers.
TensorFlow:
TensorFlow is an open-source machine learning library developed by Google.
TensorFlow is used to build and train deep learning models as it facilitates the
creation of computational graphs and efficient execution on various hardware
platforms.
Click:
Click is a Python package for creating beautiful command line interfaces in a
composable way with as little code as necessary. It's the “Command Line
Interface Creation Kit”. It's highly configurable but comes with sensible
defaults out of the box.
Seaborn:
Seaborn is a Python data visualization library based on matplotlib. It provides a
high-level interface for drawing attractive and informative statistical graphics.
For a brief introduction to the ideas behind the library, you can read the
introductory notes or the paper.
Pickle:
18
Pickle in Python is primarily used in serializing and deserializing a Python
object structure. In other words, it's the process of converting a Python object
into a byte stream to store it in a file/database, maintain program state across
sessions, or transport data over the network.

5.2 Coding Structure

Training code:

import numpy as np

import matplotlib.pyplot as plt

from tensorflow.keras.models import *

from tensorflow.keras.layers import *

import tensorflow.keras as tf

import bilstm

from sklearn.metrics import confusion_matrix, accuracy_score

from sklearn.metrics import precision_score

from sklearn.metrics import recall_score

from sklearn.metrics import f1_score

from sklearn.metrics import cohen_kappa_score

import seaborn as sns

import pandas as pd

import pandas as pd

df = pd.read_csv('KDD.txt', sep=",",header=None)

print("")

print(df)

19
print("")

df=df.dropna(how="any")

print(df)

print("")

print(df.info())

print("")

#Data Visualization

#histogram of output

plt.figure(figsize=(10,8))

plt.title("Histogram of Output")

plt.hist(df[41],rwidth=0.9)

plt.show()

df[41]=df[41].map({"teardrop.":5,"satan.":4,"portsweep.":3,"smurf.":2,"neptune
.":1,"normal.":0})

print(df)

print(df[41].value_counts())

X = df.iloc[:,4:41].values

y = df.iloc[:, 41].values

from sklearn.model_selection import train_test_split

X_train, X_test, y_train, y_test = train_test_split(X, y, test_size = 0.30,

random_state = 121)

print("Xtrain value")

print(X_train)

20
print("ytrain value")

print(y_train)

from tensorflow.keras.utils import to_categorical

y_train = to_categorical(y_train)

ytest = to_categorical(y_test)

y_train

#improved BiLSTM Layers

model = Sequential()

net = model.add(Dense(64,input_dim=37,activation='relu'))

net = model.add(bilstm.bilstm_layer(net, 128))

net = model.add(bilstm.bilstm_layer(net, 256))

model.add(Dense(6,activation='softmax'))

model.compile(loss="categorical_crossentropy",optimizer='adam',metrics=['acc
uracy'])

history = model.fit(X_train,y_train,epochs=10)

model.save("bilstm_training.h5")

print(history.history.keys())

plt.figure(figsize=(20,10))

plt.title('Optimizer : Adam', fontsize=10)

plt.ylabel('Loss', fontsize=16)

plt.plot(history.history['loss'], label='Training Loss')

plt.legend(loc='upper right')

plt.show()

21
plt.figure(figsize=(20,10))

plt.title('Optimizer : Adam', fontsize=10)

plt.ylabel('Accuracy', fontsize=16)

plt.plot(history.history['accuracy'], label='Training Accuracy')

plt.legend(loc='upper right')

plt.show()

Testing Code:
import numpy as np
import pandas as pd
import pickle
import click
from tensorflow.keras.models import *
#RSA
from tkinter import *
from tkinter import ttk
from tkinter import Menu
from tkinter import messagebox as mbox
# import filedialog module
from tkinter import filedialog
flg=0;
import tkinter as tk
model = load_model('bilstm_training.h5')
# Function for opening the
# file explorer window
def browseFiles():
filename = filedialog.askopenfilename(initialdir = "/",
title = "Select a CSV File",
22
 filetypes = (("text files",
"*.txt*"),
("all files", "*.*")))
# Change label contents
label_file_explorer.configure(text="File Opened: "+filename)
global f
f = filename
def start():
print("Process Started")
dataset = pd.read_csv(
f, sep=",",header=None)
#dataset=dataset.dropna(how="any")
print(dataset)
print(dataset.info())
X = dataset.iloc[:,4:41].values
# load the model from disk
ypred = model.predict(X)
import numpy as np
y_pred=np.argmax(ypred,axis=1)
print(y_pred)
app = tk.Tk()
if(y_pred[0]==0):
print("Normal")
label_file_explorer.configure(text="Result for the request: The Input
Request is Normal")
app.title("Attack Detection")
ttk.Label(app, text="Result for the request: The Input Request is
Normal").grid(column=0,row=0,padx=20,pady=30)
menuBar = Menu(app)

23
 app.config(menu=menuBar)
elif(y_pred[0]==1):
print("neptune")
label_file_explorer.configure(text="Result for the request: The Input
Request is neptune")
app.title("Attack Detection")
ttk.Label(app, text="Result for the request: The Input Request is a
neptune").grid(column=0,row=0,padx=20,pady=30)
menuBar = Menu(app)
app.config(menu=menuBar)
elif(y_pred[0]==2):
print("smurf")
label_file_explorer.configure(text="Result for the request: The Input
Request is smurf")
app.title("Attack Detection")
ttk.Label(app, text="Result for the request: The Input Request is a
smurf").grid(column=0,row=0,padx=20,pady=30)
menuBar = Menu(app)
app.config(menu=menuBar)
elif(y_pred[0]==3):
print("portsweep")
label_file_explorer.configure(text="Result for the request: The Input
Request is portsweep")
app.title("Attack Detection")
ttk.Label(app, text="Result for the request: The Input Request is a
portsweep").grid(column=0,row=0,padx=20,pady=30)
menuBar = Menu(app)
app.config(menu=menuBar)
elif(y_pred[0]==4):
print("satan")

24
 label_file_explorer.configure(text="Result for the request: The Input
Request is satan")
app.title("Attack Detection")
ttk.Label(app, text="Result for the request: The Input Request is a
satan").grid(column=0,row=0,padx=20,pady=30)
menuBar = Menu(app)
app.config(menu=menuBar)
elif(y_pred[0]==5):
print("teardrop")
label_file_explorer.configure(text="Result for the request: The Input
Request is teardrop")
app.title("Attack Detection")
ttk.Label(app, text="Result for the request: The Input Request is a
teardrop").grid(column=0,row=0,padx=20,pady=30)
menuBar = Menu(app)
app.config(menu=menuBar)
if __name__ == '__main__':
window = Tk()
# Set window title
window.title('Application')
# Set window size
window.geometry("700x400")
#Set window background color
window.config(background = "white")
import tkinter
from tkinter import *
from PIL import Image, ImageTk
# Create a photoimage object of the image in the path
image1 = Image.open("bg.jpg")
test = ImageTk.PhotoImage(image1)
25
 label1 = tkinter.Label(image=test)
label1.image = test
# Position image
label1.place(x=0, y=0)
def on_enter(e):
button_explore.config(background='OrangeRed3', foreground= "white")
def on_leave(e):
button_explore.config(background= 'SystemButtonFace', foreground=
'black')
def on_enter1(e):
button_start.config(background='OrangeRed3', foreground= "white")
def on_leave1(e):
button_start.config(background= 'SystemButtonFace', foreground= 'black')
def on_enter2(e):
button_exit.config(background='OrangeRed3', foreground= "white")
def on_leave2(e):
button_exit.config(background= 'SystemButtonFace', foreground= 'black')
# Create a File Explorer label
label_file_explorer = Label(window,
text = "Please give Input Request",
width = 100, height = 4,
fg = "blue")
button_explore = Button(window,
text = "Browse Request Files",
command = browseFiles, height = 5)
button_exit = Button(window,
text = "exit",
command = exit, height = 5, width=10)
button_start = Button(window,
26
 text = "Start Analyzing Request",
command = start, height = 5)
# Grid method is chosen for placing
# the widgets at respective positions
# in a table like structure by
# specifying rows and columns
label_file_explorer.grid(column = 1, row = 1, padx=1, pady=5)
button_explore.grid(column = 1, row = 2, padx=5, pady=5)
button_exit.grid(column = 1,row = 3, padx=5, pady=5)
button_start.grid(column = 1,row = 4, padx=5, pady=5)
# Let the window wait for any events
window.mainloop()

27
 CHAPTER 6
RESULT AND IMPLEMENTATION

Bidirectional Long Short-Term Memory (Bi-LSTM) networks have

demonstrated remarkable efficiency in various tasks, particularly in those
involving sequential data analysis. One key advantage lies in their ability to
capture both past and future context simultaneously. By processing input
sequences in both forward and backward directions, Bi-LSTM models can
effectively capture long-range dependencies and context, enabling more
accurate predictions. This bidirectional approach allows the network to learn
from the entirety of the input sequence, enhancing its ability to understand
complex patterns and relationships within the data. By using Bidirectional
LSTM, the model is being trained in an effective manner with 41 independent
data points and a dependent data point. The histogram output shows the
frequency of the dependent labels such as smurf, neptune, teardrop, portsweep
and satan.

Fig 2: Histogram of Output

28
This graph below is depicting the loss in a Bidirectional Long Short-Term
Memory (Bi-LSTM) network typically illustrates the performance of the model
during training. Loss, in this context, refers to the discrepancy between the
predicted output and the actual target values. At the beginning of training, the
loss is typically high as the model's predictions are far from the actual values.
As training progresses, the loss gradually decreases as the model learns to make
more accurate predictions. The shape of the loss curve can provide insights into
the training process. A steep decline in loss indicates rapid learning early in
training, while a gradual decrease suggests more fine-tuning as the model
converges towards optimal performance. However, if the loss curve exhibits
fluctuations or plateaus, it may indicate challenges such as overfitting or
underfitting, which require adjustments to the model architecture or training
procedure. Overall, monitoring the loss curve throughout training is essential for
assessing the performance and convergence of the Bi-LSTM model, guiding
adjustments to improve its accuracy and efficiency.

Fig 3: Plot for Loss

29
The graph below depicting accuracy in a bidirectional LSTM (Bi-LSTM) model
typically showcases the performance of the model over iterations or epochs
during the training process. As training progresses, the accuracy of the model on
the training data is evaluated and plotted against the number of iterations or
epochs.This phase is characterized by significant improvement as the model
adjusts its parameters to better fit the training data. However, as training
continues, the rate of improvement typically slows down, and the accuracy
curve may start to plateau. The validation accuracy helps assess the
generalization ability of the model and detect overfitting. Overall, the accuracy
graph provides valuable insights into the learning progress and performance of
the Bi-LSTM model, guiding decisions on model architecture, hyperparameters,
and training strategies to achieve the desired level of accuracy and
generalization.

Fig 4: Plot for Accuracy

The user interface features two prominent buttons, each serving distinct
functions to facilitate seamless interaction with the system. The "Submit
Request Files" button allows users to upload or input files, initiating the process
of submitting data or requests to the system for analysis. This button serves as
the entry point for users to provide input data, such as documents, images, or

30
other relevant files, depending on the system's purpose. On the other hand, the
"Start Analyzing Report" button triggers the commencement of the analysis
process once the necessary files or requests have been submitted.

Fig 5: User Interface

The picture displays the categorized types of detected DDoS attacks, providing
a comprehensive overview of the various attack types identified by the detection
system. Each category, such as Smurf, Satan, Neptune, Teardrop, and
Portsweep, represents distinct attack patterns and methodologies commonly
employed by malicious actors to disrupt network services and infrastructure.

31
 Fig 6: Result of Classified Output

By visually presenting the detected DDoS types, the picture enables users to
quickly understand the nature and characteristics of the attacks detected by the
system. Additionally, the categorization of DDoS types facilitates informed
decision-making and targeted mitigation strategies, allowing network
administrators and security analysts to prioritize response efforts based on the
specific threat vectors identified. Overall, the picture serves as a valuable
reference tool for interpreting and responding to detected DDoS attacks
effectively.

32
 CHAPTER 7
CONCLUSION AND FUTURE SCOPE
7.1 CONCLUSION
In conclusion, our study demonstrates that utilizing Bi-directional LSTM for
DDoS attack detection outperforms the traditional K-Nearest Neighbors (KNN)
approach in terms of accuracy. Through comprehensive experimentation and
evaluation, we have observed that the Bi-directional LSTM model exhibits
superior performance in accurately identifying and mitigating DDoS attacks. By
leveraging the temporal dependencies inherent in network traffic data, Bi-
directional LSTM effectively captures nuanced patterns and temporal
relationships, enhancing its ability to detect subtle deviations indicative of
attacks. In contrast, the KNN approach, while straightforward, may struggle to
adapt to the dynamic and evolving nature of DDoS attack patterns, leading to
lower accuracy in classification. Our findings underscore the effectiveness of
deep learning techniques, specifically Bi-directional LSTM, in enhancing the
accuracy and reliability of DDoS attack detection systems, paving the way for
more robust and resilient network security solutions.

7.2 FUTURE SCOPE

Real-time Detection and Response: Develop real-time DDoS attack detection

and response mechanisms leveraging Bi-directional LSTM models. Integrate
the model with network intrusion detection systems (NIDS) or firewalls to
enable proactive identification and mitigation of DDoS attacks, minimizing
downtime and service disruptions.

Anomaly Detection and Zero-day Attacks: Extend the scope of the project to
encompass anomaly detection techniques for detecting zero-day DDoS attacks
or previously unseen attack patterns.

In this project, we conclude that the Bidirectional LSTMs perform better in

accuracy and performance than the traditional machine learning algorithms such
as KNN (K-Nearest Neighbors) and SVM (Support Vector Machine)
33
 REFERENCES

[1] S. Sharma and R. K. Gupta, “Intrusion detection system: A review,” Int. J.

Secure. its Appl., 2015.

[2] C. F. Tsai, Y. F. Hsu, C. Y. Lin, and W. Y. Lin, “Intrusion detection by

machine learning: A review,” Expert Systems with Applications. 2009.

[3] E. Darra and S. K. Katsikas, “A survey of intrusion detection systems in

wireless sensor networks,” in Intrusion Detection and Prevention for Mobile
Ecosystems, 2017.

[4] C. Modi, D. Patel, B. Boris Aniya, H. Patel, A. Patel, and M. Rajarajan, “A

survey of intrusion detection techniques in Cloud,” Journal of Network and
Computer Applications. 2013.

[5] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Network Anomaly

Detection: Methods, Systems and Tools,” IEEE Common. Surv. {&} Tutorials,
Vol. PP, pp. 1–34, 2013.

[6] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Network Anomaly

Detection: Methods, Systems and Tools,” IEEE Common. Surv. Tutorials,
2014.

[7] C. Day, “Intrusion prevention and detection systems,” in Managing

Information Security: Second Edition, 2013.

[8] M. Teng, “Anomaly detection on time series,” in Proceedings of the 2010

IEEE International Conference on Progress in Informatics and Computing, PIC
2010, 2010.

[9] A.Dey and A. S. Learning, “Machine Learning Algorithms: A Review,” Int.

J. Computer. Sci. Inf. Technol., 2016.

[10] W. Lee and S. J. Stolfo, “A framework for constructing features and

models for intrusion detection systems,” ACM Trans. Inf. Syst. Secure., 2000.

34
[11] J. Jabez and B. Muthukumar, “Intrusion detection system (ids): Anomaly
detection using outlier detection approach,” in Procedia Computer Science,
2015. [12] D. E. Denning, “An intrusion-detection model,” in Proceedings -
IEEE Symposium on Security and Privacy, 2012.

[13] W. Lee and S. J. Stolfo, “A framework for constructing features and

models for intrusion detection systems,” ACM Trans. Inf. Syst. Secure., 2000.

[14] G. P. Rout and S. N. Mohanty, “A hybrid approach for network intrusion

detection,” in Proceedings - 2015 5th International Conference on
Communication Systems and Network Technologies, CSNT 2015, 2015.

[15] M. Ahmed, A. Naser Mahmood, and J. Hu, “A survey of network anomaly

detection techniques,” Journal of Network and Computer Applications. 2016.

[16] M. Teng, “Anomaly detection on time series,” in Proceedings of the 2010

IEEE International Conference on Progress in Informatics and Computing, PIC
2010, 2010.

[17] G. G. Liu, “Intrusion Detection Systems,” Appl. Mech. Mater., 2014.

[18] E. Hodo et al., “Threat analysis of IoT networks using artificial neural
network intrusion detection system,” in 2016 International Symposium on
Networks, Computers and Communications, ISNCC 2016, 2016.

[19] M. Govindarajan and R. Chandrasekaran, “Intrusion detection using neural

based hybrid classification methods,” Computer. Networks, 2011.

35