{"id":27306310,"url":"https://github.com/lueasf/attacksdetector","last_synced_at":"2026-04-15T18:01:49.116Z","repository":{"id":287418869,"uuid":"963487204","full_name":"lueasf/AttacksDetector","owner":"lueasf","description":"ML-based IDS capable of distinguishing between normal connections \u0026 attacks, deployed on GCP and tested on an SDN topology.","archived":false,"fork":false,"pushed_at":"2025-05-11T16:05:21.000Z","size":6444,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-20T14:37:31.482Z","etag":null,"topics":["cybersecurity","ddos-attacks","docker","ml","network-analysis","side-project","topology"],"latest_commit_sha":null,"homepage":"https://attakx-service-507224908244.europe-west9.run.app/","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lueasf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-09T18:54:23.000Z","updated_at":"2025-05-26T11:32:22.000Z","dependencies_parsed_at":"2025-07-20T14:39:52.198Z","dependency_job_id":null,"html_url":"https://github.com/lueasf/AttacksDetector","commit_stats":null,"previous_names":["lueasf/attacksdetector"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/lueasf/AttacksDetector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lueasf%2FAttacksDetector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lueasf%2FAttacksDetector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/lueasf%2FAttacksDetector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lueasf%2FAttacksDetector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lueasf","download_url":"https://codeload.github.com/lueasf/AttacksDetector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lueasf%2FAttacksDetector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31853279,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"ssl_error","status_checked_at":"2026-04-15T15:24:39.138Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","ddos-attacks","docker","ml","network-analysis","side-project","topology"],"created_at":"2025-04-12T03:59:24.877Z","updated_at":"2026-04-15T18:01:49.082Z","avatar_url":"https://github.com/lueasf.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ML-based Intrusion Detector\n\nMain goal: To build an ML-based intrusion detector (classifier) capable of\ndistinguishing between normal connections and intrusions (attacks).\n\nObjectives:\n* Retrieve training data from InfluxDB and build structured data frames.\n* Train intrusion detector following main ML steps:\n    - Data inspection and 
visualization\n    - Feature selection\n    - Model training (DT, SVM, ANN)\n    - Model evaluation and selection\n* Export trained model.\n* Deploy trained model in GCP with Docker and an API using Flask and FastAPI.\n* Test the model in an SDN topology with Mininet and Ryu controller.\n\n\n## Attacks\nThe attacks in the database are DDoS, R2L, U2R and probing.\n\n**DDoS** (Distributed Denial of Service) is when a large number of requests are sent to a server in a short time.\n\n**R2L** (Remote to Local) is when an attacker tries to gain access to a remote system by exploiting vulnerabilities in the system (Ex: guessing passwords).\n\n**U2R** (User to Root) is when an attacker tries to gain root access to a system by exploiting vulnerabilities in the system (Ex: Buffer Overflow).\n\n**Probing** is when an attacker tries to gain information about a system by sending requests to the system (Ex: Port scanning).\n\n\n## Dataset\nThe dataset is from the KDD Cup 1999, which is a benchmark dataset for network intrusion detection systems. It was created by the MIT Lincoln Laboratory, and contains a wide variety of intrusions simulated in a military network environment. 
\n\n\n## Tools\n- _Jupyter Notebook_\n- _Python Libs_: Pandas, Sklearn, Keras, Tensorflow, ...\n- _InfluxDB_ is used here to simulate a scenario where the data is stored in this database.\n- _Telegraf_ is used here to collect the data from the database and send it to the ML-based intrusion detector.\n- _Docker_ is used to create a container for the ML-based intrusion detector.\n- _GCP_ is used to deploy the ML-based intrusion detector in the cloud.\n\n\n## Installation\n```bash\npython3 -m venv venv\nsource venv/bin/activate\npip install -r requirements.txt\n```\n\n## Run the Flask App\n```bash\npython3 app_flask.py\n```\n## Run the FastAPI app (same app but different framework)\n```bash\npython3 -m uvicorn app_fastapi:app --reload --port 5000\n```\n\n## InfluxDB\nWe can either use the `influx -port 8089` command to connect to the database and write SQL queries, or we can connect to the client using the influxdb Python library.\n```sql\nSELECT COUNT(\"Attack Type\") AS total FROM traffic GROUP BY \"Attack Type\"\n```\n\n## Telegraf\nI use Telegraf to load the CSV files into InfluxDB, to be able to do queries.\n\n\n## Test for the API on Docker/Flask or GCP\n```bash\npython3 test_request.py\n```\nPrediction result:\n```json\n{\n    \"confidence\": 0.9999682903289795,\n    \"prediction\": \"normal\",\n    \"status\": \"success\"\n}\n```\nFirst with the Flask App, then with the Docker.\nI also have a shell script to test the API with the Docker image.\n\n\n## Commands\n```bash\n# start Jupyter, then go to http://localhost:8888/tree\njupyter notebook\n\n# stop any running InfluxDB server\nsudo pkill -f influxd\n\n# launch the db server\ninfluxd -config config/custom-influxdb.conf\n\n# connect to the shell client\ninflux -port 8089\n\n# load csv and send it to influxdb in the intrusion database\ntelegraf --config config/telegraf.conf\n```\n\n\n## GCP\n\n## 1 Setup\n```bash\ngcloud auth login\ngcloud config set project $PROJECT_ID  # attakx\ngcloud services enable \\\n  cloudbuild.googleapis.com \\\n  run.googleapis.com \\\n  
artifactregistry.googleapis.com\n```\n## 2 Create Artifact Registry Repository\n```bash\ngcloud artifacts repositories create \"attakx-repo\" \\\n  --repository-format=docker \\\n  --location=\"europe-west9\" \\\n  --description=\"Docker repository for Attakx\"\n```\n\n## 3 Deploy on Cloud Run\n→ gcp.bash\n\n## 4 Test the API\nI got the domain name:\nhttps://attakx-service-507224908244.europe-west9.run.app/\nI test it with the test_request.py file and it works.\n\n\n## DEMO\nI created an SDN topology with Mininet and Ryu controller. I used the Ryu controller to call the API and send the data to the ML-based IDS. I used the Mininet topology to simulate the network with 2 hosts, 2 switches and an attacker. We can see in the image below that:\n- when the first host sends a ping to the second host, the API returns \"normal\", and the packets are sent to the second host.\n- when the attacker sends a ping flood to the first host, the API returns \"ddos\", and the packets are dropped by more than 85%.\n![Demo](images/demo.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flueasf%2Fattacksdetector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flueasf%2Fattacksdetector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flueasf%2Fattacksdetector/lists"}