Network Traffic Anomaly Detection Using Machine Learning

00:00

hello Professor this is Magna kri so

00:02

today my teammates Vijay wami graa and I

00:05

are going to talk on network traffic

00:07

anomaly detection using machine learning

00:10

so the next

00:15

slide uh so the contents includes

00:17

introduction methodology code

00:18

demonstration results challenges and

00:21

future work conclusion and reference

00:23

next slide

00:27

please uh introduction to network

00:30

security challenge uh the digital

00:31

Technologies rapidly has uh re

00:34

revolutionized uh how we communicate

00:36

contact business and access information

00:39

with this digital transformation robust

00:41

and secure network infrastructure has

00:44

become uh Paramount however the looming

00:46

threat of uh cyber attacks and network

00:49

uh breaches uh come along uh side the

00:53

numerous benefits of the interconnector

00:55

systems uh and the actors uh constantly

00:59

seek to explorit

01:02

uh vulnerabilities in network

01:05

architectures compromising data uh

01:08

Integrity privacy and uh system

01:10

availability uh traditional security

01:12

measures such as uh firewalls and uh

01:15

intr uh detection systems uh how how

01:19

long been the Frontline defense against

01:22

cyber threats while these tools are

01:24

effective to some extent they often r on

01:27

predefined rules and signatures uh

01:30

making them uh suspectable uh to

01:32

evocation tactics employed by

01:35

sofisticated attracts uh moreover as

01:38

Network in infrastructure go grow in

01:40

complexity and scale manually crafting

01:43

and updating rules be uh becomes

01:46

increasing increasingly daunting uh in

01:49

response to these challenges uh a

01:51

growing interest has been in uh machine

01:54

learning techniques for uh Network

01:55

anomaly detection uh unlike rule based

01:58

approaches machine learning algorithms

02:00

can learn patterns and behaviors uh

02:03

inheritant uh in network traffic data

02:05

enabling more uh adaptive uh and dynamic

02:08

threat detection uh by analyzing vast

02:11

amount of uh data uh machine learning

02:14

models can identify uh subtle uh

02:17

deviations from normal Behavior Uh

02:19

indicative of potential security

02:22

breaches or performance uh anomal

02:25

anomalies uh this product uh like this

02:27

project aims to uh develop a

02:30

comprehension Network a traffic anomaly

02:32

detection system using state of the art

02:35

machine learning techniqu uh this report

02:38

outlines the methodology techniques and

02:40

uh Evolution uh criteria for developing

02:43

the anomaly detection system next will

02:46

be continued uh by the Le will be

02:49

continued by graa

03:05

braa are you

03:07

there yes

03:09

yes

03:11

so code is written in the python for

03:14

machine learning likely to detect

03:16

anomalies in network traffic so this

03:19

code is based on the idea that normal

03:22

Network traffic will follow certain

03:24

patterns so by analyzing data such as

03:27

packet sizes and IP addresses the code

03:30

can identify patterns that deviate from

03:32

the norm so these deviations are then

03:35

flagged as anomalies which could be a

03:38

sign of malicious activity coming to the

03:41

code snippet uh it uses a machine

03:44

learning technique called K means

03:46

clustering this involves grouping data

03:48

points into a specific number of

03:51

clusters uh that are defined by K so

03:55

each data point is assigned to the

03:56

cluster that is most likely resembles

03:59

based on it features in this case the

04:01

features are the properties of the

04:03

network traffic such as packet size and

04:06

IP

04:07

address so the code first Imports the

04:10

necessary libraries including numi for

04:13

numerical operations and SEC learn for

04:17

machine learning then it defines a

04:19

function to perform the anomaly

04:21

detection so here this function takes

04:23

three arguments uh one is lation Matrix

04:29

uh which the it represents the

04:31

connections between the nodes in the

04:32

network and the second one is B dig

04:36

Matrix uh in which it represents the

04:38

degree of each node in the network and

04:41

finally the third one k which represents

04:45

the number of clusters to use the K

04:47

means algorithm so here the function

04:50

first calculates the aen values and aen

04:52

vectors of the lation Matrix aen values

04:56

and aen vectors are mathematical

04:59

Concepts used to analyze the properties

05:01

of Matrix so here in this case they help

05:04

to identify the underlying structure of

05:06

the network traffic data and next um the

05:10

function sorts the Aon values and Aon

05:13

vectors uh and this is done to identify

05:16

the most important features of the data

05:19

now next it takes this first k a vectors

05:23

and computes the norm of each row so the

05:26

norm is a mathematical concept that

05:28

represents the itude of a vector in this

05:31

case it is used to measure the strength

05:33

of the signal in each data

05:36

point the function then normalizes the

05:38

data uh this means uh it scales the data

05:41

to a common range uh this is the

05:44

important thing because it ensures the

05:47

all the features have an equal weight in

05:49

the K means algorithm finally the

05:52

function uses the K means algorithm to

05:54

Cluster the data points so here the C

05:57

algorithm partitions the data points

05:59

into clay

06:00

K clusters and the data points are

06:02

assigned to the cluster that they mostly

06:05

uh reassemble uh based on their features

06:08

so the code can be used to identify

06:10

anomalies in the network traffic so data

06:12

points that are assigned to clusters

06:14

that are far away from the data points

06:16

are likely to be anomalies these

06:18

anomalies can be investigated further to

06:21

determine uh if they are malicious

06:23

something like that and of course uh

06:27

this is a simplified code uh but the

06:30

actual code is more complex so that will

06:32

be includes other steps um hopefully

06:36

this gives a basic understanding how the

06:38

code works yeah and next will be

06:40

continued

06:41

by our team

06:47

mate yeah hello hi uh my name is

06:52

vij uh let me just Che uh to the code

06:56

demonstration uh before that uh in our

06:59

project we have used the the algorithm

07:03

that we have used is C in clustering let

07:06

me just go through the cin algorithm in

07:09

brief so cin algorithm clustering is a

07:12

popular unsupervised machine learning

07:13

algorithm used for passing data set into

07:16

set of K clusters the goal of K means

07:19

clustering is to group the similar data

07:21

points together and discover underlying

07:23

patterns or structures in the data let's

07:26

see how the algorithm actually works so

07:28

the algorithm starts by randomly

07:30

selecting K data points from the data

07:32

set as the initial cluster centroids

07:35

these centroids acts as the initial

07:37

representative for each cluster then

07:39

each data point in the data set is

07:41

assigned to the nearest cent based on

07:44

the Su distance metric this typically we

07:46

can calculate this Distance by ukl and

07:49

distance so the data points are grouped

07:51

into K clusters based on which centroid

07:53

they are closest to then after all the

07:56

data points have been assigned to

07:58

clusters the CID are recalculated as the

08:01

mean all of all the data points assigned

08:03

to each cluster this step updates the

08:06

cented positions then we are will repeat

08:09

the step two and step three repeatedly

08:11

until the convergence criteria are met

08:14

uh convergence occurs when the C no

08:17

longer changes significantly between

08:19

iterations when a maximum number of

08:21

iterations reach in the final the once

08:24

the convergence is achieved the

08:26

algorithms output final cluster

08:29

assignment and SIDS uh let me just take

08:32

to the code

08:33

demonstration

08:39

um so this is our code uh where we

08:43

import uh necessary libraries like numai

08:47

and pandas M Li escal and metrics and

08:51

scii kit special distance and we'll

08:53

start by downloading the data sets that

08:56

we have like we have used the three data

08:59

sets here uh we have downloading these

09:01

data sets from the kddc pickup

09:06

so so here we are importing those data

09:09

sets into uh data

09:12

frames and in the data set we have 42 uh

09:16

feature selection features like uh

09:19

duration prototype service flag Source

09:22

bites destination bites land rank

09:25

fragment urgent and so on we have until

09:29

42 types of features in the data set so

09:33

in the next step we have defined a

09:36

method called convert categorical

09:38

columns so this function converts

09:40

categorical columns in a data frame into

09:42

numerical represents ensuring that

09:45

machine learning algorithms can process

09:47

them effectively it also provides the

09:49

option to store and refuse mappings

09:51

between categorial values and the

09:52

numerical values representation across

09:55

the multiple function

09:57

cells and

10:00

here we are converting those columns I

10:02

mean category columns into numerical

10:05

columns and then here here comes the

10:08

clustering using K

10:10

meanss so here in this uh code we define

10:14

a class K means which implements K means

10:17

clustering algorithm in the in in the

10:20

first initialization here in the

10:23

initialization method this I mean this

10:25

is the Constructor this initialize the

10:27

centroid attributes To None which will

10:29

hold the cented values after fitting the

10:32

model and the next one is centered

10:34

initialization this function initialize

10:37

centroids method randomly selects K data

10:40

points from the training data as the

10:42

initial centroids it ensures that each

10:46

Cent is unique to avoid

10:48

duplication and the next one is

10:52

U the method cluster assignment the

10:55

compute cluster indicates this method

10:57

calculate the distance between each data

10:59

point and the centroids then assign each

11:01

data point to the nearest

11:03

centroid and the next method that we

11:06

have is assigning uh assigned clusters

11:09

so this method organize the data points

11:11

into clusters based on the assigned

11:14

centroids and the next one we have uh

11:18

update centroids method so this update

11:21

centroids method recalculates the

11:24

centroids based on the mean of the data

11:27

points within the each cluster

11:30

and the next one is the kin method this

11:34

one uh iteratively perform the cluster

11:37

using a a loop assignment and the Cent

11:40

update steps until the converges are

11:43

reaching the maximum number of

11:45

iterations and the next we have uh print

11:49

cluster info so this method is basically

11:53

prints the method display information

11:55

about the size of clusters for a given

11:57

value of K

12:00

and the next we have a compute SS so

12:04

these compute SS SS means a sum of

12:07

scared errors so this method calculat

12:09

the sum of scared errors which is

12:11

measure of how spread out of the data

12:14

points within the Clusters and the next

12:17

we have the model fitting so this model

12:19

fitting uh fits the kyin model to the

12:22

training data and it performs multiple

12:25

restarts to find the best best set of

12:28

cids that minimum the SSC and the next

12:32

method that we have in the class is the

12:33

predict method so this predict method

12:36

assigns testing data points to the

12:38

Clusters based on the fitting

12:40

centroids and the next get centroids

12:43

method so this will return uh the

12:46

centroids learn based during the fitting

12:49

process so overall in this uh this class

12:53

and encapsulates the K means clustering

12:55

algorithm that providing methods for

12:58

fitting the model making predictions and

13:00

accessing the learning centroids it also

13:03

include functionality for evaluating the

13:06

quantity of uh quality of clustering

13:08

results using SS and printing cluster

13:12

information and uh in the next step we

13:14

have a um clustering definition like the

13:19

value for the k k so here we have taken

13:23

the value uh value of K is 7 and 15 so

13:28

these are the optimal values for uh

13:31

kin's clustering so we have initialized

13:35

the K value by 7 and

13:37

15 and in The Next Step uh we are uh

13:41

this code will Loop that iterates over

13:43

each value of K in the K value list and

13:47

this this Loop

13:48

iterates um or each uh in in in the case

13:53

in in in this case the list of contains

13:55

that we have initialized here is 7 and

13:57

15 so this Loop runs the K means

14:00

clustering algorithm multiple times each

14:02

time with a different value of K and it

14:05

stores the resulting cluster models in

14:07

the kin's dictionary that we have

14:09

defined here so allowing to access the

14:13

models later for the further further uh

14:15

analysis and

14:17

visualization and here we have we have

14:19

using

14:20

0.15% of data set that he used for the

14:25

training and here in the uh training

14:29

data and training uh uh this code will

14:33

essentially split the data into a small

14:35

subset for training and uh discuss the

14:39

rest of the data and the next we have a

14:42

method called normalized cut so this

14:44

function will essentially perform the

14:46

special clustering using the normalized

14:49

cut criteria which aims to parion the

14:52

data into K clusters based on the igon

14:55

vectors of the LA plasm Matrix special

14:58

cluster in is a powerful technique for

15:00

clustering data with complex structures

15:02

or

15:04

nonion and here we uh here this is the

15:08

function call of for the yo method so

15:12

when we call the function so this is the

15:14

output that we have this output

15:16

summarize that uh clustering process and

15:19

provide insights into how the data

15:21

points are grouped into clusters based

15:23

on their Sim similarities in the lower

15:26

Dimension space defined by the

15:28

normalized ion vectors that we have here

15:32

so moving on to the next

15:36

um here we have the uh relationship

15:41

between the Matrix we have some Matrix

15:44

called Purity recall F1 score and

15:46

entropy and and here we are defining the

15:50

uh relationship between the F1 score and

15:54

the K value here in the first graph we

15:57

are plotting uh relationship between F1

16:00

and F1 score and K for uh using training

16:04

data and testing data so as you can see

16:08

by seeing this the graph we can say that

16:11

in both the training and testing data

16:13

there seems to be a positive correlation

16:15

between Purity and K this means that as

16:18

the number of clusters increase the

16:20

Purity also increasing so uh compared to

16:25

uh training and testing the training

16:26

data lines cons uh consist instantly

16:29

scores higher in Purity than the testing

16:31

data lies so this suggest that model

16:33

might be overfitting the training data

16:36

and the next we have entropy and K the

16:39

relationship between entropy and K

16:43

so uh this this one uh we can see by

16:48

looking at the graph we can say the

16:50

entropy is decreasing so the entropy

16:53

generally decreases as the number of

16:56

clusters increase this means that the

16:58

data becomes more ordered or pure as we

17:01

increase the number of clusters so this

17:03

is because with the more clusters the

17:06

data points are grouped into smaller and

17:08

more specific cluster reducing

17:11

Randomness and here in this uh and the

17:15

next one we have

17:17

kin so this code performs cin clustering

17:20

on the training data assign data points

17:23

to the cluster and evaluate the

17:25

clustering results using some evaluation

17:29

methods and the next one we have uh

17:31

compute anomalies so this uh this

17:34

compute anomalies will take uh two

17:37

parameters that one one is the Clusters

17:39

and the next one is uh I mean sorry

17:41

three so cluster data and labels and it

17:44

will return return the number of

17:45

anomalies that we have detected so here

17:49

uh while after the training data uh we

17:52

have detected a, and

17:56

uh, one 1,100 107 anomalies that we have

18:00

detected here and we are printing those

18:03

anomalies here so and also here in the

18:08

normalized cut evaluation like U we have

18:12

uh for the K value cluster sizes so we

18:15

have the Purity is 95 uh 0.95 that means

18:19

95% of Purity and the recall is uh 0.25

18:24

and F1 score is 0.32 the so the

18:27

condition entropy will is the

18:30

0.26 and the next we have uh another uh

18:35

print evalutions and

18:37

um the dbsn evaluations so dbsc

18:42

evaluation is nothing but density based

18:45

special clustering of application with

18:47

noise is a it's a popular clustering

18:50

algorithm that doesn't require specific

18:52

number of cluster beforehand instead it

18:54

groups that together closely packed into

18:56

based on the two parameters a epon and

18:59

which denotes the radius with the search

19:01

for neighboring points and Main samples

19:04

which specify the number of points

19:05

required to form a dens region so in the

19:09

final results that we got here is like

19:12

uh in the training data we have detected

19:16

1,17

19:18

anomalies using this uh training data

19:22

yeah uh this is uh the working working

19:25

uh demonstration of a project let me go

19:28

back to the this presentation

19:35

slide yeah so and the next continuation

19:40

slide will be uh explained by

19:47

Manu uh hi everyone uh this is vami

19:50

sadya uh I'm going to explain about the

19:52

challenges and the future work uh during

19:55

this project uh we have faced the

19:58

challenge

19:59

changes like uh detecting unusual

20:02

activity in networks is tough because

20:04

the data we have might be messy with

20:07

things like missing values or outer lers

20:11

plus when we are dealing with a lot of

20:13

data our detection system might struggle

20:16

to keep uh keep up solving these issues

20:18

is crucial to making sure our anomal

20:21

detection systems can effectively

20:22

protect digital systems from Cy cyber

20:25

threats uh uh and the future work the

20:28

fure work we can develop in this project

20:31

is uh data quality Advanced Techniques

20:33

and uh real monitoring and uh uh

20:37

expansible AI so coming to the data

20:40

quality we need to find better ways to

20:42

clean up our data before we analyze it

20:45

uh to improve the accuracy of our

20:47

detection system and next coming to

20:50

Advanced Techniques uh we should explore

20:52

more advanced method in machine learning

20:54

to better find anomaly in network data

20:57

real real time monitoring making our

21:00

systems able to adapt quickly to new

21:02

threads by monitoring network activity

21:05

in real time uh expansible AI uh it's

21:09

important to be able to understand why

21:12

our detection systems think something is

21:15

wrong so we need techniques that can exp

21:18

explain the decisions clearly and now

21:21

coming to conclusion part uh VI can you

21:24

please go to next slide um confirmation

21:27

of efficient

21:29

we found that using machine learning

21:31

techniques like kin svm and neural

21:34

networks is really effective for

21:37

sparting unusual activity in networks uh

21:40

making making sure our data is clean and

21:42

evaluating our detection systems

21:45

carefully is crucial for reable results

21:48

uh looking forward we need to uh keep

21:50

improving our system to keep up with the

21:53

Challen with the changing world of cyber

21:56

security this means um integrated

21:58

machine machine learning more deeply

22:00

into how we protect digital systems this

22:04

work emphasizes the ongoing need for

22:06

research and development to enhance the

22:09

capabilities of machine learning based

22:11

anomaly detection systems in cyber

22:13

security so next

22:17

slide yeah uh these are the references

22:20

uh we have taken from the Google Scholar

22:23

uh sites and uh uh we have uh taken the

22:28

uh supervisor learning machine learning

22:30

and everything we have

22:32

covered for this project and we have

22:35

compared with the other models too uh

22:39

and we have given and we have taken the

22:41

accuracy F1 score everything uh we are

22:44

compared with every model in this uh

22:47

project uh uh as explained by Vijay uh

22:51

thank you