| --- |
| license: apache-2.0 |
| language: en |
| library_name: keras |
| tags: |
| - intrusion-detection |
| - network-forensics |
| - iot-security |
| - cnn |
| - lstm |
| - multiclass-classification |
| - cybersecurity |
| datasets: |
| - CICIoT2023 |
| --- |
| |
| # Multiclass Network Forensic Intrusion Detection System |
|
|
| A hybrid **CNN-LSTM** model for fine-grained, multiclass intrusion detection. |
| It serves as a detailed forensic tool to classify network attacks into 25 distinct categories. |
|
|
| ## Model Description |
| This model acts as a "second-stage" analysis tool. After an initial threat is detected (e.g., by a binary IDS), it identifies the specific nature of the attack. |
|
|
| - **Architecture:** `Conv1D -> ... -> LSTM -> Dense -> Dense (Softmax)` |
| - **Dataset:** CICIoT2023 curated subset |
| - **Performance:** 97% accuracy on the 25-class classification task |
|
|
| ## Intended Use |
| - **Primary Use:** Identify the type of network attack for forensic analysis. |
| - **Input:** `(batch_size, 10, 46)` — 46 normalized network features |
| - **Output:** Softmax probabilities over 25 classes; highest probability indicates the predicted class |
|
|
| ## How to Use |
| ```python |
| import tensorflow as tf |
| import numpy as np |
| from huggingface_hub import hf_hub_download |
| |
| # Download the model |
| MODEL_PATH = hf_hub_download("Codelord01/multiclass_model", "multiclass_model.keras") |
| model = tf.keras.models.load_model(MODEL_PATH) |
| model.summary() |
| |
| # Define class names in the order used during training |
| CLASS_NAMES = [ |
| 'BenignTraffic', 'DDoS-ACK_Fragmentation', 'DDoS-HTTP_Flood', 'DDoS-ICMP_Flood', |
| 'DDoS-ICMP_Fragmentation', 'DDoS-PSHACK_Flood', 'DDoS-RSTFINFlood', 'DDoS-SYN_Flood', |
| 'DDoS-SlowLoris', 'DDoS-SynonymousIP_Flood', 'DDoS-TCP_Flood', 'DDoS-UDP_Flood', |
| 'DDoS-UDP_Fragmentation', 'DNS_Spoofing', 'DoS-HTTP_Flood', 'DoS-SYN_Flood', |
| 'DoS-TCP_Flood', 'DoS-UDP_Flood', 'MITM-ArpSpoofing', 'Mirai-greeth_flood', |
| 'Mirai-greip_flood', 'Mirai-udpplain', 'OtherAttack', 'Recon-HostDiscovery', |
| 'VulnerabilityScan' |
| ] |
| |
| # Sample input: 1 sample, 10 timesteps, 46 features |
| sample_data = np.random.rand(1, 10, 46).astype(np.float32) |
| |
| # Make a prediction |
| prediction_probs = model.predict(sample_data) |
| predicted_index = np.argmax(prediction_probs) |
| predicted_class = CLASS_NAMES[predicted_index] |
| confidence = prediction_probs[predicted_index] |
| |
| print(f"Predicted Attack Type: {predicted_class}") |
| print(f"Confidence: {confidence:.4f}") |
| |
| ## Limitations |
| - Validated only on CICIoT2023-like traffic |
| - Input must be normalized |
| - CLASS_NAMES must match training order |
| |
| ## Training Information |
| - Optimizer: Adam |
| - Loss: Categorical Cross-Entropy |
| - 25-class balanced dataset |
| |
| |
| @mastersthesis{ababio2025multilayered, |
| title={A Multi-Layered Hybrid Deep Learning Framework for Cyber-Physical Intrusion Detection in Climate-Monitoring IoT Systems}, |
| author={Awuni David Ababio}, |
| year={2025}, |
| school={Kwame Nkrumah University of Science and Technology} |
| } |
| |
| |
| |
