Project Presentation FYP

The document outlines a project by the Institute of Southern Punjab to develop an AI-Based Intrusion Detection and Prevention System (IDPS) using Convolutional Neural Networks (CNNs) to detect and prevent botnet attacks in real-time. The system aims to address the limitations of traditional IDPS by providing accurate detection, automated blocking of malicious IPs, and adaptability to evolving threats. Results indicate a high detection accuracy of 98%, with plans for future enhancements such as federated learning and blockchain technology integration.

Uploaded by

Jerry Here

Institute of Southern Punjab (ISP)

Department of CS (Computer Science)


Network Based IDS and IPS for Botnet
Supervisor: Sir Shakeeb shb
Group Members:
Uzair Abbas
Mirza Maaz
Table of Contents

• Introduction
• Problem Statement
• Objective
• Scope
• Functional Requirements
• Non-functional Requirements
• Working Methodology
• AI-Based IDPS Architecture
• Results and Evaluation
• Conclusion
Introduction
• Network security is crucial in today's digital landscape, as organizations and individuals
increasingly rely on interconnected systems. Protecting sensitive data and ensuring the
integrity, confidentiality, and availability of network resources is vital to prevent
unauthorized access, data breaches, and cyber-attacks.
• Botnet attacks, where multiple compromised devices are controlled remotely to perform
malicious activities, have become one of the most significant threats. Botnets are often used
for large-scale attacks, including Distributed Denial of Service (DDoS), data theft, and spam
distribution, causing extensive damage to both individuals and businesses. These attacks can
affect networks, disrupt services, and lead to significant financial and reputational losses.
• To address this, our project aims to develop an AI-Based Intrusion Detection and Prevention
System (IDPS) that uses Convolutional Neural Networks (CNNs) to detect and prevent
botnet attacks in real-time. By analyzing network traffic, our system can identify malicious
patterns and automatically block harmful IP addresses, providing a robust and adaptive
solution to combat evolving botnet threats.
Problem Statement
• Rising threat of botnet attacks:
  • Botnets are increasingly sophisticated and widespread.
  • They can cause significant damage, including DDoS attacks, data theft, and network disruption.
  • Botnet attacks are becoming more frequent and harder to detect.
• Limitations of traditional IDPS systems:
  • Rely heavily on signature-based detection, which is ineffective against new or modified attacks.
  • High rate of false positives, leading to alert fatigue among security teams.
• Need for adaptive and intelligent security solutions:
  • Requirement for systems that can learn and adapt to new threats in real-time.
  • Necessity for more accurate detection with fewer false positives.
  • Demand for solutions that can handle high-speed, high-volume network traffic.
Objectives
• Build an AI-based Intrusion Detection and Prevention System (IDPS) using a
Convolutional Neural Network (CNN) model for accurate detection of botnet attacks.
• Ensure real-time detection of malicious network traffic by continuously monitoring
and analyzing packet flows, enabling immediate response to threats.
• Implement automatic blocking of malicious IP addresses once identified, preventing
further unauthorized activity on the network.
• Design the system with scalability and flexibility, allowing it to adapt to evolving
threats and integrate new security features as cyber-attacks become more advanced.
Scope
• Capture Network Traffic: Capture network traffic from multiple client sources.
• Preprocess Captured Data: Preprocess captured data, converting from pcapng
to CSV format.
• Train CNN Model: Train a Convolutional Neural Network (CNN) on the KDD
Cup 99 dataset for botnet behavior identification.
• Real-Time Analysis: Analyze incoming network traffic in real-time using the
trained CNN model.
• Automated Response: Trigger automated responses upon botnet detection,
including alerts and IP blocking.
• KPCA Exploration: Explore Kernel Principal Component Analysis (KPCA) to
enhance CNN model speed and efficiency.
• RabbitMQ Integration: Integrate with RabbitMQ for managing real-time data
flow.
Functional Requirements
• Data Capture: The system must capture network traffic data from clients using a sniffer.
• Transmission: Captured data should be transmitted to a central gateway for processing.
• Data Management: The gateway must manage data flow and temporarily store packets using a data-
holding protocol.
• Packet Analysis: The system should analyze packets to extract key information like source IP,
destination IP, timestamp, and protocol type.
• Storage: Extracted packet details must be stored in pcapng files for subsequent analysis.
• Data Conversion: The system should convert pcapng files into CSV format during the data
preprocessing step.
• AI-based Detection: Preprocessed data must be analyzed using a CNN to detect potential botnet
attacks.
• Threat Response: Upon detecting suspicious activity, the system must generate alerts and block
malicious IP addresses.
• Safe Data Release: If no threats are detected, the system should release processed data to the server.
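The pcapng-to-CSV preprocessing step named in the Scope and in the Packet Analysis, Storage and Data Conversion requirements above, carried through as an added Python example; this is not the project's own code. It assumes little-endian pcapng sections with the default microsecond timestamps and Ethernet/IPv4 frames; the capture it parses is constructed inline (so it runs without Wireshark), and every function name is the example's own.

```python
import csv
import io
import struct

# pcapng block type identifiers (from the pcapng specification)
SHB = 0x0A0D0D0A   # Section Header Block
IDB = 0x00000001   # Interface Description Block
EPB = 0x00000006   # Enhanced Packet Block
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _block(block_type, body):
    """Wrap a body in pcapng block framing: type, total length, body, total length."""
    body += b"\x00" * (-len(body) % 4)            # bodies are padded to 32-bit boundaries
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_pcapng(packets):
    """Constructed test input: a minimal little-endian capture with one SHB, one
    Ethernet IDB and one EPB per (timestamp_us, frame_bytes) pair."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))   # magic, v1.0, unknown length
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))             # linktype 1 = Ethernet
    epbs = b""
    for ts_us, frame in packets:
        hdr = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(frame), len(frame))
        epbs += _block(EPB, hdr + frame)
    return shb + idb + epbs


def build_frame(src_ip, dst_ip, proto, src_port, dst_port, payload=b""):
    """Constructed test input: an Ethernet/IPv4 frame with a minimal TCP (20 B) or
    UDP (8 B) header. Checksums are zero; enough for header parsing only."""
    l4 = struct.pack("!HH", src_port, dst_port) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + l4


def iter_frames(data):
    """Yield (timestamp_us, frame_bytes) for every Enhanced Packet Block.
    Assumption: little-endian sections and microsecond timestamps (the default
    when the interface carries no if_tsresol option)."""
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or off + blen > len(data):
            raise ValueError("truncated or corrupt pcapng block at offset %d" % off)
        if btype == SHB and struct.unpack_from("<I", data, off + 8)[0] != 0x1A2B3C4D:
            raise ValueError("only little-endian pcapng sections are handled here")
        if btype == EPB:
            _iface, ts_hi, ts_lo, cap_len, _orig = struct.unpack_from("<IIIII", data, off + 8)
            yield (ts_hi << 32) | ts_lo, data[off + 28: off + 28 + cap_len]
        off += blen


def extract_fields(frame):
    """Pull the fields the requirements name (source IP, destination IP, protocol)
    plus ports and length out of an Ethernet/IPv4 frame. Returns None for
    non-IPv4 or truncated frames so callers skip them instead of crashing."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", l4) if proto in (6, 17) and len(l4) >= 4 else (0, 0)
    return {"src_ip": src, "dst_ip": dst, "protocol": PROTO_NAMES.get(proto, str(proto)),
            "src_port": sport, "dst_port": dport, "length": len(frame)}


def pcapng_to_csv(data):
    """Convert a pcapng byte string into CSV text, one row per IPv4 packet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["timestamp_us", "src_ip", "dst_ip", "protocol",
                                             "src_port", "dst_port", "length"])
    writer.writeheader()
    for ts_us, frame in iter_frames(data):
        fields = extract_fields(frame)
        if fields is not None:
            writer.writerow({"timestamp_us": ts_us, **fields})
    return out.getvalue()


# Constructed sample capture: one TCP flow and one UDP flow between private addresses.
SAMPLE_CAPTURE = build_pcapng([
    (1_700_000_000_000_000, build_frame("192.168.56.101", "192.168.56.10", 6, 40000, 80)),
    (1_700_000_000_000_500, build_frame("192.168.56.1", "192.168.56.10", 17, 53000, 5672)),
])

if __name__ == "__main__":
    print(pcapng_to_csv(SAMPLE_CAPTURE))
```

Captures written by Wireshark can carry a big-endian section, an if_tsresol option that changes the timestamp unit, and non-IP frames; the parser above refuses the first, assumes the default for the second, and skips the third, so a production converter would need to read the interface options before trusting the timestamp column.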
Non-functional Requirements
• Performance: The detection and prevention system should operate with
minimal latency to block threats in real-time, ensuring swift response to
attacks.
• Reliability: The system must maintain high reliability with consistent uptime,
ensuring network security without interruptions.
• Accuracy: The model should maintain a high detection rate (above 98%
accuracy) and low false-positive rates to ensure effective threat identification.
• Maintainability: The system should allow easy updates and upgrades,
especially for the AI model, to adapt to evolving threats.
• Security: The system itself must be secure against tampering or being
disabled by attackers.
Working Methodology
• Step 1: Client 1 - Kali Linux Machine
• Client 1 will have the Kali Linux machine in a VirtualBox VM.
• Traffic from the Kali Linux machine will be sent maliciously to the gateway Ubuntu machine.
• Step 2: Client 2 - Windows Host Machine
• Client 2 will be the Windows host machine. The Windows host machine will forward normal data to the RabbitMQ that is installed in the gateway Ubuntu machine.
• Step 3: Wireshark - Packet Sniffing
• We are going to sniff the packets coming from both clients using Wireshark. The sniffed packets will be converted into a .csv file.
• Step 4: AI-Based IDPS
• The .csv file will be provided to the AI-Based IDPS for detection of malicious IPs and then blocking. The AI-Based IDPS classifies the traffic as either normal or malicious with the help of the CNN model and blocks it.
• Step 5: Data Release to Server
• Once the data is secured, it will be released to the server.
AI-Based IDPS Architecture
• This methodology employs a Convolutional Neural Network (CNN) to detect and mitigate botnet attacks in network traffic.
• Data Preparation: The process begins by loading and preprocessing network data, applying ontology rules to categorize potential threats, and splitting the data into training and testing sets.
• CNN Model Development: A CNN model is built with convolutional layers to extract features, pooling layers to reduce dimensionality, and fully connected layers for classification. The model is trained on the prepared data to recognize patterns associated with botnet activity.
• Evaluation and Prediction: The trained model's performance is evaluated, and it is used to predict botnet presence in new network traffic.
• Actionable Response: Upon detecting a botnet, the system identifies and blocks the malicious IP address to prevent further malicious activity.
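The convolution, pooling and fully connected stages described above, carried through as a tiny 1-D CNN in pure Python with its own backpropagation and a train/test split; this is an added example, not the project's model or training code. The layer sizes (8 features per flow, 4 filters of width 3, max-pool by 2), the initialisation and the constructed flow records are all assumptions of the example; a real build would use a deep-learning library on the KDD Cup 99 features.

```python
import math
import random

# Toy sizes (assumed; the slides name the layer types but not their dimensions).
N_FEATURES = 8                      # numeric features per preprocessed flow record
FILTERS = 4                         # convolutional filters
WIDTH = 3                           # filter width
CONV_LEN = N_FEATURES - WIDTH + 1   # valid convolution: 6 positions per filter
POOL_LEN = CONV_LEN // 2            # max-pool by 2: 3 positions per filter


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class TinyCNN:
    """1-D CNN for binary traffic classification:
    conv layer (feature extraction) -> ReLU -> max-pool (dimensionality reduction)
    -> fully connected layer (classification) -> sigmoid probability of 'botnet'."""

    def __init__(self, rng):
        # Non-negative conv init keeps every ReLU active at the start of the toy;
        # the fully connected layer starts from a symmetric random init.
        self.w = [[rng.uniform(0.0, 0.5) for _ in range(WIDTH)] for _ in range(FILTERS)]
        self.b = [0.0] * FILTERS
        self.v = [rng.uniform(-0.5, 0.5) for _ in range(FILTERS * POOL_LEN)]
        self.c = 0.0

    def forward(self, x):
        """Return (probability, cache); the cache holds what backprop needs."""
        z = [[self.b[f] + sum(self.w[f][j] * x[t + j] for j in range(WIDTH))
              for t in range(CONV_LEN)] for f in range(FILTERS)]
        a = [[max(0.0, val) for val in row] for row in z]           # ReLU
        pooled, argmax = [], []                                      # argmax: which position won
        for f in range(FILTERS):
            for s in range(POOL_LEN):
                i = 2 * s if a[f][2 * s] >= a[f][2 * s + 1] else 2 * s + 1
                pooled.append(a[f][i])
                argmax.append((f, i))
        logit = self.c + sum(vi * hi for vi, hi in zip(self.v, pooled))
        return sigmoid(logit), (z, pooled, argmax)

    def train_step(self, x, target, lr):
        """One SGD step on binary cross-entropy; returns the loss before the update."""
        y, (z, pooled, argmax) = self.forward(x)
        d_logit = y - target                    # dL/dlogit for sigmoid + cross-entropy
        # Gradient reaching each conv output: only the pooled (argmax) positions
        # receive it, and only where the ReLU was active.
        dz = [[0.0] * CONV_LEN for _ in range(FILTERS)]
        for i, (f, t) in enumerate(argmax):
            if z[f][t] > 0:
                dz[f][t] += d_logit * self.v[i]
        for i in range(len(self.v)):            # fully connected layer
            self.v[i] -= lr * d_logit * pooled[i]
        self.c -= lr * d_logit
        for f in range(FILTERS):                # convolutional layer
            for j in range(WIDTH):
                self.w[f][j] -= lr * sum(dz[f][t] * x[t + j] for t in range(CONV_LEN))
            self.b[f] -= lr * sum(dz[f])
        eps = 1e-9
        return -(target * math.log(y + eps) + (1 - target) * math.log(1 - y + eps))


def make_flows(rng, pairs):
    """Constructed flow records: benign flows have low, steady feature values,
    botnet flows have high values. Label 1.0 = malicious, 0.0 = normal."""
    data = []
    for _ in range(pairs):
        data.append(([rng.uniform(0.0, 0.3) for _ in range(N_FEATURES)], 0.0))
        data.append(([rng.uniform(0.6, 1.0) for _ in range(N_FEATURES)], 1.0))
    return data


def train_and_evaluate(epochs=50, lr=0.1, seed=0):
    """Train on one constructed set, then report accuracy on a separately
    generated held-out set (the train/test split the methodology calls for)."""
    rng = random.Random(seed)
    model = TinyCNN(rng)
    train = make_flows(rng, 30)
    test = make_flows(random.Random(seed + 1), 20)
    for _ in range(epochs):
        rng.shuffle(train)
        for x, t in train:
            model.train_step(x, t, lr)
    correct = sum(1 for x, t in test if (model.forward(x)[0] >= 0.5) == (t == 1.0))
    return model, correct / len(test)


if __name__ == "__main__":
    _, acc = train_and_evaluate()
    print("held-out accuracy: %.2f" % acc)
```

The held-out accuracy is the number to report; accuracy on the training records only shows that the model can memorise them, which is why the methodology splits the data before training.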
Results and Evaluation
• Detection Rate of Malicious Traffic:
• The model achieved an accuracy of 98%, with strong performance across
multiple attack categories as demonstrated by the confusion matrix and
classification report.
• The precision, recall, and F1-score indicate high efficiency in detecting normal
and malicious traffic patterns.
• Blocking Malicious IP Addresses:
• Example of detected malicious IP addresses and their successful blocking by
the system.
• The AI system proactively identified and blocked malicious IPs in real time,
preventing potential threats.
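The confusion matrix, classification report and IP blocking reported above, as an added Python example that is not the project's code: it computes accuracy, precision, recall and F1 for the malicious class from constructed flow-level predictions, then turns flagged flows into a block list. The predictions, the gateway allowlist, the `min_hits` threshold and the function names are all the example's own assumptions.

```python
import collections
import ipaddress

# Constructed per-flow predictions: (source IP, true label, predicted label),
# 1 = botnet, 0 = normal. As on a real network, most flows are normal.
PREDICTIONS = (
    [("192.168.56.101", 1, 1)] * 9 + [("192.168.56.101", 1, 0)]        # attacker, one flow missed
    + [("192.168.56.102", 1, 1)] * 5                                     # second attacker
    + [("192.168.56.1", 0, 0)] * 40 + [("192.168.56.1", 0, 1)]           # benign host, one false positive
    + [("192.168.56.10", 0, 0)] * 40 + [("192.168.56.10", 0, 1)] * 2     # gateway, two false positives
)


def confusion_matrix(rows):
    """Count true/false positives and negatives for the malicious class."""
    cm = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _ip, truth, pred in rows:
        cm[("t" if truth == pred else "f") + ("p" if pred == 1 else "n")] += 1
    return cm


def classification_report(cm):
    """Accuracy, precision, recall and F1 for the malicious class, plus the
    accuracy a classifier that flags nothing would get on the same traffic mix."""
    tp, fp, fn, tn = cm["tp"], cm["fp"], cm["fn"], cm["tn"]
    total = tp + fp + fn + tn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "accuracy": (tp + tn) / total,
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "all_normal_baseline": (tn + fp) / total,
    }


def block_decisions(rows, allowlist, min_hits=2):
    """Turn flow-level verdicts into a block list: an IP is blocked only after
    min_hits flagged flows, and never if it falls inside an allowlisted network,
    so one false positive cannot cut off the gateway or a server."""
    hits = collections.Counter(ip for ip, _truth, pred in rows if pred == 1)
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    blocked = []
    for ip, count in hits.items():
        addr = ipaddress.ip_address(ip)
        if count >= min_hits and not any(addr in net for net in allowed):
            blocked.append(ip)
    return sorted(blocked, key=ipaddress.ip_address)


def iptables_rules(blocked):
    """Render the block list as iptables commands. They are returned, not run,
    so the decision can be logged and reviewed before a rule is applied."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in blocked]


if __name__ == "__main__":
    report = classification_report(confusion_matrix(PREDICTIONS))
    for name, value in report.items():
        print("%-20s %.3f" % (name, value))
    for rule in iptables_rules(block_decisions(PREDICTIONS, ["192.168.56.10/32"])):
        print(rule)
```

On imbalanced traffic a classifier that flags nothing already scores the `all_normal_baseline` accuracy (about 85% on the constructed mix), so precision and recall on the malicious class are the figures to read alongside the overall accuracy; the `min_hits` threshold and allowlist are what keep the false positives in the report from turning into a self-inflicted denial of service on the gateway.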
Conclusion
• The AI-based Intrusion Detection and Prevention System (IDPS)
demonstrated significant success in detecting botnet attacks in real-
time.
• The system efficiently captures, processes, and analyzes network
traffic, providing accurate detection and automated blocking of
malicious IP addresses.
• Future improvements could include integrating federated learning to
enhance data privacy across distributed networks and blockchain
technology to ensure secure, tamper-proof data exchange and
improved trust in detection results.
Thank You