import pandas as pd
from sklearn.preprocessing import LabelEncoder
from sklearn.linear_model import LinearRegression
from sklearn.metrics import mean_squared_error, r2_score

# ── 1. Column names taken from the NSL‑KDD documentation ──────────────
col_names = [
"duration","protocol_type","service","flag","src_bytes","dst_bytes","land",
"wrong_fragment","urgent","hot","num_failed_logins","logged_in",
"num_compromised","root_shell","su_attempted","num_root",
"num_file_creations","num_shells","num_access_files","num_outbound_cmds",
"is_host_login","is_guest_login","count","srv_count","serror_rate",
"srv_serror_rate","rerror_rate","srv_rerror_rate","same_srv_rate",
"diff_srv_rate","srv_diff_host_rate","dst_host_count",
"dst_host_srv_count","dst_host_same_srv_rate","dst_host_diff_srv_rate",
"dst_host_same_src_port_rate","dst_host_srv_diff_host_rate",
"dst_host_serror_rate","dst_host_srv_serror_rate","dst_host_rerror_rate",
"dst_host_srv_rerror_rate","class","difficulty_level"
]

# ── 2. Load data *without* header row ─────────────────────────────────
train_url = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Train.csv"
test_url  = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Test.csv"

df_train = pd.read_csv(train_url, header=None, names=col_names)
df_test  = pd.read_csv(test_url,  header=None, names=col_names)

# ── 3. Encode the 3 nominal features ─────────────────────────────────
for col in ['protocol_type', 'service', 'flag']:
le = LabelEncoder()
le.fit(pd.concat([df_train[col], df_test[col]], axis=0))
df_train[col] = le.transform(df_train[col])
df_test[col]  = le.transform(df_test[col])

# ── 4. Prepare features / target ─────────────────────────────────────
X_train = df_train.drop(columns=['class', 'difficulty_level', 'duration'])
y_train = df_train['duration']

X_test  = df_test.drop(columns=['class', 'difficulty_level', 'duration'])
y_test  = df_test['duration']

# ── 5. Train & evaluate simple Linear Regression ─────────────────────
model = LinearRegression().fit(X_train, y_train)
y_pred = model.predict(X_test)

print(f"Test MSE: {mean_squared_error(y_test, y_pred):.2f}")
print(f"Test R² : {r2_score(y_test, y_pred):.3f}")

"""
Test MSE: 3021333.56
Test R² : -0.526
"""

In hierdie voorbeeld probeer die lineêre regressiemodel om verbinding duur te voorspel uit ander netwerkkenmerke. Ons meet prestasie met Gemiddelde Kwadratiese Fout (MSE) en R². 'n R² naby 1.0 sou aandui dat die model die meeste variasie in duur verduidelik, terwyl 'n lae of negatiewe R² 'n swak pas aandui. (Moet nie verbaas wees as die R² hier laag is nie -- om duur te voorspel mag moeilik wees uit die gegewe kenmerke, en lineêre regressie mag nie die patrone vasvang as hulle kompleks is nie.)

Ons gaan 'n Phishing-webwerwe-dataset (van die UCI-bewaarplek) gebruik wat onttrokken kenmerke van webwerwe bevat (soos of die URL 'n IP-adres het, die ouderdom van die domein, teenwoordigheid van verdagte elemente in HTML, ens.) en 'n etiket wat aandui of die webwerf phishing of wettig is. Ons lei 'n logistieke regressiemodel op om webwerwe te klassifiseer en evalueer dan sy akkuraatheid, presisie, terugroep, F1-telling, en ROC AUC op 'n toetsverdeling.

import pandas as pd
from sklearn.datasets import fetch_openml
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import StandardScaler
from sklearn.linear_model import LogisticRegression
from sklearn.metrics import accuracy_score, precision_score, recall_score, f1_score, roc_auc_score

# 1. Load dataset
data = fetch_openml(data_id=4534, as_frame=True)  # PhishingWebsites
df   = data.frame
print(df.head())

# 2. Target mapping ─ legitimate (1) → 0, everything else → 1
df['Result'] = df['Result'].astype(int)
y = (df['Result'] != 1).astype(int)

# 3. Features
X = df.drop(columns=['Result'])

# 4. Train/test split with stratify
## Stratify ensures balanced classes in train/test sets
X_train, X_test, y_train, y_test = train_test_split(
X, y, test_size=0.20, random_state=42, stratify=y)

# 5. Scale
scaler = StandardScaler()
X_train = scaler.fit_transform(X_train)
X_test  = scaler.transform(X_test)

# 6. Logistic Regression
## L‑BFGS is a modern, memory‑efficient “quasi‑Newton” algorithm that works well for medium/large datasets and supports multiclass natively.
## Upper bound on how many optimization steps the solver may take before it gives up.	Not all steps are guaranteed to be taken, but would be the maximum before a "failed to converge" error.
clf = LogisticRegression(max_iter=1000, solver='lbfgs', random_state=42)
clf.fit(X_train, y_train)

# 7. Evaluation
y_pred = clf.predict(X_test)
y_prob = clf.predict_proba(X_test)[:, 1]

print(f"Accuracy : {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall   : {recall_score(y_test, y_pred):.3f}")
print(f"F1-score : {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC  : {roc_auc_score(y_test, y_prob):.3f}")

"""
Accuracy : 0.928
Precision: 0.934
Recall   : 0.901
F1-score : 0.917
ROC AUC  : 0.979
"""

In hierdie phishing-detectie voorbeeld, produseer logistieke regressie 'n waarskynlikheid vir elke webwerf om phishing te wees. Deur akkuraatheid, presisie, terugroep en F1 te evalueer, kry ons 'n gevoel van die model se prestasie. Byvoorbeeld, 'n hoë terugroep beteken dit vang die meeste phishing-webwerwe (belangrik vir sekuriteit om gemiste aanvalle te minimaliseer), terwyl hoë presisie beteken dit het min vals alarms (belangrik om ontleders se moegheid te vermy). Die ROC AUC (Area Under the ROC Curve) bied 'n drempel-onafhanklike maatstaf van prestasie (1.0 is ideaal, 0.5 is nie beter as kans nie). Logistieke regressie presteer dikwels goed op sulke take, maar as die besluitgrens tussen phishing en wettige webwerwe kompleks is, mag meer kragtige nie-lineêre modelle benodig word.

import pandas as pd
from sklearn.tree import DecisionTreeClassifier
from sklearn.preprocessing import LabelEncoder
from sklearn.metrics import accuracy_score, precision_score, recall_score, f1_score, roc_auc_score

# 1️⃣  NSL‑KDD column names (41 features + class + difficulty)
col_names = [
"duration","protocol_type","service","flag","src_bytes","dst_bytes","land",
"wrong_fragment","urgent","hot","num_failed_logins","logged_in","num_compromised",
"root_shell","su_attempted","num_root","num_file_creations","num_shells",
"num_access_files","num_outbound_cmds","is_host_login","is_guest_login","count",
"srv_count","serror_rate","srv_serror_rate","rerror_rate","srv_rerror_rate",
"same_srv_rate","diff_srv_rate","srv_diff_host_rate","dst_host_count",
"dst_host_srv_count","dst_host_same_srv_rate","dst_host_diff_srv_rate",
"dst_host_same_src_port_rate","dst_host_srv_diff_host_rate","dst_host_serror_rate",
"dst_host_srv_serror_rate","dst_host_rerror_rate","dst_host_srv_rerror_rate",
"class","difficulty_level"
]

# 2️⃣  Load data ➜ *headerless* CSV
train_url = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Train.csv"
test_url  = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Test.csv"

df_train = pd.read_csv(train_url, header=None, names=col_names)
df_test  = pd.read_csv(test_url,  header=None, names=col_names)

# 3️⃣  Encode the 3 nominal features
for col in ['protocol_type', 'service', 'flag']:
le = LabelEncoder().fit(pd.concat([df_train[col], df_test[col]]))
df_train[col] = le.transform(df_train[col])
df_test[col]  = le.transform(df_test[col])

# 4️⃣  Prepare X / y   (binary: 0 = normal, 1 = attack)
X_train = df_train.drop(columns=['class', 'difficulty_level'])
y_train = (df_train['class'].str.lower() != 'normal').astype(int)

X_test  = df_test.drop(columns=['class', 'difficulty_level'])
y_test  = (df_test['class'].str.lower() != 'normal').astype(int)

# 5️⃣  Train Decision‑Tree
clf = DecisionTreeClassifier(max_depth=10, random_state=42)
clf.fit(X_train, y_train)

# 6️⃣  Evaluate
y_pred = clf.predict(X_test)
y_prob = clf.predict_proba(X_test)[:, 1]

print(f"Accuracy : {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall   : {recall_score(y_test, y_pred):.3f}")
print(f"F1‑score : {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC  : {roc_auc_score(y_test, y_prob):.3f}")


"""
Accuracy : 0.772
Precision: 0.967
Recall   : 0.621
F1‑score : 0.756
ROC AUC  : 0.758
"""

In hierdie besluitboomvoorbeeld het ons die diepte van die boom tot 10 beperk om uiterste oorpassing te vermy (die max_depth=10 parameter). Die metings toon hoe goed die boom normale teenoor aanvalverkeer onderskei. 'n Hoë terugroep sou beteken dat dit die meeste aanvalle vang (belangrik vir 'n IDS), terwyl hoë presisie beteken dat daar min vals alarms is. Besluitbome bereik dikwels redelike akkuraatheid op gestruktureerde data, maar 'n enkele boom mag nie die beste moontlike prestasie bereik nie. Nietemin is die interpreteerbaarheid van die model 'n groot voordeel -- ons kon die boom se splitsings ondersoek om te sien, byvoorbeeld, watter kenmerke (bv. service, src_bytes, ens.) die mees invloedryk is in die merk van 'n verbinding as kwaadwillig.

import pandas as pd
from sklearn.preprocessing import LabelEncoder
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import (accuracy_score, precision_score,
recall_score, f1_score, roc_auc_score)

# ──────────────────────────────────────────────
# 1. LOAD DATA  ➜  files have **no header row**, so we
#                 pass `header=None` and give our own column names.
# ──────────────────────────────────────────────
col_names = [                       # 41 features + 2 targets
"duration","protocol_type","service","flag","src_bytes","dst_bytes","land",
"wrong_fragment","urgent","hot","num_failed_logins","logged_in",
"num_compromised","root_shell","su_attempted","num_root","num_file_creations",
"num_shells","num_access_files","num_outbound_cmds","is_host_login",
"is_guest_login","count","srv_count","serror_rate","srv_serror_rate",
"rerror_rate","srv_rerror_rate","same_srv_rate","diff_srv_rate",
"srv_diff_host_rate","dst_host_count","dst_host_srv_count",
"dst_host_same_srv_rate","dst_host_diff_srv_rate",
"dst_host_same_src_port_rate","dst_host_srv_diff_host_rate",
"dst_host_serror_rate","dst_host_srv_serror_rate","dst_host_rerror_rate",
"dst_host_srv_rerror_rate","class","difficulty_level"
]

train_url = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Train.csv"
test_url  = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Test.csv"

df_train = pd.read_csv(train_url, header=None, names=col_names)
df_test  = pd.read_csv(test_url,  header=None, names=col_names)

# ──────────────────────────────────────────────
# 2. PRE‑PROCESSING
# ──────────────────────────────────────────────
# 2‑a) Encode the three categorical columns so that the model
#      receives integers instead of strings.
#      LabelEncoder gives an int to each unique value in the column: {'icmp':0, 'tcp':1, 'udp':2}
for col in ['protocol_type', 'service', 'flag']:
le = LabelEncoder().fit(pd.concat([df_train[col], df_test[col]]))
df_train[col] = le.transform(df_train[col])
df_test[col]  = le.transform(df_test[col])

# 2‑b) Build feature matrix X  (drop target & difficulty)
X_train = df_train.drop(columns=['class', 'difficulty_level'])
X_test  = df_test.drop(columns=['class', 'difficulty_level'])

# 2‑c) Convert multi‑class labels to binary
#      label 0 → 'normal' traffic, label 1 → any attack
y_train = (df_train['class'].str.lower() != 'normal').astype(int)
y_test  = (df_test['class'].str.lower() != 'normal').astype(int)

# ──────────────────────────────────────────────
# 3. MODEL: RANDOM FOREST
# ──────────────────────────────────────────────
# • n_estimators = 100 ➜ build 100 different decision‑trees.
# • max_depth=None  ➜ let each tree grow until pure leaves
#                    (or until it hits other stopping criteria).
# • random_state=42 ➜ reproducible randomness.
model = RandomForestClassifier(
n_estimators=100,
max_depth=None,
random_state=42,
bootstrap=True          # default: each tree is trained on a
# bootstrap sample the same size as
# the original training set.
# max_samples           # ← you can set this (float or int) to
#     use a smaller % of samples per tree.
)

model.fit(X_train, y_train)

# ──────────────────────────────────────────────
# 4. EVALUATION
# ──────────────────────────────────────────────
y_pred = model.predict(X_test)
y_prob = model.predict_proba(X_test)[:, 1]

print(f"Accuracy : {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall   : {recall_score(y_test, y_pred):.3f}")
print(f"F1‑score : {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC  : {roc_auc_score(y_test, y_prob):.3f}")

"""
Accuracy:  0.770
Precision: 0.966
Recall:    0.618
F1-score:  0.754
ROC AUC:   0.962
"""

Die random forest bereik tipies sterk resultate op hierdie indringingdetectietaak. Ons mag 'n verbetering in metrieke soos F1 of AUC waarneem in vergelyking met die enkele besluitboom, veral in terugroep of presisie, afhangende van die data. Dit stem ooreen met die begrip dat "Random Forest (RF) is 'n ensemble klassifiseerder en presteer goed in vergelyking met ander tradisionele klassifiseerders vir effektiewe klassifikasie van aanvalle.". In 'n sekuriteitsoperasionele konteks mag 'n random forest-model meer betroubaar aanvalle merk terwyl dit vals alarm verminder, danksy die gemiddelde van baie besluitreëls. Kenmerkbelangrikheid uit die woud kan ons vertel watter netwerkkenmerke die mees aanduidende van aanvalle is (bv. sekere netwerkdienste of ongewone tellings van pakkette).

import pandas as pd
from sklearn.datasets import fetch_openml
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import StandardScaler
from sklearn.svm import SVC
from sklearn.metrics import (accuracy_score, precision_score,
recall_score, f1_score, roc_auc_score)

# ─────────────────────────────────────────────────────────────
# 1️⃣  LOAD DATASET   (OpenML id 4534: “PhishingWebsites”)
#     • as_frame=True  ➜  returns a pandas DataFrame
# ─────────────────────────────────────────────────────────────
data = fetch_openml(data_id=4534, as_frame=True)   # or data_name="PhishingWebsites"
df   = data.frame
print(df.head())          # quick sanity‑check

# ─────────────────────────────────────────────────────────────
# 2️⃣  TARGET: 0 = legitimate, 1 = phishing
#     The raw column has values {1, 0, -1}:
#       1  → legitimate   → 0
#       0  &  -1          → phishing    → 1
# ─────────────────────────────────────────────────────────────
y = (df["Result"].astype(int) != 1).astype(int)
X = df.drop(columns=["Result"])

# Train / test split  (stratified keeps class proportions)
X_train, X_test, y_train, y_test = train_test_split(
X, y, test_size=0.20, random_state=42, stratify=y)

# ─────────────────────────────────────────────────────────────
# 3️⃣  PRE‑PROCESS: Standardize features (mean‑0 / std‑1)
# ─────────────────────────────────────────────────────────────
scaler = StandardScaler()
X_train = scaler.fit_transform(X_train)
X_test  = scaler.transform(X_test)

# ─────────────────────────────────────────────────────────────
# 4️⃣  MODEL: RBF‑kernel SVM
#     • C=1.0         (regularization strength)
#     • gamma='scale' (1 / [n_features × var(X)])
#     • probability=True  → enable predict_proba for ROC‑AUC
# ─────────────────────────────────────────────────────────────
clf = SVC(kernel="rbf", C=1.0, gamma="scale",
probability=True, random_state=42)
clf.fit(X_train, y_train)

# ─────────────────────────────────────────────────────────────
# 5️⃣  EVALUATION
# ─────────────────────────────────────────────────────────────
y_pred = clf.predict(X_test)
y_prob = clf.predict_proba(X_test)[:, 1]   # P(class 1)

print(f"Accuracy : {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall   : {recall_score(y_test, y_pred):.3f}")
print(f"F1‑score : {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC  : {roc_auc_score(y_test, y_prob):.3f}")

"""
Accuracy : 0.956
Precision: 0.963
Recall   : 0.937
F1‑score : 0.950
ROC AUC  : 0.989
"""

Die SVM-model sal metrieke lewer wat ons kan vergelyk met logistieke regressie op dieselfde taak. Ons mag vind dat SVM 'n hoë akkuraatheid en AUC bereik as die data goed geskei is deur die kenmerke. Aan die ander kant, as die datastel baie geraas of oorvleuelende klasse gehad het, mag SVM nie beduidend beter presteer as logistieke regressie nie. In praktyk kan SVM's 'n hupstoot gee wanneer daar komplekse, nie-lineêre verhoudings tussen kenmerke en klas is -- die RBF-kern kan gebuigde besluitgrense vasvang wat logistieke regressie sou mis. Soos met alle modelle, is versigtige afstemming van die C (regulering) en kernparameters (soos gamma vir RBF) nodig om vooroordeel en variasie te balanseer.

import pandas as pd
from sklearn.naive_bayes import GaussianNB
from sklearn.metrics import accuracy_score, precision_score, recall_score, f1_score, roc_auc_score

# 1. Load NSL-KDD data
col_names = [                       # 41 features + 2 targets
"duration","protocol_type","service","flag","src_bytes","dst_bytes","land",
"wrong_fragment","urgent","hot","num_failed_logins","logged_in",
"num_compromised","root_shell","su_attempted","num_root","num_file_creations",
"num_shells","num_access_files","num_outbound_cmds","is_host_login",
"is_guest_login","count","srv_count","serror_rate","srv_serror_rate",
"rerror_rate","srv_rerror_rate","same_srv_rate","diff_srv_rate",
"srv_diff_host_rate","dst_host_count","dst_host_srv_count",
"dst_host_same_srv_rate","dst_host_diff_srv_rate",
"dst_host_same_src_port_rate","dst_host_srv_diff_host_rate",
"dst_host_serror_rate","dst_host_srv_serror_rate","dst_host_rerror_rate",
"dst_host_srv_rerror_rate","class","difficulty_level"
]

train_url = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Train.csv"
test_url  = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Test.csv"

df_train = pd.read_csv(train_url, header=None, names=col_names)
df_test  = pd.read_csv(test_url,  header=None, names=col_names)

# 2. Preprocess (encode categorical features, prepare binary labels)
from sklearn.preprocessing import LabelEncoder
for col in ['protocol_type', 'service', 'flag']:
le = LabelEncoder()
le.fit(pd.concat([df_train[col], df_test[col]], axis=0))
df_train[col] = le.transform(df_train[col])
df_test[col]  = le.transform(df_test[col])
X_train = df_train.drop(columns=['class', 'difficulty_level'], errors='ignore')
y_train = df_train['class'].apply(lambda x: 0 if x.strip().lower() == 'normal' else 1)
X_test  = df_test.drop(columns=['class', 'difficulty_level'], errors='ignore')
y_test  = df_test['class'].apply(lambda x: 0 if x.strip().lower() == 'normal' else 1)

# 3. Train Gaussian Naive Bayes
model = GaussianNB()
model.fit(X_train, y_train)

# 4. Evaluate on test set
y_pred = model.predict(X_test)
# For ROC AUC, need probability of class 1:
y_prob = model.predict_proba(X_test)[:, 1] if hasattr(model, "predict_proba") else y_pred
print(f"Accuracy:  {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall:    {recall_score(y_test, y_pred):.3f}")
print(f"F1-score:  {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC:   {roc_auc_score(y_test, y_prob):.3f}")

"""
Accuracy:  0.450
Precision: 0.937
Recall:    0.037
F1-score:  0.071
ROC AUC:   0.867
"""

Hierdie kode leer 'n Naive Bayes klassifiseerder om aanvalle te detecteer. Naive Bayes sal dinge soos P(service=http | Attack) en P(Service=http | Normal) bereken op grond van die opleidingsdata, met die aanname van onafhanklikheid tussen eienskappe. Dit sal dan hierdie waarskynlikhede gebruik om nuwe verbintenisse as normaal of aanval te klassifiseer op grond van die waargeneem eienskappe. Die prestasie van NB op NSL-KDD mag nie so hoog wees soos meer gevorderde modelle nie (aangesien eienskap onafhanklikheid oortree word), maar dit is dikwels aanvaarbaar en kom met die voordeel van uiterste spoed. In scenario's soos regstreekse e-posfiltrering of aanvanklike triage van URL's, kan 'n Naive Bayes-model vinnig duidelik kwaadwillige gevalle merk met lae hulpbronverbruik.

Ons sal weer NSL-KDD gebruik (binariese klassifikasie). Omdat k-NN rekenaarintensief is, sal ons 'n subset van die opleidingsdata gebruik om dit hanteerbaar te hou in hierdie demonstrasie. Ons sal sê, 20,000 opleidingsmonsters uit die volle 125k kies, en k=5 bure gebruik. Na opleiding (werklik net die data stoor), sal ons op die toetsstel evalueer. Ons sal ook eienskappe skaal vir afstandsberekening om te verseker dat geen enkele eienskap oorheers weens skaal.

import pandas as pd
from sklearn.neighbors import KNeighborsClassifier
from sklearn.metrics import accuracy_score, precision_score, recall_score, f1_score, roc_auc_score

# 1. Load NSL-KDD and preprocess similarly
col_names = [                       # 41 features + 2 targets
"duration","protocol_type","service","flag","src_bytes","dst_bytes","land",
"wrong_fragment","urgent","hot","num_failed_logins","logged_in",
"num_compromised","root_shell","su_attempted","num_root","num_file_creations",
"num_shells","num_access_files","num_outbound_cmds","is_host_login",
"is_guest_login","count","srv_count","serror_rate","srv_serror_rate",
"rerror_rate","srv_rerror_rate","same_srv_rate","diff_srv_rate",
"srv_diff_host_rate","dst_host_count","dst_host_srv_count",
"dst_host_same_srv_rate","dst_host_diff_srv_rate",
"dst_host_same_src_port_rate","dst_host_srv_diff_host_rate",
"dst_host_serror_rate","dst_host_srv_serror_rate","dst_host_rerror_rate",
"dst_host_srv_rerror_rate","class","difficulty_level"
]

train_url = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Train.csv"
test_url  = "https://raw.githubusercontent.com/Mamcose/NSL-KDD-Network-Intrusion-Detection/master/NSL_KDD_Test.csv"

df_train = pd.read_csv(train_url, header=None, names=col_names)
df_test  = pd.read_csv(test_url,  header=None, names=col_names)

from sklearn.preprocessing import LabelEncoder
for col in ['protocol_type', 'service', 'flag']:
le = LabelEncoder()
le.fit(pd.concat([df_train[col], df_test[col]], axis=0))
df_train[col] = le.transform(df_train[col])
df_test[col]  = le.transform(df_test[col])
X = df_train.drop(columns=['class', 'difficulty_level'], errors='ignore')
y = df_train['class'].apply(lambda x: 0 if x.strip().lower() == 'normal' else 1)
# Use a random subset of the training data for K-NN (to reduce computation)
X_train = X.sample(n=20000, random_state=42)
y_train = y[X_train.index]
# Use the full test set for evaluation
X_test = df_test.drop(columns=['class', 'difficulty_level'], errors='ignore')
y_test = df_test['class'].apply(lambda x: 0 if x.strip().lower() == 'normal' else 1)

# 2. Feature scaling for distance-based model
from sklearn.preprocessing import StandardScaler
scaler = StandardScaler()
X_train = scaler.fit_transform(X_train)
X_test  = scaler.transform(X_test)

# 3. Train k-NN classifier (store data)
model = KNeighborsClassifier(n_neighbors=5, n_jobs=-1)
model.fit(X_train, y_train)

# 4. Evaluate on test set
y_pred = model.predict(X_test)
y_prob = model.predict_proba(X_test)[:, 1]
print(f"Accuracy:  {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall:    {recall_score(y_test, y_pred):.3f}")
print(f"F1-score:  {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC:   {roc_auc_score(y_test, y_prob):.3f}")

"""
Accuracy:  0.780
Precision: 0.972
Recall:    0.632
F1-score:  0.766
ROC AUC:   0.837
"""

Die k-NN-model sal 'n verbinding klassifiseer deur na die 5 naaste verbindings in die opleidingsstel-substel te kyk. As, byvoorbeeld, 4 van daardie bure aanvalle (anomalië) is en 1 normaal is, sal die nuwe verbinding as 'n aanval geklassifiseer word. Die prestasie mag redelik wees, hoewel dit dikwels nie so hoog is soos 'n goed-afgestemde Random Forest of SVM op dieselfde data nie. egter, k-NN kan soms uitblink wanneer die klasverspreidings baie onreëlmatig en kompleks is -- effektief 'n geheue-gebaseerde soektog gebruik. In kuberveiligheid kan k-NN (met k=1 of klein k) gebruik word vir die opsporing van bekende aanvalpatrone deur voorbeeld, of as 'n komponent in meer komplekse stelsels (bv. vir clustering en dan klassifisering gebaseer op klusterlidmaatskap).

Gradient Boosting Machines (bv. XGBoost)

Gradient Boosting Machines is onder die kragtigste algoritmes vir gestruktureerde data. Gradient boosting verwys na die tegniek om 'n ensemble van swak leerders (dikwels besluitbome) op 'n opeenvolgende manier te bou, waar elke nuwe model die foute van die vorige ensemble regstel. Anders as bagging (Random Forests) wat bome parallel bou en hulle gemiddeld, bou boosting bome een vir een, elkeen wat meer fokus op die voorbeelde wat vorige bome verkeerd voorspel het.

Die gewildste implementasies in onlangse jare is XGBoost, LightGBM, en CatBoost, wat almal gradient boosting besluitboom (GBDT) biblioteke is. Hulle was uiters suksesvol in masjienleerkompetisies en toepassings, dikwels met 'n toonaangewende prestasie op tabeldata. In kuberveiligheid het navorsers en praktisyns gradient gebootste bome gebruik vir take soos malware opsporing (met funksies wat uit lêers of runtime gedrag onttrek is) en netwerk indringing opsporing. Byvoorbeeld, 'n gradient boosting model kan baie swak reëls (bome) soos "as baie SYN-pakkette en ongewone poort -> waarskynlik skandering" kombineer in 'n sterk saamgestelde detektor wat rekening hou met baie subtiele patrone.

Waarom is gebootste bome so effektief? Elke boom in die reeks word op die residuele foute (gradiënte) van die huidige ensemble se voorspellings opgelei. Op hierdie manier "versterk" die model geleidelik die areas waar dit swak is. Die gebruik van besluitbome as basisleerders beteken dat die finale model komplekse interaksies en nie-lineêre verhoudings kan vasvang. Ook, boosting het inherent 'n vorm van ingeboude regularisering: deur baie klein bome by te voeg (en 'n leerkoers te gebruik om hul bydraes te skaal), generaliseer dit dikwels goed sonder groot oorpassing, solank behoorlike parameters gekies word.

Belangrike kenmerke van Gradient Boosting:

• Tipe Probleem: Primêr klassifikasie en regressie. In sekuriteit, gewoonlik klassifikasie (bv. binêre klassifisering van 'n verbinding of lêer). Dit hanteer binêre, multi-klas (met toepaslike verlies), en selfs rangorde probleme.

• Interpretasie: Lae tot medium. Terwyl 'n enkele gebootste boom klein is, kan 'n volle model honderde bome hê, wat nie menslik interpreteerbaar is as 'n geheel nie. egter, soos Random Forest, kan dit funksiebelangrikheidsskorings verskaf, en gereedskap soos SHAP (SHapley Additive exPlanations) kan gebruik word om individuele voorspellings tot 'n sekere mate te interpreteer.

• Voordele: Dikwels die beste presterende algoritme vir gestruktureerde/tabeldata. Kan komplekse patrone en interaksies opspoor. Het baie afstelknoppies (aantal bome, diepte van bome, leerkoers, regulariseringsterme) om modelkompleksiteit aan te pas en oorpassing te voorkom. Moderne implementasies is geoptimaliseer vir spoed (bv. XGBoost gebruik tweede-orde gradiëntinligting en doeltreffende datastrukture). Geneig om ongebalanseerde data beter te hanteer wanneer dit gekombineer word met toepaslike verliesfunksies of deur monstergewigte aan te pas.

• Beperkings: Meer kompleks om af te stel as eenvoudiger modelle; opleiding kan stadig wees as bome diep is of die aantal bome groot is (alhoewel dit steeds gewoonlik vinniger is as om 'n vergelykbare diep neurale netwerk op dieselfde data op te lei). Die model kan oorpas as dit nie afgestel word nie (bv. te veel diepe bome met onvoldoende regularisering). Vanweë baie hiperparameters, kan die effektiewe gebruik van gradient boosting meer kundigheid of eksperimente vereis. Ook, soos boomgebaseerde metodes, hanteer dit nie inherent baie spaarsame hoë-dimensionele data so doeltreffend soos lineêre modelle of Naive Bayes nie (alhoewel dit steeds toegepas kan word, bv. in teksklassifikasie, maar mag nie die eerste keuse wees sonder kenmerkingenieering).

import pandas as pd
from sklearn.datasets import fetch_openml
from sklearn.model_selection import train_test_split
from sklearn.ensemble import GradientBoostingClassifier
from sklearn.metrics import accuracy_score, precision_score, recall_score, f1_score, roc_auc_score

# 1️⃣ Load the “Phishing Websites” data directly from OpenML
data = fetch_openml(data_id=4534, as_frame=True)   # or data_name="PhishingWebsites"
df   = data.frame

# 2️⃣ Separate features/target & make sure everything is numeric
X = df.drop(columns=["Result"])
y = df["Result"].astype(int).apply(lambda v: 1 if v == 1 else 0)  # map {-1,1} → {0,1}

# (If any column is still object‑typed, coerce it to numeric.)
X = X.apply(pd.to_numeric, errors="coerce").fillna(0)

# 3️⃣ Train/test split
X_train, X_test, y_train, y_test = train_test_split(
X.values, y, test_size=0.20, random_state=42
)

# 4️⃣ Gradient Boosting model
model = GradientBoostingClassifier(
n_estimators=100, learning_rate=0.1, max_depth=3, random_state=42
)
model.fit(X_train, y_train)

# 5️⃣ Evaluation
y_pred = model.predict(X_test)
y_prob = model.predict_proba(X_test)[:, 1]

print(f"Accuracy:  {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall:    {recall_score(y_test, y_pred):.3f}")
print(f"F1‑score:  {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC:   {roc_auc_score(y_test, y_prob):.3f}")

"""
Accuracy:  0.951
Precision: 0.949
Recall:    0.965
F1‑score:  0.957
ROC AUC:   0.990
"""

Kombinasie van Modelle: Ensemble Leer en Stacking

Ensemble leer is 'n strategie van die kombinasie van verskeie modelle om die algehele prestasie te verbeter. Ons het reeds spesifieke ensemble metodes gesien: Random Forest (‘n ensemble van bome via bagging) en Gradient Boosting (‘n ensemble van bome via sekwensiële boosting). Maar ensembles kan ook op ander maniere geskep word, soos stemensembles of gestapelde generalisering (stacking). Die hoofidee is dat verskillende modelle verskillende patrone kan vasvang of verskillende swakhede kan hê; deur hulle te kombineer, kan ons elke model se foute met 'n ander se sterkpunte kompenseer.

• Stem Ensemble: In 'n eenvoudige stemklassifiseerder, oplei ons verskeie diverse modelle (sê, 'n logistieke regressie, 'n besluitboom, en 'n SVM) en laat hulle stem oor die finale voorspelling (meerderheidsstem vir klassifikasie). As ons die stemme gewig (bv. hoër gewig aan meer akkurate modelle), is dit 'n gewigte stemskema. Dit verbeter tipies die prestasie wanneer die individuele modelle redelik goed en onafhanklik is -- die ensemble verminder die risiko van 'n individuele model se fout aangesien ander dit kan regstel. Dit is soos om 'n paneel van kundiges te hê eerder as 'n enkele mening.

• Stacking (Gestapelde Ensemble): Stacking gaan 'n stap verder. In plaas van 'n eenvoudige stem, oplei dit 'n meta-model om te leer hoe om die voorspellinge van basismodelle die beste te kombineer. Byvoorbeeld, jy oplei 3 verskillende klassifiseerders (basisleerlinge), dan voer jy hul uitsette (of waarskynlikhede) as kenmerke in 'n meta-klassifiseerder (dikwels 'n eenvoudige model soos logistieke regressie) wat die optimale manier leer om hulle te meng. Die meta-model word op 'n validasieset of via kruisvalidasie opgelei om oorpassing te vermy. Stacking kan dikwels beter presteer as eenvoudige stem deur te leer watter modelle meer vertrou kan word in watter omstandighede. In kuberveiligheid kan een model beter wees om netwerk skanderings op te vang terwyl 'n ander beter is om malware sein te vang; 'n stacking model kan leer om elkeen toepaslik te vertrou.

Ensembles, of dit nou deur stem of stacking is, geneig om akkuraatheid en robuustheid te verhoog. Die nadeel is verhoogde kompleksiteit en soms verminderde interpreteerbaarheid (alhoewel sommige ensemble benaderings soos 'n gemiddelde van besluitbome steeds 'n bietjie insig kan bied, bv. kenmerk belangrikheid). In praktyk, as operasionele beperkings dit toelaat, kan die gebruik van 'n ensemble lei tot hoër opsporingskoerse. Baie wenoplossings in kuberveiligheid uitdagings (en Kaggle kompetisies in die algemeen) gebruik ensemble tegnieke om die laaste bietjie prestasie te verknies.

import pandas as pd
from sklearn.datasets import fetch_openml
from sklearn.model_selection import train_test_split
from sklearn.pipeline import make_pipeline
from sklearn.preprocessing import StandardScaler
from sklearn.linear_model import LogisticRegression
from sklearn.tree import DecisionTreeClassifier
from sklearn.neighbors import KNeighborsClassifier
from sklearn.ensemble import StackingClassifier, RandomForestClassifier
from sklearn.metrics import (accuracy_score, precision_score,
recall_score, f1_score, roc_auc_score)

# ──────────────────────────────────────────────
# 1️⃣  LOAD DATASET (OpenML id 4534)
# ──────────────────────────────────────────────
data = fetch_openml(data_id=4534, as_frame=True)     # “PhishingWebsites”
df   = data.frame

# Target mapping:  1 → legitimate (0),   0/‑1 → phishing (1)
y = (df["Result"].astype(int) != 1).astype(int)
X = df.drop(columns=["Result"])

# Train / test split (stratified to keep class balance)
X_train, X_test, y_train, y_test = train_test_split(
X, y, test_size=0.20, random_state=42, stratify=y)

# ──────────────────────────────────────────────
# 2️⃣  DEFINE BASE LEARNERS
#     • LogisticRegression and k‑NN need scaling ➜ wrap them
#       in a Pipeline(StandardScaler → model) so that scaling
#       happens inside each CV fold of StackingClassifier.
# ──────────────────────────────────────────────
base_learners = [
('lr',  make_pipeline(StandardScaler(),
LogisticRegression(max_iter=1000,
solver='lbfgs',
random_state=42))),
('dt',  DecisionTreeClassifier(max_depth=5, random_state=42)),
('knn', make_pipeline(StandardScaler(),
KNeighborsClassifier(n_neighbors=5)))
]

# Meta‑learner (level‑2 model)
meta_learner = RandomForestClassifier(n_estimators=50, random_state=42)

stack_model = StackingClassifier(
estimators      = base_learners,
final_estimator = meta_learner,
cv              = 5,        # 5‑fold CV to create meta‑features
passthrough     = False     # only base learners’ predictions go to meta‑learner
)

# ──────────────────────────────────────────────
# 3️⃣  TRAIN ENSEMBLE
# ──────────────────────────────────────────────
stack_model.fit(X_train, y_train)

# ──────────────────────────────────────────────
# 4️⃣  EVALUATE
# ──────────────────────────────────────────────
y_pred = stack_model.predict(X_test)
y_prob = stack_model.predict_proba(X_test)[:, 1]   # P(phishing)

print(f"Accuracy : {accuracy_score(y_test, y_pred):.3f}")
print(f"Precision: {precision_score(y_test, y_pred):.3f}")
print(f"Recall   : {recall_score(y_test, y_pred):.3f}")
print(f"F1‑score : {f1_score(y_test, y_pred):.3f}")
print(f"ROC AUC  : {roc_auc_score(y_test, y_prob):.3f}")

"""
Accuracy : 0.954
Precision: 0.951
Recall   : 0.946
F1‑score : 0.948
ROC AUC  : 0.992
"""

Verwysings

• https://madhuramiah.medium.com/logistic-regression-6e55553cc003
• https://www.geeksforgeeks.org/decision-tree-introduction-example/
• https://rjwave.org/ijedr/viewpaperforall.php?paper=IJEDR1703132
• https://www.ibm.com/think/topics/support-vector-machine
• https://en.m.wikipedia.org/wiki/Naive_Bayes_spam_filtering
• https://medium.com/@rupalipatelkvc/gbdt-demystified-how-lightgbm-xgboost-and-catboost-work-9479b7262644
• https://zvelo.com/ai-and-machine-learning-in-cybersecurity/
• https://medium.com/@chaandram/linear-regression-explained-28d5bf1934ae
• https://cybersecurity.springeropen.com/articles/10.1186/s42400-021-00103-8
• https://www.ibm.com/think/topics/knn
• https://www.ibm.com/think/topics/knn
• https://arxiv.org/pdf/2101.02552
• https://cybersecurity-magazine.com/how-deep-learning-enhances-intrusion-detection-systems/
• https://cybersecurity-magazine.com/how-deep-learning-enhances-intrusion-detection-systems/
• https://medium.com/@sarahzouinina/ensemble-learning-boosting-model-performance-by-combining-strengths-02e56165b901
• https://medium.com/@sarahzouinina/ensemble-learning-boosting-model-performance-by-combining-strengths-02e56165b901