Machine Learning · Network Security · Python
AI-Based Network Attack Classifier
A multi-class ML classifier trained on 220,000 real network payloads to detect and categorise cyber attack types — Brute Force, SQL Injection, XSS, and System Command Execution — without relying on static signature rules.
Python scikit-learn XGBoost Random Forest Pandas Feature Engineering Nov – Dec 2024
220K
Network payloads
92.6%
Best model accuracy
9
Engineered features
3
Models compared
Project Overview

Traditional network security systems rely on rule-based signature matching — a brittle approach that requires constant manual updates and fails to detect novel attack variants. This project replaces that approach with a machine learning classifier trained on raw HTTP payloads from network security appliance logs.

The model classifies each payload into one of five categories: Brute Force, Cross-Site Scripting, SQL Injection, System Command Execution, or Normal. The system was developed as part of the AI Security Operations (AI-SOC) specialist training programme in South Korea.

Dataset
LabelAttack TypeCount% of Total
Brute_ForceCredential stuffing via automated tools (Hydra); 100% POST requests135,03761.4%
normalLegitimate traffic baseline44,00020.0%
Cross_Site_ScriptingXSS via scanner tools (Arachni, Nikto); 97% GET requests16,5427.5%
SQL_InjectionSQLmap-driven injection attempts; HTTP/1.1 only12,5255.7%
System_Cmd_ExecutionOS command injection; identified via Connector user-agent11,8965.4%
Total220,000100%
Feature Engineering

Rather than vectorising raw text (computationally expensive at this scale), we performed statistical frequency analysis across label-payload pairs to identify keywords that appeared with high discriminative frequency for specific attack classes. 9 binary/categorical features were extracted from each payload string.

method
HTTP method (GET=1, POST=0)
Signal: Brute Force = 100% POST
ver
HTTP version (1.0=1, 1.1=0)
Signal: Brute Force skews HTTP/1.0
word
OS/tool keyword: hydra(1), linux(2), win(3), mac(4), nikto(5)
Signal: hydra → Brute Force exclusively
sql
Presence of "sqlmap" in payload (binary)
Signal: Strong indicator of SQL_Injection
ar
Presence of "arachni" scanner (binary)
Signal: XSS + SysCmd attacks
uid
Presence of "userid" parameter (binary)
Signal: Brute Force login targeting
zap
Presence of OWASP ZAP scanner (binary)
Signal: Active scanning / Brute Force
connector
Presence of "connector" user-agent (binary)
Signal: System_Cmd_Execution only
apple
Presence of "applewebkit" user-agent (binary)
Signal: Normal traffic distinguisher
Preprocessing Pipeline
# Feature extraction and encoding pipeline def prepro(data): # Structural features from payload token positions data['method'] = data['payload'].str.split().str[0] # GET / POST data['ver'] = data['payload'].str.split().str[1] # HTTP version # Keyword-based binary feature extraction data['sql'] = data['payload'].apply(add_sql) # sqlmap presence data['word'] = data['payload'].apply(add_word) # OS/tool keyword data['ar'] = data['payload'].apply(add_ar) # arachni scanner data['uid'] = data['payload'].apply(add_uid) # userid param data['connector'] = data['payload'].apply(add_con) # connector UA data['zap'] = data['payload'].apply(add_zap) # ZAP scanner data['apple'] = data['payload'].apply(add_apple) # AppleWebKit UA # Label encoding data['ver'] = data['ver'].map({'HTTP/1.1':0, 'HTTP/1.0':1}) data['method'] = data['method'].map({'POST':0, 'GET':1}) return data[['method','ver','word','uid','ar','sql','connector','zap','apple']], tg
Model Training
Training Setup
ParameterValue
Train / Test Split80% / 20% (stratified by label)
Random Seed42
Test Set Size44,000 samples
StratificationPreserved class distribution across splits
HardwareIntel i9-13900, 64GB RAM, RTX 4070
EnvironmentPython 3.12.7 · Anaconda · Jupyter Lab
Algorithm Selection — Why Random Forest

Three classifiers were evaluated. Random Forest (bagging ensemble) was selected as the primary model because it outperformed both XGBoost and Logistic Regression in overall accuracy, while training significantly faster. The bagging approach — randomly sampling subsets of data and averaging results across parallel trees — proved more stable than voting-based ensembles for this imbalanced dataset.

Results
Model Accuracy Comparison
Random Forest
92.6%
XGBoost
92.6%
Logistic Regression
91.7%
Random Forest — Per-Class Classification Report (Test Set: 44,000 samples)
ClassPrecisionRecallF1-ScoreSupport
Brute_Force 0.991.000.99 27,008
normal 0.930.990.96 8,800
SQL_Injection 1.000.870.93 2,505
Cross_Site_Scripting 0.550.870.67 3,308
System_Cmd_Execution 1.000.020.04 2,379
Weighted Avg 0.950.930.91 44,000
Known Limitations
System_Cmd_Execution — Recall: 0.02
The model almost completely missed System Command Execution attacks (recall = 0.02, F1 = 0.04). This is a consequence of the keyword-based feature engineering approach — the connector feature, while unique to this class, was insufficient as a sole discriminator. The class is also the smallest in the dataset (5.4%), amplifying the imbalance effect.
Class Imbalance
Brute Force accounts for 61.4% of samples, pulling overall accuracy upward. The weighted average F1 of 0.91 is flattered by Brute Force's F1 of 0.99. The macro average F1 of 0.72 is a more accurate representation of true cross-class performance.
Future Improvements