A machine learning and reinforcement learning-based intrusion detection system designed for Windows environments with real-time monitoring capabilities.
- 🔍 Real-time network traffic monitoring
- 🧠 Neural network-based intrusion detection
- 🤖 Reinforcement learning for adaptive thresholds
- 🚨 Detect multiple attack types: DOS, Probe, R2L, U2R
- 📊 Professional dashboard with visualizations
- 🛡️ Traffic generation and simulation capabilities
- 🔄 Bridge and Monitor components for flexible deployment
- 📈 Self-learning capabilities through RL feedback
```bash
pip install WinIDS
```

```bash
git clone https://github.com/yourusername/WinIDS.git
cd WinIDS
pip install -e .
```

WinIDS provides both command-line tools and Python library components.
- Start the Monitor:

  ```bash
  WinIDS-monitor --host localhost --port 5000
  ```

- Start the Bridge (traffic generator):

  ```bash
  WinIDS-bridge --monitor-host localhost --monitor-port 5000
  ```

- Launch the Dashboard:

  ```bash
  WinIDS-dashboard
  ```

- Test with Attack Panel (optional):

  ```bash
  WinIDS-attack-panel
  ```

```python
from WinIDS import FastIDS, IDSBridge, IDSMonitor

# Create and start the monitor
monitor = IDSMonitor(host="localhost", port=5000)
monitor.start()

# Create and start the bridge
bridge = IDSBridge(monitor_host="localhost", monitor_port=5000)
bridge.start()

# Create and start the IDS with reinforcement learning
ids = FastIDS(model_path="models/best_fast_model.h5",
              norm_params_path="models/normalization_params.json",
              use_rl=True)
ids.connect_to_bridge()
ids.start()

# Get current stats
stats = ids.get_stats()
print(f"Uptime: {stats['uptime']}s, Packets: {stats['total_packets']}, Alerts: {stats['alerts']}")

# Stop components when done
ids.stop()
bridge.stop()
monitor.stop()
```

`FastIDS`: the core intrusion detection engine, using neural network models with reinforcement learning capabilities.
```python
from WinIDS import FastIDS

ids = FastIDS(
    model_path="models/best_fast_model.h5",
    norm_params_path="models/normalization_params.json",
    threshold=0.7,
    bridge_host="localhost",
    bridge_port=5000,
    use_rl=True,
    rl_model_dir="./rl_models",
    rl_training_mode=True
)
```

`IDSMonitor`: the connection manager between the bridge and the IDS system.
```python
from WinIDS import IDSMonitor

monitor = IDSMonitor(
    host="localhost",
    port=5000,
    check_interval=1.0,
    traffic_file="data/traffic_log.json",
    disable_attacks=False
)
```

`IDSBridge`: the traffic generator that connects to the monitor.
```python
from WinIDS import IDSBridge

bridge = IDSBridge(
    monitor_host="localhost",
    monitor_port=5000,
    data_file="data/training_data.csv",
    synthetic=True
)
```

`ProDashboard`: the graphical user interface for the IDS system.
```python
from WinIDS import ProDashboard, FastIDS

ids = FastIDS(model_path="models/best_fast_model.h5", use_rl=True)
dashboard = ProDashboard(ids, dark_mode=True)
dashboard.run()
```

`AttackPanel`: a tool for generating test attacks.
```python
from WinIDS import AttackPanel

panel = AttackPanel(
    bridge_host="localhost",
    bridge_port=5000,
    dark_mode=True
)
panel.run()
```

WinIDS uses reinforcement learning to continuously adapt and optimize its detection capabilities:
The RL agent automatically adjusts detection thresholds based on:
- Historical attack patterns
- False positive rates
- System performance
```python
from WinIDS import FastIDS

# Create an IDS with reinforcement learning enabled
ids = FastIDS(
    model_path="models/best_fast_model.h5",
    use_rl=True,
    rl_model_dir="./custom_rl_models"
)

# RL will automatically adjust thresholds based on traffic patterns
ids.start()
```

You can provide explicit feedback to improve detection:
```python
# Example of providing feedback to the RL system
# (assumes `bridge` is an IDSBridge instance that has already been started)
feedback = {
    "alert_id": "alert-1234",
    "is_attack": True,  # True if this was indeed an attack, False if false positive
    "confidence": 0.85
}

# Send feedback (handled internally by the IDS)
bridge.send_feedback(feedback)
```

Specify where to store trained RL models:
```bash
WinIDS-dashboard --rl-model-dir /path/to/rl_models
```

WinIDS includes an attack simulator for testing the IDS system:
```python
from WinIDS.attack_simulator import simulate_attack

# Simulate a DOS attack with 75% intensity for 10 seconds
attack_data = simulate_attack(attack_type="dos", intensity=0.75, duration=10)

# Simulate a probe attack
probe_attack = simulate_attack(attack_type="probe", intensity=0.5, duration=5)
```

WinIDS provides scripts for training custom models:
```bash
python -m WinIDS.scripts.train_model --dataset your_data.csv --model-output models/custom_model.h5
```

```
usage: WinIDS-dashboard [-h] [--model MODEL] [--norm-params NORM_PARAMS]
                        [--threshold THRESHOLD] [--bridge-host BRIDGE_HOST]
                        [--bridge-port BRIDGE_PORT] [--light-mode]
                        [--disable-attacks] [--disable-rl]
                        [--rl-model-dir RL_MODEL_DIR] [--disable-rl-training]
```

```
usage: WinIDS-bridge [-h] [--monitor-host MONITOR_HOST]
                     [--monitor-port MONITOR_PORT] [--interval INTERVAL]
                     [--synthetic] [--data-file DATA_FILE]
```

```
usage: WinIDS-monitor [-h] [--host HOST] [--port PORT]
                      [--check-interval CHECK_INTERVAL]
                      [--traffic-file TRAFFIC_FILE] [--disable-attacks]
```

```
usage: WinIDS-attack-panel [-h] [--bridge-host BRIDGE_HOST]
                           [--bridge-port BRIDGE_PORT] [--light-mode]
```

WinIDS implements a Deep Q-Network (DQN) approach to optimize intrusion detection:
- State: The current system state includes metrics like false positive rate, attack distribution, and current threshold.
- Actions: The RL agent can adjust detection thresholds up or down with varying degrees.
- Rewards: The system receives rewards for:
  - Successfully detecting real attacks
  - Avoiding false positives
  - Maintaining an optimal balance between security and performance
- Training: The agent continuously learns from interactions with the network traffic and feedback.
- Adaptation: The system automatically adjusts to changing network conditions and attack patterns.

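
The state/action/reward loop above, reduced to a runnable sketch. This is an added example, not WinIDS code: it swaps the DQN for tabular Q-learning swept over every state/action pair, and the reward weights, function names and labelled feedback batch are all constructed assumptions.

```python
# Added illustration: tabular Q-learning, NOT WinIDS's DQN implementation.
# All names, costs and sample data below are constructed for this example.

THRESHOLDS = [i / 10 for i in range(1, 10)]   # state: current threshold 0.1 .. 0.9
ACTIONS = (-1, 0, 1)                          # lower, hold, raise by one step
TP_REWARD, FP_COST, FN_COST = 1, 1, 2         # assumed: a missed attack costs most

# Constructed feedback batch: (model score, analyst label is_attack)
FEEDBACK = [
    (0.05, False), (0.12, False), (0.22, False), (0.31, False),
    (0.38, False), (0.47, False), (0.58, False),
    (0.42, True), (0.63, True), (0.66, True),
    (0.81, True), (0.91, True), (0.96, True),
]

def batch_reward(threshold, feedback=FEEDBACK):
    """Reward detected attacks, penalise false positives and missed attacks."""
    reward = 0
    for score, is_attack in feedback:
        alerted = score >= threshold
        if alerted and is_attack:
            reward += TP_REWARD
        elif alerted:
            reward -= FP_COST
        elif is_attack:
            reward -= FN_COST
    return reward

def step(state, action):
    """Apply an action, clamping to the valid threshold range."""
    return min(max(state + action, 0), len(THRESHOLDS) - 1)

def train(sweeps=500, alpha=0.5, gamma=0.9):
    """Q-learning updates swept over every (state, action) pair."""
    q = [[0.0] * len(ACTIONS) for _ in THRESHOLDS]
    for _ in range(sweeps):
        for s in range(len(THRESHOLDS)):
            for i, a in enumerate(ACTIONS):
                nxt = step(s, a)
                target = batch_reward(THRESHOLDS[nxt]) + gamma * max(q[nxt])
                q[s][i] += alpha * (target - q[s][i])
    return q

def adapt(q, start=0.7, steps=20):
    """Follow the greedy policy from a starting threshold; return where it settles."""
    s = min(range(len(THRESHOLDS)), key=lambda i: abs(THRESHOLDS[i] - start))
    for _ in range(steps):
        s = step(s, ACTIONS[q[s].index(max(q[s]))])
    return THRESHOLDS[s]
```

On this batch the greedy policy walks 0.7 → 0.6 → 0.5 → 0.4: it passes through the lower-reward 0.5 step because the discounted return at 0.4 is higher than staying at the local optimum 0.6.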
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- Special thanks to all contributors
- Built with TensorFlow, NumPy, and other open-source libraries