Revaz-Gogashvili/DDoS-CNN-Vision

DDoS-Vision: CNN-Based Network Traffic Classification

Project Overview

This project implements a Convolutional Neural Network (CNN) to detect Distributed Denial of Service (DDoS) attacks. Using the CIC-IDS2017 dataset (225,746 rows), we convert 1D numerical logs into 2D grayscale images.

By treating network flows as spatial patterns, the CNN can identify malicious "burst" signatures that are often invisible to traditional linear models.

Theoretical Part: Binary-to-Image Conversion

The fundamental challenge is converting 1D CSV data into a 2D image format suitable for a CNN.

1. Windowing & Security-First Labeling

To capture a "snapshot" of activity, we group 150 consecutive rows into a single sample window.

  • Security Logic: If any row within the 150-row window contains a DDoS signature, the entire image is labeled as DDoS. This ensures the model learns to identify the specific malicious signal within the noise.

2. Reshaping and Z-Score Scaling

Features are standardized using Z-Score normalization to ensure high-variance network spikes are visible. Data is reshaped to 128×128×1 and normalized to a [0, 1] range:

$$\text{Side} = \lfloor \sqrt{L} \rfloor$$

$$x_{\text{normalized}} = \frac{x_{\text{raw}} - \mu}{\sigma}$$
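
The windowing, labeling and scaling steps above, as an added example that is not taken from the repository's ddos_cnn_vision.py. The 78-feature row width, the row-major layout with zero padding at the tail, the per-window min-max step and the zeroing of non-finite values are assumptions.

```python
import numpy as np

WINDOW, SIDE = 150, 128   # rows per window and image side, both from the README

def clean(rows):
    # Assumption: non-finite values (CIC-IDS2017 rate columns contain Infinity/NaN) become 0.
    return np.nan_to_num(np.asarray(rows, dtype=np.float64), nan=0.0, posinf=0.0, neginf=0.0)

def fit_scaler(train_rows):
    """Per-feature mean/std from training rows only, so test traffic cannot leak in."""
    train_rows = clean(train_rows)
    mu, sigma = train_rows.mean(axis=0), train_rows.std(axis=0)
    sigma[sigma == 0] = 1.0              # constant columns: avoid division by zero
    return mu, sigma

def padding_fraction(n_feat):
    """Share of each image that is zero padding rather than flow data."""
    return 1.0 - (WINDOW * n_feat) / (SIDE * SIDE)

def windows_to_images(rows, is_ddos, mu, sigma):
    """(n_rows, n_feat) flows -> (n_win, SIDE, SIDE, 1) images in [0, 1] plus window labels."""
    rows = clean(rows)
    n_win, n_feat = len(rows) // WINDOW, rows.shape[1]   # trailing partial window dropped
    if WINDOW * n_feat > SIDE * SIDE:
        raise ValueError("one window does not fit in a SIDE x SIDE image")
    z = ((rows[:n_win * WINDOW] - mu) / sigma).reshape(n_win, WINDOW * n_feat)
    lo, hi = z.min(axis=1, keepdims=True), z.max(axis=1, keepdims=True)
    z = (z - lo) / np.where(hi > lo, hi - lo, 1.0)       # per-window min-max (assumption)
    imgs = np.zeros((n_win, SIDE * SIDE), dtype=np.float32)
    imgs[:, :WINDOW * n_feat] = z                        # the rest stays zero padding
    # Security-first labeling: one DDoS row marks the whole window as DDoS.
    labels = np.asarray(is_ddos, dtype=bool)[:n_win * WINDOW].reshape(n_win, WINDOW).any(axis=1)
    return imgs.reshape(n_win, SIDE, SIDE, 1), labels.astype(np.int8)

def demo():
    """Constructed data: 450 rows x 78 features (assumed width), one DDoS row at index 200."""
    rng = np.random.default_rng(0)
    rows = rng.exponential(1000.0, size=(450, 78))
    rows[200] *= 50                                      # constructed burst row
    is_ddos = np.zeros(450, dtype=bool)
    is_ddos[200] = True
    mu, sigma = fit_scaler(rows[:300])                   # first 300 rows play the training split
    return windows_to_images(rows, is_ddos, mu, sigma)

if __name__ == "__main__":
    imgs, labels = demo()
    print(imgs.shape, labels.tolist(), round(padding_fraction(78), 3))
```

Under the assumed 78-feature width, `padding_fraction` reports how much of every image is zero padding, the region the Phase 2 model fixated on.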


Evolutionary Development & Results

Phase 1: The Baseline (50% Accuracy)

  • Status: Model was stuck in a local minimum, predicting only the majority class. The heatmap showed a uniform "fog," indicating a failure to extract features.

Phase 1 Heatmap

Phase 2: Hyperparameter Tuning (70% Accuracy)

  • Status: Implemented Dropout and lowered the learning rate. Accuracy improved, but the model showed "Edge Bias," focusing on zero-padding rather than the network flow data.

Phase 2 Heatmap

Phase 3: The Elite Model (99% Accuracy)

  • Adjustments: Switched to a Functional API architecture, implemented Batch Normalization, used Z-Score Standardization, and applied Class Weights to force the model to prioritize DDoS detection.
  • Outcome: The model achieved near-perfect metrics across both classes. The Grad-CAM heatmap now shows precise "hotspots" proving feature identification.

Phase 3 Heatmap


Final Architecture (Functional API)

```python
from tensorflow.keras import layers, models

# Functional API for Keras 3 Compatibility
inputs = layers.Input(shape=(128, 128, 1))
x = layers.Conv2D(32, (3, 3), padding='same', activation='relu')(inputs)
x = layers.BatchNormalization()(x)
x = layers.MaxPooling2D((2, 2))(x)

# Target Layer for Interpretability (Grad-CAM reads this layer's feature maps)
target_layer = layers.Conv2D(64, (3, 3), padding='same', activation='relu', name="target_conv")(x)
x = layers.BatchNormalization()(target_layer)
x = layers.MaxPooling2D((2, 2))(x)

# Classifier head: single sigmoid unit for the binary Benign/DDoS decision
x = layers.Flatten()(x)
x = layers.Dense(64, activation='relu')(x)
x = layers.Dropout(0.5)(x)
outputs = layers.Dense(1, activation='sigmoid')(x)

model = models.Model(inputs=inputs, outputs=outputs)
```

Final Classification Report

| Class | Precision | Recall | F1-Score | Support |
|---|---|---|---|---|
| Benign | 0.99 | 0.99 | 0.99 | 126 |
| DDoS | 0.99 | 0.99 | 0.99 | 175 |
| Accuracy | | | 0.99 | 301 |
| Macro Avg | 0.99 | 0.99 | 0.99 | 301 |
| Weighted Avg | 0.99 | 0.99 | 0.99 | 301 |

Interpretability: Grad-CAM Mathematics

To interpret the AI's decision, we compute the importance of each feature map via the gradient of the class score y:

$$a_k = \frac{1}{H \times W}\sum_i\sum_j\frac{\partial y}{\partial A^k_{ij}}$$

The visual heatmap (L) is generated by:

$$L_{\text{Grad-CAM}} = \mathrm{ReLU}\left(\sum_k a_k A^k\right)$$

Software Guide

  • Training: Run ddos_cnn_vision.py. Uses Adam optimizer and Binary Cross-Entropy Loss:

$$\text{Loss} = -\frac{1}{N}\sum_{i=1}^{N}\left[y_i\log(\hat{y}_i) + (1-y_i)\log(1-\hat{y}_i)\right]$$

  • Analysis: View the generated Grad-CAM heatmap to identify which network features contributed to the DDoS classification.

Installation

```bash
pip install tensorflow pandas numpy matplotlib opencv-python Pillow scikit-learn
```

About

DDoS-Vision: A Deep Learning approach to network security. Converts numerical CIC-IDS2017 traffic flows into 2D grayscale images for CNN classification. Features Grad-CAM for Explainable AI (XAI) and 99% detection accuracy.
