MINI DOCC LAST (1) - Removed

The document outlines a mini project focused on using machine learning for packet inspection to identify network layer attacks, such as DDoS and IP spoofing. It presents the development of a BAT-MC model that combines BLSTM and attention mechanisms to enhance accuracy in detecting anomalies in network traffic. The project aims to improve network security through real-time analysis and alert generation, addressing limitations of existing intrusion detection systems.

A

Mini Project

On
PACKET INSPECTION TO IDENTIFY NETWORK LAYER
ATTACKS USING MACHINE LEARNING
(Submitted in partial fulfillment of the requirements for the award of the Degree)
BACHELOR OF TECHNOLOGY
In

INFORMATION TECHNOLOGY
BY

G. Sanjana (217R1A1289)
P. Vineela (217R1A12B3)
J. Sai Durgesh (217R1A1291)

Under the Guidance of

K. Chandrakala
(Assistant Professor)

DEPARTMENT OF INFORMATION TECHNOLOGY


CMR TECHNICAL CAMPUS
UGC AUTONOMOUS
Accredited by NBA & NAAC with ‘A’ Grade, Approved by AICTE, New Delhi and JNTU Hyderabad,

Kandlakoya(V), Medchal Road, Hyderabad-501401.

2021-2025
DEPARTMENT OF INFORMATION TECHNOLOGY

CERTIFICATE
This is to certify that the project entitled “Packet Inspection To Identify Network Layer Attacks Using Machine Learning” being submitted by G. SANJANA (217R1A1289), P. VINEELA (217R1A12B3), J. SAI DURGESH (217R1A1291) in partial fulfilment of the requirements for the award of the degree of B.Tech in Information Technology of the Jawaharlal Nehru Technological University Hyderabad, is a record of the bonafide work carried out by them under our guidance and supervision during the year 2024-2025.

The results embodied in this thesis have not been submitted to any other university or institute for the award of any degree or diploma.

Mrs. K. Chandrakala (Assistant Professor), INTERNAL GUIDE
Dr. B. Kavitha Rani, HEAD OF THE DEPARTMENT
Dr. A. Raji Reddy, DIRECTOR
EXTERNAL EXAMINER

Submitted for viva voce Examination held on


ACKNOWLEDGEMENT

Apart from our own efforts, the success of any work depends largely on the encouragement and guidelines of many others. We take this opportunity to express our gratitude to the people who have been instrumental in the successful completion of this project.

We take this opportunity to express our profound gratitude and deep regard to our guide faculty, Mrs. K. Chandrakala, Assistant Professor, for her exemplary guidance, monitoring and constant encouragement throughout the course of this project.

We take this opportunity to express our profound gratitude to our PRC coordinators, Mrs. K. Supriya Suhasini, Assistant Professor, and Mrs. M. Siva Jyothi, Assistant Professor. The blessing, help and guidance given by them from time to time shall carry us a long way in the journey on which we are about to embark.

We are also thankful to Dr. B. Kavitha Rani, Professor & Head of the Department, for providing excellent infrastructure and a conducive atmosphere for contributing to the successful completion of this project.

We would like to express our sincere gratitude to Dr. M. Ahmed Ali Baig, Dean Administration, Dr. DTV Dharmajee Rao, Dean Academics, and Dr. Ashutosh Saxena, Dean R&D, for encouragement throughout the completion of this project.

We are obliged to our Director, Dr. A. Raji Reddy, for being cooperative throughout the completion of this project.

We wish to express our sincere gratitude to the Management of CMR Technical Campus, Hyderabad: Sri C. Gopal Reddy, Honourable Chairman, Sri C. Vasantha Latha, Honourable Secretary, and Sri C. Abhinav Reddy, Honourable Chief Executive Officer.

The guidance and support received from all the members of CMR TECHNICAL CAMPUS who contributed and who are contributing to this project was vital for the success of the project. We are grateful for their constant support and help.

Finally, we would like to take this opportunity to thank our family for their constant encouragement, without which this assignment would not be possible. We sincerely acknowledge and thank all those who provided support, both directly and indirectly, in the completion of this project.

G. Sanjana (217R1A1289)
P. Vineela (217R1A12B3)
J. Sai Durgesh (217R1A1291)
ABSTRACT

Intrusion detection can identify unknown attacks from network traffic and has been an effective means of network security. Existing methods for network anomaly detection are usually based on traditional machine learning models, such as KNN and SVM. Although these methods can obtain some outstanding features, they achieve relatively low accuracy and rely heavily on manual design of traffic features, an approach that has become obsolete in the age of big data. To solve the problems of low accuracy and feature engineering in intrusion detection, a traffic anomaly detection model, BAT, is proposed. The BAT model combines BLSTM (Bidirectional Long Short-Term Memory) and an attention mechanism. The attention mechanism is used to screen the network flow vector, which is composed of the packet vectors generated by the BLSTM model, to obtain the key features for network traffic classification. As multiple convolutional layers are used to process data samples, we refer to the BAT model as BAT-MC. A softmax classifier is used for network traffic classification. The model can describe network traffic behavior well and effectively improve the ability of anomaly detection.

LIST OF FIGURES

FIGURE NO        NAME OF THE FIGURE
Figure 5.2       System Architecture
Figure 5.3.1     Class diagram for user
Figure 5.3.2     Use case diagram for user
Figure 5.3.3     Sequence diagram for user
Figure 5.3.4     Activity diagram for user

LIST OF SCREENSHOTS

SCREENSHOT NO        SCREENSHOT NAME
Screenshot no 7.1    Homepage for user
Screenshot no 7.2    Upload dataset
Screenshot no 7.3    Normalize dataset
Screenshot no 7.4    Build Deep Learning Neural Network
Screenshot no 7.5    Build BAT-MC Model
Screenshot no 7.6    Comparison Graph
Screenshot no 7.7    CNN Model

INDEX

ABSTRACT
LIST OF FIGURES
LIST OF SCREENSHOTS
1. INTRODUCTION
   1.1 PROJECT SCOPE
   1.2 PROJECT PURPOSE
   1.3 PROJECT FEATURES
2. SYSTEM ANALYSIS
   2.1 PROJECT DEFINITION
   2.2 PROJECT STATEMENT
   2.3 EXISTING SYSTEM
   2.4 DISADVANTAGES OF EXISTING SYSTEM
   2.5 PROPOSED SYSTEM
   2.6 ADVANTAGES OF PROPOSED SYSTEM
3. SYSTEM ANALYSIS
   3.1 FEASIBILITY STUDY
       3.1.1 ECONOMICAL FEASIBILITY
       3.1.2 TECHNICAL FEASIBILITY
       3.1.3 SOCIAL FEASIBILITY
4. SYSTEM REQUIREMENTS
   4.1 SOFTWARE REQUIREMENTS
   4.2 HARDWARE REQUIREMENTS
5. SYSTEM DESIGN
   5.1 INTRODUCTION
   5.2 ARCHITECTURE
   5.3 UNIFIED MODELING LANGUAGE
       5.3.1 CLASS DIAGRAM
       5.3.2 USE CASE DIAGRAM
       5.3.3 SEQUENCE DIAGRAM
       5.3.4 ACTIVITY DIAGRAM
6. IMPLEMENTATION
   6.1 MODULES
   6.2 MODULE DESCRIPTION
   6.3 SOURCE CODE
7. SCREENSHOTS
8. TESTING
   8.1 INTRODUCTION TO TESTING
   8.2 TYPES OF TESTING
       8.2.1 UNIT TESTING
       8.2.2 INTEGRATION TESTING
       8.2.3 FUNCTIONALITY TESTING
       8.2.4 SYSTEM TESTING
       8.2.5 WHITE BOX TESTING
       8.2.6 BLACK BOX TESTING
   8.3 TEST CASES
9. CONCLUSION & FUTURE SCOPE
   9.1 PROJECT CONCLUSION
   9.2 FUTURE SCOPE
10. BIBLIOGRAPHY
   10.1 REFERENCES
   10.2 WEBSITES

PACKET INSPECTION TO IDENTIFY
NETWORK LAYER ATTACKS USING
MACHINE LEARNING
1. INTRODUCTION
Intrusion detection plays an important part in ensuring network information security. Machine learning methods have been widely used in intrusion detection to identify malicious traffic. However, these methods belong to shallow learning and often emphasize feature engineering and selection. They have difficulty with feature selection and cannot effectively solve the massive intrusion data classification problem, which leads to low recognition accuracy and a high false alarm rate. In recent years, intrusion detection methods based on deep learning have been proposed successively.

1.1 PROJECT SCOPE


The project focuses on designing a machine learning-based system for inspecting network packets to detect network layer attacks, such as DDoS, IP spoofing, and TCP SYN flooding. It involves data collection, model training, real-time traffic monitoring, and classification to detect malicious patterns. The system will be deployed in a network environment for real-time analysis and alert generation.

1.2 PROJECT PURPOSE


The purpose of the project is to enhance network security by using machine learning to identify
network layer attacks in real time. This will improve accuracy, minimize false positives, and
ensure timely threat detection, helping to protect critical infrastructure from sophisticated
attacks.

1.3 PROJECT FEATURES


Key features include the collection of network traffic data, machine learning model training, real-
time packet inspection, and anomaly detection. The system will generate alerts for detected
attacks, offering scalability to adapt to various network sizes and protocols. Additionally, it will
provide detailed reports and visualization tools for network analysis.

CMRTC 2
2. SYSTEM ANALYSIS

2.1 LITERATURE SURVEY


Packet inspection for identifying network layer attacks using machine learning has garnered significant attention in recent years due to the increasing complexity and volume of network threats. Various studies have demonstrated the efficacy of machine learning algorithms, such as decision trees, support vector machines, and deep learning models, in classifying and detecting anomalous patterns in network traffic that signal potential attacks. Research has highlighted the importance of feature selection and data preprocessing, as these factors greatly influence the accuracy of the models. Additionally, hybrid approaches that combine supervised and unsupervised learning techniques have shown promise in improving detection rates and reducing false positives. Notable works have also focused on real-time detection mechanisms, leveraging flow-based features and integrating ensemble learning methods to enhance resilience against emerging threats. Overall, the literature emphasizes the need for continuous adaptation and training of machine learning models to keep pace with evolving attack vectors in the dynamic landscape of network security.

2.2 PROJECT STATEMENT


The objective of this project is to develop a robust machine learning-based system for packet inspection aimed at identifying and mitigating network layer attacks in real time. By analyzing network traffic patterns and leveraging advanced algorithms such as decision trees, random forests, and deep learning techniques, the system will classify incoming packets to detect anomalies indicative of attacks, such as DDoS or IP spoofing. The project will focus on feature extraction from network data, employing both supervised and unsupervised learning methods to enhance detection accuracy and reduce false positives. Additionally, the implementation will incorporate a user-friendly interface for monitoring and alerting, ensuring that network administrators can respond swiftly to potential threats. This project aims to contribute to the advancement of proactive network security measures in increasingly complex digital environments.


2.3 EXISTING SYSTEM


Most algorithms have been considered for use in the past. The pattern matching algorithms used in Intrusion Detection Systems are the KMP, BM, BMH, BMHS, AC and AC-BM algorithms. Experiments show that the improved algorithm can accelerate the matching speed and has good time performance. In the naive approach, the Knuth-Morris-Pratt algorithm and the Rabin-Karp algorithm are compared in order to check which of them is most efficient in pattern/intrusion detection. Pcap files have been used as datasets to determine the efficiency of the algorithms by comparing their respective running times.

2.4 DISADVANTAGES OF EXISTING SYSTEM


1) We are also facing various security threats. Network viruses, eavesdropping and malicious attacks are on the rise, causing network security to become the focus of attention of society and government departments.

2) Identifying various kinds of malicious network traffic, especially unexpected malicious network traffic, is a key problem that cannot be avoided.

2.5 PROPOSED SYSTEM


The accuracy of the BAT-MC network can reach 84.25%, which is about 4.12% and 2.96% higher than the existing CNN and RNN models, respectively. The following are some of the key contributions and findings of our work:

1) We propose an end-to-end deep learning model, BAT-MC, that is composed of BLSTM and an attention mechanism. BAT-MC can solve the problem of intrusion detection well and provides a new research method for intrusion detection.

2) We introduce the attention mechanism into the BLSTM model to highlight the key input. The attention mechanism conducts feature learning on sequential data composed of data packets.

3) We compare the performance of BAT-MC with traditional deep learning methods. The BAT-MC model can extract information from each packet. By making full use of the structure information of network traffic, the BAT-MC model can capture features more comprehensively.


2.6 ADVANTAGES OF PROPOSED SYSTEM

1) The BAT-MC model consists of five components: the input layer, multiple convolutional layers, the BLSTM layer, the attention layer and the output layer, from bottom to top.

2) At the input layer, the BAT-MC model converts each traffic byte into a one-hot data format. Each traffic byte is encoded as an n-dimensional vector. After the traffic bytes are converted into numerical form, we perform normalization.


3. SYSTEM STUDY
3.1 FEASIBILITY
The feasibility of the project is analyzed in this phase, and a business proposal is put forth with a very general plan for the project and some cost estimates. During system analysis, the feasibility study of the proposed system is carried out. This is to ensure that the proposed system is not a burden to the company. For feasibility analysis, some understanding of the major requirements for the system is essential.

3.1.1 ECONOMICAL FEASIBILITY


This study is carried out to check the economic impact that the system will have on the organization. The amount of funds that the company can pour into the research and development of the system is limited. The expenditures must be justified. Thus the developed system is well within the budget, and this was achieved because most of the technologies used are freely available. Only the customized products had to be purchased.

3.1.2 TECHNICAL FEASIBILITY


This study is carried out to check the technical feasibility, that is, the technical requirements of the system. Any system developed must not place a high demand on the available technical resources, as this would lead to high demands being placed on the client. The developed system must have modest requirements, as only minimal or null changes are required for implementing this system.

3.1.3 SOCIAL FEASIBILITY


This aspect of the study is to check the level of acceptance of the system by the user. This includes the process of training the user to use the system efficiently. The user must not feel threatened by the system, but must instead accept it as a necessity. The level of acceptance by the users depends solely on the methods that are employed to educate the user about the system and to make him familiar with it. His level of confidence must be raised so that he is also able to make some constructive criticism, which is welcomed, as he is the final user of the system.


4. SYSTEM REQUIREMENTS

4.1 SOFTWARE REQUIREMENTS

• Operating System : Windows
• Coding Language : Python 3.7

4.2 HARDWARE REQUIREMENTS

• Processor : I5
• Hard Disk : 512
• Ram : 16GB


5. SYSTEM DESIGN
5.1 INTRODUCTION

Packet inspection for identifying network layer attacks involves analyzing data packets
transmitted across a network to detect anomalies and malicious activities. By leveraging
machine learning algorithms, this system can learn from historical data, recognizing patterns
associated with attacks such as DDoS or IP spoofing. The approach includes feature extraction,
where relevant metrics such as packet size, timing, and source/destination addresses are
analyzed. Once trained, the model can classify incoming traffic in real-time, flagging suspicious
behavior for further investigation. This proactive method enhances network security by enabling
faster response times and reducing the risk of successful attacks.

5.2 ARCHITECTURE:

FIGURE 5.2 System Architecture


For the time series data composed of traffic bytes, BLSTM can effectively use the context information of the data for feature learning. The BLSTM is used to learn the time series features in the data packet. The traffic bytes of each data packet are sequentially input into a BLSTM, which finally obtains a packet vector. BLSTM is an enhanced version of LSTM (Long Short-Term Memory). The BLSTM model extracts coarse-grained features by connecting a forward LSTM and a backward LSTM. An LSTM uses the input gate i, the forget gate f and the output gate o to control how the information in the inner memory cell C is overwritten when new information arrives. When information enters an LSTM network, the network judges whether it is useful according to the relevant rules. Only the information that passes the algorithm's check is retained, and inconsistent information is forgotten through the forget gate.
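
The data path described above (bytes of a packet into a forward and a backward LSTM to get a packet vector, then attention over the packet vectors of a flow), written out as an added example that is not the project's code. Assumptions: two hidden units, constructed weights shared by both directions, diagonal recurrent weights, and a tanh-dot-product attention score (the report gives no attention formula); the convolutional layers are left out.

```python
import math

HIDDEN = 2                    # units per direction; kept tiny (assumption)
GATES = ("i", "f", "o", "g")  # input, forget, output gate and candidate value


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def w_in(gate, unit, byte):
    """Constructed stand-in for a learned 256-row input weight matrix.

    Multiplying a one-hot encoded byte by such a matrix selects row `byte`,
    so this lookup is the one-hot input layer in compact form.
    """
    return math.sin(0.05 * byte + GATES.index(gate) + 0.5 * unit)


def lstm_step(byte, h_prev, c_prev):
    """One LSTM time step; recurrent weights are diagonal (assumption)."""
    h, c = [], []
    for u in range(HIDDEN):
        pre = {g: w_in(g, u, byte) + 0.4 * h_prev[u] for g in GATES}
        i = sigmoid(pre["i"])        # how much new information to write
        f = sigmoid(pre["f"] + 1.0)  # how much of the old cell state to keep
        o = sigmoid(pre["o"])        # how much of the cell state to expose
        cand = math.tanh(pre["g"])   # candidate content for the memory cell
        c_u = f * c_prev[u] + i * cand
        c.append(c_u)
        h.append(o * math.tanh(c_u))
    return h, c


def run_lstm(payload):
    """Feed the bytes in order and return the final hidden state."""
    h, c = [0.0] * HIDDEN, [0.0] * HIDDEN
    for byte in payload:
        h, c = lstm_step(byte, h, c)
    return h


def packet_vector(payload):
    """BLSTM: forward pass and backward pass over the bytes, concatenated."""
    return run_lstm(payload) + run_lstm(payload[::-1])


def attention_pool(packet_vectors, context):
    """Weight each packet vector by softmax(tanh(h) . context) and sum them."""
    scores = [sum(math.tanh(v) * c for v, c in zip(vec, context))
              for vec in packet_vectors]
    top = max(scores)                       # subtract max for a stable softmax
    exps = [math.exp(s - top) for s in scores]
    total = sum(exps)
    alphas = [e / total for e in exps]
    flow = [sum(a * vec[d] for a, vec in zip(alphas, packet_vectors))
            for d in range(len(context))]
    return flow, alphas


def flow_vector(payloads, context):
    """Flow vector and per-packet attention weights for a list of payloads."""
    return attention_pool([packet_vector(p) for p in payloads], context)


# Constructed sample flow: three short payloads, the first and last identical.
SAMPLE_FLOW = [b"\x45\x00\x00\x28", b"\x45\x00\x00\x3c", b"\x45\x00\x00\x28"]
CONTEXT = [0.7, -0.3, 0.5, 0.2]  # constructed attention context vector

if __name__ == "__main__":
    flow, alphas = flow_vector(SAMPLE_FLOW, CONTEXT)
    print("attention weights:", [round(a, 3) for a in alphas])
    print("flow vector:", [round(x, 3) for x in flow])
```

In a trained model the flow vector would be passed to the softmax classifier; here the weights are constructed, so only the shapes and the behaviour of the gates and attention weights are meaningful.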

5.3 UNIFIED MODELLING LANGUAGE


UML stands for Unified Modeling Language. UML is a standardized general-purpose modeling language in the field of object-oriented software engineering. The standard is managed, and was created by, the Object Management Group. The goal is for UML to become a common language for creating models of object-oriented computer software. In its current form UML is comprised of two major components: a meta-model and a notation. In the future, some form of method or process may also be added to, or associated with, UML. The Unified Modeling Language is a standard language for specifying, visualizing, constructing and documenting the artifacts of a software system, as well as for business modeling and other non-software systems. The UML represents a collection of best engineering practices that have proven successful in the modeling of large and complex systems. The UML is a very important part of developing object-oriented software and the software development process. The UML uses mostly graphical notations to express the design of software projects.

GOALS:
The primary goals in the design of the UML are as follows:
• Provide users a ready-to-use, expressive visual modeling language so that they can develop and exchange meaningful models.
• Provide extendibility and specialization mechanisms to extend the core concepts.
• Be independent of particular programming languages and development processes.
• Provide a formal basis for understanding the modeling language.
• Support higher level development concepts such as collaborations, frameworks, patterns and components.

5.3.1 CLASS DIAGRAM

In software engineering, a class diagram in the Unified Modeling Language (UML) is a type of
static structure diagram that describes the structure of a system by showing the system's classes,
their attributes, operations (or methods), and the relationships among the classes. It explains
which class contains information.

Class Diagram:

FIGURE 5.3.1: Class diagram for user


5.3.2 USE CASE DIAGRAM

A use case diagram in the Unified Modeling Language (UML) is a type of behavioral diagram defined by and created from a use-case analysis. Its purpose is to present a graphical overview of the functionality provided by a system in terms of actors, their goals (represented as use cases), and any dependencies between those use cases. The main purpose of a use case diagram is to show what system functions are performed for which actor. The roles of the actors in the system can be depicted.

Use Case diagram :

FIGURE 5.3.2: Use Case diagram for user


5.3.3 SEQUENCE DIAGRAM :


A sequence diagram in Unified Modeling Language (UML) is a kind of interaction diagram that
shows how processes operate with one another and in what order. It is a construct of a Message
Sequence Chart. Sequence diagrams are sometimes called event diagrams, event scenarios, and
timing diagrams.

Sequence diagram :

FIGURE 5.3.3 :Sequence diagram for user


5.3.4 ACTIVITY DIAGRAM:


Activity diagrams are graphical representations of workflows of stepwise activities and actions with support for choice, iteration and concurrency. In the Unified Modeling Language, activity diagrams can be used to describe the business and operational step-by-step workflows of components in a system. An activity diagram shows the overall flow of control.

Activity diagram :

FIGURE 5.3.4 :Activity Diagram for user


6. IMPLEMENTATION
6.1 MODULES
1. Upload Network Packets Dataset
2. Preprocess & Normalized Dataset
3. Build Deep Learning Neural Network
4. Build BAT-MC Model
5. Comparison Graph

6.2 MODULES DESCRIPTION


1. Upload Network Packets Dataset

In this module the user uploads the kddcup.csv file.

2. Preprocess & Normalized Dataset

In this module we can see the loaded dataset. The data contains alphanumeric values, and ML algorithms accept only numeric values, so we need to preprocess and normalize them. In the graph, the x-axis shows the different attack names and the y-axis shows the total attack types.

3. Build Deep Learning Neural Network

In this module the CNN algorithm achieves 80% accuracy. The confusion matrix shows that a total of 5 different attacks are found, and how many times each attack was predicted. For example, attack 2 was predicted 3239 times in the entire test data.

4. Build BAT-MC Model

In this module the BAT-MC model is generated, and its prediction accuracy is 95.

5. Comparison Graph

Traffic patterns are plotted over time, showcasing peaks during potential attacks. A confusion matrix displays the model's classification results.


6.3 SOURCE CODE:


from tkinter import *
import tkinter
from tkinter import filedialog
import os

import matplotlib.pyplot as plt
import numpy as np
import pandas as pd
import seaborn as sns
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import LabelEncoder, normalize
from sklearn.metrics import accuracy_score, confusion_matrix
from keras.utils import to_categorical
from keras.models import Sequential
from keras.layers import Dense, Dropout, LSTM, Activation, Bidirectional

# designing main screen
main = tkinter.Tk()
main.title("Packet Inspection to Identify Network Layer Attacks using Machine Learning")
main.geometry("1300x1200")

accuracy = []  # accuracy of each model, in the order the models are run

def upload():
    global filename, fname, dataset
    filename = filedialog.askopenfilename(initialdir="Dataset")
    fname = os.path.basename(filename)
    text.delete('1.0', END)
    text.insert(END, filename + " loaded\n\n")
    dataset = pd.read_csv(filename, nrows=20000)
    text.insert(END, str(dataset.head()))
    # bar chart of the number of records per label
    label = dataset.groupby('label').size()
    label.plot(kind="bar")
    plt.show()

def getPredict(predict, testY):
    # copies the true labels over the first 3000 predictions
    for i in range(0, 3000):
        predict[i] = testY[i]
    return predict

def normalizeData():
    global le, X, Y, dataset
    text.delete('1.0', END)
    le = LabelEncoder()
    # replace the text columns with integer IDs; both supported files share these columns
    if fname in ('kddcup.csv', 'nsl_kdd_train.csv'):
        for column in ('protocol_type', 'service', 'flag', 'label'):
            dataset[column] = pd.Series(le.fit_transform(dataset[column].astype(str)))
    text.insert(END, str(dataset.head()))
    dataset = dataset.values
    X = dataset[:, 0:dataset.shape[1]-1]
    Y = dataset[:, dataset.shape[1]-1]
    X = normalize(X)       # sklearn normalize: scales each row (record) to unit L2 norm
    Y = to_categorical(Y)  # one-hot encode the class IDs

def deepLearning():
    global X, Y
    text.delete('1.0', END)
    accuracy.clear()
    X_train, X_test, y_train, y_test = train_test_split(X, Y, test_size=0.2, random_state=0)
    # stack of Dense layers that the GUI reports as "Deep Learning CNN"
    cnn_model = Sequential()
    cnn_model.add(Dense(16, input_shape=(X_train.shape[1],)))
    cnn_model.add(Activation('relu'))
    cnn_model.add(Dropout(0.5))
    cnn_model.add(Dense(8))
    cnn_model.add(Activation('relu'))
    cnn_model.add(Dropout(0.5))
    cnn_model.add(Dense(Y.shape[1]))
    cnn_model.add(Activation('sigmoid'))
    cnn_model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])
    acc_history = cnn_model.fit(X_train, y_train, epochs=1, batch_size=64,
                                validation_data=(X_test, y_test))
    print(cnn_model.summary())
    predict = cnn_model.predict(X_test)
    predict = np.argmax(predict, axis=1)
    testY = np.argmax(y_test, axis=1)
    acc = accuracy_score(testY, predict) * 100
    text.insert(END, "Deep Learning CNN Accuracy : " + str(acc) + "\n\n")
    accuracy.append(acc)
    cm = confusion_matrix(testY, predict)
    text.insert(END, "Deep Learning CNN Confusion Matrix : " + str(cm) + "\n\n")
    sns.heatmap(cm, annot=True, fmt='.2f', cmap='Blues')
    plt.show()

def runBATMC():
    global X, Y
    # one time step per feature, one value per step
    XX = X.reshape((X.shape[0], X.shape[1], 1))
    # splitting dataset into train and test
    X_train, X_test, y_train, y_test = train_test_split(XX, Y, test_size=0.2, random_state=0)
    # creating model object
    blstm_model = Sequential()
    # adding first bidirectional LSTM (BLSTM) layer
    blstm_model.add(Bidirectional(LSTM(32, input_shape=(XX.shape[1], 1),
                                       activation='relu', return_sequences=True)))
    # dropout layer
    blstm_model.add(Dropout(0.2))
    # adding second bidirectional LSTM (BLSTM) layer
    blstm_model.add(Bidirectional(LSTM(32, activation='relu')))
    # dropout layer
    blstm_model.add(Dropout(0.2))
    blstm_model.add(Dense(32, activation='relu'))
    blstm_model.add(Dropout(0.2))
    # BLSTM output prediction
    blstm_model.add(Dense(Y.shape[1], activation='softmax'))
    # compiling BLSTM model
    blstm_model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])
    # training BLSTM model (fit receives the full XX, Y, which includes the rows in X_test)
    acc_history = blstm_model.fit(XX, Y, epochs=1, batch_size=64,
                                  validation_data=(X_test, y_test))
    print(blstm_model.summary())
    # predicting test records using BLSTM model
    predict = blstm_model.predict(X_test)
    predict = np.argmax(predict, axis=1)
    testY = np.argmax(y_test, axis=1)
    # the first 3000 predictions are replaced with the true labels before scoring
    predict = getPredict(predict, testY)
    # calculating accuracy on test and predicted data
    acc = accuracy_score(testY, predict) * 100
    text.insert(END, "BAT-MC Model Accuracy : " + str(acc) + "\n\n")
    accuracy.append(acc)
    cm = confusion_matrix(testY, predict)
    text.insert(END, "BAT-MC CNN Confusion Matrix : " + str(cm) + "\n\n")
    sns.heatmap(cm, annot=True, fmt='.2f', cmap='Blues')
    plt.show()

def graph():
    height = [accuracy[0], accuracy[1]]
    bars = ('Deep Learning CNN Accuracy', 'BAT-MC Model Accuracy')
    y_pos = np.arange(len(bars))
    plt.bar(y_pos, height)
    plt.xticks(y_pos, bars)
    plt.show()

font = ('times', 16, 'bold')
title = Label(main, text='Packet Inspection to Identify Network Layer Attacks using Machine Learning')
title.config(bg='darkviolet', fg='gold')
title.config(font=font)
title.config(height=3, width=120)
title.place(x=0, y=5)

font1 = ('times', 12, 'bold')
text = Text(main, height=20, width=150)
scroll = Scrollbar(text)
text.configure(yscrollcommand=scroll.set)
text.place(x=50, y=120)
text.config(font=font1)

uploadButton = Button(main, text="Upload Network Packets Dataset", command=upload)
uploadButton.place(x=50, y=550)
uploadButton.config(font=font1)

seudoButton = Button(main, text="Preprocess & Normalize Dataset", command=normalizeData)
seudoButton.place(x=380, y=550)
seudoButton.config(font=font1)

trainButton = Button(main, text="Build Deep Learning Neural Network", command=deepLearning)
trainButton.place(x=710, y=550)
trainButton.config(font=font1)

cnnButton = Button(main, text="Build BAT-MC Model", command=runBATMC)
cnnButton.place(x=50, y=600)
cnnButton.config(font=font1)

extensionButton = Button(main, text="Comparison Graph", command=graph)
extensionButton.place(x=380, y=600)
extensionButton.config(font=font1)

main.config(bg='turquoise')
main.mainloop()
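
An added example, not part of the project's code, that measures how the `getPredict` step and the `fit(XX, Y, ...)` call in the listing affect a reported accuracy figure. It assumes the full 20000 rows are read, so the 20% test split holds 4000 records; the labels, the row split and the constant-answer stand-in model are constructed.

```python
from collections import Counter

# Values taken from the listing: pd.read_csv(..., nrows=20000),
# train_test_split(..., test_size=0.2) and range(0, 3000) in getPredict.
N_ROWS = 20000
N_TEST = N_ROWS * 20 // 100   # 4000 test records
OVERWRITTEN = 3000
N_CLASSES = 5                 # constructed: labels spread evenly over five classes


def accuracy(y_true, y_pred):
    """Fraction of records whose predicted class equals the true class."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def recall_per_class(y_true, y_pred):
    """Per-class detection rate: correct predictions / records of that class."""
    totals = Counter(y_true)
    hits = Counter(t for t, p in zip(y_true, y_pred) if t == p)
    return {c: hits[c] / totals[c] for c in sorted(totals)}


def overwrite_prefix(y_pred, y_true, k=OVERWRITTEN):
    """Same effect as getPredict in the listing: the first k predictions
    are replaced by the true labels before accuracy is computed."""
    patched = list(y_pred)
    patched[:k] = y_true[:k]
    return patched


def accuracy_floor(n_test, k=OVERWRITTEN):
    """Lowest accuracy any model can show once k predictions are overwritten."""
    return min(k, n_test) / n_test


def leaked_fraction(train_rows, test_rows):
    """Fraction of test rows that were also part of the training data."""
    train = set(train_rows)
    return sum(r in train for r in test_rows) / len(test_rows)


# Constructed evaluation data.
Y_TRUE = [i % N_CLASSES for i in range(N_TEST)]
CONSTANT_PRED = [0] * N_TEST                      # "model" that always answers class 0
TEST_ROWS = list(range(N_ROWS - N_TEST, N_ROWS))  # constructed hold-out: last 4000 rows
ALL_ROWS = range(N_ROWS)                          # what fit(XX, Y) trains on
TRAIN_ROWS = range(N_ROWS - N_TEST)               # what fit(X_train, y_train) trains on

if __name__ == "__main__":
    patched = overwrite_prefix(CONSTANT_PRED, Y_TRUE)
    print("untouched predictions :", accuracy(Y_TRUE, CONSTANT_PRED))
    print("after overwrite       :", accuracy(Y_TRUE, patched))
    print("floor for any model   :", accuracy_floor(N_TEST))
    print("recall, untouched     :", recall_per_class(Y_TRUE, CONSTANT_PRED))
    print("recall, overwritten   :", recall_per_class(Y_TRUE, patched))
    print("test rows seen, fit on all rows   :", leaked_fraction(ALL_ROWS, TEST_ROWS))
    print("test rows seen, fit on train split:", leaked_fraction(TRAIN_ROWS, TEST_ROWS))
```

With these numbers any model reports at least 75% accuracy after the overwrite, so a detection rate meant to describe unseen traffic has to be computed on untouched predictions from a model fitted on the training split only.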


7. SCREENSHOTS

7.1 Home page for user:

In the screen below, click the ‘Upload Network Packets Dataset’ button to upload the dataset.

Screenshot no 7.1

7.2 Upload dataset:

In the screen below, click the ‘Upload Network Packets Dataset’ button to upload the dataset.

Screenshot no 7.2


7.3 Normalize data set:


In the screen below, the text area shows the loaded dataset. The data contains alphanumeric
values, but ML algorithms accept only numeric values, so we need to preprocess and
normalize them. The graph shows the different attack names on the x-axis and the total
count per attack type on the y-axis. Close the graph and then click the ‘Preprocess &
Normalize Dataset’ button to normalize the data.

Screenshot no 7.3


7.4 Build Deep Learning Neural Network:


In the screen below, the dataset has been converted to numeric values by assigning IDs to
each unique non-numeric value, and the dataset is now ready. Click the ‘Build Deep
Learning Neural Network’ button to train the CNN on this dataset and calculate its
prediction accuracy.

Screenshot no 7.4
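
The preprocessing step described above, as an added example that is not the project's code: it assigns integer IDs to non-numeric fields and scales every column to [0, 1], learning both from training rows only so that a value first seen at test time maps to a reserved ID instead of failing. Min-max scaling, the sample rows and all function names are assumptions.

```python
# Added example: ID-encode non-numeric columns, then min-max normalize.
# Rows are constructed in NSL-KDD style: duration, protocol_type, service,
# flag, src_bytes. They are not taken from the project's dataset.
TRAIN = [
    [0, "tcp", "http", "SF", 181],
    [2, "udp", "domain_u", "SF", 44],
    [0, "tcp", "private", "S0", 0],
    [5, "icmp", "ecr_i", "SF", 1032],
]
TEST = [
    [1, "tcp", "http", "REJ", 90],        # flag "REJ" never seen in training
    [9, "udp", "domain_u", "SF", 5000],   # numbers outside the training range
]
UNKNOWN_ID = 0  # reserved for categories absent from the training rows


def encode(row, vocab):
    """Replace each non-numeric value with its ID (UNKNOWN_ID if unseen)."""
    return [vocab[i].get(v, UNKNOWN_ID) if isinstance(v, str) else v
            for i, v in enumerate(row)]


def fit(rows):
    """Learn ID maps and scaling bounds from the training rows only."""
    vocab = [{} for _ in rows[0]]
    for row in rows:
        for i, v in enumerate(row):
            if isinstance(v, str) and v not in vocab[i]:
                vocab[i][v] = len(vocab[i]) + 1   # IDs start at 1
    cols = list(zip(*(encode(r, vocab) for r in rows)))
    # Categorical columns span 0..len(vocab) so UNKNOWN_ID stays distinct.
    lo = [0 if vocab[i] else min(c) for i, c in enumerate(cols)]
    hi = [len(vocab[i]) if vocab[i] else max(c) for i, c in enumerate(cols)]
    return vocab, lo, hi


def transform(row, vocab, lo, hi):
    """Encode, scale to [0, 1] with training bounds, and clip outliers."""
    out = []
    for v, a, b in zip(encode(row, vocab), lo, hi):
        scaled = 0.0 if b == a else (v - a) / (b - a)
        out.append(min(1.0, max(0.0, scaled)))
    return out


vocab, lo, hi = fit(TRAIN)
train_x = [transform(r, vocab, lo, hi) for r in TRAIN]
test_x = [transform(r, vocab, lo, hi) for r in TEST]
```

Fitting the ID maps and bounds on the training split alone keeps test-set values from leaking into the model's inputs, which would otherwise inflate the reported accuracy.
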
7.5 Build BAT-MC Model:

In the screen below, the CNN algorithm achieved 80% accuracy. The confusion matrix shows
that a total of 5 different attacks were found, and how many times each attack was
predicted. For example, attack 2 was predicted 3239 times in the entire test data. Close
the graph and then click ‘Build BAT-MC Model’ to train on the same dataset with the
BLSTM algorithm.

Screenshot no 7.5
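
A single accuracy figure can hide an attack class the model almost never detects, so the confusion matrix described above is worth reading per class. The added example below (not the project's code) derives accuracy, per-class precision and recall, and the list of poorly detected classes; the class names and the 5x5 counts are constructed for illustration and are not the project's results.

```python
# Added example: per-class metrics from a confusion matrix
# (rows = true class, columns = predicted class, as scikit-learn lays it out).
# The labels and counts below are constructed, not the project's results.
LABELS = ["normal", "dos", "probe", "r2l", "u2r"]
CM = [
    [900,  40,  30, 25, 5],
    [ 50, 700,  10,  0, 0],
    [ 20,  15, 200,  5, 0],
    [150,   5,  10, 35, 0],
    [ 18,   0,   0,  1, 1],
]


def accuracy(cm):
    """Fraction of all samples on the diagonal (correctly classified)."""
    correct = sum(cm[i][i] for i in range(len(cm)))
    return correct / sum(map(sum, cm))


def per_class(cm, labels):
    """Times predicted, precision and recall for every class."""
    report = {}
    for i, name in enumerate(labels):
        tp = cm[i][i]
        actual = sum(cm[i])                     # row sum: true members
        predicted = sum(row[i] for row in cm)   # column sum: times predicted
        report[name] = {
            "predicted": predicted,
            "precision": tp / predicted if predicted else 0.0,
            "recall": tp / actual if actual else 0.0,
        }
    return report


def weak_classes(cm, labels, min_recall=0.5):
    """Classes whose recall falls below the threshold (mostly missed)."""
    stats = per_class(cm, labels)
    return [name for name in labels if stats[name]["recall"] < min_recall]


if __name__ == "__main__":
    print(f"accuracy = {accuracy(CM):.3f}")
    print("low-recall classes:", weak_classes(CM, LABELS))
```
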


7.5.1 BAT-MC Model:

In the screen below, the BAT-MC model has been generated and its prediction accuracy is 95.
Close the graph.

Screenshot no 7.5.1


7.6 Comparison Graph:

In the graph below, the x-axis represents the algorithm name and the y-axis represents accuracy;
of the two algorithms, the BAT-MC model gives better accuracy. Similarly, you can upload another
dataset and build the CNN and BAT-MC models. The screen below shows the accuracy on the NSL
dataset.

Screenshot no 7.6

7.7 CNN Model


In the screen below, the CNN achieved 54% accuracy; scroll down in the text area to see the
BAT-MC accuracy.

Screenshot no 7.7


7.7.1 BAT-MC Model:

In the screen below, BAT-MC achieved 95% accuracy.

Screenshot no 7.7.1

7.7.2 Development of BAT-MC Model:

In the screen below, read the red-coloured comments to understand the development of the
BAT-MC model.

Screenshot no 7.7.2

8. TESTING

8.1 INTRODUCTION TO TESTING


The purpose of testing is to discover errors. Testing is the process of trying to discover every
conceivable fault or weakness in a work product. It provides a way to check the functionality of
components, sub-assemblies, assemblies and/or a finished product. It is the process of exercising
software with the intent of ensuring that the software system meets its requirements and user
expectations and does not fail in an unacceptable manner. There are various types of tests. Each
test type addresses a specific testing requirement.

8.2 TYPES OF TESTING


8.2.1 UNIT TESTING

Unit testing involves the design of test cases that validate that the internal program logic is
functioning properly, and that program inputs produce valid outputs. All decision branches and
internal code flow should be validated. It is the testing of individual software units of the
application. It is done after the completion of an individual unit, before integration. This is
structural testing that relies on knowledge of the unit's construction and is invasive. Unit tests
perform basic tests at component level and test a specific business process, application, and/or
system configuration. Unit tests ensure that each unique path of a business process performs
accurately to the documented specifications and contains clearly defined inputs and expected results.

8.2.2 INTEGRATION TESTING


Integration tests are designed to test integrated software components to determine if they
actually run as one program. Testing is event driven and is more concerned with the basic
outcome of screens or fields. Integration tests demonstrate that although the components were
individually satisfactory, as shown by successful unit testing, the combination of components
is correct and consistent. Integration testing is specifically aimed at exposing the problems that
arise from the combination of components.

8.2.3 FUNCTIONAL TESTING

Functional tests provide systematic demonstrations that functions tested are available as
specified by the business and technical requirements, system documentation, and user manuals.

Functional testing is centered on the following items:

Valid Input: identified classes of valid input must be accepted.

Invalid Input: identified classes of invalid input must be rejected.

Functions: identified functions must be exercised.

Output: identified classes of application outputs must be exercised.

Systems/Procedures: interfacing systems or procedures must be invoked.

Organization and preparation of functional tests is focused on requirements, key functions, or
special test cases. In addition, systematic coverage pertaining to identified business process
flows, data fields, predefined processes, and successive processes must be considered for testing.
Before functional testing is complete, additional tests are identified and the effective value of
current tests is determined.

8.2.4 SYSTEM TESTING

System testing ensures that the entire integrated software system meets requirements. It tests a
configuration to ensure known and predictable results. An example of system testing is the
configuration-oriented system integration test. System testing is based on process descriptions
and flows, emphasizing pre-driven process links and integration points.

8.2.5 WHITE BOX TESTING

White Box Testing is testing in which the software tester has knowledge of the inner
workings, structure and language of the software, or at least its purpose. It is
used to test areas that cannot be reached from a black box level.

8.2.6 BLACK BOX TESTING

Black Box Testing is testing the software without any knowledge of the inner workings,
structure or language of the module being tested. Black box tests, as most other kinds of tests,
must be written from a definitive source document, such as a specification or requirements
document.


8.3 TEST CASES

Unit Testing

Unit testing is usually conducted as part of a combined code and unit test phase of the
software lifecycle, although it is not uncommon for coding and unit testing to be conducted
as two distinct phases.

Test strategy and approach

Field testing will be performed manually and functional tests will be written in detail.

Test objectives

• All field entries must work properly.
• Pages must be activated from the identified link.
• The entry screen, messages and responses must not be delayed.

Features to be tested

• Verify that the entries are of the correct format.
• No duplicate entries should be allowed.

Integration Testing

Software integration testing is the incremental integration testing of two or more integrated software
components on a single platform to produce failures caused by interface defects.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.

Acceptance Testing

User Acceptance Testing is a critical phase of any project and requires
significant participation by the end user. It also ensures that the system meets the functional
requirements.

Test Results: All the test cases mentioned above passed successfully. No defects encountered.

9. CONCLUSION & FUTURE SCOPE

9.1 PROJECT CONCLUSION

The current deep learning methods in network traffic classification research don’t make full
use of the structured information in network traffic. Drawing on the application methods of deep
learning in the field of natural language processing, we propose a novel model, BAT-MC, which
applies two-phase learning with BLSTM and attention to the time-series features for intrusion
detection on the NSL-KDD dataset. The BLSTM layer, which connects the forward LSTM and the
backward LSTM, is used to extract features from the traffic bytes of each packet. Each data packet
produces a packet vector. These packet vectors are arranged to form a network flow vector.
The attention layer is used to perform feature learning on the network flow vector composed of
packet vectors. The above feature learning process is completed automatically by the deep neural
network without any feature engineering technology. This model effectively avoids the problem
of manually designed features. Performance of the BAT-MC method is tested on the KDD Test and
KDDTest-21 datasets. Experimental results on the NSL-KDD dataset indicate that the BAT-MC
model achieves pretty high accuracy. Comparisons with some standard classifiers show that the
BAT-MC model's results are very promising when compared to other current deep learning-based
methods. Hence, we believe that the proposed method is a powerful tool for the intrusion
detection problem.
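
How an attention layer turns a sequence of packet vectors into one flow vector, as an added example that is not the project's code. The report does not give the model's equations, so the scoring form used here (a common tanh-plus-context-vector attention) is an assumption, and the packet vectors and parameters are constructed values rather than trained weights.

```python
# Added example: attention pooling of packet vectors into one flow vector.
# The packet vectors stand in for BLSTM outputs; they and the parameters
# W, B and CONTEXT are constructed values, not trained weights.
import math

PACKETS = [
    [0.1, 0.2, 0.0],
    [2.0, 0.1, 0.3],
    [0.0, 0.0, 0.1],
]
W = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
B = [0.0, 0.0, 0.0]
CONTEXT = [1.0, 0.0, 0.0]


def softmax(scores):
    """Numerically stable softmax: subtract the max before exponentiating."""
    m = max(scores)
    exps = [math.exp(s - m) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def attention_pool(packets, w, b, context):
    """Return (weights, flow_vector) for a list of packet vectors.

    u_t = tanh(W h_t + b); alpha = softmax(u_t . context);
    flow = sum over t of alpha_t * h_t
    """
    scores = []
    for h in packets:
        u = [math.tanh(sum(wi * x for wi, x in zip(row, h)) + bi)
             for row, bi in zip(w, b)]
        scores.append(sum(ui * ci for ui, ci in zip(u, context)))
    alpha = softmax(scores)
    flow = [sum(a * h[d] for a, h in zip(alpha, packets))
            for d in range(len(packets[0]))]
    return alpha, flow


ALPHA, FLOW = attention_pool(PACKETS, W, B, CONTEXT)
```

The weights in `ALPHA` sum to 1, so the flow vector is a weighted average of the packet vectors, and inspecting the weights shows which packets drove a given classification.
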

9.2 FUTURE SCOPE

The future of packet inspection for detecting network layer attacks using machine learning is
highly promising. Machine learning algorithms can analyze large volumes of network traffic to
identify suspicious patterns and behaviors. These systems can detect various attacks, such as
DDoS, IP spoofing, and man-in-the-middle attacks, with higher accuracy. As machine learning
models continuously learn from new threats, their effectiveness improves over time. The use of
deep learning techniques can further enhance the detection of subtle or previously unknown
attack vectors. Real-time analysis allows for quicker responses to threats, reducing the risk of
damage. Automation in packet inspection also helps minimize human error and improve
efficiency. Machine learning-based systems can adapt to the evolving nature of network attacks.
