Windows-based Intrusion Detection System using machine learning and reinforcement learning for adaptive security
Project description
WinIDS - Windows Intrusion Detection System
A machine learning and reinforcement learning-based intrusion detection system designed for Windows environments with real-time monitoring capabilities.
Features
- 🔍 Real-time network traffic monitoring
- 🧠 Neural network-based intrusion detection
- 🤖 Reinforcement learning for adaptive thresholds
- 🚨 Detect multiple attack types: DOS, Probe, R2L, U2R
- 📊 Professional dashboard with visualizations
- 🛡️ Traffic generation and simulation capabilities
- 🔄 Bridge and Monitor components for flexible deployment
- 📈 Self-learning capabilities through RL feedback
Installation
From PyPI
```bash
pip install WinIDS
```
From Source
```bash
git clone https://github.com/yourusername/WinIDS.git
cd WinIDS
pip install -e .
```
Quick Start
WinIDS provides both command-line tools and Python library components.
Using Command-line Tools
- Start the Monitor:
  ```bash
  WinIDS-monitor --host localhost --port 5000
  ```
- Start the Bridge (traffic generator):
  ```bash
  WinIDS-bridge --monitor-host localhost --monitor-port 5000
  ```
- Launch the Dashboard:
  ```bash
  WinIDS-dashboard
  ```
- Test with the Attack Panel (optional):
  ```bash
  WinIDS-attack-panel
  ```
Using as a Python Library
```python
from WinIDS import FastIDS, IDSBridge, IDSMonitor

# Create and start the monitor
monitor = IDSMonitor(host="localhost", port=5000)
monitor.start()

# Create and start the bridge
bridge = IDSBridge(monitor_host="localhost", monitor_port=5000)
bridge.start()

# Create and start the IDS with reinforcement learning
ids = FastIDS(model_path="models/best_fast_model.h5",
              norm_params_path="models/normalization_params.json",
              use_rl=True)
ids.connect_to_bridge()
ids.start()

# Get current stats
stats = ids.get_stats()
print(f"Uptime: {stats['uptime']}s, Packets: {stats['total_packets']}, Alerts: {stats['alerts']}")

# Stop components when done
ids.stop()
bridge.stop()
monitor.stop()
```
Components
FastIDS
The core intrusion detection engine using neural network models with reinforcement learning capabilities.
```python
from WinIDS import FastIDS

ids = FastIDS(
    model_path="models/best_fast_model.h5",
    norm_params_path="models/normalization_params.json",
    threshold=0.7,
    bridge_host="localhost",
    bridge_port=5000,
    use_rl=True,
    rl_model_dir="./rl_models",
    rl_training_mode=True
)
```
IDSMonitor
Connection manager between the bridge and the IDS system.
```python
from WinIDS import IDSMonitor

monitor = IDSMonitor(
    host="localhost",
    port=5000,
    check_interval=1.0,
    traffic_file="data/traffic_log.json",
    disable_attacks=False
)
```
IDSBridge
Traffic generator that connects to the monitor.
```python
from WinIDS import IDSBridge

bridge = IDSBridge(
    monitor_host="localhost",
    monitor_port=5000,
    data_file="data/training_data.csv",
    synthetic=True
)
```
ProDashboard
Graphical user interface for the IDS system.
```python
from WinIDS import ProDashboard, FastIDS

ids = FastIDS(model_path="models/best_fast_model.h5", use_rl=True)
dashboard = ProDashboard(ids, dark_mode=True)
dashboard.run()
```
AttackPanel
Tool for generating test attacks.
```python
from WinIDS import AttackPanel

panel = AttackPanel(
    bridge_host="localhost",
    bridge_port=5000,
    dark_mode=True
)
panel.run()
```
Reinforcement Learning
WinIDS uses reinforcement learning to continuously adapt and optimize its detection capabilities:
Adaptive Thresholds
The RL agent automatically adjusts detection thresholds based on:
- Historical attack patterns
- False positive rates
- System performance
```python
from WinIDS import FastIDS

# Create an IDS with reinforcement learning enabled
ids = FastIDS(
    model_path="models/best_fast_model.h5",
    use_rl=True,
    rl_model_dir="./custom_rl_models"
)

# RL will automatically adjust thresholds based on traffic patterns
ids.start()
```
Feedback Mechanism
You can provide explicit feedback to improve detection:
```python
# Example of providing feedback to the RL system.
# `bridge` is the running IDSBridge instance created in the Quick Start section.
feedback = {
    "alert_id": "alert-1234",
    "is_attack": True,  # True if this was indeed an attack, False if a false positive
    "confidence": 0.85
}

# Send feedback (handled internally by the IDS)
bridge.send_feedback(feedback)
```
Custom RL Model Directory
Specify where to store trained RL models:
```bash
WinIDS-dashboard --rl-model-dir /path/to/rl_models
```
Attack Simulation
WinIDS includes an attack simulator for testing the IDS system:
```python
from WinIDS.attack_simulator import simulate_attack

# Simulate a DOS attack with 75% intensity for 10 seconds
attack_data = simulate_attack(attack_type="dos", intensity=0.75, duration=10)

# Simulate a probe attack
probe_attack = simulate_attack(attack_type="probe", intensity=0.5, duration=5)
```
Training Custom Models
WinIDS provides scripts for training custom models:
```bash
python -m WinIDS.scripts.train_model --dataset your_data.csv --model-output models/custom_model.h5
```
Command-line Options
WinIDS-dashboard
```text
usage: WinIDS-dashboard [-h] [--model MODEL] [--norm-params NORM_PARAMS]
                        [--threshold THRESHOLD] [--bridge-host BRIDGE_HOST]
                        [--bridge-port BRIDGE_PORT] [--light-mode]
                        [--disable-attacks] [--disable-rl]
                        [--rl-model-dir RL_MODEL_DIR] [--disable-rl-training]
```
WinIDS-bridge
```text
usage: WinIDS-bridge [-h] [--monitor-host MONITOR_HOST]
                     [--monitor-port MONITOR_PORT] [--interval INTERVAL]
                     [--synthetic] [--data-file DATA_FILE]
```
WinIDS-monitor
```text
usage: WinIDS-monitor [-h] [--host HOST] [--port PORT]
                      [--check-interval CHECK_INTERVAL]
                      [--traffic-file TRAFFIC_FILE] [--disable-attacks]
```
WinIDS-attack-panel
```text
usage: WinIDS-attack-panel [-h] [--bridge-host BRIDGE_HOST]
                           [--bridge-port BRIDGE_PORT] [--light-mode]
```
How Reinforcement Learning Works in WinIDS
WinIDS implements a Deep Q-Network (DQN) approach to optimize intrusion detection:
- State: The current system state includes metrics like false positive rate, attack distribution, and current threshold.
- Actions: The RL agent can adjust detection thresholds up or down with varying degrees.
- Rewards: The system receives rewards for:
  - Successfully detecting real attacks
  - Avoiding false positives
  - Maintaining an optimal balance between security and performance
- Training: The agent continuously learns from interactions with the network traffic and feedback.
- Adaptation: The system automatically adjusts to changing network conditions and attack patterns.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Acknowledgements
- Special thanks to all contributors
- Built with TensorFlow, NumPy, and other open-source libraries
Project details
Download files
File details
Details for the file winids-0.1.1.tar.gz.
File metadata
- Download URL: winids-0.1.1.tar.gz
- Upload date:
- Size: 40.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.8.0
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | fb6a2cd27a11634e6418071d2a5cdf23057e607b64f72c94ae4e98e2aa601543 |
| MD5 | 041dc7feaef16538dc254f52165e8248 |
| BLAKE2b-256 | 8a4252fd1ab2139756e7edf4782aea9b6ae91c974e9552b5ff51d53ad6300149 |
File details
Details for the file winids-0.1.1-py3-none-any.whl.
File metadata
- Download URL: winids-0.1.1-py3-none-any.whl
- Upload date:
- Size: 45.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.8.0
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 9a600e5c96bcae4569761cc39cd0043b54454efaa59501b81038e8ca52e23f8a |
| MD5 | e44533bc72a625180e9bb76445b180b8 |
| BLAKE2b-256 | 59de4863175eef2a8e45d81f441f5e9f32df2a7e77fb552b81200f271125eba0 |