Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun.

K-Means

Open Source Tools

UNIT II: Malware and Vulnerability

Adarsh Kumar
Professor, Systems, School of Computer Science, UPES, Dehradun,
Uttarakhand, India
[email protected]

February 21, 2025

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 1 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Table of Contents

1 Dec.Tre. and Rand. Frst.

2 Genetic Algorithms
3 Neu. Net.for Sys. Tun.
4 K-Means

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 2 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Decision Trees for Threat Classification

A decision tree is a hierarchical model used to make decisions

based on feature splits.
Each internal node represents a condition on a feature, and
each leaf node represents a classification.
Can be used to classify threats based on characteristics like IP
address, protocol, port number, etc.
Example: Classifying Threats Suppose we want to classify
whether incoming traffic is malicious or benign:
Feature 1: Source IP Reputation
Feature 2: Port Number
Feature 3: Protocol Used
The decision tree will split on these features to make a prediction.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 3 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Decision Trees for Threat Classification

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 4 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Random Forest for Fine-tuning Detection

Random Forest is an ensemble method of decision trees.

It creates multiple decision trees by randomly selecting subsets
of features and data samples.
Aggregates the results from all trees to improve classification
accuracy.
Example: Fine-tuning Detection Rules
A random forest can be used to adjust detection rules based
on real-time data.
Fine-tunes the decision boundary for distinguishing between
similar classes of threats.
For instance, distinguishing between malware and benign
anomalies using multiple traffic features.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 5 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Random Forest for Threat Classification

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 6 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Visualizing a Simple Decision Tree

Example: Binary Classification

Imagine a decision tree with the following structure:
Root: IP Reputation Score
Left Child: Port Number is 80 (Benign)
Right Child: Protocol is suspicious (Malicious)

Example: Threat Classification Using a Decision Tree

Let’s classify incoming network traffic as either ’Benign’ or ’Malicious’ based on:
IP Reputation Score (Root Node): If the score is low, classify as benign. If
high, further analyze.
Port Number (Left Child): If port number is 80, classify as ’Benign’. Otherwise,
continue to the next feature.
Protocol Type (Right Child): If the protocol is HTTP or HTTPS, classify as
’Benign’. If it’s suspicious (e.g., Telnet or unknown protocols), classify as
’Malicious’.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 7 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Visualizing a Simple Decision Tree

Tree Structure
A sample decision tree could have the following structure:
Root Node: Check IP Reputation Score.
Left Branch (Low Reputation): Port Number == 80 ⇒ Benign
Right Branch (High Reputation): Protocol == Suspicious ⇒ Malicious

Classification Example
Input 1: IP Reputation = Low, Port Number = 80 ⇒ Classified as Benign
Input 2: IP Reputation = High, Protocol = Telnet ⇒ Classified as Malicious

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 8 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

What is Support Vector Machine (SVM)?

SVM is a supervised machine learning model used for classification and

regression.
In cybersecurity, SVM is primarily used for intrusion detection, malware
classification, and anomaly detection.
SVM finds the optimal hyperplane that separates different classes of data.

How Does SVM Work?

Linear SVM: Finds a hyperplane separating data classes linearly.
Non-linear SVM: Uses kernel functions (e.g., RBF, polynomial) to classify data
that isn’t linearly separable.
SVM maximizes the margin between different classes for better generalization.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 9 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Random Forest for Threat Classification

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 10 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Random Forest for Threat Classification

Figure: SVM Example

Hyperplane
A hyperplane is a decision boundary in n-dimensional space.
In 2D, it is a line; in 3D, a plane.
The objective is to find a hyperplane that maximizes the margin between classes.

Support Vectors
Support vectors are data points closest to the hyperplane.
They are critical in defining the hyperplane’s position.
Removing non-support vectors does not affect the hyperplane.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 11 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Classifying Emails

Data Points:
Not Spam: (1, 2), (2, 3), (3, 3)
Spam: (5, 4), (6, 5), (5, 6)
Hyperplane: Separates Spam from Not Spam.
Support Vectors: Points closest to the hyperplane.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 12 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

How Does SVM Work

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 13 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

How Does SVM Work in Cybersecurity?

Figure: SVM in Cybersecurity

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 14 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Malware Detection with SVM

Dataset contains features like file behaviors, network traffic

patterns.
The SVM model is trained to classify whether the activity is
benign or malicious.
Steps:
1 Extract features from network traffic.
2 Train SVM model using labeled malware and benign data.
3 Predict and classify new activities.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 15 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Malware Detection with SVM

Dataset contains features like file behaviors, network traffic

patterns.
The SVM model is trained to classify whether the activity is
benign or malicious.
Steps:
1 Extract features from network traffic.
2 Train SVM model using labeled malware and benign data.
3 Predict and classify new activities.
Advantages of SVM in Cybersecurity
High accuracy in high-dimensional data spaces (e.g., network
traffic features).
Effective when classes are separable with a large margin.
Robust against overfitting, especially in complex datasets.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 15 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Challenges of Using SVM in Cybersecurity

Computationally expensive for large datasets.

Selecting the right kernel function can be tricky.
Sensitivity to noise in the data.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 16 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Genetic Algorithms

Introduction to Genetic Algorithms

Genetic Algorithms (GAs) are search heuristics inspired by the
process of natural selection.
Used to solve optimization problems by evolving solutions over
generations.
Particularly effective in dynamic environments, such as
cybersecurity.
Applications of GAs in Cybersecurity
Intrusion Detection Systems (IDS)
Malware Detection
Network Security Optimization
Password Cracking
Security Policy Generation

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 17 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Intrusion Detection System

GAs can be used to optimize the feature set for an IDS.

Objective: Maximize detection rate while minimizing false
positives.
Steps of a Genetic Algorithm
1 Initialization: Generate an initial population of candidate
solutions.
2 Selection: Evaluate fitness and select individuals for
reproduction.
3 Crossover: Combine pairs of parents to create offspring.
4 Mutation: Introduce random changes to offspring.
5 Replacement: Form a new population by replacing some
individuals.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 18 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Numerical Example Setup

Objective: Optimize feature selection for an IDS.

Population Size: 4 individuals
Features:
Feature 1: IP Address
Feature 2: Protocol
Feature 3: Port Number
Feature 4: Packet Size

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 19 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Initial Population

Individual Representations (Binary Encoding):

Individual 1: 1100 (Features 1, 2)
Individual 2: 1010 (Features 1, 3)
Individual 3: 0111 (Features 2, 3, 4)
Individual 4: 0001 (Feature 4)

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 20 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Fitness Evaluation

Fitness Function:
True Positives
Fitness =
True Positives + False Positives
Example Fitness Values:
Individual 1: 0.8
Individual 2: 0.6
Individual 3: 0.9
Individual 4: 0.4

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 21 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Selection and Crossover

Selection: Choose top individuals based on fitness.

Selected: Individual 3 (0.9) and Individual 1 (0.8).
Crossover: Create offspring by combining bits:

Offspring 1: 1111, Offspring 2: 1010

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 22 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Mutation and New Generation

Mutation: Introduce small random changes to offspring.

Example Mutation:

Offspring 1: 1110 (one bit flipped)

New Population:
1110
1010
0111
0001

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 23 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Introduction to Neural Networks

Definition of neural networks:
Computational models inspired by the human brain.
Used for pattern recognition, classification, and regression tasks.
Capable of learning complex functions from data through training.
Neural networks are inspired by the human brain.
They consist of interconnected nodes (artificial neurons).
Nodes are organized into layers.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 24 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Introduction to Neural Networks

Structure:
Input layer:
Receives input data (features).
Each neuron corresponds to a feature of the input.

Hidden layers:
Intermediate layers that transform inputs into outputs.
The number of hidden layers and neurons can vary based on the model.

Output layer:
Produces the final output (predictions).
The structure depends on the task (e.g., regression or classification).

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 25 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Introduction to Neural Networks

Structure:
Input layer:
Receives input data (features).
Each neuron corresponds to a feature of the input.

Hidden layers:
Intermediate layers that transform inputs into outputs.
The number of hidden layers and neurons can vary based on the model.

Output layer:
Produces the final output (predictions).
The structure depends on the task (e.g., regression or classification).

Key concepts:
Neurons:
Basic units of a neural network that receive inputs, process them, and produce an output.

Activation functions:
Functions that determine the output of neurons (e.g., sigmoid, ReLU, tanh).
Introduce non-linearity into the model, enabling it to learn complex patterns.

Weights and biases:

Weights determine the strength of connections between neurons.
Biases allow the model to fit the data better by adjusting the output.
Both weights and biases are learned during the training process.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 25 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Email Classification

Input Features:
Email Content:
Textual data processed using techniques like TF-IDF or word
embeddings (e.g., Word2Vec, GloVe).
Example: An email body containing phrases like ”Congratulations!
You’ve won” may indicate spam.
Sender Information:
Analyzes the sender’s domain (e.g., @example.com) and frequency
of emails from that sender.
Example: If emails from the domain ”unknown-sender.com” are
frequent and marked as spam, it raises suspicion.
Subject Line:
Checks for the presence of specific keywords (e.g., ”free”, ”urgent”,
”limited time offer”).
Example: Subject ”Get your free trial now!” would likely contribute
to a spam classification.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 26 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Email Classification

Architecture:
Input Layer:
Receives the processed features as input vectors.
Each feature (e.g., email content, sender info, subject) is
represented numerically.
Hidden Layers:
Two hidden layers, with an example configuration:
First hidden layer: 64 neurons with ReLU activation.
Second hidden layer: 32 neurons with ReLU activation.
These layers learn complex patterns from the features through
weights and biases.
Output Layer:
A single neuron with a sigmoid activation function for binary
classification (spam or not spam).
Output y will be:
(
1 if spam
y=
0 if not spam
Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 27 / 52
Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: Email Classification

Decision Making:
Threshold for Classification:
A threshold (e.g., 0.5) is set to classify the output from the
neural network.
If the predicted probability p > 0.5, classify as spam;
otherwise, classify as not spam.
Example: If the model outputs a probability of 0.7, the email
is classified as spam. Conversely, an output of 0.4 classifies it
as not spam.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 28 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Neural Networks in System Tuning

Objective: Optimize system performance parameters (e.g.,

CPU usage, memory allocation).
Example: Using a neural network to tune hyperparameters in
machine learning models.
Calculations:
Input features: Learning rate, batch size, number of layers.
Output: Model accuracy.
Loss function: Mean Squared Error (MSE).

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 29 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example Calculation

Given:
Learning Rate: 0.01
Batch Size: 32
Number of Layers: 3
Output accuracy: 85%
Loss calculation:
n
1X
MSE = (yi − yˆi )2
n
i=1

Let n = 100, yi as true values, and yˆi as predicted values.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 30 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example Calculation

Calculating MSE:
Assume true values y = [y1 , y2 , . . . , y100 ] and predicted values
ŷ = [yˆ1 , yˆ2 , . . . , y100
ˆ ].
Calculate the squared differences:

(yi − yˆi )2

for each i from 1 to 100.

Sum the squared differences:
100
X
Total = (yi − yˆi )2
i=1

Compute the MSE:

Total
MSE =
100

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 31 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example Calculation
Calculating MSE:
Assume true values y and predicted values ŷ:
y = [3, −0.5, 2, 7, 1.5, 4, 5.5, 6, 2.5, 3.5, . . .] (100 values)
ŷ = [2.5, 0.0, 2, 8, 1.4, 4.5, 5.0, 5.5, 3.0, 3.8, . . .] (100 values)
Calculate the squared differences for each i:
2
(yi − yˆi )
For example:
2 2 2
(y1 − yˆ1 ) = (3 − 2.5) = (0.5) = 0.25
2 2 2
(y2 − yˆ2 ) = (−0.5 − 0.0) = (−0.5) = 0.25
2 2 2
(y3 − yˆ3 ) = (2 − 2) =0 =0
2 2 2
(y4 − yˆ4 ) = (7 − 8) = (−1) =1
Repeat this for all 100 values to get the squared differences:
Squared Differences = [0.25, 0.25, 0, 1, . . .]
Sum the squared differences:
100
2
X
Total = (yi − yˆi )
i=1
Suppose after summing all values, we get:
Total = 15
Compute the MSE:
Total 15
MSE = = = 0.15
100 100
Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 32 / 52
Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example Calculation

Interpretation:
The MSE value of 0.15 indicates the average squared
difference between the predicted and true values.
Lower MSE values suggest better model performance,
indicating that the predictions are closer to the actual
outcomes.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 33 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Neural Networks in Cybersecurity

Objective: Detect and prevent cyber threats (e.g., intrusion

detection, malware classification).
Example: Using a neural network for phishing detection.
Input features: URL length, number of special characters,
and domain age.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 34 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example Calculation: Given Inputs

Given:
URL Length: 45
Special Characters: 5
Domain Age (in days): 30
Neural Network Output:
Probability of phishing: ŷ = 0.92

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 35 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Cost Function (Binary Cross-Entropy)

Cost Function (Binary Cross-Entropy):

n
1X
BCE = − [yi log(yˆi ) + (1 − yi ) log(1 − yˆi )]
n i=1

Definitions:
n: Total number of samples.
yi : Actual label (1 for phishing, 0 for non-phishing).
yˆi : Predicted probability of phishing.
Assumptions:
Let’s assume we have a batch size of n = 2 with the following labels:
For the first sample: y1 = 1 (phishing)
For the second sample: y2 = 0 (not phishing)
Corresponding predicted probabilities:
yˆ1 = 0.92 (for phishing)
yˆ2 = 0.05 (for not phishing)

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 36 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Calculating Binary Cross-Entropy

Calculating BCE:
Substitute values into the BCE formula:

n
1 X
BCE = − [yi log(yˆi ) + (1 − yi ) log(1 − yˆi )]
n i=1

For our example, where n = 2:

1
BCE = − [1 · log(0.92) + 0 · log(0.05) + (1 − 1) · log(1 − 0.92) + (1 − 0) · log(1 − 0.05)]
2

Simplifying further, we find:

1
BCE = − [log(0.92) + log(0.95)]
2

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 37 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Final Calculation and Result

Calculating Individual Terms:

Compute log(0.92) and log(0.95):
log(0.92) ≈ −0.0873
log(0.95) ≈ −0.0513
Substitute into BCE:
1 1
BCE = − [−0.0873 + (−0.0513)] = − [−0.1386] = 0.0693
2 2
Final Result:
The calculated binary cross-entropy loss is:

BCE ≈ 0.0693

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 38 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Binary Cross-Entropy (BCE) Explanation

The value BCE = 0.0693 represents the Binary Cross-Entropy (BCE) loss for the
given classification problem. BCE is a commonly used loss function for binary
classification tasks, and it measures how well the predicted probabilities match the
true labels.
In this case:
You have two samples:
First sample (actual label y1 = 1) with predicted probability yˆ1 = 0.92
(indicating it is phishing).
Second sample (actual label y2 = 0) with predicted probability yˆ2 = 0.05
(indicating it is not phishing).

The BCE formula is used to calculate how close the predicted probabilities are to the
true labels. A lower BCE value indicates a better fit between the model’s predictions
and the actual labels.

The final value of BCE = 0.0693 suggests that the model’s predictions for these two
samples have a small error, meaning the model is predicting fairly accurate
probabilities.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 39 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Hyperparameter Tuning

Techniques: Grid search, Random search, Bayesian

optimization.
Neural network model: Multi-Layer Perceptron (MLP).
Example: Tuning dropout rate and number of epochs.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 40 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Hyperparameters in Cybersecurity

Dropout Rate: 0.5

Dropout is a regularization technique used to prevent
overfitting in neural networks by randomly setting a fraction of
the input units to 0 during training.
In cybersecurity, this technique helps improve the robustness of
models used for threat detection by ensuring that they
generalize well to unseen data, such as new types of attacks.
Epochs: 50
An epoch is one complete pass through the entire training
dataset. Training a model for multiple epochs allows it to learn
from the data iteratively.
In the context of cybersecurity, training for more epochs may
help the model better identify patterns of malicious behavior
from extensive datasets of network traffic or user activity.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 41 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Model Performance and Training Time

Output Model Accuracy: 90%
This accuracy indicates how well the model can classify or detect threats
compared to the actual labels.
In practice, an accuracy of 90% suggests that the model is effective in
distinguishing between normal and malicious activities, crucial for
maintaining security in a networked environment.
Training Time Calculation:
The formula for total training time is:

Training Time = Epochs × Time per Epoch

Assuming Time per Epoch: 2 seconds

This is the average time taken to process the data for one
epoch, which can depend on various factors including model
complexity, dataset size, and hardware specifications.
Calculating Training Time:

Training Time = 50 × 2 = 100 seconds

This total time indicates the efficiency of the training process, which is
critical when deploying models in real-time cybersecurity applications
where quick response times are essential.
Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 42 / 52
Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Future Challenges in System Tuning Algorithms/Software

Complexity of Modern Systems: Increasing complexity

requires more sophisticated tuning algorithms.
Real-time Performance Monitoring: Need for algorithms
that can dynamically adapt to changing workloads.
Integration with Emerging Technologies: Challenges in
tuning systems that incorporate AI, IoT, and cloud computing.
Scalability Issues: Ensuring tuning methods are effective
across diverse and scalable environments.
Security Implications: Balancing performance optimization
with maintaining robust security.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 43 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Introduction to K-Means Clustering

K-Means clustering is an
unsupervised machine learning Data points are assigned to the
algorithm. nearest cluster centroid.
It groups data into clusters based on The algorithm iteratively adjusts
feature similarities. centroids to minimize intra-cluster
variance.
Each cluster has a centroid, which is
the mean of all points in that cluster. K-Means is widely used in anomaly
detection and network traffic analysis
The number of clusters (K) is in cybersecurity.
predefined.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 44 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

How K-Means Clustering Works

Step 1: Choose the number of clusters K.

Step 2: Initialize K random centroids.
Step 3: Assign each data point to the nearest centroid based
on distance.
Step 4: Recalculate centroids by finding the mean of all points
in a cluster.
Step 5: Repeat steps 3 and 4 until convergence.
Step 6: The algorithm stops when centroids no longer change.
K-Means can converge quickly for smaller datasets but may
require more time for large datasets.
convergence refers to the point at which the algorithm has
stabilized and no longer changes the positions of the centroids or
the assignments of data points to clusters.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 45 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Convergence Criteria

The algorithm can be considered to have converged when:

Centroids Stabilization: The centroids no longer change
significantly between iterations.
No Change in Assignments: The assignment of data points
to clusters remains the same across consecutive iterations.
Maximum Iterations: A predefined maximum number of
iterations is reached, regardless of whether convergence criteria
are met.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 46 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Importance of K-Means Clustering in Cybersecurity

Helps detect patterns in network traffic.

Assists in identifying anomalies in user behavior.
Can be used to cluster malware samples based on features.
Groups network logs to identify abnormal activities.
Used for unsupervised detection of cyber threats.
Effective in segregating benign traffic from potentially harmful
traffic.
Provides insights into new, previously unknown security risks.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 47 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: K-Means for Network Traffic Anomaly Detection

Network traffic features include source IP,

destination IP, port numbers, and packet sizes.
K-Means clusters normal and abnormal traffic.
Normal traffic forms tight clusters, while
anomalies form sparse clusters.
Clusters are analyzed to detect outliers
representing potential threats.
K can be selected based on historical traffic
analysis.
Frequent anomalies may indicate ongoing attacks
or misconfigurations.
Effective for identifying distributed
denial-of-service (DDoS) attacks.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 48 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Example: K-Means for Malware Clustering

Malware samples are clustered based on their features (e.g., file size, code
structure, behavior).
K-Means can group different types of malware into clusters.
Centroids represent the average characteristics of malware within a cluster.
Malware with similar behaviors are grouped together.
Helps to detect new strains of malware by comparing them to known clusters.
Clusters can be analyzed to understand common attack vectors.
Useful for developing targeted detection and response strategies.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 49 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Choosing the Right K in Cybersecurity Applications

Choosing the number of clusters K is crucial for effective

detection.
Elbow method helps in selecting the right K.
Plot the sum of squared distances (SSD) against different
values of K.
The ”elbow” point on the graph represents the optimal K.
Too few clusters may lead to underfitting and poor detection
of anomalies.
Too many clusters may lead to overfitting and false positives.
Selecting the right K ensures balanced accuracy and precision
in threat detection.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 50 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Challenges of Using K-Means in Cybersecurity

K-Means assumes clusters are spherical, which may not always

be the case in cybersecurity data.
Difficulty in selecting the right number of clusters.
Sensitive to outliers and noise in network traffic data.
May converge to local minima rather than the global solution.
Performance can degrade with high-dimensional data.
Clustering effectiveness may vary depending on feature
selection.
Requires preprocessing of data, including normalization and
dimensionality reduction.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 51 / 52

Dec.Tre. and Rand. Frst. Genetic Algorithms Neu. Net.for Sys. Tun. K-Means

Improving K-Means for Cybersecurity

Use feature scaling to standardize data before applying

K-Means.
Consider using K-Means++ for better initialization of
centroids.
Hybridize K-Means with other algorithms like DBSCAN for
non-spherical data.
Regularly update the feature set to include new attack vectors.
Use dimensionality reduction techniques such as PCA for
high-dimensional data.
Perform outlier detection before applying K-Means to improve
results.
Test different distance metrics (e.g., Euclidean, Manhattan)
to improve clustering accuracy.

Adarsh Kumar Adarsh[dot]Kumar[at]ddn[dot]upes[dot]ac[dot]in February 21, 2025 52 / 52