UNIVERSITY COLLEGE OF ENGINEERING

(BIT CAMPUS)
ANNA UNIVERSITY, TIRUCHIRAPALLI

AI IN CYBERSECURITY
A PROJECT REPORT
For
NAAN MUDHALVAN(NM1067) –AI And Green Skills

Submitted by
KABIL RAJ.A(810022104712)
III-Year/VI – Semester (2024-2025)
B.E – Computer Science and Engineering

Submitted to
Mr.J.B.Shriram
 TABLE OF CONTENT

CHAPTER CONTENT

1 AIM

2 PROBLEM STATEMENT

3 PROJECT OBJECTIVES

4 VARIABLES USED

5 IMPLEMENTATION DETAILS

6 INPUT CODE

7 SAMPLE CODE

8 FUTURE ENHANCEMENTS

9 CONCLUSION
 AIR QUALITY INDEX PREDICTOR

Aim:
The aim of this project is to explore how Artificial Intelligence (AI)
can be leveraged to enhance cybersecurity frameworks. This
involves the use of machine learning (ML), deep learning (DL), and
data analytics to identify threats, detect anomalies, respond to
incidents, and predict future vulnerabilities in networks and systems,
thereby reducing manual effort and improving security posture.

Problem Statement:
Cybersecurity threats are growing in sophistication and frequency.
Traditional systems that rely on manually defined rules and signature-based
detection are increasingly unable to cope with zero-day exploits,
polymorphic malware, insider threats, and advanced persistent threats
(APTs). These threats often go undetected for long periods, resulting in data
breaches, financial losses, and reputation damage.
Given the massive scale of digital activity and the complexity of modern
networks, there is a need for intelligent, scalable, and adaptive security
systems. AI can fill this gap by learning from vast volumes of data,
recognizing patterns, and making decisions without human intervention.

Project Objectives:
 Understand AI concepts relevant to cybersecurity (e.g.,
supervised/unsupervised learning, anomaly detection).
 Analyze real-world cyberattack datasets to extract features relevant for
AI models.
 Design and implement an AI-based intrusion detection system (IDS)
using algorithms like Random Forest, Neural Networks, and Autoencoders.
 Evaluate model performance using metrics like accuracy, precision,
recall, F1-score, and false positive rate.
 Simulate real-time threat detection to assess the practical applicability
of the system.
 Propose a scalable architecture for integrating AI with existing
cybersecurity tools.
Variables Used:
 IP Source and Identifies source and target of traffic.
Destination
 Port Numbers – Helps determine services and potential attack vectors.

 Protocol Type (TCP, UDP, ICMP) to categorize traffic.

 Packet Size & Indicators of traffic behaviour

Flow Duration

 Label (Target) Indicates whether the record is benign or an attack.

 Feature Vectors  ) – Combination of all the above for training.

(Input X)

Implementation Details:
1. Dataset Selection

A high-quality dataset is critical for training an effective cybersecurity model. Some

widely used datasets in cybersecurity research include:

 CICIDS2017:

o Provided by the Canadian Institute for Cybersecurity.

o Includes realistic network traffic with labeled attacks such as DDoS,

brute-force, infiltration, and botnets.

 UNSW-NB15:

o Contains nine types of attacks including Fuzzers, Analysis, Backdoors,

DoS, Exploits, Generic, Reconnaissance, Shellcode, and Worms.

 NSL-KDD:

o An enhanced version of the older KDD Cup 1999 dataset.

o Used for network intrusion detection.

These datasets include both normal (benign) and malicious traffic, offering balanced
class distributions for training models.

2. Data Preprocessing

Raw cybersecurity data often contains irrelevant or noisy information.

Preprocessing ensures data quality and prepares it for modeling.

a. Data Cleaning

 Remove duplicate rows and null values.

 Ensure consistent data formats for timestamps, IP addresses, and labels.

b. Feature Selection & Extraction

 Extract relevant features such as:

o Packet size

o Flow duration

o Number of bytes transferred

o Source and destination ports

o Protocol type (TCP/UDP/ICMP)

o Flags (e.g., SYN, ACK, FIN)

c. Encoding and Normalization

 Convert categorical data (e.g., protocol types) into numerical values using one-
hot encoding or label encoding.

 Normalize numeric features using Min-Max scaling or Z-score normalization to

bring all values to a similar range.

3. Model Selection
AI models can be supervised, unsupervised, or hybrid, depending on the
availability of labeled data.

a. Supervised Learning Models

Used when the dataset includes labeled instances (benign/malicious).

 Random Forest: Robust ensemble classifier, handles large datasets well.

 Support Vector Machine (SVM): Effective for binary classification.

 Logistic Regression: Lightweight, good for baseline modeling.

 Gradient Boosting (XGBoost, LightGBM): High-performance models for

imbalanced data.

b. Unsupervised Learning Models

Used for anomaly detection when labels are missing.

 K-Means Clustering: Groups similar behavior together; outliers considered

anomalies.

 Isolation Forest: Efficient anomaly detection model.

 Autoencoders: Neural networks trained to reconstruct input; high

reconstruction error indicates anomaly.

c. Deep Learning Models

 LSTM (Long Short-Term Memory): Captures time-series data and sequential

patterns in attacks.

 CNN (Convolutional Neural Network): Used for spatial feature extraction in

traffic data.

 Autoencoders: Learn compressed representations; useful for unsupervised

anomaly detection.

4. Training and Validation

  Train-Test Split: Divide data into training and testing sets (typically 70/30 or
80/20 split).

 Cross-Validation: K-fold cross-validation (usually k=5 or 10) helps validate

model stability.

 Model Tuning: Adjust hyperparameters like tree depth (in Random Forest),
learning rate (in Gradient Boosting), or number of epochs (in Deep Learning).

 Feature Importance: Use SHAP (SHapley Additive exPlanations) or

feature_importances_ to understand which features contribute most to
prediction.

5. Model Evaluation

Evaluate the model using various performance metrics:

 Accuracy: (TP + TN) / Total

 Precision: TP / (TP + FP)

 Recall (Detection Rate): TP / (TP + FN)

 F1-Score: Harmonic mean of precision and recall.

 False Positive Rate (FPR): FP / (FP + TN)

 Confusion Matrix: Visual representation of true vs predicted labels.

For cybersecurity, Recall and False Positive Rate are more critical than just
Accuracy, as false negatives can mean undetected threats, and high false positives
can overwhelm analysts.

6. Real-Time Simulation (Optional but Valuable)

To demonstrate practicality, simulate detection in a streaming environment.

 Use packet capture tools like Wireshark or tcpdump to collect live traffic.
 Create a pipeline that:

o Captures packets.

o Extracts features in real-time.

o Feeds data into the trained model.

o Outputs alerts if traffic is malicious.

 Use Flask or FastAPI to expose the AI model as a REST API for integration
with real-world systems.

7. Tool Stack

 Programming Language: Python

 Libraries:

o scikit-learn – Machine Learning models and metrics

o TensorFlow/Keras – Deep learning framework

o Pandas, NumPy – Data processing

o Matplotlib, Seaborn – Visualizations

o joblib – Model serialization for deployment

 Security Tools:

o Wireshark – Packet analysis

o Snort – Intrusion detection/prevention

o Splunk or ELK Stack – Log analysis and alert management

Input Code:
import pandas as pd
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import LabelEncoder, MinMaxScaler
from sklearn.metrics import classification_report, confusion_matrix, accuracy_score
import seaborn as sns
import matplotlib.pyplot as plt

# Step 1: Load Dataset (CSV format)

df = pd.read_csv("cybersecurity_dataset.csv") # Replace with your actual dataset path

# Step 2: Basic Cleaning

df.dropna(inplace=True) # Remove rows with missing values
df.drop_duplicates(inplace=True)

# Step 3: Feature & Target Separation

X = df.drop(columns=['label']) # Features
y = df['label'] # Target: 'Benign' or 'Malicious'

# Step 4: Encode Categorical Data

label_encoders = {}
for column in X.select_dtypes(include='object').columns:
le = LabelEncoder()
X[column] = le.fit_transform(X[column])
label_encoders[column] = le

# Encode target variable

target_encoder = LabelEncoder()
y = target_encoder.fit_transform(y) # 0 = Benign, 1 = Malicious

# Step 5: Feature Scaling

scaler = MinMaxScaler()
X_scaled = scaler.fit_transform(X)

# Step 6: Train-Test Split

X_train, X_test, y_train, y_test = train_test_split(X_scaled, y, test_size=0.3,
random_state=42)

# Step 7: Model Training

model = RandomForestClassifier(n_estimators=100, random_state=42)
model.fit(X_train, y_train)

# Step 8: Predictions
y_pred = model.predict(X_test)

# Step 9: Evaluation
print("Accuracy Score:", accuracy_score(y_test, y_pred))
print("\nClassification Report:\n", classification_report(y_test, y_pred,
target_names=['Benign', 'Malicious']))

# Step 10: Confusion Matrix Visualization

cm = confusion_matrix(y_test, y_pred)
plt.figure(figsize=(6, 5))
sns.heatmap(cm, annot=True, fmt='d', cmap='Blues', xticklabels=['Benign', 'Malicious'],
yticklabels=['Benign', 'Malicious'])
plt.title("Confusion Matrix")
plt.xlabel("Predicted")
plt.ylabel("Actual")
plt.show()

# Step 11: Save Model (Optional)

import joblib
joblib.dump(model, "cybersecurity_model.pkl")
joblib.dump(scaler, "scaler.pkl")
joblib.dump(label_encoders, "label_encoders.pkl")
Sample Output:
C
Future Enhancements:
 Federated Learning: Implement decentralized learning to enhance data
privacy.
 Explainable AI (XAI): Improve model transparency to understand how
and why threats are flagged.
 Integration with Threat Intelligence Feeds: Enhance detection with up-
to-date global threat databases.
 Cloud Security Integration: Adapt AI tools for protecting cloud
infrastructure and SaaS platforms.
 Self-Healing Networks: Use AI to not only detect but also autonomously
respond and fix vulnerabilities.
 Blockchain-Enhanced Security: Use distributed ledgers for securing
logs and event records against tampering.

Conclusion:
Artificial Intelligence plays a transformative role in modern
cybersecurity by offering proactive and intelligent defense mechanisms. AI
can analyze massive amounts of data in real time, detect complex threats,
and automate responses with minimal human input. While promising,
challenges like data quality, model interpretability, and adversarial AI still
need to be addressed. Future cybersecurity systems must blend AI with
robust governance and compliance frameworks to ensure safe digital
environments.