A neural network trained on RT-IoT2022 — 123,117 real-world network flow records from a smart home testbed — to classify traffic into 12 attack and benign categories. Built with TensorFlow / Keras, class-weight balancing, and a rigorous preprocessing pipeline.
01 — Dataset
Captured from a real smart-home testbed. Severely imbalanced — DOS_SYN_Hping alone accounts for ~77% of records, making naive accuracy a misleading metric.
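To see why accuracy misleads at this level of skew, here is a small illustrative sketch on synthetic labels (not the real dataset): a degenerate classifier that always predicts the majority class already scores roughly 77% accuracy while detecting nothing.

```python
import numpy as np
from sklearn.metrics import accuracy_score, f1_score

# Synthetic labels mimicking ~77% majority skew (illustration only)
rng = np.random.default_rng(0)
y_true = rng.choice([0, 1, 2], size=10_000, p=[0.77, 0.20, 0.03])
y_majority = np.zeros_like(y_true)  # always predict the majority class

print(accuracy_score(y_true, y_majority))                           # ~0.77
print(f1_score(y_true, y_majority, average="macro", zero_division=0))  # far lower
```

Macro F1 collapses here because every minority class scores an F1 of zero, which is exactly the failure mode that per-class metrics expose.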
02 — Pipeline
Every step runs in order to produce clean, leak-free training data for the classifier.
UCI ML Repository via ucimlrepo. 123,117 rows × 85 cols. No missing values.
Remove the unnamed row-number column saved into the CSV — carries no signal.
pd.get_dummies on proto & service (2 categorical cols → 10 binary columns).
80/20 train-test split, stratified on Attack_type to preserve rare class proportions.
Remove columns with std = 0 before scaling to avoid division-by-zero NaN values.
Fit StandardScaler on train only. Apply to both train and test to prevent leakage.
np.nan_to_num replaces any remaining NaN / ±Inf with 0.0 after scaling.
LabelEncoder maps 12 string class names → integers 0–11 for sparse CE loss.
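The steps above can be sketched end-to-end on synthetic data. Column names here are placeholders, not the real RT-IoT2022 schema; only the order of operations matters.

```python
import numpy as np
import pandas as pd
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import StandardScaler, LabelEncoder

# Synthetic stand-in for the cleaned flow table (placeholder columns)
df = pd.DataFrame({
    "fwd_pkts": np.random.rand(200),
    "bwd_pkts": np.random.rand(200),
    "constant": np.zeros(200),                    # std = 0 -> dropped later
    "proto": ["tcp"] * 150 + ["udp"] * 50,        # categorical -> one-hot
    "Attack_type": ["DOS_SYN_Hping"] * 150 + ["MQTT_Publish"] * 50,
})

# One-hot encode categorical columns, split features from the label
X = pd.get_dummies(df.drop(columns="Attack_type"))
y = df["Attack_type"]

# 80/20 split, stratified so rare classes keep their proportions
X_tr, X_te, y_tr, y_te = train_test_split(
    X, y, test_size=0.2, stratify=y, random_state=42)

# Drop zero-variance columns, decided on the training split only
keep = X_tr.columns[X_tr.std() > 0]
X_tr, X_te = X_tr[keep], X_te[keep]

# Fit the scaler on train only, then transform both splits; scrub residual NaN/Inf
scaler = StandardScaler().fit(X_tr)
X_tr = np.nan_to_num(scaler.transform(X_tr))
X_te = np.nan_to_num(scaler.transform(X_te))

# String labels -> integer ids for sparse categorical cross-entropy
le = LabelEncoder().fit(y_tr)
y_tr_ids, y_te_ids = le.transform(y_tr), le.transform(y_te)
```

Fitting both the zero-variance filter and the scaler on the training split alone is what keeps test-set statistics from leaking into training.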
03 — Model Architecture
Intentionally lean: one hidden layer with 16 neurons. Simplicity is a feature for a network-flow classifier where the signal is strong.
04 — Results
Evaluated on the held-out 20% test set. Per-class F1 is the key metric given the severe class imbalance.
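Per-class F1 is straightforward to read off with scikit-learn. This sketch uses synthetic predictions for three hypothetical classes, not the project's real results, purely to show why the metric matters.

```python
import numpy as np
from sklearn.metrics import classification_report, f1_score

# Synthetic example: the classifier misses every flow of rare class 1
y_true = np.array([0] * 90 + [1] * 8 + [2] * 2)
y_pred = np.array([0] * 90 + [0] * 8 + [2] * 2)

print(classification_report(y_true, y_pred, zero_division=0))
per_class = f1_score(y_true, y_pred, average=None, zero_division=0)
```

Accuracy comes out at 92% here, yet class 1 has an F1 of exactly zero; per-class and macro-averaged F1 surface that failure where a single accuracy number hides it.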
05 — Verifiability
Every artefact needed to reproduce or audit this project is openly available.
Full training notebook. Anyone can open and run it in a free Colab environment without any setup.
RT-IoT2022 is publicly hosted at UCI. The ucimlrepo library loads it automatically — no manual download required.
06 — Observations
Key findings from the loss curve behaviour and recommendations for future iterations.
Training loss sitting above validation loss is expected here: the balanced class weights inflate the training loss whenever a rare-class sample is misclassified, while the validation loss is computed unweighted. The model is being pushed harder on minority categories during training, exactly as intended.
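For reference, "balanced" class weights follow the formula n_samples / (n_classes × n_class_samples), so rare classes carry proportionally larger per-sample loss. A sketch with synthetic counts:

```python
import numpy as np
from sklearn.utils.class_weight import compute_class_weight

# Synthetic class counts mimicking heavy imbalance (illustration only)
y = np.array([0] * 770 + [1] * 200 + [2] * 30)

# weight_c = n_samples / (n_classes * n_samples_in_c)
weights = compute_class_weight("balanced", classes=np.unique(y), y=y)
print(dict(zip(np.unique(y), weights)))
# class 2 (30 samples) gets weight ~11.1, class 0 (770 samples) only ~0.43
```

Passed to Keras as `class_weight` in `model.fit`, these multipliers are applied to the training loss only, which is why the weighted training curve can sit above the unweighted validation curve.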
To improve precision for the weakest categories, future iterations should explore synthetic oversampling — particularly SMOTE — applied to ultra-rare classes like NMAP_FIN_SCAN (28 samples) and Metasploit_Brute_SSH (37 samples).
Adding deeper hidden layers, or trying tree-based ensembles such as XGBoost, could also yield gains on the extreme-imbalance cases. Tree-based ensembles often handle skewed distributions more effectively than small neural networks at this data scale.