Project Title: ML based Cyber Attack Detection in Simulated Networks
Category: Networking
Muhammad Luqman
m.luqman@vu.edu.pk
mluqman.vu
ML based Cyber Attack Detection in Simulated Networks
Project Domain / Category
Networking / Machine Learning
Abstract / Introduction
This project aims to design and evaluate a cyber-attack detection system in a controlled, virtualized lab environment. Using GNS3 (or EVE-NG) as the network simulator, VirtualBox/VMware Workstation for hosting VMs, Wireshark for traffic capture, and Kali Linux for attack generation, we will create realistic network scenarios representing both normal and malicious traffic.
The captured packet data (pcap files) will be processed into datasets that feed a machine learning model trained to distinguish normal traffic from attack traffic. The system will then classify live or replayed traffic flows as normal or malicious, demonstrating the feasibility of using ML for cyber-attack detection in small-scale testbeds.
Order of implementation
1) Lab Setup
   Build a GNS3/EVE-NG topology with:
   - Victim server VM (running Apache, SSH, or FTP).
   - Client node VM (simulating a legitimate user).
   - Kali Linux VM (for attacks).
   - Monitoring node with Wireshark (for traffic capture).
2) Traffic Generation
   - Simulate legitimate activities: browsing, file transfer, DNS queries.
   - Launch attacks from Kali: brute force (Hydra), DoS/DDoS (hping3, slowloris), scanning (Nmap).
3) Traffic Capture & Dataset Creation
   - Use Wireshark to capture traffic at the monitoring node.
   - Export the captured pcap files.
   - Preprocess the pcaps into datasets (e.g., extract flow features and packet statistics).
4) Machine Learning Model Development
   - Split the dataset into training and testing sets.
   - Apply ML algorithms (Random Forest, Isolation Forest, or SVM).
   - Train the model and evaluate its classification accuracy.
5) Deployment & Testing
   - Deploy the trained model inside a VM in the same environment.
   - Feed new traffic captures to the model in real-time or replay mode.
   - Generate an alert or classification output (normal/attack).
- Build a small virtual lab topology with client, server, attacker, and monitoring nodes.
- Generate both normal traffic (web browsing, file transfer, DNS) and attack traffic (brute force, DoS/DDoS, port scans) using Kali Linux.
- Capture traffic with Wireshark at the monitoring point.
- Preprocess the captured traffic into flow-level datasets suitable for ML training.
- Train a machine learning model to detect attacks (binary classification: normal vs. attack).
- Deploy the trained model inside the simulated environment to classify traffic in near-real time.
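As an added illustration of the preprocessing step (this is not code from the project brief), the Python below turns per-packet records, of the kind exported from Wireshark, into the flow-level rows a classifier trains on. The packet rows, IP addresses and the labelling rule (flows initiated by the attacker VM are "attack") are constructed assumptions for the lab, not values from a real capture.

```python
# Constructed sample rows (time, src, dst, sport, dport, proto, length, flags): a
# normal HTTP session from the client VM, then a SYN burst from the attacker VM
# against the victim's SSH port. All addresses are made up for this example.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.2", "10.0.0.10", 40000, 80, "tcp", 74, "S"),
    (0.01, "10.0.0.10", "10.0.0.2", 80, 40000, "tcp", 74, "SA"),
    (0.02, "10.0.0.2", "10.0.0.10", 40000, 80, "tcp", 66, "A"),
    (0.03, "10.0.0.2", "10.0.0.10", 40000, 80, "tcp", 512, "PA"),
    (0.05, "10.0.0.10", "10.0.0.2", 80, 40000, "tcp", 1500, "PA"),
    (0.06, "10.0.0.2", "10.0.0.10", 40000, 80, "tcp", 66, "FA"),
    (1.00, "10.0.0.99", "10.0.0.10", 5000, 22, "tcp", 60, "S"),
    (1.00, "10.0.0.99", "10.0.0.10", 5001, 22, "tcp", 60, "S"),
    (1.00, "10.0.0.99", "10.0.0.10", 5002, 22, "tcp", 60, "S"),
    (1.01, "10.0.0.99", "10.0.0.10", 5003, 22, "tcp", 60, "S"),
]

def flow_key(pkt):
    """Bidirectional 5-tuple: both directions of a conversation share one key."""
    _, src, dst, sport, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto, min(a, b), max(a, b))

def build_flows(packets):
    """Group packets into flows, keeping the raw per-flow counters."""
    flows = {}
    for pkt in packets:
        t, src, sport, length, flags = pkt[0], pkt[1], pkt[3], pkt[6], pkt[7]
        f = flows.setdefault(flow_key(pkt), {"initiator": (src, sport), "times": [],
                                             "lens": [], "syn": 0, "fwd": 0, "bwd": 0})
        f["times"].append(t)
        f["lens"].append(length)
        f["syn"] += "S" in flags                       # SYN bit set on this packet
        f["fwd" if (src, sport) == f["initiator"] else "bwd"] += 1
    return flows

def to_dataset(packets, attacker_ips):
    """One row per flow: numeric features plus the lab ground-truth label."""
    rows = []
    for (proto, a, b), f in build_flows(packets).items():
        n, total = len(f["lens"]), sum(f["lens"])
        src = f["initiator"]
        dst = b if a == src else a                     # the responding endpoint
        rows.append({
            "proto": proto, "src": src[0], "dst": dst[0], "dport": dst[1],
            "start": min(f["times"]), "duration": max(f["times"]) - min(f["times"]),
            "packets": n, "bytes": total, "mean_len": total / n,
            "syn_ratio": f["syn"] / n, "fwd_packets": f["fwd"], "bwd_packets": f["bwd"],
            "label": "attack" if src[0] in attacker_ips else "normal",
        })
    return sorted(rows, key=lambda r: r["start"])      # ready to write as CSV
```

A SYN flood shows up here as many one-packet flows with syn_ratio 1.0 and no backward packets, which is exactly the kind of feature a Random Forest can separate from a completed HTTP session.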
Tools: it is recommended that you learn, install, and work with the tools in the order given below, as each builds on the previous one.
GNS3 or EVE-NG → Simulated network environment.
VirtualBox / VMware Workstation → VM hosting for client, server, and Kali Linux attacker.
Kali Linux → Attack generation (brute force, DoS, scanning, etc.).
Wireshark → Packet capture and dataset extraction.
Python (inside VM) → Dataset preprocessing and machine learning model development.
Note: helping material / tutorial links (watch in this order)
1) GNS3 / lab topology (setup VMs, connect VirtualBox)
GNS3 Tutorial - Beginners Setup Guide (YouTube) — step-by-step GNS3 installation and basic topology.
▶ Watch: https://www.youtube.com/watch?v=yRehj98ccuk
▶ Watch: https://www.youtube.com/watch?v=IQekERpy1-E
2) Wireshark / packet capture (how to capture, filter, export pcap)
Wireshark Tutorial for Beginners (YouTube) — capture basics, filtering, saving PCAPs.
▶ Watch: https://www.youtube.com/watch?v=qTaOZrDnMzQ
▶ Playlist: https://www.youtube.com/playlist?list=PLW8bTPfXNGdC5Co0VnBK1yVzAwSSphzpJ
3) Kali Linux attack generation (nmap, hydra, hping3, scapy)
Kali Tools documentation: hping3 (official Kali tools page) — reference & usage examples for DoS/fuzzing.
Read: https://www.kali.org/tools/hping3/
Kali Tools: nmap & hydra pages — official usage examples for scanning and brute-force.
nmap: https://www.kali.org/tools/nmap/
hydra: https://www.kali.org/tools/hydra/
4) PCAP → logs / processing (Zeek recommended)
Zeek Quickstart / Book of Zeek — how to run Zeek on a pcap or live interface and produce conn.log etc. (very useful for feature extraction).
SANS/ISC article & community posts on analyzing pcap with Zeek — practical
5) ML for intrusion detection & datasets
CICIDS2017 dataset (official university page) — widely used labeled network intrusion dataset (pcap + labeled flows) — great for baselines / model experiments.
▶ Get & cite: https://www.unb.ca/cic/datasets/ids-2017.html
Kaggle mirror / tutorial notebooks for CICIDS and other IDS datasets — useful for code examples and feature pipelines.
▶ Example tutorial: GeeksforGeeks / blog guides.
▶ Repo: https://github.com/cisagov/Malcolm
Supervisor:
Name: Muhammad Luqman
Email ID: m.luqman@vu.edu.pk
MS Teams ID: to_mshah@outlook.com