Vedd-Patel/AdaptiveFuzz

Adaptive Fuzzy Synthetic Traffic Generator (Defensive Research)

This project provides a modular, feature-vector-based red-team simulation framework for IoT IDS robustness testing in a controlled lab.

Important safety note:

  • This repository is designed for defensive benchmarking and model hardening.
  • It does not implement live packet injection, exploit automation, or operational attack deployment.
  • It sends synthetic packet feature vectors into the IDS testing pipeline, not real packets on the wire.

Project Structure

  • attack_gen/fuzzy_module.py: Fuzzy conditioning layer (attack intensity and stealth coefficients).
  • attack_gen/models/cgan.py: Conditional WGAN-GP model.
  • attack_gen/models/vae.py: Conditional VAE model.
  • attack_gen/models/lstm_attacker.py: Sequence generator for temporal patterns.
  • attack_gen/models/adaptive_ensemble.py: Dynamic structure routing across cGAN/VAE/LSTM.
  • attack_gen/calibration.py: Surrogate probability calibration and ECE/Brier reporting.
  • attack_gen/deployment_export.py: Deployment bundle export (TorchScript, sklearn, manifest).
  • attack_gen/ids_harness.py: IDS integration harness; detailed per-category harness report + detect/reject simulation exports.
  • attack_gen/data_utils.py: Dataset loading and preprocessing.
  • attack_gen/adaptive_loop.py: Surrogate IDS training and adaptive hard-example loops.
  • attack_gen/evaluate.py: Metrics and plotting.
  • attack_gen/config.yaml: Runtime configuration.
  • attack_gen/main.py: Main orchestration pipeline.
  • attack_gen.py: CLI entrypoint.

Environment Setup

Python 3.10+ recommended.

python -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install torch torchvision torchaudio
pip install scikit-fuzzy scapy pandas numpy matplotlib seaborn scipy scikit-learn pyyaml

Dataset Setup (Phase 1)

Use local downloaded copies of these datasets and point attack_gen/config.yaml dataset.path to the folder or CSV.

  1. N-BaIoT
     • Source: UCI / N-BaIoT mirrors.
     • Typical format: multiple CSV files per device and attack family.
     • Steps:
       1. Download and extract.
       2. Set dataset.name to n_baiot.
       3. Set dataset.path to extracted folder.
       4. Leave label_col empty to auto-detect or set it explicitly.

  2. UNSW-NB15
     • Source: UNSW Canberra Cyber.
     • Typical format: training/testing CSV with attack labels.
     • Steps:
       1. Download CSV files.
       2. Set dataset.name to unsw_nb15.
       3. Set dataset.path to folder or combined CSV file.
       4. If needed, set label_col to label or attack_cat.

  3. CIC-IoT-Dataset2023
     • Source: Canadian Institute for Cybersecurity.
     • Typical format: large CSV collections with Label or Attack_type.
     • Steps:
       1. Download and extract CSV files.
       2. Set dataset.name to cic_iot_2023.
       3. Set dataset.path to dataset folder.
       4. Set max_files in config for memory-friendly loading.

  4. TON_IoT
     • Source: UNSW / ToN-IoT release.
     • Typical format: IoT telemetry and network CSV files with label columns.
     • Steps:
       1. Download and extract.
       2. Set dataset.name to ton_iot.
       3. Set dataset.path to folder or specific CSV file.

Preprocessing Included

attack_gen/data_utils.py performs:

  • Recursive CSV loading
  • Label-column detection by dataset hints
  • Numeric feature normalization via StandardScaler
  • Categorical encoding via OneHotEncoder
  • Stratified train/test splitting when possible

Phase 2: Fuzzy Logic Layer

Implemented in attack_gen/fuzzy_module.py.

Inputs:

  • packet_rate
  • payload_size
  • inter_arrival_time
  • port_entropy

Memberships:

  • low / medium / high for each input

Outputs:

  • attack_intensity in [0,1]
  • stealth_coefficient in [0,1]

Phase 3: Deep Learning Models

  1. cGAN (WGAN-GP)
     • Generator: noise + fuzzy conditioning -> synthetic traffic vectors
     • Critic: Wasserstein score + auxiliary benign/attack head
     • Strength: high sample flexibility
     • Trade-off: training instability risk and hyperparameter sensitivity
  2. VAE
     • Encoder/decoder conditioned on fuzzy vector
     • Reparameterization trick for latent sampling
     • Strength: stable training and interpretable latent manifold
     • Trade-off: can produce smoother or less sharp distributions
  3. LSTM Attacker
     • Sequence model for temporally coherent traffic patterns
     • Strength: captures sequential attack progression
     • Trade-off: higher data requirements and slower training

Phase 4: Adaptive Feedback Loops

Implemented in attack_gen/adaptive_loop.py.

  1. REINFORCE loop
     • Policy samples latent scaling actions.
     • Reward encourages hard-to-classify (high-uncertainty) samples.
  2. Gradient loop
     • Differentiable surrogate IDS (Torch MLP).
     • Generator optimizes realism + decision-boundary uncertainty.

This setup supports detector robustness testing without packet-level weaponization.

Adaptive Architecture Switching

The pipeline now includes a detector-aware adaptive router:

  • Inputs: fuzzy condition vector + feedback state (detector pressure, uncertainty, realism, diversity)
  • Experts: cGAN, VAE, LSTM
  • Output: blending weights over experts used to generate final synthetic samples

This enables structural adaptation over time rather than relying on a single generator family.

Phase 5: Evaluation Metrics

Implemented in attack_gen/evaluate.py.

  • Miss Rate diagnostic (generated attack-like samples predicted benign)
  • MMD (RBF) for realism comparison with real attack samples
  • Feature entropy for diversity
  • Fuzzy output-space coverage
  • Detection latency delta in milliseconds

Plotting:

  • Training curves
  • Metric bar charts
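
An added example (not code from this repository) showing how the realism and diversity metrics listed above separate failure modes of a synthetic sample set: a biased squared-MMD estimate with an RBF kernel, plus a histogram-based feature entropy, run over constructed standardized samples. The function names, the 1/n_features bandwidth and the histogram range are assumptions, not the project's settings.

```python
import math
import random

def mmd2_rbf(X, Y, gamma):
    """Biased estimate of squared MMD with k(a, b) = exp(-gamma * ||a - b||^2)."""
    def mean_k(A, B):
        total = 0.0
        for a in A:
            for b in B:
                total += math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))
        return total / (len(A) * len(B))
    return mean_k(X, X) + mean_k(Y, Y) - 2.0 * mean_k(X, Y)

def feature_entropy(X, bins=10, lo=-3.0, hi=3.0):
    """Mean per-feature Shannon entropy (bits) over a fixed-range histogram."""
    width = (hi - lo) / bins
    entropies = []
    for col in zip(*X):
        counts = [0] * bins
        for v in col:
            idx = min(bins - 1, max(0, int((v - lo) / width)))  # clip outliers to edge bins
            counts[idx] += 1
        probs = [c / len(col) for c in counts if c]
        entropies.append(-sum(p * math.log2(p) for p in probs))
    return sum(entropies) / len(entropies)

def sample(rng, n, dim, mean, std):
    return [[rng.gauss(mean, std) for _ in range(dim)] for _ in range(n)]

def run_demo(seed=7, n=60, dim=4):
    rng = random.Random(seed)
    real = sample(rng, n, dim, 0.0, 1.0)  # constructed stand-in for real attack rows
    candidates = {
        "matched": sample(rng, n, dim, 0.0, 1.0),     # same distribution as real
        "shifted": sample(rng, n, dim, 2.0, 1.0),     # unrealistic: mean has drifted
        "collapsed": sample(rng, n, dim, 0.3, 0.01),  # mode collapse: near-identical rows
    }
    gamma = 1.0 / dim  # assumption: 1/n_features bandwidth for standardized features
    return {name: (mmd2_rbf(real, S, gamma), feature_entropy(S))
            for name, S in candidates.items()}

if __name__ == "__main__":
    for name, (mmd2, ent) in run_demo().items():
        print(f"{name:10s} MMD^2={mmd2:.3f}  entropy={ent:.2f} bits")
```

MMD alone flags both the shifted and the collapsed set as unrealistic; the entropy column is what tells them apart, which is why the two metrics are reported together.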

Phase 6: IDS Harness Integration

Implemented in attack_gen/ids_harness.py.

  • Generate N samples per category: dos, botnet, scan, mitm, protocol_abuse
  • Feed into any IDS exposing predict(X)
  • Log per-category and overall miss-rate diagnostics
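
An added example (not the project's harness code) of the plug-in contract described above: any object exposing predict(X) is scored per category, and categories whose miss rate exceeds a budget are flagged for regression tracking. The names ThresholdIDS and miss_rate_report, the feature order, the label convention (1 = attack, 0 = benign) and the 0.25 budget are assumptions; the sample rows are constructed.

```python
# Assumed feature order (the fuzzy-layer inputs named on this page), scaled to [0, 1]:
# [packet_rate, payload_size, inter_arrival_time, port_entropy]
SAMPLES = {  # constructed feature vectors, four per category
    "dos": [[0.95, 0.2, 0.05, 0.1], [0.9, 0.3, 0.05, 0.2],
            [0.85, 0.25, 0.1, 0.15], [0.72, 0.2, 0.1, 0.1]],
    "botnet": [[0.4, 0.3, 0.5, 0.3], [0.75, 0.3, 0.2, 0.3],
               [0.3, 0.2, 0.6, 0.2], [0.5, 0.4, 0.4, 0.4]],
    "scan": [[0.3, 0.1, 0.2, 0.95], [0.4, 0.1, 0.2, 0.9],
             [0.2, 0.1, 0.3, 0.85], [0.1, 0.1, 0.8, 0.6]],
    "mitm": [[0.2, 0.5, 0.4, 0.1], [0.3, 0.6, 0.3, 0.2],
             [0.25, 0.55, 0.35, 0.15], [0.2, 0.5, 0.4, 0.1]],
    "protocol_abuse": [[0.5, 0.9, 0.3, 0.2], [0.8, 0.9, 0.2, 0.2],
                       [0.6, 0.95, 0.3, 0.3], [0.9, 0.8, 0.1, 0.1]],
}

class ThresholdIDS:
    """Toy detector standing in for your own model; only predict(X) is required."""
    def __init__(self, rate_limit=0.7, entropy_limit=0.8):
        self.rate_limit = rate_limit
        self.entropy_limit = entropy_limit

    def predict(self, X):
        # Assumed label convention: 1 = attack, 0 = benign.
        return [1 if row[0] > self.rate_limit or row[3] > self.entropy_limit else 0
                for row in X]

def miss_rate_report(ids, samples_by_category, budget=0.25):
    """Per-category and overall miss rate: attack-like samples predicted benign."""
    report, total, missed_total = {}, 0, 0
    for category, X in samples_by_category.items():
        preds = list(ids.predict(X))
        if len(preds) != len(X):
            raise ValueError(f"{category}: predict() returned {len(preds)} labels for {len(X)} rows")
        missed = sum(1 for p in preds if p == 0)
        rate = missed / len(X)
        report[category] = {"n": len(X), "miss_rate": rate, "over_budget": rate > budget}
        total += len(X)
        missed_total += missed
    overall = missed_total / total
    report["overall"] = {"n": total, "miss_rate": overall, "over_budget": overall > budget}
    return report

if __name__ == "__main__":
    for name, row in miss_rate_report(ThresholdIDS(), SAMPLES).items():
        print(f"{name:15s} n={row['n']:3d} miss_rate={row['miss_rate']:.2f} over_budget={row['over_budget']}")
```

The two fixed thresholds catch volumetric dos and wide scans but miss every low-rate mitm row, which is the kind of per-category gap an overall score hides.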

Run

python attack_gen.py --config attack_gen/config.yaml

Feature stream mode:

python attack_gen.py --config attack_gen/config.yaml --mode feature-stream

After each run, deployable model checkpoints are saved to the configured checkpoint_dir.

If dataset.path is empty, the pipeline runs with synthetic fallback data so you can validate the full stack quickly.

Config

See attack_gen/config.yaml for:

  • attack_type list
  • fuzzy_mode profile
  • num_samples
  • surrogate_model
  • surrogate calibration settings
  • adaptive settings
  • deployment export settings
  • dataset settings
  • training settings

Production Readiness Additions

  • Surrogate calibration: Platt or isotonic post-calibration of attack probabilities.
  • Calibration diagnostics: raw vs calibrated Brier score and ECE.
  • Threshold tuning: automatic threshold optimization using F1 or balanced accuracy.
  • Deployment bundle export: calibrated surrogate, TorchScript models, checksummed manifest, and sample request template.
  • Harness exports: per-category JSON/CSV reports and detect/reject simulation summaries.
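
An added example (not code from attack_gen/calibration.py) of the raw vs calibrated diagnostics listed above: Brier score and ECE for an overconfident surrogate before and after Platt scaling. The data is constructed, the function names are hypothetical, and the Platt fit uses plain gradient descent and is scored on the data it was fitted on, to keep the block dependency-free and short; score on a held-out split in practice.

```python
import math

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def logit(p, eps=1e-6):
    p = min(1.0 - eps, max(eps, p))  # clip so saturated scores stay finite
    return math.log(p / (1.0 - p))

def brier(probs, labels):
    return sum((p - y) ** 2 for p, y in zip(probs, labels)) / len(labels)

def ece(probs, labels, bins=10):
    """Expected calibration error of P(attack): weighted |mean prob - attack rate| per bin."""
    buckets = [[] for _ in range(bins)]
    for p, y in zip(probs, labels):
        buckets[min(bins - 1, int(p * bins))].append((p, y))
    total = 0.0
    for b in buckets:
        if b:
            conf = sum(p for p, _ in b) / len(b)
            rate = sum(y for _, y in b) / len(b)
            total += len(b) / len(labels) * abs(conf - rate)
    return total

def fit_platt(probs, labels, lr=0.1, steps=300):
    """Fit p_cal = sigmoid(a * logit(p_raw) + b) by gradient descent on log loss."""
    s = [logit(p) for p in probs]
    a, b = 1.0, 0.0  # start at the identity map
    for _ in range(steps):
        err = [sigmoid(a * si + b) - y for si, y in zip(s, labels)]
        a -= lr * sum(e * si for e, si in zip(err, s)) / len(s)
        b -= lr * sum(err) / len(s)
    return a, b

def demo():
    raw, labels = [], []
    for i in range(21):  # constructed data: true logit z on a grid over [-2, 2]
        z = -2.0 + 0.2 * i
        positives = round(100 * sigmoid(z))   # attack rate follows sigmoid(z)
        raw += [sigmoid(3.0 * z)] * 100       # overconfident surrogate: logit scaled by 3
        labels += [1] * positives + [0] * (100 - positives)
    a, b = fit_platt(raw, labels)
    cal = [sigmoid(a * logit(p) + b) for p in raw]
    return {"a": a, "b": b,
            "brier_raw": brier(raw, labels), "brier_cal": brier(cal, labels),
            "ece_raw": ece(raw, labels), "ece_cal": ece(cal, labels)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value:.4f}")
```

The fitted slope comes out near 1/3, undoing the factor-of-3 overconfidence; ranking of samples is unchanged, so only threshold-dependent results move.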

Why This Helps IDS Against Adaptive Fuzzy Threat Patterns

  • Fuzzy-driven variability perturbs rate, inter-arrival timing, payload size, and port spread in a controlled way, approximating adaptive traffic behavior classes.
  • This reveals brittle IDS thresholds under distribution shift before production deployment.
  • Repeated runs provide stable reject/accept and latency benchmarks for regression testing.
  • Plugin integration allows your own IDS model to score generated feature-vector traces directly.

This improves IDS robustness to adaptive behaviors while keeping experiments defensive and controlled.

Output Artifacts

By default, the pipeline now writes:

  • plots to artifacts/plots
  • detailed harness reports to artifacts/harness
  • detect/reject simulation reports to artifacts/defense_simulation
  • checkpoints to artifacts/checkpoints
  • deployment bundle to artifacts/deployment
