Intrusion Detection System (IDS)
AI Based Intrusion Detection System: A Smarter Shield Against Cyber Threats
In today's rapidly evolving digital landscape, traditional security tools often fall short in detecting sophisticated cyberattacks. This is where an AI based intrusion detection system (AI IDS) becomes essential. Leveraging machine learning and intelligent behavior analysis, AI intrusion detection systems can identify threats faster, adapt to new attack patterns, and reduce false positives, something legacy systems struggle with.
Whether you’re running a corporate network or managing cloud-based infrastructure, an AI based IDS empowers cybersecurity teams to proactively monitor traffic and respond in real-time. From detecting anomalies in user behavior to identifying zero-day attacks, AI intrusion detection offers a dynamic and scalable layer of defense.
As cyber threats become more complex, implementing an AI based intrusion detection system is no longer a luxury but a necessity for organizations seeking robust, next-gen security. In this article, we explore how AI IDS works, its advantages over traditional systems, and how to integrate it into your existing security strategy.

from google.colab import drive
drive.mount('/content/drive')
Mounted at /content/drive
import warnings
warnings.filterwarnings('ignore')
Simple Intrusion Detection
- Counts how many times each IP shows up.
- Flags IPs that exceed a threshold (e.g., more than 100 requests).
- This can detect simple DoS-type attacks or brute-force attempts.
import pandas as pd
from collections import Counter
# Read the network log; one row per request with a 'src_ip' column
log = pd.read_csv('/content/drive/My Drive/network_log.csv')
# Count how many requests each source IP made over the whole log
ip_counts = Counter(log['src_ip'].values)
# Fixed threshold: anything above this many requests is flagged
threshold = 100
intrusions = [ip for ip, count in ip_counts.items() if count > threshold]
print("Suspicious IPs:", intrusions)
Suspicious IPs: ['192.168.0.99']
import pandas as pd
from sklearn.ensemble import IsolationForest
# Read the log file
log = pd.read_csv('/content/drive/My Drive/network_log.csv')
# Count the occurrences of each IP
ip_counts = log['src_ip'].value_counts().reset_index()
ip_counts.columns = ['src_ip', 'count']
# Train an IsolationForest model on the IP counts
model = IsolationForest(contamination=0.1) # Assuming 10% outliers
ip_counts['anomaly'] = model.fit_predict(ip_counts[['count']])
# Get suspicious IPs
suspicious_ips = ip_counts[ip_counts['anomaly'] == -1]['src_ip'].tolist()
print("Suspicious IPs:", suspicious_ips)
Suspicious IPs: ['192.168.0.99', '192.168.0.19']

Intrusion Detection using Scikit-learn
Uses machine learning to detect anomalies in network traffic.
Flags data points the model thinks are intrusions.
Very useful for numeric-based anomaly detection.
Port scan detection
- This flags IPs that are trying to connect to too many ports.
import pandas as pd
from collections import defaultdict
log = pd.read_csv("/content/drive/My Drive/network_log_1.csv")
# Map each source IP to the set of distinct destination ports it touched
ip_ports = defaultdict(set)
for _, row in log.iterrows():
    ip_ports[row['src_ip']].add(row['dst_port'])
# More than 50 distinct ports from one source is treated as a scan
attackers = [ip for ip, ports in ip_ports.items() if len(ports) > 50]
print("Port scan suspects:", attackers)
Port scan suspects: ['192.168.0.250']
import pandas as pd
from sklearn.ensemble import IsolationForest
# Read the log file
log = pd.read_csv("/content/drive/My Drive/network_log_1.csv")
# Count the number of distinct ports accessed by each IP
ip_ports = log.groupby('src_ip')['dst_port'].nunique().reset_index()
# Train an IsolationForest model to detect anomalies (potential port scanning)
model = IsolationForest(contamination=0.05) # Assuming 5% outliers
ip_ports['anomaly'] = model.fit_predict(ip_ports[['dst_port']])
# Get suspicious IPs (anomalies are labeled -1)
attackers = ip_ports[ip_ports['anomaly'] == -1]['src_ip'].tolist()
print("Port scan suspects:", attackers)
Port scan suspects: ['192.168.0.14', '192.168.0.250', '192.168.0.26', '192.168.0.98']
Brute-Force Login Detection
- IPs with excessive failed login attempts
import pandas as pd
from collections import Counter
log = pd.read_csv("/content/drive/My Drive/login_log.csv")
# Keep only failed login attempts
failed = log[log['status'] == 'FAIL']
# Count failures per source IP and flag those above a fixed threshold
ip_counts = Counter(failed['ip'])
suspicious = [ip for ip, count in ip_counts.items() if count > 10]
print("Possible brute-force IPs:", suspicious)
Possible brute-force IPs: ['192.168.1.200']
import pandas as pd
from sklearn.ensemble import IsolationForest
# Read the log file
log = pd.read_csv("/content/drive/My Drive/login_log.csv")
# Filter failed login attempts
failed = log[log['status'] == 'FAIL']
# Count failed attempts per IP
ip_failed_attempts = failed.groupby('ip').size().reset_index(name='failed_count')
# Train an IsolationForest model for anomaly detection
model = IsolationForest(contamination=0.05) # 5% outliers
ip_failed_attempts['anomaly'] = model.fit_predict(ip_failed_attempts[['failed_count']])
# Get suspicious IPs (anomalies labeled as -1)
suspicious_ips = ip_failed_attempts[ip_failed_attempts['anomaly'] == -1]['ip'].tolist()
print("Possible brute-force IPs:", suspicious_ips)
Possible brute-force IPs: ['192.168.1.200']
DDoS Attack Detection
- IPs that send an unusually high number of requests in a short time.
import pandas as pd
from collections import Counter
log = pd.read_csv("/content/drive/My Drive/traffic_log.csv")
# Total requests per source IP over the whole log
ip_counts = Counter(log['src_ip'])
ddos_suspects = [ip for ip, count in ip_counts.items() if count > 1000] # Threshold
print("DDoS suspected IPs:", ddos_suspects)
DDoS suspected IPs: ['10.0.0.251', '10.0.0.250']
import pandas as pd
from sklearn.ensemble import IsolationForest
# Read the log file
log = pd.read_csv("/content/drive/My Drive/traffic_log.csv")
# Count requests per IP
ip_requests = log.groupby('src_ip').size().reset_index(name='request_count')
# Initialize IsolationForest with 5% contamination (outliers)
model = IsolationForest(contamination=0.05)
# Predict anomalies: -1 for outliers, 1 for normal
ip_requests['anomaly'] = model.fit_predict(ip_requests[['request_count']])
# List IPs with anomalies (DDoS suspects)
ddos_suspects = ip_requests[ip_requests['anomaly'] == -1]['src_ip'].tolist()
print("DDoS suspected IPs:", ddos_suspects)
DDoS suspected IPs: ['10.0.0.1', '10.0.0.125', '10.0.0.134', '10.0.0.250', '10.0.0.251', '10.0.0.252', '10.0.0.36', '10.0.0.51']
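The port-scan and DDoS cells above count events over the whole log, so a slow, steady client and a short burst look identical; the bullet points, however, describe "too many ports" and "in a short time". The following is an added example (not part of the original notebook) that keeps a per-IP sliding time window so both conditions are evaluated the way they are described; the log records, window and limits are constructed for illustration.

```python
# Added example: windowed rate and distinct-port detection in pure Python.
# Not from the original notebook; sample log and thresholds are constructed.
from collections import defaultdict, deque, Counter

# Constructed sample log: (unix timestamp, src_ip, dst_port)
SAMPLE_LOG = (
    [(t, "10.0.0.5", 443) for t in range(0, 600, 10)]           # steady: 60 hits in 10 min
    + [(300 + t // 20, "10.0.0.250", 80) for t in range(400)]   # burst: 400 hits in 20 s
    + [(100 + p, "192.168.0.250", 1000 + p) for p in range(60)] # scan: 60 ports in 60 s
    + [(50, "10.0.0.7", 22), (51, "10.0.0.7", 22)]              # benign
)

def detect_windowed(log, window=60, rate_limit=100, port_limit=50):
    """Return {src_ip: [reasons]} for IPs that, within any `window`-second
    span, exceed `rate_limit` requests or touch more than `port_limit`
    distinct ports. Events are processed in timestamp order; each IP keeps a
    deque of in-window events plus a Counter of the ports in that deque."""
    recent = defaultdict(deque)        # src_ip -> deque of (ts, port)
    ports_in_win = defaultdict(Counter)  # src_ip -> {port: count in window}
    flagged = defaultdict(set)
    for ts, ip, port in sorted(log):
        q = recent[ip]
        q.append((ts, port))
        ports_in_win[ip][port] += 1
        # Expire events older than the window (inclusive lower bound)
        while q and q[0][0] < ts - window:
            _, old_port = q.popleft()
            ports_in_win[ip][old_port] -= 1
            if ports_in_win[ip][old_port] == 0:
                del ports_in_win[ip][old_port]
        if len(q) > rate_limit:
            flagged[ip].add("rate")
        if len(ports_in_win[ip]) > port_limit:
            flagged[ip].add("port_scan")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}

if __name__ == "__main__":
    print(detect_windowed(SAMPLE_LOG))
```

Widening the window to the whole log (window=600) reproduces the notebook's whole-log behaviour and flags the steady client too, which is the false positive the window is meant to avoid.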

