Results Dashboard

Model evaluation metrics on CICIDS2017 test set

F1 Score
95.8%
Harmonic mean of precision & recall
Accuracy
96.1%
Correct predictions overall
ROC-AUC
99.9%
Area under ROC curve

Confusion Matrix

                  Predicted Negative   Predicted Positive
Actual Negative   633416               48391
Actual Positive   482                  556215

True Positives
556,215
False Positives
48,391
False Negatives
482
True Negatives
633,416

ROC Curve

AUC: 0.999

AUC: 99.88%

Detailed Metrics

Precision
92.0%
Recall
99.9%
False Positive Rate
7.10%
F1 Score
95.8%

Detection Rate by Attack Type

Bot
94%
DDoS
100%
DoS GoldenEye
100%
DoS Hulk
100%
DoS Slowhttptest
100%
DoS slowloris
100%
FTP-Patator
100%
Heartbleed
91%
Infiltration
61%
PortScan
100%
SSH-Patator
100%
Web Attack – Brute Force
95%
Web Attack – Sql Injection
52%
Web Attack – XSS
97%

Dataset Composition

Training Set
Training flows: 1,590,881 benign + 556,697 attack
Test Set
Benign flows: 681,807
Attack flows: 556,697
Total samples: 1,238,504

What Works Well

Volumetric and DoS attacks are detected with high recall. The model excels at anomalies with unusual traffic volume or packet-count patterns.

Lower Recall Attacks

Web attacks and infiltration attempts show lower detection rates because they often mimic legitimate traffic in flow-level statistics. Detecting them would require payload-based detection.

Why This Matters

This model represents signature-free, anomaly-based detection. It works best as a first-stage filter in a multi-layer defense, complementing rule-based systems for known attacks.