NIDS-CatBoost β Network Intrusion Detector
A CatBoost binary classifier (benign vs. malicious) trained on the full CIC-IDS-2017 dataset using the 78 standard CICFlowMeter flow-level features.
Companion artifact to pop123-ux/pcap-ml-traffic-classifier on GitHub.
Model at a glance
| Architecture | CatBoost β symmetric oblivious decision trees |
| Task | Binary classification (0 = benign, 1 = malicious) |
| Input | 78 CICFlowMeter flow features per connection |
| Training data | CIC-IDS-2017 β all 8 daily captures, ~2.8 M labeled flows |
| Class balancing | auto_class_weights='Balanced' (benign traffic ~4Γ more common) |
| Regularization | L2 leaf reg, early stopping on validation F1 |
| File | cicids_catboost.cbm (CatBoost native binary) |
Evaluation
Metrics on a stratified 30 % hold-out split of the combined CIC-IDS-2017 dataset (848,363 flows):
| Class | Precision | Recall | F1 | Support |
|---|---|---|---|---|
| Benign (0) | 1.000 | 0.999 | 0.999 | 681,396 |
| Malicious (1) | 0.995 | 1.000 | 0.997 | 166,967 |
| Accuracy | 0.999 | 848,363 | ||
| Macro avg | 0.997 | 0.999 | 0.998 | 848,363 |
| Weighted avg | 0.999 | 0.999 | 0.999 | 848,363 |
Operationally: on ~167 k real attack flows, the model missed effectively zero (recall β 1.000). Of everything it flagged as malicious, 99.5 % actually were β about 5 false positives per 1,000 alerts. That's a workable ratio for a SOC analyst rather than alert-fatigue territory.
β οΈ Read before deploying. These numbers come from a random hold-out drawn from the same 8-day capture as the training data β same network, same attack tools, same time window. Cross-network generalization to a different corporate LAN or novel attacker tooling is not measured here and is expected to be lower. Treat this as a strong CIC-IDS-2017 benchmark result, not a plug-and-play production IDS.
Usage
from catboost import CatBoostClassifier
from huggingface_hub import hf_hub_download
import pandas as pd
# Download and load the model (cached under ~/.cache/huggingface after first run)
path = hf_hub_download(
repo_id="pop123ux/pcap-ml-traffic-classifier",
filename="cicids_catboost.cbm",
)
model = CatBoostClassifier().load_model(path)
# X must be a DataFrame containing the 78 CICFlowMeter features in the same
# order the model was trained on β check with model.feature_names_
X = pd.read_csv("your_cicflowmeter_output.csv")
preds = model.predict(X) # 0 = benign, 1 = malicious
probs = model.predict_proba(X) # calibrated malicious probability
From raw PCAP to prediction
The model expects flow-level features, not raw packets. Convert PCAPs first with CICFlowMeter:
cicflowmeter -f suspicious.pcap -c flows.csv
python3 load_pretrained.py flows.csv # helper script in the GitHub repo
Feature schema
Standard CICFlowMeter feature set β flow duration, forward/backward packet counts and byte totals, packet-length distributions, inter-arrival-time statistics, TCP flag counts, active/idle timings, etc. The full ordered feature list is embedded in cicids_catboost.json (also included in this repo).
Intended use
- Defensive-security research and blue-team tooling
- Educational demonstrations of ML applied to intrusion detection
- Baseline for CIC-IDS-2017 benchmarking
Out of scope
- Live packet inspection without a CICFlowMeter-equivalent flow aggregator
- Attack families not represented in CIC-IDS-2017 (modern C2 frameworks, encrypted-tunnel exfiltration, zero-days)
- Any deployment without independent validation on your own network's traffic
Training details
- Framework: CatBoost 1.2+
- Hardware: Google Colab (CPU runtime)
- Split: 70 / 30 stratified train / test
- Iterations: 500 with
early_stopping_rounds=50 - Learning rate: 0.05
- Depth: 6
License
MIT β see the source repository.
Citation
@misc{pcap_ml_traffic_classifier_2026,
author = {pop123-ux},
title = {pcap-ml-traffic-classifier: CatBoost-Powered Network Intrusion Detection},
year = {2026},
publisher = {GitHub},
howpublished = {\url{https://github.com/pop123-ux/pcap-ml-traffic-classifier}}
}