In [3]:
# This Python 3 environment comes with many helpful analytics libraries installed
# It is defined by the kaggle/python Docker image: https://github.com/kaggle/docker-python
# For example, here's several helpful packages to load

import numpy as np # linear algebra
import pandas as pd # data processing, CSV file I/O (e.g. pd.read_csv)

# Input data files are available in the read-only "../input/" directory
# For example, running this (by clicking run or pressing Shift+Enter) will list all files under the input directory

import os
dspaths = []
for dirname, _, filenames in os.walk('/datasets/'):
    for filename in filenames:
        if filename.endswith('.csv'):
            pds = os.path.join(dirname, filename)
            dspaths.append(pds)
            print(pds)

# You can write up to 20GB to the current directory (/kaggle/working/) that gets preserved as output when you create a version using "Save & Run All" 
# You can also write temporary files to /kaggle/temp/, but they won't be saved outside of the current session

# CIC-Collection Cleaning: CIC-IDS2017
This notebook presents the cleanup done on CIC-IDS2017, a very popular academic intrusion detection set. IDS2017 is just one dataset in a broader collection. DoS2017, IDS2018 and DDoS2019 also exist with the same featureset. 

**This cleanup code has been built to yield consistent results across the entire CIC collection with features extracted by CICFlowmeter.**

In [2]:
from fastai.tabular.all import df_shrink
from fastcore.parallel import *

In [3]:
col_name_consistency = {
'Flow ID': 'Flow ID',
'Source IP': 'Source IP',
'Src IP':  'Source IP',
'Source Port': 'Source Port',
'Src Port': 'Source Port',
'Destination IP': 'Destination IP',
'Dst IP': 'Destination IP',
'Destination Port': 'Destination Port',
'Dst Port': 'Destination Port',
'Protocol': 'Protocol',
'Timestamp': 'Timestamp',
'Flow Duration': 'Flow Duration',
'Total Fwd Packets': 'Total Fwd Packets',
'Tot Fwd Pkts': 'Total Fwd Packets',
'Total Backward Packets': 'Total Backward Packets',
'Tot Bwd Pkts': 'Total Backward Packets',
'Total Length of Fwd Packets': 'Fwd Packets Length Total',
'TotLen Fwd Pkts': 'Fwd Packets Length Total',
'Total Length of Bwd Packets': 'Bwd Packets Length Total',
'TotLen Bwd Pkts': 'Bwd Packets Length Total',
'Fwd Packet Length Max': 'Fwd Packet Length Max',
'Fwd Pkt Len Max': 'Fwd Packet Length Max',
'Fwd Packet Length Min': 'Fwd Packet Length Min',
'Fwd Pkt Len Min': 'Fwd Packet Length Min',
'Fwd Packet Length Mean': 'Fwd Packet Length Mean',
'Fwd Pkt Len Mean': 'Fwd Packet Length Mean',
'Fwd Packet Length Std': 'Fwd Packet Length Std',
'Fwd Pkt Len Std': 'Fwd Packet Length Std',
'Bwd Packet Length Max': 'Bwd Packet Length Max',
'Bwd Pkt Len Max': 'Bwd Packet Length Max',
'Bwd Packet Length Min': 'Bwd Packet Length Min',
'Bwd Pkt Len Min': 'Bwd Packet Length Min',
'Bwd Packet Length Mean': 'Bwd Packet Length Mean',
'Bwd Pkt Len Mean': 'Bwd Packet Length Mean',
'Bwd Packet Length Std': 'Bwd Packet Length Std',
'Bwd Pkt Len Std': 'Bwd Packet Length Std',
'Flow Bytes/s': 'Flow Bytes/s',
'Flow Byts/s': 'Flow Bytes/s',
'Flow Packets/s': 'Flow Packets/s',
'Flow Pkts/s': 'Flow Packets/s',
'Flow IAT Mean': 'Flow IAT Mean',
'Flow IAT Std': 'Flow IAT Std',
'Flow IAT Max': 'Flow IAT Max',
'Flow IAT Min': 'Flow IAT Min',
'Fwd IAT Total': 'Fwd IAT Total',
'Fwd IAT Tot': 'Fwd IAT Total',
'Fwd IAT Mean': 'Fwd IAT Mean',
'Fwd IAT Std': 'Fwd IAT Std',
'Fwd IAT Max': 'Fwd IAT Max',
'Fwd IAT Min': 'Fwd IAT Min',
'Bwd IAT Total': 'Bwd IAT Total',
'Bwd IAT Tot': 'Bwd IAT Total',
'Bwd IAT Mean': 'Bwd IAT Mean',
'Bwd IAT Std': 'Bwd IAT Std',
'Bwd IAT Max': 'Bwd IAT Max',
'Bwd IAT Min': 'Bwd IAT Min',
'Fwd PSH Flags': 'Fwd PSH Flags',
'Bwd PSH Flags': 'Bwd PSH Flags',
'Fwd URG Flags': 'Fwd URG Flags',
'Bwd URG Flags': 'Bwd URG Flags',
'Fwd Header Length': 'Fwd Header Length',
'Fwd Header Len': 'Fwd Header Length',
'Bwd Header Length': 'Bwd Header Length',
'Bwd Header Len': 'Bwd Header Length',
'Fwd Packets/s': 'Fwd Packets/s',
'Fwd Pkts/s': 'Fwd Packets/s',
'Bwd Packets/s': 'Bwd Packets/s',
'Bwd Pkts/s': 'Bwd Packets/s',
'Min Packet Length': 'Packet Length Min',
'Pkt Len Min': 'Packet Length Min',
'Max Packet Length': 'Packet Length Max',
'Pkt Len Max': 'Packet Length Max',
'Packet Length Mean': 'Packet Length Mean',
'Pkt Len Mean': 'Packet Length Mean',
'Packet Length Std': 'Packet Length Std',
'Pkt Len Std': 'Packet Length Std',
'Packet Length Variance': 'Packet Length Variance',
'Pkt Len Var': 'Packet Length Variance',
'FIN Flag Count': 'FIN Flag Count',
'FIN Flag Cnt': 'FIN Flag Count',
'SYN Flag Count': 'SYN Flag Count',
'SYN Flag Cnt': 'SYN Flag Count',
'RST Flag Count': 'RST Flag Count',
'RST Flag Cnt': 'RST Flag Count',
'PSH Flag Count': 'PSH Flag Count',
'PSH Flag Cnt': 'PSH Flag Count',
'ACK Flag Count': 'ACK Flag Count',
'ACK Flag Cnt': 'ACK Flag Count',
'URG Flag Count': 'URG Flag Count',
'URG Flag Cnt': 'URG Flag Count',
'CWE Flag Count': 'CWE Flag Count',
'CWE Flag Cnt': 'CWE Flag Count',
'ECE Flag Count': 'ECE Flag Count',
'ECE Flag Cnt': 'ECE Flag Count',
'Down/Up Ratio': 'Down/Up Ratio',
'Average Packet Size': 'Avg Packet Size',
'Pkt Size Avg': 'Avg Packet Size',
'Avg Fwd Segment Size': 'Avg Fwd Segment Size',
'Fwd Seg Size Avg': 'Avg Fwd Segment Size',
'Avg Bwd Segment Size': 'Avg Bwd Segment Size',
'Bwd Seg Size Avg': 'Avg Bwd Segment Size',
'Fwd Avg Bytes/Bulk': 'Fwd Avg Bytes/Bulk',
'Fwd Byts/b Avg': 'Fwd Avg Bytes/Bulk',
'Fwd Avg Packets/Bulk': 'Fwd Avg Packets/Bulk',
'Fwd Pkts/b Avg': 'Fwd Avg Packets/Bulk',
'Fwd Avg Bulk Rate': 'Fwd Avg Bulk Rate',
'Fwd Blk Rate Avg': 'Fwd Avg Bulk Rate',
'Bwd Avg Bytes/Bulk': 'Bwd Avg Bytes/Bulk',
'Bwd Byts/b Avg': 'Bwd Avg Bytes/Bulk',
'Bwd Avg Packets/Bulk': 'Bwd Avg Packets/Bulk',
'Bwd Pkts/b Avg': 'Bwd Avg Packets/Bulk',
'Bwd Avg Bulk Rate': 'Bwd Avg Bulk Rate',
'Bwd Blk Rate Avg': 'Bwd Avg Bulk Rate',
'Subflow Fwd Packets': 'Subflow Fwd Packets',
'Subflow Fwd Pkts': 'Subflow Fwd Packets',
'Subflow Fwd Bytes': 'Subflow Fwd Bytes',
'Subflow Fwd Byts': 'Subflow Fwd Bytes',
'Subflow Bwd Packets': 'Subflow Bwd Packets',
'Subflow Bwd Pkts': 'Subflow Bwd Packets',
'Subflow Bwd Bytes': 'Subflow Bwd Bytes',
'Subflow Bwd Byts': 'Subflow Bwd Bytes',
'Init_Win_bytes_forward': 'Init Fwd Win Bytes',
'Init Fwd Win Byts': 'Init Fwd Win Bytes',
'Init_Win_bytes_backward': 'Init Bwd Win Bytes',
'Init Bwd Win Byts': 'Init Bwd Win Bytes',
'act_data_pkt_fwd': 'Fwd Act Data Packets',
'Fwd Act Data Pkts': 'Fwd Act Data Packets',
'min_seg_size_forward': 'Fwd Seg Size Min',
'Fwd Seg Size Min': 'Fwd Seg Size Min',
'Active Mean': 'Active Mean',
'Active Std': 'Active Std',
'Active Max': 'Active Max',
'Active Min': 'Active Min',
'Idle Mean': 'Idle Mean',
'Idle Std': 'Idle Std',
'Idle Max': 'Idle Max',
'Idle Min': 'Idle Min',
'Label': 'Label'
}

In [4]:
drop_columns = [ # this list includes all spellings across CIC NIDS datasets
    "Flow ID",    
    'Fwd Header Length.1',
    "Source IP", "Src IP",
    "Source Port", "Src Port",
    "Destination IP", "Dst IP",
    "Destination Port", "Dst Port",
    "Timestamp",
]

## Just reading the data
It's in standard CSV format

In [5]:
individual_dfs = [pd.read_csv(dsp, sep=',', encoding='utf-8') for dsp in dspaths]
[i.shape for i in individual_dfs]

[(286467, 84),
 (529918, 84),
 (225745, 84),
 (288602, 84),
 (170366, 84),
 (692703, 84),
 (191033, 84),
 (445909, 84)]

## Drops and Renames
Some columns are not intended for use because they are metadata. Flow ID, IP addresses, timestamps, etc.

If you are unsure why source and destination port are also removed you can read [Establishing the Contaminating Effect of Metadata Feature Inclusion in Machine-Learned Network Intrusion Detection Models](https://link.springer.com/chapter/10.1007/978-3-031-09484-2_2). In short: any included metadata feature will act as a (very) powerful shortcut predictor.

In [6]:
for df in individual_dfs:
    df.columns = df.columns.str.strip() # sometimes there's leading / trailing whitespace
    df.drop(columns=drop_columns, inplace=True, errors='ignore')    
    df.rename(columns=col_name_consistency, inplace=True)
    df['Label'].replace({'BENIGN': 'Benign'}, inplace=True)
[i.shape for i in individual_dfs]

[(286467, 78),
 (529918, 78),
 (225745, 78),
 (288602, 78),
 (170366, 78),
 (692703, 78),
 (191033, 78),
 (445909, 78)]

In [7]:
individual_dfs[0].dtypes

Protocol                      int64
Flow Duration                 int64
Total Fwd Packets             int64
Total Backward Packets        int64
Fwd Packets Length Total      int64
                             ...   
Idle Mean                   float64
Idle Std                    float64
Idle Max                      int64
Idle Min                      int64
Label                        object
Length: 78, dtype: object

## Downsizing
The individual frames are optimized by downsizing their types to more appropriate forms than the default float64, int64 or object (str) types. 

In [8]:
individual_dfs = parallel(f=df_shrink, items=individual_dfs, progress=True)

In [9]:
individual_dfs[0].dtypes

Protocol                        int8
Flow Duration                  int32
Total Fwd Packets              int16
Total Backward Packets         int16
Fwd Packets Length Total       int32
                              ...   
Idle Mean                    float32
Idle Std                     float32
Idle Max                       int32
Idle Min                       int32
Label                       category
Length: 78, dtype: object

## Removing NaN


In [10]:
for df in individual_dfs:
    df.replace([np.inf, -np.inf], np.nan, inplace=True)    
    # print(df.isna().any(axis=1).sum(), "rows with at least one NaN to remove")
    df.dropna(inplace=True)    
[i.shape for i in individual_dfs]

[(286096, 78),
 (529481, 78),
 (225711, 78),
 (288395, 78),
 (170231, 78),
 (691406, 78),
 (190911, 78),
 (445645, 78)]

## Dropping duplicates
There should be no duplicates because they can bias training and can lead to over-optimistic estimates of classification performance during testing.

In [11]:
for df in individual_dfs:
    print(df.duplicated().sum(), "fully duplicate rows to remove")
    df.drop_duplicates(inplace=True)
    df.reset_index(inplace=True, drop=True)
[i.shape for i in individual_dfs]

166574 fully duplicate rows to remove
70650 fully duplicate rows to remove
4447 fully duplicate rows to remove
80765 fully duplicate rows to remove
14411 fully duplicate rows to remove
106415 fully duplicate rows to remove
14873 fully duplicate rows to remove
55931 fully duplicate rows to remove


[(119522, 78),
 (458831, 78),
 (221264, 78),
 (207630, 78),
 (155820, 78),
 (584991, 78),
 (176038, 78),
 (389714, 78)]

In [12]:
for i, df in enumerate(individual_dfs):
    df.to_parquet(f"/kaggle/working/{dspaths[i].split('/')[-1].replace('.csv', '.parquet')}")

There's around a **75% reduction in disk space** used and a **97% reduction in future load times** for the same data.

In [13]:
!ls -lth /kaggle/input/cicids2017

total 1.4G
-rw-r--r-- 1 nobody nogroup 221M Aug  8 18:14 Benign-Monday-WorkingHours.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup 270M Aug  8 18:14 DoS-Wednesday-WorkingHours.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup 165M Aug  8 18:14 Bruteforce-Tuesday-WorkingHours.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup  97M Aug  8 18:14 Portscan-Friday-WorkingHours-Afternoon.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup 103M Aug  8 18:14 Infiltration-Thursday-WorkingHours-Afternoon.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup  91M Aug  8 18:14 DDoS-Friday-WorkingHours-Afternoon.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup  66M Aug  8 18:14 DoS-Wednesday-no-metadata.parquet
-rw-r--r-- 1 nobody nogroup  72M Aug  8 18:14 Botnet-Friday-WorkingHours-Morning.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup  64M Aug  8 18:14 WebAttacks-Thursday-WorkingHours-Morning.pcap_ISCX.csv
-rw-r--r-- 1 nobody nogroup  55M Aug  8 18:14 Benign-Monday-no-metadata.parquet
-rw-r--r-- 1 nobody nogroup  45M Aug  8 18:14 Bruteforce-

In [14]:
!ls -lth /kaggle/working

total 259M
---------- 1 root root 32K Aug  8 18:16 __notebook__.ipynb
-rw-r--r-- 1 root root 45M Aug  8 18:16 Bruteforce-Tuesday-WorkingHours.pcap_ISCX.parquet
-rw-r--r-- 1 root root 19M Aug  8 18:16 Botnet-Friday-WorkingHours-Morning.pcap_ISCX.parquet
-rw-r--r-- 1 root root 66M Aug  8 18:16 DoS-Wednesday-WorkingHours.pcap_ISCX.parquet
-rw-r--r-- 1 root root 17M Aug  8 18:16 WebAttacks-Thursday-WorkingHours-Morning.pcap_ISCX.parquet
-rw-r--r-- 1 root root 23M Aug  8 18:16 Infiltration-Thursday-WorkingHours-Afternoon.pcap_ISCX.parquet
-rw-r--r-- 1 root root 25M Aug  8 18:16 DDoS-Friday-WorkingHours-Afternoon.pcap_ISCX.parquet
-rw-r--r-- 1 root root 55M Aug  8 18:16 Benign-Monday-WorkingHours.pcap_ISCX.parquet
-rw-r--r-- 1 root root 13M Aug  8 18:16 Portscan-Friday-WorkingHours-Afternoon.pcap_ISCX.parquet


In [15]:
%timeit pd.read_csv('/kaggle/input/cicids2017/Bruteforce-Tuesday-WorkingHours.pcap_ISCX.csv', encoding='utf-8')

4.27 s ± 243 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)


In [16]:
%timeit pd.read_parquet('/kaggle/working/Bruteforce-Tuesday-WorkingHours.pcap_ISCX.parquet')

124 ms ± 14.1 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)
