# Preprocessing the CERT Dataset for Model Training:

### Imports:

In [2]:
import os
import numpy as np
import pandas as pd

### Importing the CERT Dataset:

In [3]:
cert_path = r"C:\Users\loera\Documents\Datasets\Insider_Threat_Test_Dataset"

In [4]:
logons = pd.read_csv(os.path.join(cert_path, "logon.csv"))

In [8]:
logons.head()

Unnamed: 0,id,date,user,pc,activity
0,{F3X8-Y2GT43DR-4906OHBL},01/02/2010 02:19:18,DNS1758,PC-0414,Logon
1,{B4Q0-D0GM24KN-3704MAII},01/02/2010 02:31:12,DNS1758,PC-0414,Logoff
2,{T7J1-D4HK34KV-5476TCIJ},01/02/2010 02:34:02,DNS1758,PC-5313,Logon
3,{S4Y6-D8MQ05SA-0759HLIS},01/02/2010 02:53:30,DNS1758,PC-5313,Logoff
4,{F3P0-E7FH78CV-4874FRGZ},01/02/2010 04:07:31,DNS1758,PC-0012,Logon


In [6]:
files = pd.read_csv(os.path.join(cert_path, "file.csv"))

In [7]:
files.head()

Unnamed: 0,id,date,user,pc,filename,activity,to_removable_media,from_removable_media,content
0,{F3E2-X3MV05YQ-3516SZDT},01/02/2010 07:19:41,SDH2394,PC-5849,R:\60WBQE7S.doc,File Open,False,True,"D0-CF-11-E0-A1-B1-1A-E1 Ernesztin's brother, L..."
1,{I6N1-Z7VL92UY-8715ESKQ},01/02/2010 07:21:30,SDH2394,PC-5849,R:\0VGILDW8.pdf,File Write,True,False,25-50-44-46-2D ---- Bengali As do many other T...
2,{G4X5-J7MH70FV-8936QVSB},01/02/2010 07:22:11,SDH2394,PC-5849,R:\60WBQE7S.doc,File Copy,False,True,"D0-CF-11-E0-A1-B1-1A-E1 Ernesztin's brother, L..."
3,{M2M7-Z5ST21EU-6704NSKO},01/02/2010 07:24:06,SDH2394,PC-5849,R:\22B5gX4\H8Y96RRE.doc,File Write,True,False,D0-CF-11-E0-A1-B1-1A-E1 After the death of his...
4,{R0A9-O9XB25PE-9236MALV},01/02/2010 07:24:45,SDH2394,PC-5849,R:\SDH2394\7XRCV2N5.pdf,File Copy,True,False,25-50-44-46-2D Although he restored some of th...


In [9]:
devices = pd.read_csv(os.path.join(cert_path, "device.csv"))

In [10]:
devices.head()

Unnamed: 0,id,date,user,pc,file_tree,activity
0,{Z2Q8-K3AV28BE-9353JIRT},01/02/2010 07:17:18,SDH2394,PC-5849,R:\;R:\22B5gX4;R:\SDH2394,Connect
1,{C7F1-G7LE60RU-2483DAXS},01/02/2010 07:22:42,JKS2444,PC-6961,R:\;R:\JKS2444,Connect
2,{T9A4-D4RV69OF-1704NINW},01/02/2010 07:31:42,CBA1023,PC-1570,R:\;R:\42gY283;R:\48rr4y2;R:\59ntt61;R:\76xCQG...,Connect
3,{S8L0-O6QQ15NL-0636OYNV},01/02/2010 07:33:28,GNT0221,PC-6427,R:\;R:\GNT0221,Connect
4,{U0F1-R1FX27FM-6954TTVU},01/02/2010 07:33:55,JKS2444,PC-6961,,Disconnect


In [11]:
emails = pd.read_csv(os.path.join(cert_path, "email.csv"))

In [12]:
emails.head()

Unnamed: 0,id,date,user,pc,to,cc,bcc,from,activity,size,attachments,content
0,{I1O2-B4EB49RW-7379WSQW},01/02/2010 06:36:41,HDB1666,PC-6793,Louis.Bernard.Garza@dtaa.com,Emery.Ali.Holloway@dtaa.com,Hector.Donovan.Bray@dtaa.com,Hector.Donovan.Bray@dtaa.com,Send,45659,,"Now Sylvia, the object of Aminta's desire, arr..."
1,{L7E7-V4UX89RR-3036ZDHU},01/02/2010 06:40:02,HDB1666,PC-6793,Hector.Donovan.Bray@dtaa.com,,,Luke.Grant.Mcmahon@dtaa.com,View,34142,,"On May 14, they picked up 44 more Iroquois at ..."
2,{S8C2-Q8YX87DJ-0516SIWZ},01/02/2010 06:42:48,HDB1666,PC-6793,Quintessa.O.Farrell@harris.com,Hector.Donovan.Bray@dtaa.com,,Hector.Donovan.Bray@dtaa.com,Send,1310925,C:\28X79b6\0PAGXTJ8.doc(1119253);C:\11b38g6\5M...,Sylvia is notable for its mythological Arcadia...
3,{A1V9-O5BL46SW-1708NAEC},01/02/2010 06:45:42,HDB1666,PC-6793,Hector.Donovan.Bray@dtaa.com,,,Travis.Ezra.Warner@dtaa.com,View,23043,,Lanctot (1967) and Smith do not identify any s...
4,{N6R0-M2EI82DM-5583LSUM},01/02/2010 06:47:07,HDB1666,PC-6793,Hector.Donovan.Bray@dtaa.com,,,Kenyon.William.Delacruz@dtaa.com,View,25210,,Much like all the other large groups of prison...


### Normalizing Shared Columns:

In [40]:
def normalize_shared_columns(df: pd.DataFrame, remove_cols: list=["id"]) -> pd.DataFrame:
    """
    Normalizes CERT log files across commonly shared columns. Additionally drops columns that are deemed irrelevant.
    
    Args:
        df: The raw CERT dataframe (logon, file, device, or email)
        remove_cols: The columns to drop from the original CERT file
        
    Returns:
        pd.Dataframe: A normalized dataframe with consistent identifiers and fields
    """
    # Standardizing column names
    df = df.copy()
    df.columns = df.columns.str.lower()
    df.columns = df.columns.str.strip()
    df_cols = df.columns
    
    # Renaming data column
    if "date" in df_cols:
        df.rename(columns={"date":"timestamp"}, inplace=True)
        
    # Converting timestamp to datetime
    df["timestamp"] = pd.to_datetime(df["timestamp"], errors="coerce")
    
    # Dropping rows with invalid timestamps
    df.dropna(axis=0, subset=["timestamp"], inplace=True)
    
    # Creating a 'day' aggregation key column
    df["day"] = df["timestamp"].dt.floor("D")
    
    # Normalizing identifiers
    df["user"] = df["user"].astype(str)
    df["user"] = df["user"].str.lower()
    df["user"] = df["user"].str.strip()
    
    df["pc"] = df["pc"].astype(str)
    df["pc"] = df["pc"].str.lower()
    df["pc"] = df["pc"].str.strip()
    
    # Dropping unusable columns
    remove_cols = [col.lower().strip() for col in remove_cols]
    cols_to_drop = [col for col in remove_cols if col in df_cols]
    df.drop(axis=1, columns=cols_to_drop, inplace=True)
    
    # Sorting rows for consistency
    df.sort_values(by=["user", "pc", "timestamp"], inplace=True)
    
    return df

In [42]:
norm_logons = normalize_shared_columns(logons)

In [43]:
norm_logons.head()

Unnamed: 0,timestamp,user,pc,activity,day
2686,2010-01-04 07:41:00,aab0162,pc-6599,Logon,2010-01-04
10398,2010-01-04 18:46:00,aab0162,pc-6599,Logoff,2010-01-04
12559,2010-01-05 07:46:00,aab0162,pc-6599,Logon,2010-01-05
20419,2010-01-05 18:40:00,aab0162,pc-6599,Logoff,2010-01-05
22815,2010-01-06 07:45:00,aab0162,pc-6599,Logon,2010-01-06


In [44]:
norm_files = normalize_shared_columns(files)

In [45]:
norm_files.head()

Unnamed: 0,timestamp,user,pc,filename,activity,to_removable_media,from_removable_media,content,day
44760,2010-01-13 10:34:04,aab0162,pc-6599,C:\ASMWXYUP.pdf,File Open,False,False,25-50-44-46-2D If you look at the assassinatio...,2010-01-13
45574,2010-01-13 12:22:42,aab0162,pc-6599,C:\ASMWXYUP.pdf,File Open,False,False,25-50-44-46-2D If you look at the assassinatio...,2010-01-13
65488,2010-01-18 15:40:26,aab0162,pc-6599,C:\ASMWXYUP.pdf,File Open,False,False,25-50-44-46-2D If you look at the assassinatio...,2010-01-18
271634,2010-03-08 14:49:23,aab0162,pc-6599,C:\ASMWXYUP.pdf,File Open,False,False,25-50-44-46-2D If you look at the assassinatio...,2010-03-08
571486,2010-05-19 13:10:35,aab0162,pc-6599,C:\ASMWXYUP.pdf,File Open,False,False,25-50-44-46-2D If you look at the assassinatio...,2010-05-19


In [46]:
norm_devices = normalize_shared_columns(devices)

In [47]:
norm_devices.head()

Unnamed: 0,timestamp,user,pc,file_tree,activity,day
1404,2010-01-04 08:26:37,aac0610,pc-1834,R:\;R:\31j52f6;R:\44VQPl0;R:\52GqG81;R:\67Ppwr...,Connect,2010-01-04
2273,2010-01-04 10:23:08,aac0610,pc-1834,,Disconnect,2010-01-04
8162,2010-01-05 14:10:01,aac0610,pc-1834,R:\;R:\31j52f6;R:\44VQPl0;R:\52GqG81;R:\67Ppwr...,Connect,2010-01-05
8241,2010-01-05 14:20:11,aac0610,pc-1834,,Disconnect,2010-01-05
8619,2010-01-05 15:04:58,aac0610,pc-1834,R:\;R:\31j52f6;R:\44VQPl0;R:\52GqG81;R:\67Ppwr...,Connect,2010-01-05


In [48]:
norm_emails = normalize_shared_columns(emails)

In [49]:
norm_emails.head()

Unnamed: 0,timestamp,user,pc,to,cc,bcc,from,activity,size,attachments,content,day
6198,2010-01-04 08:34:26,aab0162,pc-6599,Tyrone.Axel.Prince@dtaa.com,Jeanette.Macey.Simpson@dtaa.com,,Amos.Ahmed.Burch@dtaa.com,Send,27156,,The forests and meadows of Bryce Canyon provid...,2010-01-04
6518,2010-01-04 08:40:32,aab0162,pc-6599,Amos.Ahmed.Burch@dtaa.com,,,Nicole_Moody@hp.com,View,27782,,About 35% of Ember Ridge andesite contains phe...,2010-01-04
6541,2010-01-04 08:41:06,aab0162,pc-6599,Adria.Sylvia.Flowers@dtaa.com;Xenos.Akeem.Barr...,,,Amos.Ahmed.Burch@dtaa.com,Send,2351690,C:\AAB0162\8UXAP401.doc(2129531);C:\AAB0162\GL...,"So if you killed right wing figures, you'd als...",2010-01-04
6606,2010-01-04 08:42:09,aab0162,pc-6599,Amos.Ahmed.Burch@dtaa.com,,,Raphael.Adrian.Peck@dtaa.com,View,30821,,"At that time, Harrison had never worked in Bri...",2010-01-04
6640,2010-01-04 08:42:48,aab0162,pc-6599,Amos.Ahmed.Burch@dtaa.com,,,WOB17@boeing.com,View,29378,,Sioeng also joined Fong at a meeting with then...,2010-01-04


In [59]:
# Sanity checks
files = [norm_logons, norm_files, norm_devices, norm_emails]

for file in files:
    assert file["day"].dtype == "datetime64[ns]"
    assert set(["user", "pc", "timestamp", "day"]).issubset(norm_logons.columns)