## Spark Group Assignment

Group O-2-8

Attacks fall into four main categories:

* DOS: denial-of-service, e.g. syn flood;
* R2L: unauthorized access from a remote machine, e.g. guessing password;
* U2R:  unauthorized access to local superuser (root) privileges, e.g., various buffer overflow attacks;
* probing: surveillance and other probing, e.g., port scanning.

It is important to note that the test data is not from the same probability distribution as the training data, and it includes specific attack types not in the training data.  This makes the task more realistic.  Some intrusion experts believe that most novel attacks are variants of known attacks and the "signature" of known attacks can be sufficient to catch novel variants.  The datasets contain a total of 24 training attack types, with an additional 14 types in the test data only. 

Agenda
1. Load Data
2. Inspect Data
3. Preprocess Data
4. Create A Model
5. Make Predictions
6. Evaluate Predictions

### 1. Spark Setup

In [1]:
import os
print(os.environ['SPARK_HOME'])
dataset_path="/home/ubuntu/challenge_1/"

/usr/local/software/spark


In [2]:
import pandas as pd

In [3]:
#import findspark
#findspark.init()
import pyspark

In [4]:
from pyspark.sql import SparkSession

spark = SparkSession \
    .builder \
    .master("local") \
    .appName("Dataset") \
    .getOrCreate()

In [5]:
spark.version

'2.2.0'

### 2. Data Loading

Data inspection shows that the data does not have a header.

In [20]:
# ---------
# Use SparkSession and infer schema, then add a header
# ---------

df = spark.read \
    .option("inferSchema", "true") \
    .csv("file://"+dataset_path+"full.data")

In [21]:
features=["duration", "protocol_type", "service", "flag", "src_bytes","dst_bytes", \
          "land","wrong_fragment","urgent","hot","num_failed_logins","logged_in", \
          "num_compromised","root_shell","su_attempted","num_root","num_file_creations", \
          "num_shells","num_access_files","num_outbound_cmds","is_host_login","is_guest_login", \
          "count","srv_count","serror_rate","srv_serror_rate","rerror_rate","srv_rerror_rate",\
          "same_srv_rate","diff_srv_rate","srv_diff_host_rate","dst_host_count","dst_host_srv_count", \
          "dst_host_same_srv_rate","dst_host_diff_srv_rate","dst_host_same_src_port_rate", \
          "dst_host_srv_diff_host_rate","dst_host_serror_rate","dst_host_srv_serror_rate","dst_host_rerror_rate",\
          "dst_host_srv_rerror_rate"]

target=["connection"]

fieldnames=features+target

rawnames=df.schema.names

# Create a small function
def updateColNames(df,oldnames,newnames):
    for i in range(len(newnames)):
        df=df.withColumnRenamed(oldnames[i], newnames[i])
    return df

df=updateColNames(df,rawnames,fieldnames)

In [22]:
# Adding a Boolean column for attack (=1) or normal (=0)
from pyspark.sql.functions import when

df = df.withColumn('attack', when(df["connection"] == 'normal', 0).otherwise(1))

df.select('attack').show(2)

+------+
|attack|
+------+
|     1|
|     1|
+------+
only showing top 2 rows



### 3. Data Inspection


* How many records do we have?
* What is the schema of our data?
* Is it numerical , is it categorical?
* Visualize your data

In [23]:
# Print the number of records in the data frame
print('Nb. of records  : %d' % df.count())

Nb. of records  : 4898431


In [24]:
# Check the Schema
df.printSchema()

root
 |-- duration: integer (nullable = true)
 |-- protocol_type: string (nullable = true)
 |-- service: string (nullable = true)
 |-- flag: string (nullable = true)
 |-- src_bytes: integer (nullable = true)
 |-- dst_bytes: integer (nullable = true)
 |-- land: integer (nullable = true)
 |-- wrong_fragment: integer (nullable = true)
 |-- urgent: integer (nullable = true)
 |-- hot: integer (nullable = true)
 |-- num_failed_logins: integer (nullable = true)
 |-- logged_in: integer (nullable = true)
 |-- num_compromised: integer (nullable = true)
 |-- root_shell: integer (nullable = true)
 |-- su_attempted: integer (nullable = true)
 |-- num_root: integer (nullable = true)
 |-- num_file_creations: integer (nullable = true)
 |-- num_shells: integer (nullable = true)
 |-- num_access_files: integer (nullable = true)
 |-- num_outbound_cmds: integer (nullable = true)
 |-- is_host_login: integer (nullable = true)
 |-- is_guest_login: integer (nullable = true)
 |-- count: integer (nullable = true

In [33]:
# Some stats on numerical features
df.groupBy('connection').agg({'duration': 'mean'}).orderBy("avg(duration)", ascending = False).show(30)

+----------------+--------------------+
|      connection|       avg(duration)|
+----------------+--------------------+
|      portsweep.|  2329.5862863728034|
|    warezclient.|   615.2578431372549|
|            spy.|               318.0|
|         normal.|  217.82472416710442|
|       multihop.|               184.0|
|        rootkit.|               100.8|
|buffer_overflow.|                91.7|
|           perl.|  41.333333333333336|
|     loadmodule.|   36.22222222222222|
|      ftp_write.|              32.375|
|    warezmaster.|               15.05|
|           imap.|                 6.0|
|            phf.|                 4.5|
|   guess_passwd.|  2.7169811320754715|
|        ipsweep.|  1.0455091739443956|
|           back.|  0.1289151157512483|
|          satan.|0.031462371004278886|
|        neptune.|1.865642056049484...|
|          smurf.|                 0.0|
|           land.|                 0.0|
|           nmap.|                 0.0|
|       teardrop.|                 0.0|


In [46]:
# Some stats on numerical features
df.groupBy('connection').agg({'src_bytes': 'mean'}).orderBy("avg(src_bytes)", ascending = False).show(30)

+----------------+--------------------+
|      connection|      avg(src_bytes)|
+----------------+--------------------+
|      portsweep.|  431708.31182176125|
|    warezclient.|    300219.562745098|
|           back.|  54156.355878347706|
|         normal.|  1477.8462500809535|
|            pod.|  1462.6515151515152|
|buffer_overflow.|  1400.4333333333334|
|          smurf.|    935.773096201199|
|       multihop.|  435.14285714285717|
|           imap.|   347.5833333333333|
|        rootkit.|               294.7|
|           perl.|   265.6666666666667|
|      ftp_write.|              220.75|
|            spy.|               174.5|
|     loadmodule.|  151.88888888888889|
|   guess_passwd.|  125.33962264150944|
|            phf.|                51.0|
|    warezmaster.|                49.3|
|       teardrop.|                28.0|
|           nmap.|  24.424006908462868|
|        ipsweep.|  10.436583607082765|
|          satan.|  0.9987415051598288|
|        neptune.|0.009994244494257088|


In [47]:
df.groupBy('connection').agg({'dst_bytes': 'mean'}).orderBy("avg(dst_bytes)", ascending = False).show(30)

+----------------+--------------------+
|      connection|      avg(dst_bytes)|
+----------------+--------------------+
|    warezmaster.|           3922087.7|
|       multihop.|   213016.2857142857|
|      portsweep.|  202681.31643138384|
|           imap.|  54948.666666666664|
|           back.|   8232.649568769859|
|            phf.|              8127.0|
|buffer_overflow.|   6339.833333333333|
|      ftp_write.|             5382.25|
|        rootkit.|              4276.6|
|         normal.|  3234.6501113816985|
|     loadmodule.|  3009.8888888888887|
|           perl.|              2444.0|
|            spy.|              1193.5|
|    warezclient.|   719.3176470588236|
|   guess_passwd.|  216.18867924528303|
|        ipsweep.|   4.394359426328019|
|          satan.|   2.127485527309338|
|           nmap.| 0.13255613126079446|
|       teardrop.| 0.05720122574055159|
|        neptune.|8.208825046617731E-4|
|            pod.|                 0.0|
|          smurf.|                 0.0|


In [49]:
# Some stats on numerical features
df.groupBy('connection').agg({'wrong_fragment': 'mean'}).orderBy("avg(wrong_fragment)", ascending = False).show(30)

+----------------+-------------------+
|      connection|avg(wrong_fragment)|
+----------------+-------------------+
|       teardrop.| 2.9816138917262514|
|            pod.| 0.9810606060606061|
|    warezmaster.|                0.0|
|          smurf.|                0.0|
|           nmap.|                0.0|
|   guess_passwd.|                0.0|
|           imap.|                0.0|
|      ftp_write.|                0.0|
|        ipsweep.|                0.0|
|          satan.|                0.0|
|      portsweep.|                0.0|
|           land.|                0.0|
|     loadmodule.|                0.0|
|        rootkit.|                0.0|
|buffer_overflow.|                0.0|
|    warezclient.|                0.0|
|           perl.|                0.0|
|            phf.|                0.0|
|       multihop.|                0.0|
|        neptune.|                0.0|
|           back.|                0.0|
|            spy.|                0.0|
|         normal.|       

In [50]:
# Some stats on numerical features
df.groupBy('connection').agg({'hot': 'mean'}).orderBy("avg(hot)", ascending = False).show(30)

+----------------+--------------------+
|      connection|            avg(hot)|
+----------------+--------------------+
|    warezclient.|   8.049019607843137|
|       multihop.|                 3.0|
|buffer_overflow.|   2.066666666666667|
|            phf.|                 2.0|
|           back.|  1.9632319564230594|
|   guess_passwd.|  1.0566037735849056|
|     loadmodule.|                 1.0|
|    warezmaster.|                 0.9|
|      ftp_write.|                 0.5|
|           imap.|  0.3333333333333333|
|        rootkit.|                 0.2|
|         normal.| 0.04953530136793379|
|      portsweep.|7.682704311917795E-4|
|          satan.|6.921721620941354E-4|
|          smurf.|                 0.0|
|           nmap.|                 0.0|
|            pod.|                 0.0|
|       teardrop.|                 0.0|
|           land.|                 0.0|
|        ipsweep.|                 0.0|
|           perl.|                 0.0|
|        neptune.|                 0.0|


In [51]:
# Some stats on numerical features
df.groupBy('connection').agg({'num_failed_logins': 'mean'}).orderBy("avg(num_failed_logins)", ascending = False).show(30)

+----------------+----------------------+
|      connection|avg(num_failed_logins)|
+----------------+----------------------+
|   guess_passwd.|    1.0566037735849056|
|        rootkit.|                   0.1|
|          satan.|  2.516989680342311E-4|
|         normal.|   9.86861379899484E-5|
|    warezmaster.|                   0.0|
|          smurf.|                   0.0|
|           imap.|                   0.0|
|           nmap.|                   0.0|
|            pod.|                   0.0|
|        ipsweep.|                   0.0|
|    warezclient.|                   0.0|
|      portsweep.|                   0.0|
|           perl.|                   0.0|
|           land.|                   0.0|
|     loadmodule.|                   0.0|
|buffer_overflow.|                   0.0|
|      ftp_write.|                   0.0|
|       teardrop.|                   0.0|
|            phf.|                   0.0|
|       multihop.|                   0.0|
|        neptune.|                

In [35]:
# Some stats on numerical features
df.select("duration").describe().show()

+-------+-----------------+
|summary|         duration|
+-------+-----------------+
|  count|          4898431|
|   mean|48.34243046395876|
| stddev|723.3298112546812|
|    min|                0|
|    max|            58329|
+-------+-----------------+



In [None]:
# Create a table for SQL access
# df.registerTempTable("train_data")

In [None]:
# df.describe().toPandas().to_csv("data_summary")

### Exploring the categorical variables

* protocol_type
* service
* flag
* connection

in term of the number of categories and count()

In [52]:
# How many distict flags we have
df.groupby('protocol_type').count().show()

+-------------+-------+
|protocol_type|  count|
+-------------+-------+
|          tcp|1870598|
|          udp| 194288|
|         icmp|2833545|
+-------------+-------+



In [53]:
# How many distict services we have
df.groupby('service').count().show()

+---------+-----+
|  service|count|
+---------+-----+
|   telnet| 4277|
|      ftp| 5214|
|     auth| 3382|
| iso_tsap| 1052|
|   systat| 1056|
|     name| 1067|
|  sql_net| 1052|
|    ntp_u| 3833|
|      X11|  135|
|    pop_3| 1981|
|     ldap| 1041|
|  discard| 1059|
|   tftp_u|    3|
|   Z39_50| 1078|
|  daytime| 1056|
| domain_u|57782|
|    login| 1045|
|     smtp|96554|
|http_2784|    1|
|      mtp| 1076|
+---------+-----+
only showing top 20 rows



In [54]:
# How many distict flags we have
df.groupby('flag').count().show()

+------+-------+
|  flag|  count|
+------+-------+
|RSTOS0|    122|
|    S3|     50|
|    SF|3744328|
|    S0| 869829|
|   OTH|     57|
|   REJ| 268874|
|  RSTO|   5344|
|  RSTR|   8094|
|    SH|   1040|
|    S2|    161|
|    S1|    532|
+------+-------+



In [55]:
df.groupby('connection').count()\
    .orderBy('count', ascending =False)\
    .show(100)

+----------------+-------+
|      connection|  count|
+----------------+-------+
|          smurf.|2807886|
|        neptune.|1072017|
|         normal.| 972781|
|          satan.|  15892|
|        ipsweep.|  12481|
|      portsweep.|  10413|
|           nmap.|   2316|
|           back.|   2203|
|    warezclient.|   1020|
|       teardrop.|    979|
|            pod.|    264|
|   guess_passwd.|     53|
|buffer_overflow.|     30|
|           land.|     21|
|    warezmaster.|     20|
|           imap.|     12|
|        rootkit.|     10|
|     loadmodule.|      9|
|      ftp_write.|      8|
|       multihop.|      7|
|            phf.|      4|
|           perl.|      3|
|            spy.|      2|
+----------------+-------+



### Data Visualizations

tbd

In [None]:
# 3a. Create a in-memory DataFrame 
# df2.registerTempTable("network_data")

In [None]:
# num_features = [
    "duration","src_bytes",
    "dst_bytes","land","wrong_fragment","urgent","hot","num_failed_logins",
    "logged_in","num_compromised","root_shell","su_attempted","num_root",
    "num_file_creations","num_shells","num_access_files","num_outbound_cmds",
    "is_host_login","is_guest_login","count","srv_count","serror_rate",
    "srv_serror_rate","rerror_rate","srv_rerror_rate","same_srv_rate",
    "diff_srv_rate","srv_diff_host_rate","dst_host_count","dst_host_srv_count",
    "dst_host_same_srv_rate","dst_host_diff_srv_rate","dst_host_same_src_port_rate",
    "dst_host_srv_diff_host_rate","dst_host_serror_rate","dst_host_srv_serror_rate",
    "dst_host_rerror_rate","dst_host_srv_rerror_rate"
#]
#features = df[num_features]
#features.describe()


### Preprocess Data

The data inspetion shows that our dataset contains three categorical variables:

* protocol_type
* service
* flag

#### Feature Transformation

Since models work over nunmerical values we have to transform  these variables into numeric representation. For this transformation process ( categorical -> numerical ) we will use the following 'functions':

 1. **StringIndexer** 
     https://spark.apache.org/docs/2.2.1/ml-features.html#stringindexer
     StringIndexer encodes a string column of labels to a column of label indices.

 2. **OneHotEncoder**: 
     https://spark.apache.org/docs/2.2.1/ml-features.html#onehotencoder
     OneHotEncoder maps a column of label indices to a column of binary vectors, with at most a single one-value.
     This encoding allows algorithms which expect continuous features, such as Logistic Regression, 
     to use categorical features.Each categorical column will be indexed using the StringIndexer, 
     and then converted nto one-hot encoded variables using the One-Hot encoder. 
     The resulting output has the binary vectors appended to the end of each row.
   
 3. **VectorAssembler**: 
     https://spark.apache.org/docs/2.2.1/ml-features.html#vectorassembler
     TBW

 4. **Pipelines** : 
    We will have more than 1 'process' or stage in our transforamtion so we use a **Pipeline** 
    to put stages   together. This greately 'cleans' the code elaboration.

In [101]:
from pyspark.ml.feature import OneHotEncoder, StringIndexer, VectorAssembler

In [102]:
from pyspark.ml import Pipeline

categoricalColumns = [ \
           "protocol_type", "service", "flag"]

stages = [] # stages in our Pipeline
for col in categoricalColumns:
  
  # Category Indexing with StringIndexer
  indexer = StringIndexer(inputCol=col, outputCol=col+"_index")
   
  # Use OneHotEncoder to convert categorical variables into binary SparseVectors
  encoder = OneHotEncoder(inputCol=col+"_index", outputCol=col+"_vector")
  
  # Add stages.  These are not run here, but will run all at once later on.
  stages += [indexer, encoder]

In [103]:
# @ADOLFO: The professor uses this in Lab 4. I don't think we have to do it since our target variable (=attack)
#          has already been transformed into a Boolean. What do you think?

# Use StringIndexer to encode ALSO our target (income) to label indices.
# Convert label into label indices using the StringIndexer
# label_stringIdx = StringIndexer(inputCol = "outcome", outputCol = "label")
# stages += [label_stringIdx]

In [104]:
# Use StringIndexer to encode ALSO our target (income) to label indices.
# Convert label into label indices using the StringIndexer
label_stringIdx = StringIndexer(inputCol = "attack", outputCol = "label")
stages += [label_stringIdx]

#### VectorAssembler 
combine all the feature columns into a single vector column. 
Vector assembler can be used to combine raw features and features generated by different feature transformers 
into a single feature vector, in order to train ML models like logistic regression 
This output will include both the numeric columns and the one-hot encoded binary vector columns in our dataset.

In [105]:
numericCols_all = [
    "duration","src_bytes",
    "dst_bytes","land","wrong_fragment","urgent","hot","num_failed_logins",
    "logged_in","num_compromised","root_shell","su_attempted","num_root",
    "num_file_creations","num_shells","num_access_files","num_outbound_cmds",
    "is_host_login","is_guest_login","count","srv_count","serror_rate",
    "srv_serror_rate","rerror_rate","srv_rerror_rate","same_srv_rate",
    "diff_srv_rate","srv_diff_host_rate","dst_host_count","dst_host_srv_count",
    "dst_host_same_srv_rate","dst_host_diff_srv_rate","dst_host_same_src_port_rate",
    "dst_host_srv_diff_host_rate","dst_host_serror_rate","dst_host_srv_serror_rate",
    "dst_host_rerror_rate","dst_host_srv_rerror_rate"
]

In [106]:
# Transform all numerical features into a vector using VectorAssembler

numericCols_model = ["duration","src_bytes","dst_bytes","land","wrong_fragment","urgent"]

assemblerInputs = [ col + "_vector" for col in categoricalColumns ] + numericCols_model
assembler = VectorAssembler(inputCols=assemblerInputs, outputCol="features")
stages += [assembler]

In [107]:
print(assemblerInputs)

['protocol_type_vector', 'service_vector', 'flag_vector', 'duration', 'src_bytes', 'dst_bytes', 'land', 'wrong_fragment', 'urgent']


In [108]:
# Check the stages of our pipeline
n=0
for s in stages:
    print('stage number %d %s' %(n,s.getOutputCol()))
    n+=1 

stage number 0 protocol_type_index
stage number 1 protocol_type_vector
stage number 2 service_index
stage number 3 service_vector
stage number 4 flag_index
stage number 5 flag_vector
stage number 6 label
stage number 7 features


### Make Model
 * Create a Pipeline object to group together the stages we defined ( feature transformations )
 * Create the model
 * Split data into train and test data
 * Train the model with train data
 * Test model predictions with test data

In [116]:
from pyspark.ml import Pipeline
# Create a Pipeline.
pipeline = Pipeline(stages=stages)

# Run the feature transformations.
#  - fit() computes feature statistics as needed.
#  - transform() actually transforms the features.

transformer = pipeline.fit(df)
transformed_df = transformer.transform(df)

# Keep relevant columns
selection = ["label", "features", "duration", "src_bytes"] + assemblerInputs
dataset = transformed_df.select(selection)

In [117]:
### Randomly split data into training (70%) and test (30%) sets. set seed for reproducibility
(train_data, test_data) = dataset.randomSplit([0.7, 0.3], seed = 123)
print('Training records : %d' % train_data.count())
print('Test records : %d ' % test_data.count())
train_data.cache()

Training records : 3427798
Test records : 1470633 


DataFrame[label: double, features: vector, duration: int, src_bytes: int, protocol_type_vector: vector, service_vector: vector, flag_vector: vector, duration: int, src_bytes: int, dst_bytes: int, land: int, wrong_fragment: int, urgent: int]

In [118]:
from pyspark.ml.classification import LogisticRegression

# Create initial LogisticRegression model
lr = LogisticRegression(labelCol="label", featuresCol="features", maxIter=10)

# Train model with Training Data
model = lr.fit(train_data)

In [119]:
# Make predictions on test data using the transform() method.
# LogisticRegression.transform() will only use the 'features' column.

predictions = model.transform(test_data)

In [120]:
# See model's predictions and probabilities of each prediction class
# You can select any columns in the above schema to view as well. 
# For example's sake we will choose age & occupation
# selected = predictions.select("label", "prediction", "duration","src_bytes")

In [121]:
# Probability : 
# Here the probability column specifies the probability that the label is 0 (<=50K/yr) or 1 (>50K/yr)
# The algorithm selects (= predicts) the outcome with the highest probability
# selected.toPandas()

#### Evaluation Metrics:
https://spark.apache.org/docs/2.2.1/mllib-evaluation-metrics.html

In [122]:
from pyspark.ml.evaluation import BinaryClassificationEvaluator

# Evaluate model
evaluator = BinaryClassificationEvaluator(rawPredictionCol="rawPrediction")
score = evaluator.evaluate(predictions)
print('Score is : %03f' % score )

Score is : 0.000000
