# Supervised ML for anomaly detection in IOT to enahnce network security
## Part 1 - DATA CLEANING

The IoT-23 dataset is a collection of network traffic from Internet of Things (IoT) devices. It includes 20 malware captures executed in IoT devices, and 3 hotspot captures for benign IoT devices traffic12. The 3 hotspot captures are not being included in the data cleaning because this feature was not considered relevant for the specific analysis being performed.

In this notebook, we load the raw dataset file and implement initial cleaning to prepare it for the next processing phase.

> **INPUT:** downloaded the raw dataset file from its original source. <br>
> **OUTPUT:** a cleaned version of the dataset stored to an intermediate csv file.

***

### 1. INITIALIZATION

In [1]:
# Import necessary libraries and modules
import pandas as pd
import glob
import os

In [2]:
# Set display options
pd.set_option('display.max_columns', None)
pd.set_option('future.no_silent_downcasting', True)

In [3]:
# Initialize required variables to read from the data file
for dirname, _, filenames in os.walk('../CSV-data/raw/'):
    for filename in filenames:
        print(os.path.join(dirname, filename))

../CSV-data/raw/conn.log9_1.labeled
../CSV-data/raw/conn.log35_1.labeled
../CSV-data/raw/conn.log33_1.labeled
../CSV-data/raw/conn.log34_1.labeled
../CSV-data/raw/conn.log21_1.labeled
../CSV-data/raw/conn.log43_1.labeled
../CSV-data/raw/conn.log8_1.labeled
../CSV-data/raw/conn.log7_1.labeled
../CSV-data/raw/conn.log42_1.labeled
../CSV-data/raw/conn.log44_1.labeled
../CSV-data/raw/conn.log48_1.labeled
../CSV-data/raw/conn.log20_1.labeled
../CSV-data/raw/conn.log60_1.labeled
../CSV-data/raw/conn.log36_1.labeled
../CSV-data/raw/conn.log39_1.labeled
../CSV-data/raw/conn.log17_1.labeled
../CSV-data/raw/conn.log52_1.labeled
../CSV-data/raw/conn.log49_1.labeled
../CSV-data/raw/conn.log1_1.labeled
../CSV-data/raw/conn.log3_1.labeled


### 2. LOADING DATASET FILE

In [4]:
# Get a list of all the .labeled files
labeled_files = glob.glob('../CSV-data/raw/*.labeled')

# Create an empty list to hold dataframes
dfs = []

# Loop over the list of .labeled files
for labeled_file in labeled_files:    
    # Column names are included in the file in a commented line, so we need to read the corresponding line separately and remove the first description word.
    data_columns = pd.read_csv(labeled_file, sep='\t', skiprows=6, nrows=1, header=None).iloc[0][1:]
    
    # Read the actual dataset
    data_df = pd.read_csv(labeled_file, sep='\t', nrows=100000, comment="#", header=None)
    
    # Set column names
    data_df.columns = data_columns
    
    # Read each .labeled file into a dataframe and append to the list
    # df = pd.read_csv(labeled_file, skiprows=6, nrows=100000)
    dfs.append(data_df)

# Concatenate all dataframes in the list
combined_df = pd.concat(dfs, ignore_index=True)

# Write the combined dataframe to a new csv file
combined_df.to_csv('../CSV-data/raw/combined.labeled_files.csv', index=False)

In [5]:
combined_df 

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,local_orig,local_resp,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents label detailed-label
0,1.532510e+09,CnR6zKxrWbFw26ua7,192.168.100.111,40008,46.28.110.244,123,udp,-,0.004751,48,48,SF,-,-,0,Dd,1,76,1,76,(empty) Benign -
1,1.532511e+09,CcfURS3zgEMzX0RqTc,192.168.100.102,57849,192.168.100.111,22,tcp,-,108.421563,2376,96,OTH,-,-,0,DAd,5,332,2,200,(empty) Benign -
2,1.532512e+09,CPhAqD1EhNOoPVA6ha,192.168.100.102,59670,192.168.100.111,22,tcp,-,0.001244,21,0,S0,-,-,0,SAD,3,189,0,0,(empty) Benign -
3,1.532512e+09,CFr56iYeYk4YZXrPf,192.168.100.102,59701,192.168.100.111,22,tcp,-,0.000738,21,0,S0,-,-,0,SAD,3,189,0,0,(empty) Benign -
4,1.532512e+09,C8a9xW23hF8nDgeNtj,192.168.100.111,36199,192.168.100.1,53,udp,dns,-,-,-,S0,-,-,0,D,1,58,0,0,(empty) Benign -
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
1444701,1.526839e+09,CNQtKh2f13DGGkK3mh,192.168.2.5,41559,219.22.220.94,22,tcp,-,-,-,-,S0,-,-,0,S,1,60,0,0,(empty) Malicious PartOfAHorizontalPortScan
1444702,1.526839e+09,CqVjkD4OAMG0eTfemf,192.168.2.5,33619,219.150.110.230,22,tcp,-,2.999363,0,0,S0,-,-,0,S,3,180,0,0,(empty) Malicious PartOfAHorizontalPortScan
1444703,1.526839e+09,C0jtkak5GZPsh8mia,192.168.2.5,48481,219.34.35.98,22,tcp,-,-,-,-,S0,-,-,0,S,1,60,0,0,(empty) Malicious PartOfAHorizontalPortScan
1444704,1.526839e+09,CBKQOe5k5wGQ5b6v,192.168.2.5,54243,219.122.26.35,22,tcp,-,2.997674,0,0,S0,-,-,0,S,3,180,0,0,(empty) Malicious PartOfAHorizontalPortScan


There are a couple of issues that need to be fixed in this phase:
- We notice here that the last column contains several values, this is due to an unmatched delimiter in the original dataset file.
- We also notice some fields with '-', which means the field is unset according to the dataset documentation.

In [6]:
# Check dataset shape
combined_df.shape

(1444706, 21)

In [7]:
# Check dataset summary
combined_df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 1444706 entries, 0 to 1444705
Data columns (total 21 columns):
 #   Column                                   Non-Null Count    Dtype  
---  ------                                   --------------    -----  
 0   ts                                       1444706 non-null  float64
 1   uid                                      1444706 non-null  object 
 2   id.orig_h                                1444706 non-null  object 
 3   id.orig_p                                1444706 non-null  int64  
 4   id.resp_h                                1444706 non-null  object 
 5   id.resp_p                                1444706 non-null  int64  
 6   proto                                    1444706 non-null  object 
 7   service                                  1444706 non-null  object 
 8   duration                                 1444706 non-null  object 
 9   orig_bytes                               1444706 non-null  object 
 10  resp_bytes        

- This summary says there are no missing values which is inaccurate (due to the unset fields with '-' values).
- Some numerical fields are misidentified as "object" (strings) which will also be fixed later.

### 3. DATA CLEANING

#### Fix combined columns

The last column in the dataset contains three separate values and needs to be unpacked into three corresponding columns. This is due to unmatched separators in the original data file.

In [8]:
# Split the last combined column into three ones
tunnel_parents_column = combined_df.iloc[:,-1].apply(lambda x: x.split()[0])
label_column = combined_df.iloc[:,-1].apply(lambda x: x.split()[1])
detailed_label_column = combined_df.iloc[:,-1].apply(lambda x: x.split()[2])

In [9]:
# Drop the combined column
combined_df.drop(["tunnel_parents   label   detailed-label"], axis=1, inplace=True)

In [10]:
# Add newly created columns to the dataset
combined_df["tunnel_parents"] = tunnel_parents_column
combined_df["label"] = label_column
combined_df["detailed_label"] = detailed_label_column

In [11]:
# Check the dataset
combined_df

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,local_orig,local_resp,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents,label,detailed_label
0,1.532510e+09,CnR6zKxrWbFw26ua7,192.168.100.111,40008,46.28.110.244,123,udp,-,0.004751,48,48,SF,-,-,0,Dd,1,76,1,76,(empty),Benign,-
1,1.532511e+09,CcfURS3zgEMzX0RqTc,192.168.100.102,57849,192.168.100.111,22,tcp,-,108.421563,2376,96,OTH,-,-,0,DAd,5,332,2,200,(empty),Benign,-
2,1.532512e+09,CPhAqD1EhNOoPVA6ha,192.168.100.102,59670,192.168.100.111,22,tcp,-,0.001244,21,0,S0,-,-,0,SAD,3,189,0,0,(empty),Benign,-
3,1.532512e+09,CFr56iYeYk4YZXrPf,192.168.100.102,59701,192.168.100.111,22,tcp,-,0.000738,21,0,S0,-,-,0,SAD,3,189,0,0,(empty),Benign,-
4,1.532512e+09,C8a9xW23hF8nDgeNtj,192.168.100.111,36199,192.168.100.1,53,udp,dns,-,-,-,S0,-,-,0,D,1,58,0,0,(empty),Benign,-
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
1444701,1.526839e+09,CNQtKh2f13DGGkK3mh,192.168.2.5,41559,219.22.220.94,22,tcp,-,-,-,-,S0,-,-,0,S,1,60,0,0,(empty),Malicious,PartOfAHorizontalPortScan
1444702,1.526839e+09,CqVjkD4OAMG0eTfemf,192.168.2.5,33619,219.150.110.230,22,tcp,-,2.999363,0,0,S0,-,-,0,S,3,180,0,0,(empty),Malicious,PartOfAHorizontalPortScan
1444703,1.526839e+09,C0jtkak5GZPsh8mia,192.168.2.5,48481,219.34.35.98,22,tcp,-,-,-,-,S0,-,-,0,S,1,60,0,0,(empty),Malicious,PartOfAHorizontalPortScan
1444704,1.526839e+09,CBKQOe5k5wGQ5b6v,192.168.2.5,54243,219.122.26.35,22,tcp,-,2.997674,0,0,S0,-,-,0,S,3,180,0,0,(empty),Malicious,PartOfAHorizontalPortScan


In [12]:
# Change (-) in detailed_label to Benign
combined_df.loc[(combined_df.detailed_label == '-'), 'detailed_label'] = 'Benign'

In [13]:
# Check the number of unique values in each column
combined_df['detailed_label'].unique()

array(['Benign', 'PartOfAHorizontalPortScan', 'C&C', 'C&C-FileDownload',
       'Okiru', 'C&C-HeartBeat', 'DDoS', 'C&C-Torii', 'FileDownload',
       'C&C-HeartBeat-FileDownload', 'Attack', 'C&C-Mirai'], dtype=object)

In [14]:
# Check the number of unique values in each column
combined_df.nunique().sort_values(ascending=False)

0
ts                1444706
uid               1444706
id.resp_h         1096054
id.orig_p           62278
duration            58590
id.resp_p           29263
id.orig_h            3266
resp_ip_bytes         932
orig_ip_bytes         928
resp_bytes            514
orig_bytes            301
orig_pkts             176
history               145
resp_pkts             134
missed_bytes           21
conn_state             13
detailed_label         12
service                 7
proto                   3
tunnel_parents          2
label                   2
local_resp              1
local_orig              1
dtype: int64

In [15]:
# Two columns have only unique values and three columns have only one value, so we should drop them.
combined_df.drop(columns=["ts","uid",'id.orig_h',"id.orig_p","id.resp_h","id.resp_p",
"service","local_resp","local_orig","history","tunnel_parents"], inplace=True)

In [16]:
# Check the dataset
combined_df

Unnamed: 0,proto,duration,orig_bytes,resp_bytes,conn_state,missed_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,label,detailed_label
0,udp,0.004751,48,48,SF,0,1,76,1,76,Benign,Benign
1,tcp,108.421563,2376,96,OTH,0,5,332,2,200,Benign,Benign
2,tcp,0.001244,21,0,S0,0,3,189,0,0,Benign,Benign
3,tcp,0.000738,21,0,S0,0,3,189,0,0,Benign,Benign
4,udp,-,-,-,S0,0,1,58,0,0,Benign,Benign
...,...,...,...,...,...,...,...,...,...,...,...,...
1444701,tcp,-,-,-,S0,0,1,60,0,0,Malicious,PartOfAHorizontalPortScan
1444702,tcp,2.999363,0,0,S0,0,3,180,0,0,Malicious,PartOfAHorizontalPortScan
1444703,tcp,-,-,-,S0,0,1,60,0,0,Malicious,PartOfAHorizontalPortScan
1444704,tcp,2.997674,0,0,S0,0,3,180,0,0,Malicious,PartOfAHorizontalPortScan


In [17]:
# Replace all occurrences of empty/unset cells with null values
combined_df.replace({'-':0, "(empty)":0}, inplace=True)

In [18]:
# Fix data types of the misinterpreted columns
dtype_convert_dict = {
    "duration": float,
    "orig_bytes": float,
    "resp_bytes": float
}
combined_df = combined_df.astype(dtype_convert_dict)

### 4. STORING CLEANED DATASET

#### Check the cleaned version of the dataset

In [19]:
# Check the dataset summary
combined_df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 1444706 entries, 0 to 1444705
Data columns (total 12 columns):
 #   Column          Non-Null Count    Dtype  
---  ------          --------------    -----  
 0   proto           1444706 non-null  object 
 1   duration        1444706 non-null  float64
 2   orig_bytes      1444706 non-null  float64
 3   resp_bytes      1444706 non-null  float64
 4   conn_state      1444706 non-null  object 
 5   missed_bytes    1444706 non-null  int64  
 6   orig_pkts       1444706 non-null  int64  
 7   orig_ip_bytes   1444706 non-null  int64  
 8   resp_pkts       1444706 non-null  int64  
 9   resp_ip_bytes   1444706 non-null  int64  
 10  label           1444706 non-null  object 
 11  detailed_label  1444706 non-null  object 
dtypes: float64(3), int64(5), object(4)
memory usage: 132.3+ MB


In [20]:
# Check the cleaned version of the dataset
combined_df

Unnamed: 0,proto,duration,orig_bytes,resp_bytes,conn_state,missed_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,label,detailed_label
0,udp,0.004751,48.0,48.0,SF,0,1,76,1,76,Benign,Benign
1,tcp,108.421563,2376.0,96.0,OTH,0,5,332,2,200,Benign,Benign
2,tcp,0.001244,21.0,0.0,S0,0,3,189,0,0,Benign,Benign
3,tcp,0.000738,21.0,0.0,S0,0,3,189,0,0,Benign,Benign
4,udp,0.000000,0.0,0.0,S0,0,1,58,0,0,Benign,Benign
...,...,...,...,...,...,...,...,...,...,...,...,...
1444701,tcp,0.000000,0.0,0.0,S0,0,1,60,0,0,Malicious,PartOfAHorizontalPortScan
1444702,tcp,2.999363,0.0,0.0,S0,0,3,180,0,0,Malicious,PartOfAHorizontalPortScan
1444703,tcp,0.000000,0.0,0.0,S0,0,1,60,0,0,Malicious,PartOfAHorizontalPortScan
1444704,tcp,2.997674,0.0,0.0,S0,0,3,180,0,0,Malicious,PartOfAHorizontalPortScan


#### Store cleaned dataset to a csv file

In [21]:
# Store cleaned dataset to a csv file
combined_df.to_csv('../CSV-data/interim/iot23_combined.csv')