# Web attack detection using CICIDS2017 dataset
Based on Thesis of Kahraman Kostas, <br> 
Anomaly Detection in Networks Using Machine Learning <br>
Link : https://www.researchgate.net/profile/Kahraman-Kostas/publication/328512658_Anomaly_Detection_in_Networks_Using_Machine_Learning/links/5bd1d1bf458515343d58eddc/Anomaly-Detection-in-Networks-Using-Machine-Learning.pdf


### Preparing Datasets.

In [1]:
import pandas as pd
import numpy as np
from sklearn import preprocessing
import matplotlib.pyplot as plt
%matplotlib inline
from sklearn.ensemble import RandomForestClassifier


In [2]:
df = pd.read_csv('Dataset/Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv', engine='python', encoding='latin1')

In [3]:
df.shape

(458968, 85)

In [4]:
df.head()

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,192.168.10.3-192.168.10.50-389-33898-6,192.168.10.50,33898.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113095465.0,48.0,24.0,...,32.0,203985.5,575837.3,1629110.0,379.0,13800000.0,4277541.0,16500000.0,6737603.0,BENIGN
1,192.168.10.3-192.168.10.50-389-33904-6,192.168.10.50,33904.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113473706.0,68.0,40.0,...,32.0,178326.875,503426.9,1424245.0,325.0,13800000.0,4229413.0,16500000.0,6945512.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0.0,8.0.6.4,0.0,0.0,6/7/2017 8:59,119945515.0,150.0,0.0,...,0.0,6909777.333,11700000.0,20400000.0,6.0,24400000.0,24300000.0,60100000.0,5702188.0,BENIGN
3,192.168.10.14-65.55.44.109-59135-443-6,192.168.10.14,59135.0,65.55.44.109,443.0,6.0,6/7/2017 8:59,60261928.0,9.0,7.0,...,20.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,BENIGN
4,192.168.10.3-192.168.10.14-53-59555-17,192.168.10.14,59555.0,192.168.10.3,53.0,17.0,6/7/2017 8:59,269.0,2.0,2.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,BENIGN


In [5]:
df

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,192.168.10.3-192.168.10.50-389-33898-6,192.168.10.50,33898.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113095465.0,48.0,24.0,...,32.0,203985.500,5.758373e+05,1629110.0,379.0,13800000.0,4.277541e+06,16500000.0,6737603.0,BENIGN
1,192.168.10.3-192.168.10.50-389-33904-6,192.168.10.50,33904.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113473706.0,68.0,40.0,...,32.0,178326.875,5.034269e+05,1424245.0,325.0,13800000.0,4.229413e+06,16500000.0,6945512.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0.0,8.0.6.4,0.0,0.0,6/7/2017 8:59,119945515.0,150.0,0.0,...,0.0,6909777.333,1.170000e+07,20400000.0,6.0,24400000.0,2.430000e+07,60100000.0,5702188.0,BENIGN
3,192.168.10.14-65.55.44.109-59135-443-6,192.168.10.14,59135.0,65.55.44.109,443.0,6.0,6/7/2017 8:59,60261928.0,9.0,7.0,...,20.0,0.000,0.000000e+00,0.0,0.0,0.0,0.000000e+00,0.0,0.0,BENIGN
4,192.168.10.3-192.168.10.14-53-59555-17,192.168.10.14,59555.0,192.168.10.3,53.0,17.0,6/7/2017 8:59,269.0,2.0,2.0,...,32.0,0.000,0.000000e+00,0.0,0.0,0.0,0.000000e+00,0.0,0.0,BENIGN
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
458963,,,,,,,,,,,...,,,,,,,,,,
458964,,,,,,,,,,,...,,,,,,,,,,
458965,,,,,,,,,,,...,,,,,,,,,,
458966,,,,,,,,,,,...,,,,,,,,,,


In [6]:
df_sqli = df[df[' Label'].str.contains('sql', case=False, na=False)]
df_sqli.head()

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
90293,172.16.0.1-192.168.10.50-36196-80-6,172.16.0.1,36196.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,5006127.0,4.0,4.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90328,172.16.0.1-192.168.10.50-36196-80-6,172.16.0.1,36196.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,508.0,2.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90329,172.16.0.1-192.168.10.50-36198-80-6,172.16.0.1,36198.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,5069927.0,4.0,4.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90351,172.16.0.1-192.168.10.50-36198-80-6,172.16.0.1,36198.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,42.0,1.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90370,172.16.0.1-192.168.10.50-36200-80-6,172.16.0.1,36200.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,5038618.0,4.0,4.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection


In [7]:
df_xss=df[df[' Label'].str.contains('xss', case=False, na=False)]
df_xss.head()

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
72134,172.16.0.1-192.168.10.50-52120-80-6,172.16.0.1,52120.0,192.168.10.50,80.0,6.0,6/7/2017 10:15,5638432.0,3.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  XSS
72135,172.16.0.1-192.168.10.50-52118-80-6,172.16.0.1,52118.0,192.168.10.50,80.0,6.0,6/7/2017 10:15,5638527.0,3.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  XSS
72136,172.16.0.1-192.168.10.50-52100-80-6,172.16.0.1,52100.0,192.168.10.50,80.0,6.0,6/7/2017 10:15,5945704.0,3.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  XSS
72137,172.16.0.1-192.168.10.50-52098-80-6,172.16.0.1,52098.0,192.168.10.50,80.0,6.0,6/7/2017 10:15,6075117.0,16.0,12.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  XSS
72175,172.16.0.1-192.168.10.50-52098-80-6,172.16.0.1,52098.0,192.168.10.50,80.0,6.0,6/7/2017 10:15,34.0,1.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  XSS


## Merging of the Dataset
### Loading Our Database
Web Attack – LFI, It's a small dataset to know it's imapct on the whole model and to see if it can really impact the model by merging more attacks hence improving it's attack detection techniques.

In [8]:
df_own = pd.read_csv('Dataset/LFIAttackDB.csv', engine='python', encoding='latin1')

In [9]:
df_own.shape

(59, 82)

In [10]:
Label_LFI = 'Web Attack – LFI'

In [11]:
df_own['Label'] = Label_LFI

In [12]:
df_own

Unnamed: 0,source ip,destination ip,source port,destination port,protocol,timestamp,flow duration,flow bytes/s,flow packets/s,fwd packets/s,...,fwd avg bulk rate,bwd avg bulk rate,avg fwd segment size,avg bwd segment size,cwe flag count,subflow fwd packets,subflow bwd packets,subflow fwd bytes,subflow bwd bytes,Label
0,192.168.1.9,192.168.1.51,63959,80,6,2023-12-01 10:17:14,7453870.0,489.6785,1.878219,1.073268,...,0.0,0.0,169.875,381.833333,0,8,6,1359,2291,Web Attack – LFI
1,192.168.1.9,192.168.1.51,63960,80,6,2023-12-01 10:17:14,14485330.0,707.6125,2.209132,1.380707,...,0.0,0.0,255.45,428.416667,0,20,12,5109,5141,Web Attack – LFI
2,192.168.1.9,192.168.1.51,63962,80,6,2023-12-01 10:17:30,3276.0,524420.0,3357.753358,1831.501832,...,0.0,0.0,149.0,164.8,0,6,5,894,824,Web Attack – LFI
3,192.168.1.9,192.168.1.51,63963,80,6,2023-12-01 10:17:33,121380688.0,576.1295,1.474699,0.980387,...,0.0,0.0,315.478992,539.816667,0,119,60,37542,32389,Web Attack – LFI
4,192.168.1.51,192.168.1.9,80,63963,6,2023-12-01 10:19:35,84041092.0,601.2416,1.57066,0.535452,...,0.0,0.0,533.222222,304.988506,0,45,87,23995,26534,Web Attack – LFI
5,192.168.1.9,192.168.1.51,63965,80,6,2023-12-01 10:21:01,120332851.0,594.6173,1.46261,0.972303,...,0.0,0.0,339.478632,539.542373,0,117,59,39719,31833,Web Attack – LFI
6,192.168.1.51,192.168.1.9,80,63965,6,2023-12-01 10:23:01,90998901.0,592.7984,1.483534,0.505501,...,0.0,0.0,533.717391,330.258427,0,46,89,24551,29393,Web Attack – LFI
7,192.168.1.9,192.168.1.51,63970,80,6,2023-12-01 10:24:34,14150213.0,686.4208,2.049439,1.272066,...,0.0,0.0,308.444444,378.272727,0,18,11,5552,4161,Web Attack – LFI
8,192.168.1.9,192.168.1.51,63971,80,6,2023-12-01 10:24:49,2425.0,712989.7,4536.082474,2474.226804,...,0.0,0.0,150.833333,164.8,0,6,5,905,824,Web Attack – LFI
9,192.168.1.9,192.168.1.51,63972,80,6,2023-12-01 10:24:51,2312.0,751730.1,4757.785467,2595.155709,...,0.0,0.0,152.333333,164.8,0,6,5,914,824,Web Attack – LFI


In [13]:
# Inserting a new column of Flow ID i.e, index no
df_own['Flow ID'] = range(0, len(df_own))
#df_own = df_own.set_index('Flow ID')

In [14]:
df_own

Unnamed: 0,source ip,destination ip,source port,destination port,protocol,timestamp,flow duration,flow bytes/s,flow packets/s,fwd packets/s,...,bwd avg bulk rate,avg fwd segment size,avg bwd segment size,cwe flag count,subflow fwd packets,subflow bwd packets,subflow fwd bytes,subflow bwd bytes,Label,Flow ID
0,192.168.1.9,192.168.1.51,63959,80,6,2023-12-01 10:17:14,7453870.0,489.6785,1.878219,1.073268,...,0.0,169.875,381.833333,0,8,6,1359,2291,Web Attack – LFI,0
1,192.168.1.9,192.168.1.51,63960,80,6,2023-12-01 10:17:14,14485330.0,707.6125,2.209132,1.380707,...,0.0,255.45,428.416667,0,20,12,5109,5141,Web Attack – LFI,1
2,192.168.1.9,192.168.1.51,63962,80,6,2023-12-01 10:17:30,3276.0,524420.0,3357.753358,1831.501832,...,0.0,149.0,164.8,0,6,5,894,824,Web Attack – LFI,2
3,192.168.1.9,192.168.1.51,63963,80,6,2023-12-01 10:17:33,121380688.0,576.1295,1.474699,0.980387,...,0.0,315.478992,539.816667,0,119,60,37542,32389,Web Attack – LFI,3
4,192.168.1.51,192.168.1.9,80,63963,6,2023-12-01 10:19:35,84041092.0,601.2416,1.57066,0.535452,...,0.0,533.222222,304.988506,0,45,87,23995,26534,Web Attack – LFI,4
5,192.168.1.9,192.168.1.51,63965,80,6,2023-12-01 10:21:01,120332851.0,594.6173,1.46261,0.972303,...,0.0,339.478632,539.542373,0,117,59,39719,31833,Web Attack – LFI,5
6,192.168.1.51,192.168.1.9,80,63965,6,2023-12-01 10:23:01,90998901.0,592.7984,1.483534,0.505501,...,0.0,533.717391,330.258427,0,46,89,24551,29393,Web Attack – LFI,6
7,192.168.1.9,192.168.1.51,63970,80,6,2023-12-01 10:24:34,14150213.0,686.4208,2.049439,1.272066,...,0.0,308.444444,378.272727,0,18,11,5552,4161,Web Attack – LFI,7
8,192.168.1.9,192.168.1.51,63971,80,6,2023-12-01 10:24:49,2425.0,712989.7,4536.082474,2474.226804,...,0.0,150.833333,164.8,0,6,5,905,824,Web Attack – LFI,8
9,192.168.1.9,192.168.1.51,63972,80,6,2023-12-01 10:24:51,2312.0,751730.1,4757.785467,2595.155709,...,0.0,152.333333,164.8,0,6,5,914,824,Web Attack – LFI,9


In [15]:
# Our database instead of space uses undersocre, so we've to replace it with space then 
#Taking set difference to see which columns are not in the second dataset, by converting both to lowercase.
df_own.columns = df_own.columns.str.replace('_', ' ').str.lower()

In [16]:
df.columns = df.columns.str.replace('_', ' ').str.lower()

In [17]:
df.columns = df.columns.str.strip()

In [18]:
columns_only_in_df = set(df.columns.str.lower()) - set(df_own.columns.str.lower())
columns_only_in_df

{'fwd header length.1'}

In [19]:
df.loc[pd.to_numeric(df['fwd header length'], errors='coerce').notna(), 'fwd header length']

0         1536.0
1         2176.0
2            0.0
3          192.0
4           64.0
           ...  
170361      20.0
170362      64.0
170363    1328.0
170364      32.0
170365      32.0
Name: fwd header length, Length: 170366, dtype: float64

In [20]:
df.loc[pd.to_numeric(df['fwd header length.1'], errors='coerce').notna(), 'fwd header length.1']

0         1536.0
1         2176.0
2            0.0
3          192.0
4           64.0
           ...  
170361      20.0
170362      64.0
170363    1328.0
170364      32.0
170365      32.0
Name: fwd header length.1, Length: 170366, dtype: float64

In [21]:
df.columns = df.columns.str.strip()
df = df.drop(columns=['fwd header length.1'])
df.shape

(458968, 84)

### Merging the Database !!!
#### The above two columns are identical and don't know why they're included so removing them, and merging both the datasets.

In [22]:
string_columns = df.select_dtypes(include='object').columns
df[string_columns] = df[string_columns].apply(lambda x: x.str.strip())

df_own = df_own[df.columns]

# Concatenate DataFrames vertically
dfo = pd.concat([df, df_own], ignore_index=True)


dfo['source ip']

In [23]:
dfo

Unnamed: 0,flow id,source ip,source port,destination ip,destination port,protocol,timestamp,flow duration,total fwd packets,total backward packets,...,min seg size forward,active mean,active std,active max,active min,idle mean,idle std,idle max,idle min,label
0,192.168.10.3-192.168.10.50-389-33898-6,192.168.10.50,33898.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113095465.0,48.0,24.0,...,32.0,2.039855e+05,5.758373e+05,1629110.0,379.0,1.380000e+07,4.277541e+06,16500000.0,6737603.0,BENIGN
1,192.168.10.3-192.168.10.50-389-33904-6,192.168.10.50,33904.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113473706.0,68.0,40.0,...,32.0,1.783269e+05,5.034269e+05,1424245.0,325.0,1.380000e+07,4.229413e+06,16500000.0,6945512.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0.0,8.0.6.4,0.0,0.0,6/7/2017 8:59,119945515.0,150.0,0.0,...,0.0,6.909777e+06,1.170000e+07,20400000.0,6.0,2.440000e+07,2.430000e+07,60100000.0,5702188.0,BENIGN
3,192.168.10.14-65.55.44.109-59135-443-6,192.168.10.14,59135.0,65.55.44.109,443.0,6.0,6/7/2017 8:59,60261928.0,9.0,7.0,...,20.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
4,192.168.10.3-192.168.10.14-53-59555-17,192.168.10.14,59555.0,192.168.10.3,53.0,17.0,6/7/2017 8:59,269.0,2.0,2.0,...,32.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
459022,54,192.168.1.9,64020.0,192.168.1.51,80.0,6.0,2023-12-01 10:26:22,1353.0,6.0,5.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI
459023,55,192.168.1.9,64021.0,192.168.1.51,80.0,6.0,2023-12-01 10:26:24,65817323.0,74.0,38.0,...,0.0,1.878264e+06,8.343255e+05,3023701.0,283.0,1.879264e+06,8.321040e+05,3023697.0,35163.0,Web Attack – LFI
459024,56,192.168.1.9,64032.0,192.168.1.51,80.0,6.0,2023-12-01 10:27:33,1903172.0,6.0,4.0,...,0.0,3.820100e+04,4.896448e+04,107346.0,387.0,6.334550e+05,8.160172e+05,1786042.0,7327.0,Web Attack – LFI
459025,57,192.168.1.9,64033.0,192.168.1.51,80.0,6.0,2023-12-01 10:27:33,1795493.0,4.0,2.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI


## Data Pre-Processing
### Starting with Data Cleaning as instructed in Thesis paperwork of Web Attack Detection using IDS 

In [24]:
#Deleting blank records
dfo = dfo.drop(df[pd.isnull(df['flow id'])].index)
dfo.shape

(170425, 84)

In [25]:
#Replace the non-numeric values.
dfo.replace('infinity', -1, inplace=True)
dfo[["flow bytes/s", "flow packets/s"]] = df[["flow bytes/s", "flow packets/s"]].apply(pd.to_numeric)

In [26]:
# Replacing NAN and infity values with -1.
dfo.replace([np.inf, -np.inf, np.nan], -1, inplace=True)

In [27]:
dfo

Unnamed: 0,flow id,source ip,source port,destination ip,destination port,protocol,timestamp,flow duration,total fwd packets,total backward packets,...,min seg size forward,active mean,active std,active max,active min,idle mean,idle std,idle max,idle min,label
0,192.168.10.3-192.168.10.50-389-33898-6,192.168.10.50,33898.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113095465.0,48.0,24.0,...,32.0,2.039855e+05,5.758373e+05,1629110.0,379.0,1.380000e+07,4.277541e+06,16500000.0,6737603.0,BENIGN
1,192.168.10.3-192.168.10.50-389-33904-6,192.168.10.50,33904.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113473706.0,68.0,40.0,...,32.0,1.783269e+05,5.034269e+05,1424245.0,325.0,1.380000e+07,4.229413e+06,16500000.0,6945512.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0.0,8.0.6.4,0.0,0.0,6/7/2017 8:59,119945515.0,150.0,0.0,...,0.0,6.909777e+06,1.170000e+07,20400000.0,6.0,2.440000e+07,2.430000e+07,60100000.0,5702188.0,BENIGN
3,192.168.10.14-65.55.44.109-59135-443-6,192.168.10.14,59135.0,65.55.44.109,443.0,6.0,6/7/2017 8:59,60261928.0,9.0,7.0,...,20.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
4,192.168.10.3-192.168.10.14-53-59555-17,192.168.10.14,59555.0,192.168.10.3,53.0,17.0,6/7/2017 8:59,269.0,2.0,2.0,...,32.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
459022,54,192.168.1.9,64020.0,192.168.1.51,80.0,6.0,2023-12-01 10:26:22,1353.0,6.0,5.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI
459023,55,192.168.1.9,64021.0,192.168.1.51,80.0,6.0,2023-12-01 10:26:24,65817323.0,74.0,38.0,...,0.0,1.878264e+06,8.343255e+05,3023701.0,283.0,1.879264e+06,8.321040e+05,3023697.0,35163.0,Web Attack – LFI
459024,56,192.168.1.9,64032.0,192.168.1.51,80.0,6.0,2023-12-01 10:27:33,1903172.0,6.0,4.0,...,0.0,3.820100e+04,4.896448e+04,107346.0,387.0,6.334550e+05,8.160172e+05,1786042.0,7327.0,Web Attack – LFI
459025,57,192.168.1.9,64033.0,192.168.1.51,80.0,6.0,2023-12-01 10:27:33,1795493.0,4.0,2.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI


In [28]:
# Converting String character to numericals.
string_features = list(dfo.select_dtypes(include=['object']).columns)
string_features.remove('label')
string_features

['flow id', 'source ip', 'destination ip', 'timestamp']

In [29]:
#converting unique string values only.
unique_values = dfo[string_features].apply(lambda col: col.unique())
unique_values

flow id           [192.168.10.3-192.168.10.50-389-33898-6, 192.1...
source ip         [192.168.10.50, 8.6.0.1, 192.168.10.14, 65.55....
destination ip    [192.168.10.3, 8.0.6.4, 65.55.44.109, 129.6.15...
timestamp         [6/7/2017 8:59, 6/7/2017 9:00, 6/7/2017 9:01, ...
dtype: object

In [30]:
#Removing the gap between both of the merged datasets.
#This Does the job perfectly.
dfo = dfo.reset_index(drop=True)

In [31]:
dfo

Unnamed: 0,flow id,source ip,source port,destination ip,destination port,protocol,timestamp,flow duration,total fwd packets,total backward packets,...,min seg size forward,active mean,active std,active max,active min,idle mean,idle std,idle max,idle min,label
0,192.168.10.3-192.168.10.50-389-33898-6,192.168.10.50,33898.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113095465.0,48.0,24.0,...,32.0,2.039855e+05,5.758373e+05,1629110.0,379.0,1.380000e+07,4.277541e+06,16500000.0,6737603.0,BENIGN
1,192.168.10.3-192.168.10.50-389-33904-6,192.168.10.50,33904.0,192.168.10.3,389.0,6.0,6/7/2017 8:59,113473706.0,68.0,40.0,...,32.0,1.783269e+05,5.034269e+05,1424245.0,325.0,1.380000e+07,4.229413e+06,16500000.0,6945512.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0.0,8.0.6.4,0.0,0.0,6/7/2017 8:59,119945515.0,150.0,0.0,...,0.0,6.909777e+06,1.170000e+07,20400000.0,6.0,2.440000e+07,2.430000e+07,60100000.0,5702188.0,BENIGN
3,192.168.10.14-65.55.44.109-59135-443-6,192.168.10.14,59135.0,65.55.44.109,443.0,6.0,6/7/2017 8:59,60261928.0,9.0,7.0,...,20.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
4,192.168.10.3-192.168.10.14-53-59555-17,192.168.10.14,59555.0,192.168.10.3,53.0,17.0,6/7/2017 8:59,269.0,2.0,2.0,...,32.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
170420,54,192.168.1.9,64020.0,192.168.1.51,80.0,6.0,2023-12-01 10:26:22,1353.0,6.0,5.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI
170421,55,192.168.1.9,64021.0,192.168.1.51,80.0,6.0,2023-12-01 10:26:24,65817323.0,74.0,38.0,...,0.0,1.878264e+06,8.343255e+05,3023701.0,283.0,1.879264e+06,8.321040e+05,3023697.0,35163.0,Web Attack – LFI
170422,56,192.168.1.9,64032.0,192.168.1.51,80.0,6.0,2023-12-01 10:27:33,1903172.0,6.0,4.0,...,0.0,3.820100e+04,4.896448e+04,107346.0,387.0,6.334550e+05,8.160172e+05,1786042.0,7327.0,Web Attack – LFI
170423,57,192.168.1.9,64033.0,192.168.1.51,80.0,6.0,2023-12-01 10:27:33,1795493.0,4.0,2.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI


In [32]:
#Saving the merged dataset.
dfo.to_csv('Dataset/MergedDatasetFromPD.csv', index=False)

In [33]:
le = preprocessing.LabelEncoder()
# The following method is giving error of having int values as well, so have to debug individually
# to find out the int contaning columns.
# dfo[string_features] = dfo[string_features].apply(lambda col: le.fit_transform(col))

In [34]:
dfo['source ip'] = le.fit_transform(dfo['source ip'])
#flow id is causing errors.
#source ip working correctly

In [35]:
dfo['destination ip'] = le.fit_transform(dfo['destination ip'])
#destination ip working correctly too.

In [36]:
dfo['timestamp'] = le.fit_transform(dfo['timestamp'])
#timestamp working correctly too, so the problem lies in flow id.

In [37]:
dfo.head()

Unnamed: 0,flow id,source ip,source port,destination ip,destination port,protocol,timestamp,flow duration,total fwd packets,total backward packets,...,min seg size forward,active mean,active std,active max,active min,idle mean,idle std,idle max,idle min,label
0,192.168.10.3-192.168.10.50-389-33898-6,1267,33898.0,1601,389.0,6.0,237,113095465.0,48.0,24.0,...,32.0,203985.5,575837.3,1629110.0,379.0,13800000.0,4277541.0,16500000.0,6737603.0,BENIGN
1,192.168.10.3-192.168.10.50-389-33904-6,1267,33904.0,1601,389.0,6.0,237,113473706.0,68.0,40.0,...,32.0,178326.875,503426.9,1424245.0,325.0,13800000.0,4229413.0,16500000.0,6945512.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,4040,0.0,4915,0.0,0.0,237,119945515.0,150.0,0.0,...,0.0,6909777.333,11700000.0,20400000.0,6.0,24400000.0,24300000.0,60100000.0,5702188.0,BENIGN
3,192.168.10.14-65.55.44.109-59135-443-6,1259,59135.0,4596,443.0,6.0,237,60261928.0,9.0,7.0,...,20.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,BENIGN
4,192.168.10.3-192.168.10.14-53-59555-17,1259,59555.0,1601,53.0,17.0,237,269.0,2.0,2.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,BENIGN


### Not including and deleting IP and port headers.
As mentioned in the thesis, while choosing the attribute importance of the attack, it will be much more
effective to eliminate the misleading features such as IP address, Port number, Timestamp, use
more generic and invariant attributes to define the attack. Because the shape of the data will
give much more information about whether or not it is an attack.

In [38]:
excluded = ['Flow ID', 'Source IP', 'Source Port', 'Destination IP', 'Destination Port', 'Protocol', 'Timestamp']
excluded = [item.lower() for item in excluded]
dfo = dfo.drop(columns=excluded, errors='ignore')
dfo

Unnamed: 0,flow duration,total fwd packets,total backward packets,total length of fwd packets,total length of bwd packets,fwd packet length max,fwd packet length min,fwd packet length mean,fwd packet length std,bwd packet length max,...,min seg size forward,active mean,active std,active max,active min,idle mean,idle std,idle max,idle min,label
0,113095465.0,48.0,24.0,9668.0,10012.0,403.0,0.0,201.416667,203.548293,923.0,...,32.0,2.039855e+05,5.758373e+05,1629110.0,379.0,1.380000e+07,4.277541e+06,16500000.0,6737603.0,BENIGN
1,113473706.0,68.0,40.0,11364.0,12718.0,403.0,0.0,167.117647,171.919413,1139.0,...,32.0,1.783269e+05,5.034269e+05,1424245.0,325.0,1.380000e+07,4.229413e+06,16500000.0,6945512.0,BENIGN
2,119945515.0,150.0,0.0,0.0,0.0,0.0,0.0,0.000000,0.000000,0.0,...,0.0,6.909777e+06,1.170000e+07,20400000.0,6.0,2.440000e+07,2.430000e+07,60100000.0,5702188.0,BENIGN
3,60261928.0,9.0,7.0,2330.0,4221.0,1093.0,0.0,258.888889,409.702161,1460.0,...,20.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
4,269.0,2.0,2.0,102.0,322.0,51.0,51.0,51.000000,0.000000,161.0,...,32.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,BENIGN
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
170420,1353.0,6.0,5.0,1055.0,824.0,713.0,66.0,175.833333,240.268195,552.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI
170421,65817323.0,74.0,38.0,22398.0,19667.0,598.0,66.0,302.675676,249.777528,557.0,...,0.0,1.878264e+06,8.343255e+05,3023701.0,283.0,1.879264e+06,8.321040e+05,3023697.0,35163.0,Web Attack – LFI
170422,1903172.0,6.0,4.0,967.0,1038.0,625.0,66.0,161.166667,207.478848,832.0,...,0.0,3.820100e+04,4.896448e+04,107346.0,387.0,6.334550e+05,8.160172e+05,1786042.0,7327.0,Web Attack – LFI
170423,1795493.0,4.0,2.0,276.0,140.0,78.0,66.0,69.000000,5.196152,74.0,...,0.0,0.000000e+00,0.000000e+00,0.0,0.0,0.000000e+00,0.000000e+00,0.0,0.0,Web Attack – LFI


In [39]:
df_lfi = dfo[dfo['label'].str.contains('lfi', case=False, na=False)]
df_sqli.head()

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
90293,172.16.0.1-192.168.10.50-36196-80-6,172.16.0.1,36196.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,5006127.0,4.0,4.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90328,172.16.0.1-192.168.10.50-36196-80-6,172.16.0.1,36196.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,508.0,2.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90329,172.16.0.1-192.168.10.50-36198-80-6,172.16.0.1,36198.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,5069927.0,4.0,4.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90351,172.16.0.1-192.168.10.50-36198-80-6,172.16.0.1,36198.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,42.0,1.0,1.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection
90370,172.16.0.1-192.168.10.50-36200-80-6,172.16.0.1,36200.0,192.168.10.50,80.0,6.0,6/7/2017 10:40,5038618.0,4.0,4.0,...,32.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,Web Attack  Sql Injection


### Undersampling against unbalance

Dataset is unbalanced: total records = 170366, "BENIGN" records = 168186, records with attacks much less: 1507 + 652 + 21 = 2180.

Method specified by - <br>
https://colab.research.google.com/github/fisher85/ml-cybersecurity/blob/master/python-web-attack-detection/web-attack-detection.ipynb#scrollTo=nVs_xEHFjY5q

In [40]:
benign_total = len(dfo[dfo['label'] == "BENIGN"])
benign_total

168186

In [41]:
attack_total = len(dfo[dfo['label'] != "BENIGN"])
attack_total

2239

In [42]:
dfo.to_csv("Dataset/web_attacks_unbalanced.csv", index=False)
dfo['label'].value_counts()

label
BENIGN                        168186
Web Attack  Brute Force        1507
Web Attack  XSS                 652
Web Attack – LFI                  59
Web Attack  Sql Injection        21
Name: count, dtype: int64

We use **undersampling** to correct class imbalances: we remove most of the "BENIGN" records.

Form a balanced dataset web_attacks_balanced.csv in proportion: 30% attack (2239 records), 70% benign data (2239 / 30 * 70 ~ = 5224 records).

Algorithm to form a balanced df_balanced dataset:

* All the records with the attacks are copied to the new dataset.
* There are two conditions for copying "BENIGN" records to the new dataset:
 
     1. The next record is copyied with the benign_inc_probability.
     2. The total number of "BENIGN" records must not exceed the limit of 5087 records.

Algorith By - @MastersThesis{kostas2018,
    author = {Kostas,Kahraman},
    title = {{Anomaly Detection in Networks Using Machine Learning}},
    institution = {Computer Science and Electronic Engineering - CSEE},
    school = {University of Essex},
    address= {Colchester, UK},
    year={2018}
    }

In [43]:
#Сalculate the probability of copying a "BENIGN" record. The enlargement multiplier is used to get exactly 70% benign data (5087 records).

enlargement = 1.1
benign_included_max = attack_total / 30 * 70
benign_inc_probability = (benign_included_max / benign_total) * enlargement
print(benign_included_max, benign_inc_probability)

5224.333333333334 0.03416911435355302


Copy records from df to df_balanced, save dataset **web_attacks_balanced.csv**.

In [44]:
import random
indexes = []
benign_included_count = 0
for index, row in dfo.iterrows():
    if (row['label'] != "BENIGN"):
        indexes.append(index)
    else:
        # Copying with benign_inc_probability
        if random.random() > benign_inc_probability: continue
        # Have we achieved 70% (5087 records)?
        if benign_included_count > benign_included_max: continue
        benign_included_count += 1
        indexes.append(index)
df_balanced = dfo.loc[indexes]

In [45]:
df_balanced['label'].value_counts()

label
BENIGN                        5225
Web Attack  Brute Force      1507
Web Attack  XSS               652
Web Attack – LFI                59
Web Attack  Sql Injection      21
Name: count, dtype: int64

In [46]:
df_balanced.to_csv("Dataset/web_attacks_balanced.csv", index=False)

## Preparing Dataset (The Balanced One) for training

In [47]:
df = pd.read_csv('Dataset/web_attacks_balanced.csv')
df['label'] = df['label'].apply(lambda x: 0 if x == 'BENIGN' else 1)

In [48]:
# Dropping the features according to thesis overview that are not giving much to prediction, so the necessary 
# or the remaining one are - 
""" ['Average Packet Size',
 'Flow Bytes/s',
 'Max Packet Length',
 'Fwd Packet Length Mean',
 'Fwd IAT Min',
 'Total Length of Fwd Packets',
 'Flow IAT Mean',
 'Fwd Packet Length Max',
 'Fwd IAT Std',
 'Fwd Header Length'] """

" ['Average Packet Size',\n 'Flow Bytes/s',\n 'Max Packet Length',\n 'Fwd Packet Length Mean',\n 'Fwd IAT Min',\n 'Total Length of Fwd Packets',\n 'Flow IAT Mean',\n 'Fwd Packet Length Max',\n 'Fwd IAT Std',\n 'Fwd Header Length'] "

In [49]:
columns_to_keep = ['Average Packet Size', 'Flow Bytes/s', 'Max Packet Length',
                    'Fwd Packet Length Mean', 'Fwd IAT Min',
                    'Total Length of Fwd Packets', 'Flow IAT Mean',
                    'Fwd Packet Length Max', 'Fwd IAT Std', 'Fwd Header Length','label']
columns_to_keep = [item.lower() for item in columns_to_keep]


df = dfo[columns_to_keep]
df

Unnamed: 0,average packet size,flow bytes/s,max packet length,fwd packet length mean,fwd iat min,total length of fwd packets,flow iat mean,fwd packet length max,fwd iat std,fwd header length,label
0,278.930556,1.740123e+02,923.0,201.416667,3.0,9668.0,1.592894e+06,403.0,5.491986e+06,1536.0,BENIGN
1,226.712963,2.122254e+02,1139.0,167.117647,2.0,11364.0,1.060502e+06,403.0,4.719143e+06,2176.0,BENIGN
2,0.000000,0.000000e+00,0.0,0.000000,0.0,0.0,8.050035e+05,0.0,5.277837e+06,0.0,BENIGN
3,409.437500,1.087088e+02,1460.0,258.888889,311.0,2330.0,4.017462e+06,1093.0,2.120000e+07,192.0,BENIGN
4,118.750000,1.576208e+06,161.0,51.000000,4.0,102.0,8.966667e+01,51.0,0.000000e+00,64.0,BENIGN
...,...,...,...,...,...,...,...,...,...,...,...
170420,170.818182,-1.000000e+00,713.0,175.833333,1.0,1055.0,1.353000e+02,713.0,2.238952e+02,120.0,Web Attack – LFI
170421,375.580357,-1.000000e+00,598.0,302.675676,98.0,22398.0,5.929489e+05,598.0,1.101366e+06,1480.0,Web Attack – LFI
170422,200.500000,-1.000000e+00,832.0,161.166667,488.0,967.0,2.114636e+05,625.0,7.041154e+05,120.0,Web Attack – LFI
170423,69.333333,-1.000000e+00,78.0,69.000000,571.0,276.0,3.590986e+05,78.0,8.453846e+05,80.0,Web Attack – LFI


In [50]:
y = df['label'].values
X = df.drop(columns=['label'])
print(X.shape, y.shape)

(170425, 10) (170425,)


In [51]:
from sklearn.model_selection import train_test_split
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.3, random_state=42)

unique, counts = np.unique(y_train, return_counts=True)
dict(zip(unique, counts))

{'BENIGN': 117744,
 'Web Attack \x96 Brute Force': 1045,
 'Web Attack \x96 Sql Injection': 17,
 'Web Attack \x96 XSS': 446,
 'Web Attack – LFI': 45}

In [52]:
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.3, random_state=42)
print(X_train.shape, y_train.shape)
print(X_test.shape, y_test.shape)

(119297, 10) (119297,)
(51128, 10) (51128,)


In [53]:
rfc = RandomForestClassifier(max_depth=17, max_features=10, min_samples_leaf=3, n_estimators=50, random_state=42, oob_score=True)
# rfc = RandomForestClassifier(n_estimators=250, random_state=1)
rfc.fit(X_train, y_train)

In [54]:
features = X.columns
importances = rfc.feature_importances_
indices = np.argsort(importances)[::-1]
    
for index, i in enumerate(indices[:10]):
    print('{}.\t#{}\t{:.3f}\t{}'.format(index + 1, i, importances[i], features[i]))

1.	#8	0.475	fwd iat std
2.	#4	0.276	fwd iat min
3.	#1	0.084	flow bytes/s
4.	#6	0.047	flow iat mean
5.	#0	0.040	average packet size
6.	#5	0.027	total length of fwd packets
7.	#3	0.017	fwd packet length mean
8.	#2	0.015	max packet length
9.	#7	0.011	fwd packet length max
10.	#9	0.008	fwd header length


In [55]:
from sklearn.metrics import confusion_matrix

In [56]:
y_pred = rfc.predict(X_test)
confusion_matrix(y_test, y_pred)

array([[50442,     0,     0,     0,     0],
       [   43,   370,     0,    49,     0],
       [    2,     0,     2,     0,     0],
       [   16,   136,     0,    54,     0],
       [    1,     0,     0,     0,    13]])

In [57]:
import sklearn.metrics as metrics
accuracy = metrics.accuracy_score(y_test, y_pred)
# precision = metrics.precision_score(y_test, y_pred)
# recall = metrics.recall_score(y_test, y_pred)
# f1 = metrics.f1_score(y_test, y_pred)
print('Accuracy =', accuracy)
# print('Precision =', precision)
# print('Recall =', recall)
# print('F1 =', f1)

Accuracy = 0.9951689876388672


In [58]:
import pickle
with open('Model/webattack_detection_rf_model.pkl', 'wb') as f:
    pickle.dump(rfc, f)