In [2]:
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function

import ipaddress
import json
import random

import matplotlib.pyplot as plt
import pandas as pd
#import tensorflow.keras.layers as layers
#from tensorflow.keras.models import Model
import numpy as np
from sklearn import decomposition
from sklearn.cluster import KMeans
from sklearn.metrics.pairwise import cosine_similarity

from resources.firewall_rule import FirewallRule

In [9]:
# PCA Visualization

pd.set_option('display.max_columns', 500)
pd.set_option('display.max_colwidth', -1)

def dimensionality_reduce(dataset, n_components):
    """Reduce the input feature set to lower dimension space
    Args:
      dataset(Array): Input numpy array
      n_components(int): Number of dimensions to decompose

    Returns:
      principal_components: Dataset in reduced dimension space
    """
    principal_components = decomposition.PCA(n_components=n_components)
    return principal_components, principal_components.fit_transform(dataset)


def get_data_by_indexes(dataset, indexes=[]):
    """
    Get data by indexes.
    Args:
        dataset (Dataframe): A dataset.
        indexes (list): A list of index.
    """
    if not indexes:
        return None
    return dataset.iloc[indexes]


def visualize_2d(dataset, cmap=None):
    """
    Visualize the low dimesional space image
    Args:
      dataset(array): 3 dimensional input dataset
      cmap(str): Colormap for visualization
    """
    assert (dataset.shape[1] == 3), "Dataset must have only 2 feature columns and 1 index column."
    
    %matplotlib notebook
    
    cmap = plt.cm.RdYlGn

    mp = {}
    for i in range(0, dataset.shape[0]):
        key = str(dataset.loc[i, 0]) + " " + str(dataset.loc[i, 1])
        mp[key] = dataset.loc[i, 'identifier']
    fig ,ax = plt.subplots(figsize=(10, 10))

    sc = plt.scatter(dataset[[0]], dataset[[1]], gid=dataset[['identifier']], s=100, cmap=cmap)

    offset_list = []
    for x in range(-50, 50, 12):
        offset_list.append(x)
    # print (offset_list)
    for i in range(0, dataset.shape[0]):
        offset_x = offset_list[random.randint(0, len(offset_list)-1)]
        offset_y = offset_list[random.randint(0, len(offset_list)-1)]
        at = ax.annotate("", 
                    xy=(dataset.loc[i, 0], dataset.loc[i, 1]),
                    textcoords="offset points",
                    bbox=dict(boxstyle="round", fc="w"),
                    xytext=(offset_x, offset_y),
                    arrowprops=dict(arrowstyle="->"))
        at.set_text(i)
    
    annot = ax.annotate("", xy=(0,0), xytext=(-20,10),textcoords="offset points",
                        bbox=dict(boxstyle="round", fc="w"),
                        arrowprops=dict(arrowstyle="->"))
    annot.set_visible(False)

    def update_annot(ind):
        pos = sc.get_offsets()[ind["ind"][0]]
        annot.xy = pos
        key = str(dataset.loc[ind["ind"][0], 0]) + " " + str(dataset.loc[ind["ind"][0], 1])
        text = mp[key]
        annot.set_text(text)
        annot.get_bbox_patch().set_alpha(0.4)

    def hover(event):
        vis = annot.get_visible()
        if event.inaxes == ax:
            cont, ind = sc.contains(event)
            if cont:
                update_annot(ind)
                annot.set_visible(True)
                fig.canvas.draw_idle()
            else:
                if vis:
                    annot.set_visible(False)
                    fig.canvas.draw_idle()

    fig.canvas.mpl_connect("motion_notify_event", hover)

    plt.show()

def principal_components(pca, dataset):
    """
    Returns the most important components when Dimensionality is reduced.
    pca: PCA object
    dataset:
    :return:
     Varaiance:
     (n * 1 array) Matrix of Variance of the Matrices
     (d*n array) d principal components fed into original feature space
     (Covariance Matrix): Matrix of pairwise feature co-relation
    """
    pca.fit_transform(dataset)
    return (pca.explained_variance_, pca.components_, np.cov(dataset.T))


# Read file.
with open('gflock_fw_data.json') as firewall_dataset:
    firewall_rules = json.load(firewall_dataset)

    flattened_firewall_rules = FirewallRule.flatten_firewall_rules(firewall_rules)

    flattened_firewall_rules_dict = [i.to_dict() for i in flattened_firewall_rules]

    

def k_means(data, num_clusters, max_iter, seed=0):
    """Creates and fits the k-means model with dataset.

    Args:
       seed: Seed with which cluster centroids are
           initialized to track experiments
       data: Array/sparse-matrix each column representing a
           feature and row an instance
       num_clusters: Number of cluster and centroids to create
       max_iter: The maximum number of iterations for a single run

    Returns:
      kmeans: Model which has clustered the dataset
   """
    kmeans = KMeans(n_clusters=num_clusters, random_state=seed,
                    max_iter=max_iter).fit(data)
    return kmeans


def kmeans_visualize(data, num_clusters, max_iter, seed=0):
    
    k_means_model = k_means(data, num_clusters, max_iter, seed=0)
    print ("The labels for each data point is: ", k_means_model.labels_)
    print ("Number of positive labels", sum(k_means_model.labels_))
    print (" Total number of  labels", len(k_means_model.labels_))
    
    return list(np.where(k_means_model.labels_ == 0)[0])


In [10]:
# Data processing / Feature engineering

# Approach #1, treats everything as categorical values

def pre_process_firewall_data(resource_data_json):
    """Pre process resource data.

    Args:
        resource_data_json (list): A list of resource data in json format.
        selected_features (list): A list of selected features, if the
            list is empty, we will include all the features.

    Returns:
        DataFrame: DataFrame table with all the resource_data.
        str: Full name column.
        str: Name of the firewall rule.
    """
    df = pd.DataFrame(resource_data_json)
    full_name_column, name = df['full_name'], df['name']

    df['creation_timestamp'] = df['creation_timestamp'].astype('category').cat.codes
    df['direction'] = df['direction'].astype('category').cat.codes
    df['action'] = df['action'].astype('category').cat.codes
    df['disabled'] = df['disabled'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['ports'] = df['ports'].astype('category').cat.codes
    df['org_id'] = df['org_id'].astype('category').cat.codes
    df['source_ip_addr'] = df['source_ip_addr'].astype('category').cat.codes
    df['dest_ip_addr'] = df['dest_ip_addr'].astype('category').cat.codes
    df['service_account'] = df['service_account'].astype('category').cat.codes
    df['tag'] = df['tag'].astype('category').cat.codes
    df['full_name'] = df['full_name'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['network'] = df['network'].astype('category').cat.codes
    df['source_service_account'] = df['source_service_account'].astype('category').cat.codes
    df['source_tag'] = df['source_tag'].astype('category').cat.codes
    df['name'] = df['name'].astype('category').cat.codes
    return df, full_name_column, name


df_filtered, full_name_col, name_col = pre_process_firewall_data(
    flattened_firewall_rules_dict)
print (df_filtered.iloc[0])
    
    
pca, pca_2 = dimensionality_reduce(df_filtered, 2)

print (pd.DataFrame(pca.components_,columns=df_filtered.columns,index = ['PC-1','PC-2']))

# weighted_dimension, components, covariance_matrix = principal_components(pca, df_filtered)
# print ("Explained Variance:", weighted_dimension, "Covariance Matrix:", covariance_matrix)
# print ("COMPONENTS SPREAD", components)
# print ("SHAPE OF COVARIANCE MATRIX", covariance_matrix.shape)

# pca_2 = pd.DataFrame(pca_2)

# pca_2['full_name'] = full_name_col

# visualize_2d(pca_2)
print ("")
print ("====== Using similarity matrix ========")

sim_matrix = cosine_similarity(df_filtered)

pca, pca_2 = dimensionality_reduce(sim_matrix, 2)

pca_2 = pd.DataFrame(pca_2)

pca_2['full_name'] = full_name_col
pca_2['name'] = name_col

# pca_2['identifier'] = pca_2['full_name'].map(lambda x: str(x) + ' ') + pca_2['name']
pca_2['identifier'] = pca_2['name']

pca_2 = pca_2.drop(columns=['full_name', 'name'])

visualize_2d(pca_2)

anomalies = get_data_by_indexes(pd.DataFrame(flattened_firewall_rules_dict), [])

print (anomalies)



action                    0  
creation_timestamp        687
dest_ip_addr             -1  
direction                 1  
disabled                  0  
full_name                 461
ip_protocol               0  
name                      184
network                   103
org_id                    0  
ports                     19 
service_account          -1  
source_ip_addr            151
source_service_account   -1  
source_tag               -1  
tag                       92 
Name: 0, dtype: int16
        action  creation_timestamp  dest_ip_addr  direction      disabled  \
PC-1 -0.000008 -0.400574            0.000025     -0.000012  -1.058791e-22   
PC-2 -0.000005 -0.852127           -0.000019      0.000008  -0.000000e+00   

      full_name  ip_protocol      name   network  org_id     ports  \
PC-1  0.839155  -0.000152     0.313955  0.191468 -0.0     0.002913   
PC-2 -0.461412  -0.000153     0.211226 -0.105769 -0.0    -0.009953   

      service_account  source_ip_addr  source_service_a

<IPython.core.display.Javascript object>

None


In [11]:
# Approach #2, penalized looser subnet exponentially

def pre_process_firewall_data(resource_data_json):
    """Pre process resource data.

    Args:
        resource_data_json (list): A list of resource data in json format.
        selected_features (list): A list of selected features, if the
            list is empty, we will include all the features.

    Returns:
        DataFrame: DataFrame table with all the resource_data.
        str: Full name column.
        str: Name of the firewall rule.
    """

    def subnet_count(ip_addr):
        """Covert ip address."""
        if ip_addr and '/' in ip_addr:
            _, subnet = ip_addr.split('/')
            return 2 ** (32 - int(subnet))
        return -1

    df = pd.DataFrame(resource_data_json)
    full_name_column, name_column = df['full_name'], df['name']

    df['creation_timestamp'] = df['creation_timestamp'].astype('category').cat.codes
    df['direction'] = df['direction'].astype('category').cat.codes
    df['action'] = df['action'].astype('category').cat.codes
    df['disabled'] = df['disabled'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['ports'] = df['ports'].astype('category').cat.codes

    df['source_subnet_count'] = df['source_ip_addr'].apply(subnet_count)
    source_ips = df['source_ip_addr'].str.replace('/', '').str.split('.', expand = True)
    df['source_ip_offset_1'] = source_ips[0] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_1'] = df['source_ip_offset_1'].astype('category').cat.codes
    df['source_ip_offset_2'] = source_ips[1] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_2'] = df['source_ip_offset_2'].astype('category').cat.codes
    df['source_ip_offset_3'] = source_ips[2] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_3'] = df['source_ip_offset_3'].astype('category').cat.codes
    df['source_ip_offset_4'] = source_ips[3] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_4'] = df['source_ip_offset_4'].astype('category').cat.codes

    df['dest_subnet_count'] = df['dest_ip_addr'].apply(subnet_count)
    dest_ips = df['dest_ip_addr'].str.replace('/', '').str.split('.', expand = True)
    df['dest_ip_offset_1'] = dest_ips[0] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_1'] = df['dest_ip_offset_1'].astype('category').cat.codes
    df['dest_ip_offset_2'] = dest_ips[1] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_2'] = df['dest_ip_offset_2'].astype('category').cat.codes
    df['dest_ip_offset_3'] = dest_ips[2] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_3'] = df['dest_ip_offset_3'].astype('category').cat.codes
    df['dest_ip_offset_4'] = dest_ips[3] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_4'] = df['dest_ip_offset_4'].astype('category').cat.codes

    df = df.drop(columns=['source_ip_addr', 'dest_ip_addr', 'org_id', 'name'])

    df['service_account'] = df['service_account'].astype('category').cat.codes
    df['tag'] = df['tag'].astype('category').cat.codes
    df['full_name'] = df['full_name'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['network'] = df['network'].astype('category').cat.codes
    df['source_service_account'] = df['source_service_account'].astype('category').cat.codes
    df['source_tag'] = df['source_tag'].astype('category').cat.codes

    return df, full_name_column, name_column


df_filtered, full_name_col, name_col = pre_process_firewall_data(
    flattened_firewall_rules_dict)
print (df_filtered.iloc[0])

pca, pca_2 = dimensionality_reduce(df_filtered, 2)

print (pd.DataFrame(pca.components_,columns=df_filtered.columns,index = ['PC-1','PC-2']))

# weighted_dimension, components, covariance_matrix = principal_components(pca, df_filtered)
# print ("Explained Variance:", weighted_dimension, "Covariance Matrix:", covariance_matrix)
# print ("COMPONENTS SPREAD", components)
# print ("SHAPE OF COVARIANCE MATRIX", covariance_matrix.shape)

# pca_2 = pd.DataFrame(pca_2)

# pca_2['full_name'] = full_name_col

# visualize_2d(pca_2)
print ("")
print ("====== Using similarity matrix ========")

sim_matrix = cosine_similarity(df_filtered)

pca, pca_2 = dimensionality_reduce(sim_matrix, 2)

pca_2 = pd.DataFrame(pca_2)

pca_2['full_name'] = full_name_col
pca_2['name'] = name_col

pca_2['identifier'] = pca_2['full_name'].map(lambda x: str(x) + ' ') + pca_2['name']

pca_2 = pca_2.drop(columns=['full_name', 'name'])

visualize_2d(pca_2)

anomalies = get_data_by_indexes(pd.DataFrame(flattened_firewall_rules_dict), [])

print (anomalies)

indices = kmeans_visualize(df_filtered, num_clusters=2, max_iter=10, seed=0)
print ("INDICES", indices)
anomalies_2 = get_data_by_indexes(pd.DataFrame(flattened_firewall_rules_dict), indices)
print ("ANOMALIES ARE: " , anomalies_2)

action                    0  
creation_timestamp        687
direction                 1  
disabled                  0  
full_name                 461
ip_protocol               0  
network                   103
ports                     19 
service_account          -1  
source_service_account   -1  
source_tag               -1  
tag                       92 
source_subnet_count       1  
source_ip_offset_1        12 
source_ip_offset_2        40 
source_ip_offset_3        29 
source_ip_offset_4        78 
dest_subnet_count        -1  
dest_ip_offset_1         -1  
dest_ip_offset_2         -1  
dest_ip_offset_3         -1  
dest_ip_offset_4         -1  
Name: 0, dtype: int64
            action  creation_timestamp     direction      disabled  \
PC-1  1.185274e-12 -6.491795e-09        1.490469e-12 -0.000000e+00   
PC-2  1.532956e-15  6.419403e-09       -2.315527e-10 -1.323598e-34   

         full_name   ip_protocol       network         ports  service_account  \
PC-1 -4.118160e-09 -3.6285

<IPython.core.display.Javascript object>

None
The labels for each data point is:  [1 0 1 ... 0 0 0]
Number of positive labels 1096
 Total number of  labels 1489
INDICES [1, 35, 36, 46, 47, 49, 50, 53, 58, 59, 60, 67, 68, 78, 101, 104, 108, 109, 110, 116, 117, 118, 122, 123, 126, 131, 132, 133, 138, 144, 160, 162, 177, 178, 179, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 195, 200, 201, 207, 208, 209, 210, 211, 212, 217, 218, 221, 222, 225, 226, 230, 236, 237, 238, 239, 240, 241, 246, 247, 250, 260, 263, 264, 273, 274, 275, 276, 277, 278, 279, 280, 281, 294, 302, 304, 305, 310, 312, 325, 326, 338, 339, 350, 353, 354, 355, 356, 372, 373, 378, 379, 380, 383, 386, 387, 392, 393, 394, 399, 400, 403, 404, 408, 409, 410, 412, 413, 419, 456, 457, 463, 465, 468, 472, 502, 503, 504, 506, 512, 517, 518, 519, 520, 521, 526, 527, 528, 529, 530, 541, 553, 554, 560, 561, 562, 571, 572, 573, 574, 575, 576, 581, 584, 588, 596, 597, 600, 601, 606, 607, 608, 623, 632, 654, 655, 660, 665, 666, 671, 674, 675, 676, 677, 682, 683, 684, 685, 6

In [102]:
# Approach #3, penalized looser subnet with a multiple of 10
def pre_process_firewall_data(resource_data_json):
    """Pre process resource data.

    Args:
        resource_data_json (list): A list of resource data in json format.
        selected_features (list): A list of selected features, if the
            list is empty, we will include all the features.

    Returns:
        DataFrame: DataFrame table with all the resource_data.
        str: Full name column.
        str: Name of the firewall rule.
    """

    def subnet_count(ip_addr):
        """Covert ip address."""
        if ip_addr and '/' in ip_addr:
            _, subnet = ip_addr.split('/')
            return 10 * (32 - int(subnet))
        return -1

    df = pd.DataFrame(resource_data_json)
    full_name_column, name_column = df['full_name'], df['name']

    df['creation_timestamp'] = df['creation_timestamp'].astype('category').cat.codes
    df['direction'] = df['direction'].astype('category').cat.codes
    df['action'] = df['action'].astype('category').cat.codes
    df['disabled'] = df['disabled'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['ports'] = df['ports'].astype('category').cat.codes

    df['source_subnet_count'] = df['source_ip_addr'].apply(subnet_count)
    source_ips = df['source_ip_addr'].str.replace('/', '.').str.split('.', expand = True)
    df['source_ip_offset_1'] = source_ips[0] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_1'] = df['source_ip_offset_1'].astype('category').cat.codes
    df['source_ip_offset_2'] = source_ips[1] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_2'] = df['source_ip_offset_2'].astype('category').cat.codes
    df['source_ip_offset_3'] = source_ips[2] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_3'] = df['source_ip_offset_3'].astype('category').cat.codes
    df['source_ip_offset_4'] = source_ips[3] if len(source_ips.columns) > 1 else ''
    df['source_ip_offset_4'] = df['source_ip_offset_4'].astype('category').cat.codes

    df['dest_subnet_count'] = df['dest_ip_addr'].apply(subnet_count)
    dest_ips = df['dest_ip_addr'].str.replace('/', '').str.split('.', expand = True)
    df['dest_ip_offset_1'] = dest_ips[0] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_1'] = df['dest_ip_offset_1'].astype('category').cat.codes
    df['dest_ip_offset_2'] = dest_ips[1] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_2'] = df['dest_ip_offset_2'].astype('category').cat.codes
    df['dest_ip_offset_3'] = dest_ips[2] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_3'] = df['dest_ip_offset_3'].astype('category').cat.codes
    df['dest_ip_offset_4'] = dest_ips[3] if len(dest_ips.columns) > 1 else ''
    df['dest_ip_offset_4'] = df['dest_ip_offset_4'].astype('category').cat.codes

    df = df.drop(columns=['source_ip_addr', 'dest_ip_addr', 'org_id', 'name', 'creation_timestamp'])

    df['service_account'] = df['service_account'].astype('category').cat.codes
    df['tag'] = df['tag'].astype('category').cat.codes
    df['full_name'] = df['full_name'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['network'] = df['network'].astype('category').cat.codes
    df['source_service_account'] = df['source_service_account'].astype('category').cat.codes
    df['source_tag'] = df['source_tag'].astype('category').cat.codes
    return df, full_name_column, name_column

df_filtered, full_name_col, name_col = pre_process_firewall_data(
    flattened_firewall_rules_dict)
print (df_filtered.iloc[0])
    
    
pca, pca_2 = dimensionality_reduce(df_filtered, 2)

print (pd.DataFrame(pca.components_,columns=df_filtered.columns,index = ['PC-1','PC-2']))

# weighted_dimension, components, covariance_matrix = principal_components(pca, df_filtered)
# print ("Explained Variance:", weighted_dimension, "Covariance Matrix:", covariance_matrix)
# print ("COMPONENTS SPREAD", components)
# print ("SHAPE OF COVARIANCE MATRIX", covariance_matrix.shape)

# pca_2 = pd.DataFrame(pca_2)

# pca_2['full_name'] = full_name_col

# visualize_2d(pca_2)
print ("")
print ("====== Using similarity matrix ========")

sim_matrix = cosine_similarity(df_filtered)

pca, pca_2 = dimensionality_reduce(sim_matrix, 2)

pca_2 = pd.DataFrame(pca_2)

pca_2['full_name'] = full_name_col
pca_2['name'] = name_col

# pca_2['identifier'] = pca_2['full_name'].map(lambda x: str(x) + ' ') + pca_2['name']
pca_2['identifier'] = pca_2['name']

pca_2 = pca_2.drop(columns=['full_name', 'name'])

visualize_2d(pca_2)

anomalies = get_data_by_indexes(pd.DataFrame(flattened_firewall_rules_dict), [161, 348, 643, 1240, 735, 1399, 692, 340, 1212, 13, 341, 542, 595, 1288, 259, 953, 139, 1046, 12, 977, 337])

print (anomalies)


action                    0  
direction                 1  
disabled                  0  
full_name                 461
ip_protocol               0  
network                   103
ports                     19 
service_account          -1  
source_service_account   -1  
source_tag               -1  
tag                       92 
source_subnet_count       0  
source_ip_offset_1        12 
source_ip_offset_2        40 
source_ip_offset_3        29 
source_ip_offset_4        66 
dest_subnet_count        -1  
dest_ip_offset_1         -1  
dest_ip_offset_2         -1  
dest_ip_offset_3         -1  
dest_ip_offset_4         -1  
Name: 0, dtype: int64
        action  direction      disabled  full_name  ip_protocol   network  \
PC-1  0.000006  0.000009   1.033976e-25 -0.972324   0.000021    -0.221896   
PC-2 -0.000014 -0.000060   1.355253e-20 -0.061549   0.000041    -0.014094   

         ports  service_account  source_service_account  source_tag       tag  \
PC-1 -0.006310 -0.000217        -0.

<IPython.core.display.Javascript object>

       action             creation_timestamp dest_ip_addr direction  disabled  \
161   allowed  2018-07-17T14:18:15.078-07:00  None         INGRESS   True       
348   allowed  2018-10-14T19:47:59.812-07:00  None         INGRESS   True       
643   allowed  2018-10-08T08:53:32.312-07:00  None         INGRESS   True       
1240  allowed  2018-08-22T10:55:53.264-07:00  None         INGRESS   True       
735   allowed  2018-10-14T22:54:11.759-07:00  None         INGRESS   True       
1399  allowed  2018-08-16T14:38:08.663-07:00  0.0.0.0/0    EGRESS    True       
692   allowed  2018-10-09T18:43:31.900-07:00  None         INGRESS   True       
340   allowed  2018-10-12T11:05:53.896-07:00  None         INGRESS   True       
1212  allowed  2018-10-16T19:51:48.015-07:00  None         INGRESS   True       
13    allowed  2018-08-21T19:51:30.284-07:00  None         INGRESS   True       
341   allowed  2018-09-07T20:15:03.947-07:00  None         INGRESS   True       
542   allowed  2018-09-19T10

In [26]:
# Approach #4, using supernet as an additional feature and ignore the subnet.

def pre_process_firewall_data(resource_data_json):
    """Pre process resource data.

    Args:
        resource_data_json (list): A list of resource data in json format.
        selected_features (list): A list of selected features, if the
            list is empty, we will include all the features.

    Returns:
        DataFrame: DataFrame table with all the resource_data.
        str: Full name column.
        str: Name of the firewall rule.
    """

    def ip_extraction(x):
        """Pre process ip data.
        Args:
            ip address (string): An ip address with subnet as a string.
        Returns:
            ip: IP extracted from the network.
            supernet: Supernet Ip network form the available ip network.
        """
        if not x:
            return '', ''
        l = []
        ip_add = ipaddress.IPv4Interface(x)
        ip_supernet = ipaddress.ip_network(x).supernet()
        return ip_add.ip, ip_supernet
    
    df = pd.DataFrame(resource_data_json)
    full_name_column, name_column = df['full_name'], df['name']

    df['creation_timestamp'] = df['creation_timestamp'].astype('category').cat.codes
    df['direction'] = df['direction'].astype('category').cat.codes
    df['action'] = df['action'].astype('category').cat.codes
    df['disabled'] = df['disabled'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['ports'] = df['ports'].astype('category').cat.codes

    df[['source_ip','source_ip_supernet']] = df['source_ip_addr'].apply(lambda x: pd.Series([ip_extraction(x)[0],ip_extraction(x)[1]]))
    df[['dest_ip','dest_ip_supernet']] = df['dest_ip_addr'].apply(lambda x: pd.Series([ip_extraction(x)[0],ip_extraction(x)[1]]))
    df['source_ip'] = df['source_ip'].astype('category').cat.codes
    df['source_ip_supernet'] = df['source_ip_supernet'].astype('category').cat.codes
    df['dest_ip'] = df['dest_ip'].astype('category').cat.codes
    df['dest_ip_supernet'] = df['dest_ip_supernet'].astype('category').cat.codes

    df['service_account'] = df['service_account'].astype('category').cat.codes
    df['tag'] = df['tag'].astype('category').cat.codes
    df['full_name'] = df['full_name'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['network'] = df['network'].astype('category').cat.codes
    df['source_service_account'] = df['source_service_account'].astype('category').cat.codes
    df['source_tag'] = df['source_tag'].astype('category').cat.codes
    #df['creation_timestamp'] = df['creation_timestamp'].astype('category').cat.codes
    df = df.drop(columns=['source_ip_addr', 'dest_ip_addr', 'org_id', 'creation_timestamp', 'name', 'full_name'])
    return df, full_name_column, name_column


df_filtered, full_name_col, name_col = pre_process_firewall_data(
    flattened_firewall_rules_dict)
print (df_filtered.iloc[0])
    
    # seaborn lib, clustermap
    # heatmap
    
pca, pca_2 = dimensionality_reduce(df_filtered, 2)

print (pd.DataFrame(pca.components_,columns=df_filtered.columns,index = ['PC-1','PC-2']))

# weighted_dimension, components, covariance_matrix = principal_components(pca, df_filtered)
# print ("Explained Variance:", weighted_dimension, "Covariance Matrix:", covariance_matrix)
# print ("COMPONENTS SPREAD", components)
# print ("SHAPE OF COVARIANCE MATRIX", covariance_matrix.shape)

# pca_2 = pd.DataFrame(pca_2)

# pca_2['full_name'] = full_name_col

# visualize_2d(pca_2)
print ("")
print ("====== Using similarity matrix ========")

sim_matrix = cosine_similarity(df_filtered)

pca, pca_2 = dimensionality_reduce(sim_matrix, 2)

pca_2 = pd.DataFrame(pca_2)

pca_2['full_name'] = full_name_col
pca_2['name'] = name_col

# pca_2['identifier'] = pca_2['full_name'].map(lambda x: str(x) + ' ') + pca_2['name']
pca_2['identifier'] = pca_2['name']

pca_2 = pca_2.drop(columns=['full_name', 'name'])

visualize_2d(pca_2)

anomalies = get_data_by_indexes(pd.DataFrame(flattened_firewall_rules_dict), [])

print (anomalies)

action                      0
direction                   1
disabled                    0
ip_protocol                 0
network                   103
ports                      19
service_account            -1
source_service_account     -1
source_tag                 -1
tag                        92
source_ip                 119
source_ip_supernet        126
dest_ip                     2
dest_ip_supernet            2
Name: 0, dtype: int16
        action  direction  disabled  ip_protocol   network     ports  \
PC-1 -0.000012  -0.000078      -0.0    -0.000736  0.018881 -0.110658   
PC-2 -0.000040  -0.000039       0.0    -0.001026  0.154153  0.090883   

      service_account  source_service_account  source_tag       tag  \
PC-1         0.000063                0.000075   -0.001403 -0.070783   
PC-2        -0.002586               -0.000271   -0.005979  0.980780   

      source_ip  source_ip_supernet   dest_ip  dest_ip_supernet  
PC-1   0.678843            0.722189 -0.000090         -0.0000

<IPython.core.display.Javascript object>

In [25]:
# Approach #5, using supernet as an additional feature and ignore the subnet.
# Drop timestamp, fullname and network columns.

def pre_process_firewall_data(resource_data_json):
    """Pre process resource data.

    Args:
        resource_data_json (list): A list of resource data in json format.
        selected_features (list): A list of selected features, if the
            list is empty, we will include all the features.

    Returns:
        DataFrame: DataFrame table with all the resource_data.
    """

    def ip_extraction(x):
        """Pre process ip data.
        Args:
            ip address (string): An ip address with subnet as a string.
        Returns:
            ip: IP extracted from the network.
            supernet: Supernet Ip network form the available ip network.
        """
        if not x:
            return '', ''
        l = []
        ip_add = ipaddress.IPv4Interface(x)
        ip_supernet = ipaddress.ip_network(x).supernet()
        return ip_add.ip, ip_supernet
    
    df = pd.DataFrame(resource_data_json)
    full_name_column, name_column = df['full_name'], df['name']

    #df['creation_timestamp'] = df['creation_timestamp'].astype('category').cat.codes
    df['direction'] = df['direction'].astype('category').cat.codes
    df['action'] = df['action'].astype('category').cat.codes
    df['disabled'] = df['disabled'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    df['ports'] = df['ports'].astype('category').cat.codes

    df[['source_ip','source_ip_supernet']] = df['source_ip_addr'].apply(lambda x: pd.Series([ip_extraction(x)[0],ip_extraction(x)[1]]))
    df[['dest_ip','dest_ip_supernet']] = df['dest_ip_addr'].apply(lambda x: pd.Series([ip_extraction(x)[0],ip_extraction(x)[1]]))
    df['source_ip'] = df['source_ip'].astype('category').cat.codes
    df['source_ip_supernet'] = df['source_ip_supernet'].astype('category').cat.codes
    df['dest_ip'] = df['dest_ip'].astype('category').cat.codes
    df['dest_ip_supernet'] = df['dest_ip_supernet'].astype('category').cat.codes
    df = df.drop(columns=['source_ip_addr', 
                          'dest_ip_addr', 
                          'org_id', 
                          'creation_timestamp', 
                          'network', 
                          'full_name',
                          'name'])

    df['service_account'] = df['service_account'].astype('category').cat.codes
    df['tag'] = df['tag'].astype('category').cat.codes
    #df['full_name'] = df['full_name'].astype('category').cat.codes
    df['ip_protocol'] = df['ip_protocol'].astype('category').cat.codes
    #df['network'] = df['network'].astype('category').cat.codes
    df['source_service_account'] = df['source_service_account'].astype('category').cat.codes
    df['source_tag'] = df['source_tag'].astype('category').cat.codes
    return df, full_name_column, name_column


df_filtered, full_name_col, name_col = pre_process_firewall_data(
    flattened_firewall_rules_dict)
print (df_filtered.iloc[0])

pca, pca_2 = dimensionality_reduce(df_filtered, 2)

print (pd.DataFrame(pca.components_,columns=df_filtered.columns,index = ['PC-1','PC-2']))

# weighted_dimension, components, covariance_matrix = principal_components(pca, df_filtered)
# print ("Explained Variance:", weighted_dimension, "Covariance Matrix:", covariance_matrix)
# print ("COMPONENTS SPREAD", components)
# print ("SHAPE OF COVARIANCE MATRIX", covariance_matrix.shape)

# pca_2 = pd.DataFrame(pca_2)

# pca_2['full_name'] = full_name_col

# visualize_2d(pca_2)
print ("")
print ("====== Using similarity matrix ========")

sim_matrix = cosine_similarity(df_filtered)

pca, pca_2 = dimensionality_reduce(sim_matrix, 2)

pca_2 = pd.DataFrame(pca_2)

pca_2['full_name'] = full_name_col
pca_2['name'] = name_col

# pca_2['identifier'] = pca_2['full_name'].map(lambda x: str(x) + ' ') + pca_2['name']
pca_2['identifier'] = pca_2['name']
pca_2 = pca_2.drop(columns=['full_name', 'name'])

visualize_2d(pca_2)

anomalies = get_data_by_indexes(pd.DataFrame(flattened_firewall_rules_dict), [])

print (anomalies)

action                     0
direction                  0
disabled                   0
ip_protocol                0
ports                      3
service_account           11
source_service_account    -1
source_tag                -1
tag                       -1
source_ip                  1
source_ip_supernet         1
dest_ip                    0
dest_ip_supernet           0
Name: 0, dtype: int8
      action     direction      disabled  ip_protocol     ports  \
PC-1    -0.0 -0.000000e+00  5.551115e-17     0.000995  0.013872   
PC-2     0.0  2.220446e-16 -1.110223e-16    -0.000718 -0.021909   

      service_account  source_service_account    source_tag       tag  \
PC-1        -0.402033                    -0.0 -3.831675e-47  0.915501   
PC-2         0.915256                     0.0  1.642147e-47  0.402271   

      source_ip  source_ip_supernet  dest_ip  dest_ip_supernet  
PC-1   0.004135            0.004135     -0.0              -0.0  
PC-2  -0.001492           -0.001492      0.0      

<IPython.core.display.Javascript object>

In [8]:
# K means
def k_means(data, num_clusters, max_iter, seed=0):
    """Creates and fits the k-means model with dataset.

    Args:
       seed: Seed with which cluster centroids are
           initialized to track experiments
       data: Array/sparse-matrix each column representing a
           feature and row an instance
       num_clusters: Number of cluster and centroids to create
       max_iter: The maximum number of iterations for a single run

    Returns:
      kmeans: Model which has clustered the dataset
   """
    kmeans = KMeans(n_clusters=num_clusters, random_state=seed,
                    max_iter=max_iter).fit(data)
    return kmeans

m = k_means(df_filtered, 3, max_iter=100, seed=0)

In [None]:
# Autoencoder
def autoencoder_model(input_shape):
    """
    The model function which computes the embedding.

    This is based on the implementation mentioned here:
    https://arxiv.org/pdf/1511.06335.pdf

    """
    input_layer = layers.Input(shape=input_shape)
    encoder_1 = layers.Dense(500, act='relu', name="encoder_1")(input_layer)
    encoder_2 = layers.Dense(500, act='relu', name="encoder_2")(encoder_1)
    encoder_3 = layers.Dense(2000, act='relu', name="encoder_3")(encoder_2)
    encoder_4 = layers.Dense(10, act='relu', name="encoder_4")(encoder_3)

    hidden = layers.Dense(10, act='relu', name="hidden")(encoder_4)

    decoder_1 = layers.Dense(10, act='relu', name="decoder_1")(hidden)
    decoder_2 = layers.Dense(2000, act='relu', name="decoder_2")(decoder_1)
    decoder_3 = layers.Dense(500, act='relu', name="decoder_3")(decoder_2)
    decoder_4 = layers.Dense(500, act='relu', name="decoder_4")(decoder_3)

    output_layer = layers.Dense(input_shape, name="output_layer")(decoder_4)
    model = Model(inputs=input_layer, outputs=output_layer)

    return model


def embedding_model(model):
    """Returns the Trained model which gives the embeddings as the output.

    Args:
        model: Trained autoencoder model

    Returns:
        intermediate model: Model split till the hidden layer

    """
    intermediate_model = model(
        inputs=[model.input],
        outputs=[model.get_layer("hidden").output])

    return intermediate_model