# **DDoS Data Cleaning**
---

## **Imports and Configuration**
---

In [1]:
import numpy as np
import os
import pandas as pd
import warnings

In [2]:
# Ignore warnings
warnings.filterwarnings('ignore')

In [3]:
# Data paths
dataset_name = '75-20-05-udplag.syn'

input_path = 'data/raw'
output_path = os.path.join('data/clean', dataset_name)

## **Load Data (Same Amount)**
---

In [4]:
# Create empty final dataframe
df = pd.DataFrame()

# Load several samples (300000) from every individual csv dataset and concatenate to final dataframe
for root in ['01-12', '03-11']:
    for filename in os.listdir(os.path.join(input_path, root)):
        df = pd.concat([df, pd.read_csv(os.path.join(input_path, root, filename), nrows=300000)])
        print(f'Load {filename} slice. Total loaded rows = {len(df)}')

# Show dataframe head
df.head()

Load DrDoS_DNS.csv slice. Total loaded rows = 300000
Load DrDoS_LDAP.csv slice. Total loaded rows = 600000
Load DrDoS_MSSQL.csv slice. Total loaded rows = 900000
Load DrDoS_NetBIOS.csv slice. Total loaded rows = 1200000
Load DrDoS_NTP.csv slice. Total loaded rows = 1500000
Load DrDoS_SNMP.csv slice. Total loaded rows = 1800000
Load DrDoS_SSDP.csv slice. Total loaded rows = 2100000
Load DrDoS_UDP.csv slice. Total loaded rows = 2400000
Load Syn.csv slice. Total loaded rows = 2700000
Load TFTP.csv slice. Total loaded rows = 3000000
Load UDPLag.csv slice. Total loaded rows = 3300000
Load LDAP.csv slice. Total loaded rows = 3600000
Load MSSQL.csv slice. Total loaded rows = 3900000
Load NetBIOS.csv slice. Total loaded rows = 4200000
Load Portmap.csv slice. Total loaded rows = 4391694
Load Syn.csv slice. Total loaded rows = 4691694
Load UDP.csv slice. Total loaded rows = 4991694
Load UDPLag.csv slice. Total loaded rows = 5291694


Unnamed: 0.1,Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,...,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,SimillarHTTP,Inbound,Label
0,425,172.16.0.5-192.168.50.1-634-60495-17,172.16.0.5,634,192.168.50.1,60495,17,2018-12-01 10:51:39.813448,28415,97,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS
1,430,172.16.0.5-192.168.50.1-60495-634-17,192.168.50.1,634,172.16.0.5,60495,17,2018-12-01 10:51:39.820842,2,2,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,DrDoS_DNS
2,1654,172.16.0.5-192.168.50.1-634-46391-17,172.16.0.5,634,192.168.50.1,46391,17,2018-12-01 10:51:39.852499,48549,200,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS
3,2927,172.16.0.5-192.168.50.1-634-11894-17,172.16.0.5,634,192.168.50.1,11894,17,2018-12-01 10:51:39.890213,48337,200,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS
4,694,172.16.0.5-192.168.50.1-634-27878-17,172.16.0.5,634,192.168.50.1,27878,17,2018-12-01 10:51:39.941151,32026,200,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS


## **Load Data (Proportional/Max Amount)**
---

In [4]:
# Define quantities to load
quantities = list(map(lambda x: x * 1000, [350, 350, 500, 425, 1000, 1000, 350, 350, 500, 1000, 1000, 350, 500, 425, 1000, 500, 350, 1000]))

# Save filenames in a list
filepaths = []
for root in ['01-12', '03-11']:
    for filename in os.listdir(os.path.join(input_path, root)):
        filepaths.append(os.path.join(input_path, root, filename))

# Create empty final dataframe
df = pd.DataFrame()

# Load samples from every individual csv dataset and concatenate to final dataframe
for filepath, quantity in zip(filepaths, quantities):
    df = pd.concat([df, pd.read_csv(filepath, nrows=quantity)])
    print(f'Load {os.path.basename(filepath)} slice. Total loaded rows = {len(df)}')

# Show dataframe head
df.head()

Load DrDoS_DNS.csv slice. Total loaded rows = 350000
Load DrDoS_LDAP.csv slice. Total loaded rows = 700000
Load DrDoS_MSSQL.csv slice. Total loaded rows = 1200000
Load DrDoS_NetBIOS.csv slice. Total loaded rows = 1625000
Load DrDoS_NTP.csv slice. Total loaded rows = 2625000
Load DrDoS_SNMP.csv slice. Total loaded rows = 3625000
Load DrDoS_SSDP.csv slice. Total loaded rows = 3975000
Load DrDoS_UDP.csv slice. Total loaded rows = 4325000
Load Syn.csv slice. Total loaded rows = 4825000
Load TFTP.csv slice. Total loaded rows = 5825000
Load UDPLag.csv slice. Total loaded rows = 6195605
Load LDAP.csv slice. Total loaded rows = 6545605
Load MSSQL.csv slice. Total loaded rows = 7045605
Load NetBIOS.csv slice. Total loaded rows = 7470605
Load Portmap.csv slice. Total loaded rows = 7662299
Load Syn.csv slice. Total loaded rows = 8162299
Load UDP.csv slice. Total loaded rows = 8512299
Load UDPLag.csv slice. Total loaded rows = 9237464


Unnamed: 0.1,Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,...,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,SimillarHTTP,Inbound,Label
0,425,172.16.0.5-192.168.50.1-634-60495-17,172.16.0.5,634,192.168.50.1,60495,17,2018-12-01 10:51:39.813448,28415,97,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS
1,430,172.16.0.5-192.168.50.1-60495-634-17,192.168.50.1,634,172.16.0.5,60495,17,2018-12-01 10:51:39.820842,2,2,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,DrDoS_DNS
2,1654,172.16.0.5-192.168.50.1-634-46391-17,172.16.0.5,634,192.168.50.1,46391,17,2018-12-01 10:51:39.852499,48549,200,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS
3,2927,172.16.0.5-192.168.50.1-634-11894-17,172.16.0.5,634,192.168.50.1,11894,17,2018-12-01 10:51:39.890213,48337,200,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS
4,694,172.16.0.5-192.168.50.1-634-27878-17,172.16.0.5,634,192.168.50.1,27878,17,2018-12-01 10:51:39.941151,32026,200,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,1,DrDoS_DNS


## **Clean Data**
---

In [5]:
# Columns to drop (based on MSc. thesis)
drop_columns = [
    'Unnamed: 0',
    'Flow ID',
    'Source IP',
    'Source Port',
    'Destination IP',
    'Destination Port',
    'Timestamp',
    'SimillarHTTP',
    'Inbound'
]

# Strip column names to remove blank spaces at start and end
df.columns = map(str.strip, df.columns)

# Drop columns
df.drop(columns=drop_columns, inplace=True)

# Show dataframe head
df.head()

Unnamed: 0,Protocol,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,17,28415,97,0,42680.0,0.0,440.0,440.0,440.0,0.0,...,-1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,DrDoS_DNS
1,17,2,2,0,880.0,0.0,440.0,440.0,440.0,0.0,...,-1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,DrDoS_DNS
2,17,48549,200,0,88000.0,0.0,440.0,440.0,440.0,0.0,...,-1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,DrDoS_DNS
3,17,48337,200,0,88000.0,0.0,440.0,440.0,440.0,0.0,...,-1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,DrDoS_DNS
4,17,32026,200,0,88000.0,0.0,440.0,440.0,440.0,0.0,...,-1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,DrDoS_DNS


In [6]:
# Show label distribution
df['Label'].value_counts()

Label
Syn              1587064
DrDoS_SNMP        999296
TFTP              998834
DrDoS_NTP         986449
NetBIOS           627874
MSSQL             513714
DrDoS_MSSQL       499154
UDP               436346
DrDoS_NetBIOS     424396
UDP-lag           366461
DrDoS_LDAP        349945
DrDoS_SSDP        349877
DrDoS_UDP         349020
DrDoS_DNS         348145
Portmap           186960
LDAP              154055
BENIGN             57562
UDPLag              1873
WebDDoS              439
Name: count, dtype: int64

In [7]:
# Drop NaN and Inf values
df.replace([np.inf, -np.inf], np.nan, inplace=True)
df.dropna(inplace=True)

# Drop WebDDoS and UDPLag labels
df.drop(df[df['Label'] == 'WebDDoS'].index, inplace=True)
df.drop(df[df['Label'] == 'UDPLag'].index, inplace=True)

# Replace labels
df.replace({
    'NetBIOS': 'NetBIOS/Portmap',
    'UDP': 'SSDP/UDP',
    'DrDoS_LDAP': 'DNS/LDAP',
    'DrDoS_SNMP': 'SNMP',
    'DrDoS_SSDP': 'SSDP/UDP',
    'DrDoS_NetBIOS': 'NetBIOS/Portmap',
    'DrDoS_MSSQL': 'MSSQL',
    'DrDoS_UDP': 'SSDP/UDP',
    'DrDoS_DNS': 'DNS/LDAP',
    'UDP-lag': 'Syn/UDPLag',
    'Portmap': 'NetBIOS/Portmap',
    'DrDoS_NTP': 'NTP',
    'LDAP': 'DNS/LDAP',
    'Syn': 'Syn/UDPLag'
}, inplace=True)

# Show label distribution
df['Label'].value_counts()

Label
Syn/UDPLag         1764050
NetBIOS/Portmap    1178457
SSDP/UDP           1114215
SNMP                991717
NTP                 978664
TFTP                977602
MSSQL               968182
DNS/LDAP            823020
BENIGN               56934
Name: count, dtype: int64

In [8]:
df.to_csv(os.path.join(output_path, 'ddos-data-clean.csv'), index=False)