# Intrusion detection system (IDS)
# Single file investigation
---

The **CSE-CIC-IDS2018** dataset needs to be cleaned before it can be consumed for training the dataset. In its original structure the dataset has ten separate csv files, every one of them has network traffic logged for a specific day of working.

An individual investigation of the dataset using one file is created.



Connect and load single CSV file to colabs for investigation

In [2]:
import numpy as np
import pandas as pd
import os

home_path = os.path.dirname(os.path.abspath(''))

data_path = 'data/Thursday-01-03-2018_TrafficForML_CICFlowMeter.csv'
file_path = os.path.join(home_path, data_path)

df = pd.read_csv(file_path)

  exec(code_obj, self.user_global_ns, self.user_ns)


In [3]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 331125 entries, 0 to 331124
Data columns (total 80 columns):
 #   Column             Non-Null Count   Dtype 
---  ------             --------------   ----- 
 0   Dst Port           331125 non-null  object
 1   Protocol           331125 non-null  object
 2   Timestamp          331125 non-null  object
 3   Flow Duration      331125 non-null  object
 4   Tot Fwd Pkts       331125 non-null  object
 5   Tot Bwd Pkts       331125 non-null  object
 6   TotLen Fwd Pkts    331125 non-null  object
 7   TotLen Bwd Pkts    331125 non-null  object
 8   Fwd Pkt Len Max    331125 non-null  object
 9   Fwd Pkt Len Min    331125 non-null  object
 10  Fwd Pkt Len Mean   331125 non-null  object
 11  Fwd Pkt Len Std    331125 non-null  object
 12  Bwd Pkt Len Max    331125 non-null  object
 13  Bwd Pkt Len Min    331125 non-null  object
 14  Bwd Pkt Len Mean   331125 non-null  object
 15  Bwd Pkt Len Std    331125 non-null  object
 16  Flow Byts/s        3

A manual inspection of the file shows that the title of the columns exist many times as duplicates within the file rows. This implies that each individual file was joined using many csv files that resulted in replication of the column titles in the creation of one file. To solve this problem, all rows containing the duplicate titles are removed. Additionally, the title names are changed to remove spaces and enforce a lowercase format for simpler retrieval of the columns.

In [4]:
import re
df = df.drop_duplicates(keep=False)
df.reset_index(drop=True, inplace = True)

column_name_regex = re.compile(r"\W", re.IGNORECASE)
df.columns = [column_name_regex.sub('_', c.lower()) for c in df.columns]

Pandas `read_csv()` method cannot parse “Infinity” values correctly as the Pandas will only accept infinity values in the “inf” format. As such, all incidents containing “infinity” are substituted with the string “inf”. We also change the types of the columns so as to load the dataset more efficiently.

In [5]:
df = df.replace('Infinity', 'inf')
#downcasting integer types
df[['dst_port', 'protocol', 'flow_duration', 'tot_fwd_pkts', 'tot_bwd_pkts', 'totlen_fwd_pkts', 'totlen_bwd_pkts', 'fwd_pkt_len_max', 'fwd_pkt_len_min', 'bwd_pkt_len_max', 'bwd_pkt_len_min', 'flow_iat_max', 'flow_iat_min', 'fwd_iat_tot', 'fwd_iat_max', 'fwd_iat_min', 'bwd_iat_tot', 'bwd_iat_max', 'bwd_iat_min', 'fwd_psh_flags', 'bwd_psh_flags', 'fwd_urg_flags', 'bwd_urg_flags', 'fwd_header_len', 'bwd_header_len', 'pkt_len_min', 'pkt_len_max', 'fin_flag_cnt', 'syn_flag_cnt', 'rst_flag_cnt', 'psh_flag_cnt', 'ack_flag_cnt', 'urg_flag_cnt', 'cwe_flag_count', 'ece_flag_cnt', 'down_up_ratio', 'fwd_byts_b_avg', 'fwd_pkts_b_avg', 'fwd_blk_rate_avg', 'bwd_byts_b_avg', 'bwd_pkts_b_avg', 'bwd_blk_rate_avg', 'subflow_fwd_pkts', 'subflow_fwd_byts', 'subflow_bwd_pkts', 'subflow_bwd_byts', 'init_fwd_win_byts', 'init_bwd_win_byts', 'fwd_act_data_pkts', 'fwd_seg_size_min', 'active_max', 'active_min', 'idle_max', 'idle_min']] = df[['dst_port', 'protocol', 'flow_duration', 'tot_fwd_pkts', 'tot_bwd_pkts', 'totlen_fwd_pkts', 'totlen_bwd_pkts', 'fwd_pkt_len_max', 'fwd_pkt_len_min', 'bwd_pkt_len_max', 'bwd_pkt_len_min', 'flow_iat_max', 'flow_iat_min', 'fwd_iat_tot', 'fwd_iat_max', 'fwd_iat_min', 'bwd_iat_tot', 'bwd_iat_max', 'bwd_iat_min', 'fwd_psh_flags', 'bwd_psh_flags', 'fwd_urg_flags', 'bwd_urg_flags', 'fwd_header_len', 'bwd_header_len', 'pkt_len_min', 'pkt_len_max', 'fin_flag_cnt', 'syn_flag_cnt', 'rst_flag_cnt', 'psh_flag_cnt', 'ack_flag_cnt', 'urg_flag_cnt', 'cwe_flag_count', 'ece_flag_cnt', 'down_up_ratio', 'fwd_byts_b_avg', 'fwd_pkts_b_avg', 'fwd_blk_rate_avg', 'bwd_byts_b_avg', 'bwd_pkts_b_avg', 'bwd_blk_rate_avg', 'subflow_fwd_pkts', 'subflow_fwd_byts', 'subflow_bwd_pkts', 'subflow_bwd_byts', 'init_fwd_win_byts', 'init_bwd_win_byts', 'fwd_act_data_pkts', 'fwd_seg_size_min', 'active_max', 'active_min', 'idle_max', 'idle_min']].apply(pd.to_numeric, downcast = 'integer')

#downcasting float types
df[['fwd_pkt_len_mean', 'fwd_pkt_len_std', 'bwd_pkt_len_mean', 'bwd_pkt_len_std', 'flow_byts_s', 'flow_pkts_s', 'flow_iat_mean', 'flow_iat_std', 'fwd_iat_mean', 'fwd_iat_std', 'bwd_iat_mean', 'bwd_iat_std', 'fwd_pkts_s', 'bwd_pkts_s', 'pkt_len_mean', 'pkt_len_std', 'pkt_len_var', 'pkt_size_avg', 'fwd_seg_size_avg', 'bwd_seg_size_avg', 'active_mean', 'active_std', 'idle_mean', 'idle_std']] = df[['fwd_pkt_len_mean', 'fwd_pkt_len_std', 'bwd_pkt_len_mean', 'bwd_pkt_len_std', 'flow_byts_s', 'flow_pkts_s', 'flow_iat_mean', 'flow_iat_std', 'fwd_iat_mean', 'fwd_iat_std', 'bwd_iat_mean', 'bwd_iat_std', 'fwd_pkts_s', 'bwd_pkts_s', 'pkt_len_mean', 'pkt_len_std', 'pkt_len_var', 'pkt_size_avg', 'fwd_seg_size_avg', 'bwd_seg_size_avg', 'active_mean', 'active_std', 'idle_mean', 'idle_std']].apply(pd.to_numeric, downcast = 'float') 

df.dtypes #check that types have changed

#df = df.apply(pd.to_numeric, errors='ignore') standard type change, loads at 200mb, by downcasting this is reduced to 75mb+ 

dst_port           int32
protocol            int8
timestamp         object
flow_duration      int32
tot_fwd_pkts       int16
                  ...   
idle_mean        float32
idle_std         float32
idle_max           int32
idle_min           int32
label             object
Length: 80, dtype: object

We have finished looking at a single file next we move on to loading all the files and creating one combined dataset.

In [6]:
import glob
home_path = os.path.dirname(os.path.abspath(''))
files = [file for file in glob.glob(home_path + "/data/*.csv", recursive=True)]
print(files) # check all files are listed.

# place all datasets into dataframes

df = [pd.read_csv(f) for f in files]

# #check they have same number of columns 
for d in df:
    print(d.shape)


['/home/am520/MSc2021/data/Thursday-15-02-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Wednesday-14-02-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Friday-02-03-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Thuesday-20-02-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Friday-23-02-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Thursday-01-03-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Friday-16-02-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Thursday-22-02-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Wednesday-21-02-2018_TrafficForML_CICFlowMeter.csv', '/home/am520/MSc2021/data/Wednesday-28-02-2018_TrafficForML_CICFlowMeter.csv']


  df = [pd.read_csv(f) for f in files]


(1048575, 80)
(1048575, 80)
(1048575, 80)
(7948748, 84)
(1048575, 80)
(331125, 80)
(1048575, 80)
(1048575, 80)
(1048575, 80)
(613104, 80)


Of note, the file Thuesday-20-02-2018_TrafficForML_CICFlowMeter.csv has four columns Src IP, Src Port, Flow ID and Dst IP which are not included in the other files. As these files are not needed, they are removed from the file. This can be seen in file four with shape (7948748, 84).

In [7]:
df[3] = df[3].drop(['Src IP', 'Src Port', 'Flow ID' ,'Dst IP'], axis=1)
df[3].shape

(7948748, 80)

Once the singulr example has been run, we run garbage collect to free up memory before working on all the files. 

In [8]:
import gc
del df
gc.collect()

8

# All files comined and cleaned

In short, the next stages are used to clean all the files in the dataset:

1. Eliminate duplicate titles/headers of each column

2. Replace Infinity values with inf

3. Change column titles to lowercase and remove spaces.

4. Change types of the variables to numeric

5. Combine all files

Of note, the file Thuesday-20-02-2018_TrafficForML_CICFlowMeter.csv has four columns Src IP, Src Port, Flow ID and Dst IP which are not included in the other files. As these files are not needed, they are removed from the file.

In [11]:
import re 
import pandas as pd
import os
import glob
import fastparquet
import gc 

def remove_duplicate_headers(d):    
    return d[~d['Timestamp'].str.contains('Timestamp', na=False)]

def substitute_infinity(d):
    return df.replace('Infinity', 'inf')

def transform_headers(d):
    column_name_regex = re.compile(r"\W", re.IGNORECASE)
    return [column_name_regex.sub('_', c.lower()) for c in df.columns]

def transform_type(df):
    #downcasting integer types
    df[['dst_port', 'protocol', 'flow_duration', 'tot_fwd_pkts', 'tot_bwd_pkts', 'totlen_fwd_pkts', 'totlen_bwd_pkts', 'fwd_pkt_len_max', 'fwd_pkt_len_min', 'bwd_pkt_len_max', 'bwd_pkt_len_min', 'flow_iat_max', 'flow_iat_min', 'fwd_iat_tot', 'fwd_iat_max', 'fwd_iat_min', 'bwd_iat_tot', 'bwd_iat_max', 'bwd_iat_min', 'fwd_psh_flags', 'bwd_psh_flags', 'fwd_urg_flags', 'bwd_urg_flags', 'fwd_header_len', 'bwd_header_len', 'pkt_len_min', 'pkt_len_max', 'fin_flag_cnt', 'syn_flag_cnt', 'rst_flag_cnt', 'psh_flag_cnt', 'ack_flag_cnt', 'urg_flag_cnt', 'cwe_flag_count', 'ece_flag_cnt', 'down_up_ratio', 'fwd_byts_b_avg', 'fwd_pkts_b_avg', 'fwd_blk_rate_avg', 'bwd_byts_b_avg', 'bwd_pkts_b_avg', 'bwd_blk_rate_avg', 'subflow_fwd_pkts', 'subflow_fwd_byts', 'subflow_bwd_pkts', 'subflow_bwd_byts', 'init_fwd_win_byts', 'init_bwd_win_byts', 'fwd_act_data_pkts', 'fwd_seg_size_min', 'active_max', 'active_min', 'idle_max', 'idle_min']] = df[['dst_port', 'protocol', 'flow_duration', 'tot_fwd_pkts', 'tot_bwd_pkts', 'totlen_fwd_pkts', 'totlen_bwd_pkts', 'fwd_pkt_len_max', 'fwd_pkt_len_min', 'bwd_pkt_len_max', 'bwd_pkt_len_min', 'flow_iat_max', 'flow_iat_min', 'fwd_iat_tot', 'fwd_iat_max', 'fwd_iat_min', 'bwd_iat_tot', 'bwd_iat_max', 'bwd_iat_min', 'fwd_psh_flags', 'bwd_psh_flags', 'fwd_urg_flags', 'bwd_urg_flags', 'fwd_header_len', 'bwd_header_len', 'pkt_len_min', 'pkt_len_max', 'fin_flag_cnt', 'syn_flag_cnt', 'rst_flag_cnt', 'psh_flag_cnt', 'ack_flag_cnt', 'urg_flag_cnt', 'cwe_flag_count', 'ece_flag_cnt', 'down_up_ratio', 'fwd_byts_b_avg', 'fwd_pkts_b_avg', 'fwd_blk_rate_avg', 'bwd_byts_b_avg', 'bwd_pkts_b_avg', 'bwd_blk_rate_avg', 'subflow_fwd_pkts', 'subflow_fwd_byts', 'subflow_bwd_pkts', 'subflow_bwd_byts', 'init_fwd_win_byts', 'init_bwd_win_byts', 'fwd_act_data_pkts', 'fwd_seg_size_min', 'active_max', 'active_min', 'idle_max', 'idle_min']].apply(pd.to_numeric, downcast = 'integer')
    #downcasting float types
    df[['fwd_pkt_len_mean', 'fwd_pkt_len_std', 'bwd_pkt_len_mean', 'bwd_pkt_len_std', 'flow_byts_s', 'flow_pkts_s', 'flow_iat_mean', 'flow_iat_std', 'fwd_iat_mean', 'fwd_iat_std', 'bwd_iat_mean', 'bwd_iat_std', 'fwd_pkts_s', 'bwd_pkts_s', 'pkt_len_mean', 'pkt_len_std', 'pkt_len_var', 'pkt_size_avg', 'fwd_seg_size_avg', 'bwd_seg_size_avg', 'active_mean', 'active_std', 'idle_mean', 'idle_std']] = df[['fwd_pkt_len_mean', 'fwd_pkt_len_std', 'bwd_pkt_len_mean', 'bwd_pkt_len_std', 'flow_byts_s', 'flow_pkts_s', 'flow_iat_mean', 'flow_iat_std', 'fwd_iat_mean', 'fwd_iat_std', 'bwd_iat_mean', 'bwd_iat_std', 'fwd_pkts_s', 'bwd_pkts_s', 'pkt_len_mean', 'pkt_len_std', 'pkt_len_var', 'pkt_size_avg', 'fwd_seg_size_avg', 'bwd_seg_size_avg', 'active_mean', 'active_std', 'idle_mean', 'idle_std']].apply(pd.to_numeric, downcast = 'float') 
    return df

def check_dir_exists():
    out_path = os.path.join(data_path, processed)
    if not os.path.exists(out_path):
        os.mkdir(out_path)


processed = 'pre-clean/'
data_path = os.path.dirname(os.path.abspath('')) + "/data/"
check_dir_exists()


files={
'Wednesday-28-02-2018_TrafficForML_CICFlowMeter.csv' : '28-02-2018.parquet',
 'Thursday-01-03-2018_TrafficForML_CICFlowMeter.csv' : '01-03-2018.parquet',
 'Friday-02-03-2018_TrafficForML_CICFlowMeter.csv' : '02-03-2018.parquet',
 'Thursday-22-02-2018_TrafficForML_CICFlowMeter.csv' : '22-02-2018.parquet',
 'Thursday-15-02-2018_TrafficForML_CICFlowMeter.csv' : '15-02-2018.parquet',
 'Thuesday-20-02-2018_TrafficForML_CICFlowMeter.csv' : '20-02-2018.parquet',
 'Wednesday-21-02-2018_TrafficForML_CICFlowMeter.csv' : '21-02-2018.parquet',
 'Wednesday-14-02-2018_TrafficForML_CICFlowMeter.csv' : '14-02-2018.parquet',
 'Friday-16-02-2018_TrafficForML_CICFlowMeter.csv' : '16-02-2018.parquet',
 'Friday-23-02-2018_TrafficForML_CICFlowMeter.csv' : '23-02-2018.parquet'
}

for i, out in files.items():
    path = os.path.join(data_path, i)
    out_path = os.path.join(data_path, processed, out)
    df = pd.read_csv(path, dtype=str).drop(columns=['Flow ID', 'Src IP', 'Dst IP', 'Src Port'], errors='ignore')
    df = remove_duplicate_headers(df)
    df = substitute_infinity(df)
    df.columns = transform_headers(df)
    df = transform_type(df)
    df.to_parquet(out_path, engine='fastparquet')

del df
gc.collect()

#combine all files and create combined output file using optimal file format

clean_data_path = os.path.dirname(os.path.abspath('')) + "/data/pre-clean/"
output_data_path = os.path.dirname(os.path.abspath('')) + "/data/combined/"
files = [file for file in glob.glob(clean_data_path + "**/*.parquet", recursive=True)]
df = [pd.read_parquet(f) for f in files]

# #check they have same number of columns 
# for d in df:
#     print(d.shape)

processed = 'combined/'
check_dir_exists()


df = pd.concat([d for d in df])
df.reset_index(drop=True, inplace = True)
df = transform_type(df)
df.to_parquet(output_data_path+'combined1.parquet', engine='fastparquet')
df.to_feather(output_data_path+'combined1.feather')
df.to_pickle(output_data_path+'combined1.pickle')

We created three different types of file saves to address the size of the combined file namely, parquet, pickle and feather. In the following section we load each of these files and test their memory usage. Based on the best result, we will use that type going forward. In this case, we are going to use pickle as it had the best performance in regards to RAM.

In [12]:
import os, psutil
import pandas as pd
process = psutil.Process(os.getpid())
output_data_path = os.path.dirname(os.path.abspath('')) + "/data/combined/"

df = pd.read_feather(output_data_path+'combined1.feather')
print("Feather", process.memory_info().rss)
print('RAM memory % used:', psutil.virtual_memory()[2])
print(psutil.getloadavg())

df = pd.read_pickle(output_data_path+'combined1.pickle')
print("Pickle", process.memory_info().rss)
print('RAM memory % used:', psutil.virtual_memory()[2])
print(psutil.getloadavg())

df = pd.read_parquet(output_data_path+'combined1.parquet')
print("Parquet", process.memory_info().rss)
print('RAM memory % used:', psutil.virtual_memory()[2])
print(psutil.getloadavg())

Feather 15999307776
RAM memory % used: 51.1
(0.13, 0.14, 0.41)
Pickle 14645739520
RAM memory % used: 47.1
(0.44, 0.2, 0.42)
Parquet 16192724992
RAM memory % used: 51.1
(0.89, 0.3, 0.45)
