# Caso Practico: Support Vector Machine (SVM)

## Description

The Web has long become a major platform for online criminal activities. URLs are used as the main vehicle in this domain. To counter this issues security community focused its efforts on developing techniques for mostly blacklisting of malicious URLs.

While successful in protecting users from known malicious domains, this approach only solves part of the problem. The new malicious URLs that sprang up all over the web in masses commonly get a head start in this race. Besides that, Alexa ranked, trusted websites may convey compromised fraudulent URLs called defacement URL.

We explore a lightweight approach to detection and categorization of the malicious URLs according to their attack type and show that lexical analysis is effective and efficient for proactive detection of these URLs. We also study the effect of the obfuscation techniques on malicious URLs to figure out the type of obfuscation technique targeted at specific type of malicious URL. We study mainly five different types of URLs:

Benign URLs: Over 35,300 benign URLs were collected from Alexa top websites. The domains have been passed through a Heritrix web crawler to extract the URLs. Around half a million unique URLs are crawled initially and then passed to remove duplicate and domain only URLs. Later the extracted URLs have been checked through Virustotal to filter the benign URLs.

Spam URLs: Around 12,000 spam URLs were collected from the publicly available WEBSPAM-UK2007 dataset.

Phishing URLs: Around 10,000 phishing URLs were taken from OpenPhish which is a repository of active phishing sites.

Malware URLs: More than 11,500 URLs related to malware websites were obtained from DNS-BH which is a project that maintain list of malware sites.

Defacement URLs: More than 45,450 URLs belong to Defacement URL category. They are Alexa ranked trusted websites hosting fraudulent or hidden URL that contains both malicious web pages.

Obfuscation is used as a common method for masking malicious URLs. An attacker intending to evade static analysis on lexical URL features use obfuscation techniques so that malicious URLs become statistically like the benign ones. The obfuscation techniques on URLs is analyzed for the intent of malicious activity in this research. We analyzed mainly Spam, Phishing and Malware URLs to see what kind of obfuscation techniques applied on the URLs.

The full research paper outlining the details of the dataset and its underlying principles:

Mohammad Saiful Islam Mamun, Mohammad Ahmad Rathore, Arash Habibi Lashkari, Natalia Stakhanova and Ali A. Ghorbani, "Detecting Malicious URLs Using Lexical Analysis", Network and System Security, Springer International Publishing, pp. 467-482, 2016.

[URL's Malignas](https://www.unb.ca/cic/datasets/url-2016.html)

In [1]:
## Imports

In [4]:
%matplotlib inline
import matplotlib.pyplot as plt
import numpy as numpy
import pandas as pd
from sklearn.model_selection import train_test_split
from sklearn.metrics import f1_score
from sklearn.preprocessing import StandardScaler, RobustScaler
from sklearn.pipeline import Pipeline

### Crear una funcion que realice el particionado

In [None]:
#  Construccion de una funcion que realice el particionado 
def train_val_test_split(df, rstate=42, shuffle=True, stratify=None):
    strat = df[stratify] if stratify else None
    train_set, test_set = train_test_split(
        df, test_size=0.4, random_state=rstate, shuffle=shuffle, stratify=strat)
    strat = test_set[stratify] if stratify else None
    val_set, test_set = train_test_split(
        test_set, test_size=0.5, random_state=rstate, shuffle=shuffle, stratify=strat)
    return (train_set, val_set, test_set)

#### Representación Gráfica de limite de decisión

In [None]:
def plot_svc_decision_boundary(svm_clf, xmin, xmax):
    w = svm_clf.coef_[0]
    b = svm_clf.intercept_[0] # Ecuacion de recepcion

    # A the decesion boundary, w0 *x0 + w1 * x1 +b = 0
    # => X1 = -w0 / w1 * x0 - b / w1 
    x0 = np.linspace(xmin, xmax, 200)
    decision_boundary = -w[0] / w[1] * x0 -b / w[1]
    margin = 1 / w[1]
    gutter_up = decision_boundary + margin  # borde superior de nuestro margen de decision
    gutter_down = decision_boundary - margin  # borde inferior de nuestro margen de decision

    svs = svm_clf.support_vectors_
    plt.scatter(svs[:, 0], svs[:, 1], s=180, facecolors= '#FFAAAA' )
    plt.plot(x0, decision_boundary, "k-", linewidth = 2)
    plt.plot(x0, gutter_up, "k--", linewidth = 2)
    plt.plot(x0, gutter_down, "k--", linewidth = 2)


## 1.- Lectura del Dataset

In [None]:
df = pd.read_csv("datasets/datasets/FinalDataset/Phishing.csv")

# 2.- Visualización de DataSet

In [None]:
df.head(10)

In [None]:
df.describe()

In [None]:
df.info

In [None]:
df["URL_Type_obf_Type"].value_counts()

In [None]:
# Comprobar si existen valores nulos
is_null = df.isna().any()
is_null[is_null]


In [None]:
# Comprobar si existen valores infinitos
is_inf = df.isin([np.inf, -np.inf]).any()
is_inf[is_inf]

In [None]:
# Representaciń gráfica de dos carácteristicas
plt.figure(figsize=(12,6))

plt.scatter(df["domainUrlRatio"][df["URL_Type_obf_Type"] == "phishing"], df["domainlength"][df["URL_Type_obf_Type"] == "phishing"], c="r", marker=".")
plt.scatter(df["domainUrlRatio"][df["URL_Type_obf_Type"] == "benign"], df["domainlength"][df["URL_Type_obf_Type"] == "benign"], c="g", marker="x") 
plt.xlabel("domainUrlratio", fontsize=14)
plt.ylabel("domainlength", fontsize=14)
plt.show()

## 3.- División del Dataset

In [None]:
# División del dataset 
train_set, val_set, test_set = train_val_test_split(df)

X_train = train_set.drop("URL_Type_obf_Type", axis=1)
y_train = train_set["URL_Type_obf_Type"].copy()

X_val = val_set.drop("URL_Type_obf_Type", axis=1)
y_val = val_set["URL_Type_obf_Type"].copy()

X_test = test_set.drop("URL_Type_obf_Type", axis=1)
y_test = test_set["URL_Type_obf_Type"].copy()


## 4.- Preparación del dataset 

In [None]:
# Eliminar los atributos que tienen valores infinitos
X_train = X_train.drop("argPathRatio", axis=1)
X_val = X_val.drop("argPathRatio", axis=1)
X_test = X_test.drop("argPathRatio", axis=1)

In [None]:
# Rellenar los valores nulos con la mediana
from sklearn.impute import SimpleImputer
imputer = SimpleImputer(strategy="median")

In [None]:
# Rellenar los valores nulos
X_train_prep = imputer.fit_transform(X_train)
X_val_prep = imputer.fit_transform(X_val)
X_test_prep = imputer.fit_transform(X_test)

In [None]:
# Transformar el resultado en un DataFrame de Pandas
# Transformar el resultado a un DataFrame de pandas 
X_train_prep = pd.DataFrame(X_train_prep, columns=X_train.columns, index=y_train.index)
X_val_prep = pd.DataFrame(X_val_prep, columns=X_val.columns, index=y_val.index)
X_test_prep = pd.DataFrame(X_test_prep, columns=X_test.columns, index=y_test.index)

In [None]:
X_train_prep.head(10)

In [None]:
# Comprobar si existen valores nulos en el DataSet de enterenamiento
is_null = X_train_prep.isna().any()
is_null[is_null]

### SVM: Kernel lineal

#### 5.1 DataSet reducido

Entrenamiento del algoirtmo con un dataset reducido

In [None]:
# Reduccion del Dataset para representarlo gráficamente
X_train_reduced = X_train_prep[["domainUrlRatio", "domainlength"]].copy()
X_val_reduced = X_val_prep[["domainUrlRatio", "domainlength"]].copy()

In [None]:
X_train_reduced

In [None]:
from sklearn.svm import SVC

# SVM Large Margin Classification
svm_clf = SVC(kernel="linear", C=50) # Factor de regularizacion # Se utilza para clasificadores lineales (spam o no) # 50: binario 1 o 0
svm_clf.fit(X_train_reduced, y_train)

# Representación del limite de deición 

In [None]:
def plot_svc_decision_boundary(svm_clf, xmin, xmax):
    w = svm_clf.coef_[0]
    b = svm_clf.intercept_[0]
    x0 = np.linspace(xmin, xmax, 200)
    decision_boundary = -w[0]/w[1] * x0 -b/w[1]

    margin = 1 / w[1]
    gutter_up = decision_boundary + margin
    gutter_down = decision_boundary - margin

    svs = svm_clf.support_vectors_
    plt.scatter(svs[:, 0], svs[:, 1], s = 180, facecolors = '#FFAAAA')
    plt.plot(x0, decision_boundary, "k-", linewidth=2)
    plt.plot(x0, gutter_up, "k--", linewidth=2)
    plt.plot(x0, gutter_down, "k--", linewidth=2)

In [None]:
plt.figure(figsize = (12,6))
plt.plot(X_train_reduced.values[:, 0][y_train=="phishing"], X_train_reduced.values[:, 1] [y_train=="phishing"],"g^")
plt.plot(X_train_reduced.values[:, 0][y_train=="benign"], X_train_reduced.values[:, 1] [y_train=="benign"],"bs")
plot_svc_decision_boundary(svm_clf, 0,1)
plt.title("$C = {}$".format(svm_clf.C), fontsize=16)
plt.axis([0, 1, -100, 250])
plt.xlabel("domainUrlRatio", fontsize=13)
plt.ylabel("domainlength", fontsize=13)
plt.show()

#### Prediccion con un Dataset Reducido

In [None]:
y_pred = svm_clf.predict(X_val_reduced)

In [None]:
print("F1 Score: ", f1_score(y_pred, y_val, pos_label='phishing'))

Como se verá más adelante en determinados kernels es muy importante escalar el Dataset. En este caso, para el kernel lineal no es tan relevante, aunque es **"posible"**, que proporcione mejores recultados

In [None]:
svm_clf_sc = Pipeline([
        ("scaler", RobustScaler()),
        ("linear_svc", SVC(kernel = "linear", C=50)),    
    ])
svm_clf_sc.fit(X_train_reduced, y_train)

In [None]:
# Hacer lo mismo pero con un kernel reducido
y_pred = svm_clf_sc.predict(X_val_reduced)
print("F1 Score:", f1_score(y_pred, y_val, pos_label = 'phishing'))

#### 5.2 DataSet completo

In [None]:
# Entrenamiento con todo el dataset completo
from sklearn.svm import SVC
# Reglas de Reuso = escalar
svm_clf = SVC(kernel="linear", C=1)
svm_clf.fit(X_train_prep, y_train)

In [None]:
# Hacer lo mismo pero con un kernel reducido
y_pred = svm_clf.predict(X_val_prep)
print("F1 Score:", f1_score(y_pred, y_val, pos_label = 'phishing'))

### 6.- SVM: Kernel no lineal

#### 6.- Polynomial Kernel (I)
Entrenamiento del algoritmo con un DataSet reducido 

In [None]:
# Para representar el límite de decisión se tiene que pasar la variable objetivo a numérica.
y_train_num = y_train.factorize()[0]
y_val_num = y_val.factorize()[0]

In [None]:
from sklearn.datasets import make_moons # Genera dos clases que entrelazan como dos medias lunas
from sklearn.preprocessing import PolynomialFeatures # TLU UMBRAL (x*w)+b
from sklearn.svm import LinearSVC  
# SEPARABILIDAD # LOs datos que esten por debajo del umbral son inhibidos(falsos positivos) y los que pase el umbral, son exitados
# Aprendizaje SUPERVIZADO
polynomial_svm_clf = Pipeline([
    ("poly_features", PolynomialFeatures(degree=3)),
    ("scaler", StandardScaler()),
    ("svm_clf", LinearSVC(C=20, loss="hinge", random_state= 42, max_iter = 100000)) # C es la separabilidad # hinge =  funcion de perdida
    ])

polynomial_svm_clf.fit(X_train_reduced, y_train_num)


### Representación del límite de decisión 

def plot_dataset(X, y,):
    plt.plot(X[:,0][y==1], X[:,1][y==1], "g.")
    plt.plot(X[:,0][y==0], X[:,1][y==0], "b.")

In [None]:
def plot_predictions(clf, axes):
    x0s = np.linspace(axes[0], axes[1], 100)
    x1s = np.linspace(axes[2], axes[3], 100)
    x0, x1 = np.meshgrid(x0s, x1s)
    X = np.c_[x0.ravel(), x1.ravel()] # Redimensionar al vector original
    y_pred = clf.predict(X).reshape(x0.shape)
    y_decision = clf.decision_function(X).reshape(x0.shape)
    plt.contourf(x0, x1, y_pred, cmap=plt.cm.brg, alpha=0.2) # Crear un mapa de contornos para visualizar datos en dos dimensiones
    plt.contourf(x0, x1, y_decision, cmap=plt.cm.brg, alpha=0.2) # Crear un mapa de contornos para visualizar datos en dos dimensiones

fig, axes = plt.subplots(ncols=2, figsize=(15,5), sharey=True)
plt.sca(axes[0])
plot_dataset(X_train_reduced.values, y_train_num)
plot_predictions(polynomial_svm_clf, [0, 1, -100, 250])
plt.xlabel("domainUrlRatio", fontsize=11)
plt.ylabel("domainlength", fontsize=11)
plt.sca(axes[1])
plot_predictions(polynomial_svm_clf,[0, 1, -100, 250])
plt.xlabel("domainUrlRatio", fontsize=11)
plt.ylabel("domainlength", fontsize=11)
plt.show()



#### Prediccion con el Dataset Reducido

In [None]:
svm_clf = SVC(kernel="poly", degree = 3, coef0 = 10, C=20)

svm_clf.fit(X_train_prep, y_train_num)

In [None]:
y_pred = polynomial_svm_clf.predict(X_val_reduced)

In [None]:
print("F1 Score: ", f1_score(y_pred, y_val_num))