# Before your start:
- Read the README.md file
- Comment as much as you can and use the resources in the README.md file
- Happy learning!

In [1]:
# Import your libraries:
import matplotlib.pyplot as plt
import seaborn as sns
%matplotlib inline
from sklearn.linear_model import LinearRegression
from sklearn.metrics import r2_score
from sklearn.model_selection import train_test_split

import numpy as np
import pandas as pd
import scipy
from sklearn import datasets

In this lab, we will explore a dataset that describes websites with different features and labels them either benign or malicious . We will use supervised learning algorithms to figure out what feature patterns malicious websites are likely to have and use our model to predict malicious websites.

# Challenge 1 - Explore The Dataset

Let's start by exploring the dataset. First load the data file:

In [2]:
websites = pd.read_csv('../website.csv')

#### Explore the data from an bird's-eye view.

You should already been very familiar with the procedures now so we won't provide the instructions step by step. Reflect on what you did in the previous labs and explore the dataset.

Things you'll be looking for:

* What the dataset looks like?
* What are the data types?
* Which columns contain the features of the websites?
* Which column contains the feature we will predict? What is the code standing for benign vs malicious websites?
* Do we need to transform any of the columns from categorical to ordinal values? If so what are these columns?

Feel free to add additional cells for your explorations. Make sure to comment what you find out.

In [3]:
#https://ieee-dataport.org/documents/malicious-and-benign-websites
#    URL: it is the anonimous identification of the URL analyzed in the study
#    URL_LENGTH: it is the number of characters in the URL
#    NUMBER_SPECIAL_CHARACTERS: it is number of special characters identified in the URL, such as, “/”, “%”, “#”, “&”, “. “, “=”
#    CHARSET: it is a categorical value and its meaning is the character encoding standard (also called character set).
#    SERVER: it is a categorical value and its meaning is the operative system of the server got from the packet response.
#    CONTENT_LENGTH: it represents the content size of the HTTP header.
#    WHOIS_COUNTRY: it is a categorical variable, its values are the countries we got from the server response (specifically, our script used the API of Whois).
#    WHOIS_STATEPRO: it is a categorical variable, its values are the states we got from the server response (specifically, our script used the API of Whois).
#    WHOIS_REGDATE: Whois provides the server registration date, so, this variable has date values with format DD/MM/YYY HH:MM
#    WHOIS_UPDATED_DATE: Through the Whois we got the last update date from the server analyzed
#    TCP_CONVERSATION_EXCHANGE: This variable is the number of TCP packets exchanged between the server and our honeypot client
#    DIST_REMOTE_TCP_PORT: it is the number of the ports detected and different to TCP
#    REMOTE_IPS: this variable has the total number of IPs connected to the honeypot
#    APP_BYTES: this is the number of bytes transfered
#    SOURCE_APP_PACKETS: packets sent from the honeypot to the server
#    REMOTE_APP_PACKETS: packets received from the server
#    APP_PACKETS: this is the total number of IP packets generated during the communication between the honeypot and the server
#    DNS_QUERY_TIMES: this is the number of DNS packets generated during the communication between the honeypot and the server
##################################################################################################################
#    TYPE: this is a categorical variable, its values represent the type of web page analyzed, specifically,     #
#    1 is for malicious websites and 0 is for benign websites                                                    #
##################################################################################################################

In [4]:

# Your code here
websites.head()

Unnamed: 0,URL,URL_LENGTH,NUMBER_SPECIAL_CHARACTERS,CHARSET,SERVER,CONTENT_LENGTH,WHOIS_COUNTRY,WHOIS_STATEPRO,WHOIS_REGDATE,WHOIS_UPDATED_DATE,...,DIST_REMOTE_TCP_PORT,REMOTE_IPS,APP_BYTES,SOURCE_APP_PACKETS,REMOTE_APP_PACKETS,SOURCE_APP_BYTES,REMOTE_APP_BYTES,APP_PACKETS,DNS_QUERY_TIMES,Type
0,M0_109,16,7,iso-8859-1,nginx,263.0,,,10/10/2015 18:21,,...,0,2,700,9,10,1153,832,9,2.0,1
1,B0_2314,16,6,UTF-8,Apache/2.4.10,15087.0,,,,,...,7,4,1230,17,19,1265,1230,17,0.0,0
2,B0_911,16,6,us-ascii,Microsoft-HTTPAPI/2.0,324.0,,,,,...,0,0,0,0,0,0,0,0,0.0,0
3,B0_113,17,6,ISO-8859-1,nginx,162.0,US,AK,7/10/1997 4:00,12/09/2013 0:45,...,22,3,3812,39,37,18784,4380,39,8.0,0
4,B0_403,17,6,UTF-8,,124140.0,US,TX,12/05/1996 0:00,11/04/2017 0:00,...,2,5,4278,61,62,129889,4586,61,4.0,0


In [5]:
websites.tail()

Unnamed: 0,URL,URL_LENGTH,NUMBER_SPECIAL_CHARACTERS,CHARSET,SERVER,CONTENT_LENGTH,WHOIS_COUNTRY,WHOIS_STATEPRO,WHOIS_REGDATE,WHOIS_UPDATED_DATE,...,DIST_REMOTE_TCP_PORT,REMOTE_IPS,APP_BYTES,SOURCE_APP_PACKETS,REMOTE_APP_PACKETS,SOURCE_APP_BYTES,REMOTE_APP_BYTES,APP_PACKETS,DNS_QUERY_TIMES,Type
1776,M4_48,194,16,UTF-8,Apache,,ES,Barcelona,17/09/2008 0:00,2/09/2016 0:00,...,0,0,0,0,3,186,0,0,0.0,1
1777,M4_41,198,17,UTF-8,Apache,,ES,Barcelona,17/09/2008 0:00,2/09/2016 0:00,...,0,0,0,0,2,124,0,0,0.0,1
1778,B0_162,201,34,utf-8,Apache/2.2.16 (Debian),8904.0,US,FL,15/02/1999 0:00,15/07/2015 0:00,...,2,6,6631,87,89,132181,6945,87,4.0,0
1779,B0_1152,234,34,ISO-8859-1,cloudflare-nginx,,US,CA,1/04/1998 0:00,9/12/2016 0:00,...,0,0,0,0,0,0,0,0,0.0,0
1780,B0_676,249,40,utf-8,Microsoft-IIS/8.5,24435.0,US,Wisconsin,14/11/2008 0:00,20/11/2013 0:00,...,6,11,2314,25,28,3039,2776,25,6.0,0


In [6]:
websites.CHARSET.value_counts()

UTF-8           676
ISO-8859-1      427
utf-8           379
us-ascii        155
iso-8859-1      134
None              7
ISO-8859          1
windows-1251      1
windows-1252      1
Name: CHARSET, dtype: int64

In [7]:
websites.shape

(1781, 21)

In [8]:
websites.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 1781 entries, 0 to 1780
Data columns (total 21 columns):
URL                          1781 non-null object
URL_LENGTH                   1781 non-null int64
NUMBER_SPECIAL_CHARACTERS    1781 non-null int64
CHARSET                      1781 non-null object
SERVER                       1780 non-null object
CONTENT_LENGTH               969 non-null float64
WHOIS_COUNTRY                1781 non-null object
WHOIS_STATEPRO               1781 non-null object
WHOIS_REGDATE                1781 non-null object
WHOIS_UPDATED_DATE           1781 non-null object
TCP_CONVERSATION_EXCHANGE    1781 non-null int64
DIST_REMOTE_TCP_PORT         1781 non-null int64
REMOTE_IPS                   1781 non-null int64
APP_BYTES                    1781 non-null int64
SOURCE_APP_PACKETS           1781 non-null int64
REMOTE_APP_PACKETS           1781 non-null int64
SOURCE_APP_BYTES             1781 non-null int64
REMOTE_APP_BYTES             1781 non-null int64
APP

In [9]:
col=[websites.columns[e].lower() for e in range(len(websites.columns))]
websites.columns=col
websites.head()

Unnamed: 0,url,url_length,number_special_characters,charset,server,content_length,whois_country,whois_statepro,whois_regdate,whois_updated_date,...,dist_remote_tcp_port,remote_ips,app_bytes,source_app_packets,remote_app_packets,source_app_bytes,remote_app_bytes,app_packets,dns_query_times,type
0,M0_109,16,7,iso-8859-1,nginx,263.0,,,10/10/2015 18:21,,...,0,2,700,9,10,1153,832,9,2.0,1
1,B0_2314,16,6,UTF-8,Apache/2.4.10,15087.0,,,,,...,7,4,1230,17,19,1265,1230,17,0.0,0
2,B0_911,16,6,us-ascii,Microsoft-HTTPAPI/2.0,324.0,,,,,...,0,0,0,0,0,0,0,0,0.0,0
3,B0_113,17,6,ISO-8859-1,nginx,162.0,US,AK,7/10/1997 4:00,12/09/2013 0:45,...,22,3,3812,39,37,18784,4380,39,8.0,0
4,B0_403,17,6,UTF-8,,124140.0,US,TX,12/05/1996 0:00,11/04/2017 0:00,...,2,5,4278,61,62,129889,4586,61,4.0,0


In [10]:
websites.head()

Unnamed: 0,url,url_length,number_special_characters,charset,server,content_length,whois_country,whois_statepro,whois_regdate,whois_updated_date,...,dist_remote_tcp_port,remote_ips,app_bytes,source_app_packets,remote_app_packets,source_app_bytes,remote_app_bytes,app_packets,dns_query_times,type
0,M0_109,16,7,iso-8859-1,nginx,263.0,,,10/10/2015 18:21,,...,0,2,700,9,10,1153,832,9,2.0,1
1,B0_2314,16,6,UTF-8,Apache/2.4.10,15087.0,,,,,...,7,4,1230,17,19,1265,1230,17,0.0,0
2,B0_911,16,6,us-ascii,Microsoft-HTTPAPI/2.0,324.0,,,,,...,0,0,0,0,0,0,0,0,0.0,0
3,B0_113,17,6,ISO-8859-1,nginx,162.0,US,AK,7/10/1997 4:00,12/09/2013 0:45,...,22,3,3812,39,37,18784,4380,39,8.0,0
4,B0_403,17,6,UTF-8,,124140.0,US,TX,12/05/1996 0:00,11/04/2017 0:00,...,2,5,4278,61,62,129889,4586,61,4.0,0


In [11]:
# Your comment here
#La columna URL (combinacion de texto y numeros) será eliminadas

#### Next, evaluate if the columns in this dataset are strongly correlated.

In the Mushroom supervised learning lab we did recently, we mentioned we are concerned if our dataset has strongly correlated columns because if it is the case we need to choose certain ML algorithms instead of others. We need to evaluate this for our dataset now.

Luckily, most of the columns in this dataset are ordinal which makes things a lot easier for us. In the next cells below, evaluate the level of collinearity of the data.

We provide some general directions for you to consult in order to complete this step:

1. You will create a correlation matrix using the numeric columns in the dataset.

1. Create a heatmap using `seaborn` to visualize which columns have high collinearity.

1. Comment on which columns you might need to remove due to high collinearity.

In [12]:
# Your code here
#https://stackoverflow.com/questions/39409866/correlation-heatmap
corr = websites.corr()
cmap = cmap=sns.diverging_palette(5, 250, as_cmap=True)
def magnify():
    return [dict(selector="th",
                 props=[("font-size", "7pt")]),
            dict(selector="td",
                 props=[('padding', "0em 0em")]),
            dict(selector="th:hover",
                 props=[("font-size", "12pt")]),
            dict(selector="tr:hover td:hover",
                 props=[('max-width', '200px'),
                        ('font-size', '12pt')])
]
corr.style.background_gradient(cmap, axis=1)\
    .set_properties(**{'max-width': '80px', 'font-size': '10pt'})\
    .set_caption("Hover to magify")\
    .set_precision(2)\
    .set_table_styles(magnify())

Unnamed: 0,url_length,number_special_characters,content_length,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_packets,remote_app_packets,source_app_bytes,remote_app_bytes,app_packets,dns_query_times,type
url_length,1.0,0.92,0.13,-0.038,-0.04,-0.046,-0.026,-0.042,-0.034,-0.015,-0.027,-0.042,-0.069,0.16
number_special_characters,0.92,1.0,0.21,-0.037,-0.043,-0.047,-0.024,-0.04,-0.031,-0.014,-0.024,-0.04,-0.05,0.28
content_length,0.13,0.21,1.0,0.078,-0.00038,0.0048,0.051,0.074,0.091,0.1,0.048,0.074,-0.046,-0.091
tcp_conversation_exchange,-0.038,-0.037,0.078,1.0,0.56,0.33,0.46,1.0,0.99,0.87,0.46,1.0,0.35,-0.04
dist_remote_tcp_port,-0.04,-0.043,-0.00038,0.56,1.0,0.21,0.78,0.56,0.59,0.31,0.78,0.56,0.26,-0.083
remote_ips,-0.046,-0.047,0.0048,0.33,0.21,1.0,0.023,0.36,0.3,0.17,0.025,0.36,0.55,-0.079
app_bytes,-0.026,-0.024,0.051,0.46,0.78,0.023,1.0,0.45,0.47,0.074,1.0,0.45,0.012,-0.011
source_app_packets,-0.042,-0.04,0.074,1.0,0.56,0.36,0.45,1.0,0.99,0.86,0.45,1.0,0.41,-0.034
remote_app_packets,-0.034,-0.031,0.091,0.99,0.59,0.3,0.47,0.99,1.0,0.88,0.47,0.99,0.36,-0.033
source_app_bytes,-0.015,-0.014,0.1,0.87,0.31,0.17,0.074,0.86,0.88,1.0,0.075,0.86,0.22,-0.044


In [13]:
# Your comment here
#source_app_packets,remote_app_packets,app_packets

# Challenge 2 - Remove Column Collinearity.

From the heatmap you created, you should have seen at least 3 columns that can be removed due to high collinearity. Remove these columns from the dataset.

Note that you should remove as few columns as you can. You don't have to remove all the columns at once. But instead, try removing one column, then produce the heatmap again to determine if additional columns should be removed. As long as the dataset no longer contains columns that are correlated for over 90%, you can stop. Also, keep in mind when two columns have high collinearity, you only need to remove one of them but not both.

In the cells below, remove as few columns as you can to eliminate the high collinearity in the dataset. Make sure to comment on your way so that the instructional team can learn about your thinking process which allows them to give feedback. At the end, print the heatmap again.

In [14]:
# Your code here
websites=websites.drop(['source_app_packets','remote_app_packets','app_packets','url_length'],axis=1)
websites.head()

Unnamed: 0,url,number_special_characters,charset,server,content_length,whois_country,whois_statepro,whois_regdate,whois_updated_date,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type
0,M0_109,7,iso-8859-1,nginx,263.0,,,10/10/2015 18:21,,7,0,2,700,1153,832,2.0,1
1,B0_2314,6,UTF-8,Apache/2.4.10,15087.0,,,,,17,7,4,1230,1265,1230,0.0,0
2,B0_911,6,us-ascii,Microsoft-HTTPAPI/2.0,324.0,,,,,0,0,0,0,0,0,0.0,0
3,B0_113,6,ISO-8859-1,nginx,162.0,US,AK,7/10/1997 4:00,12/09/2013 0:45,31,22,3,3812,18784,4380,8.0,0
4,B0_403,6,UTF-8,,124140.0,US,TX,12/05/1996 0:00,11/04/2017 0:00,57,2,5,4278,129889,4586,4.0,0


In [15]:
corr = websites.corr()
corr.style.background_gradient(cmap, axis=1)\
    .set_properties(**{'max-width': '80px', 'font-size': '10pt'})\
    .set_caption("Hover to magify")\
    .set_precision(2)\
    .set_table_styles(magnify())

Unnamed: 0,number_special_characters,content_length,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type
number_special_characters,1.0,0.21,-0.037,-0.043,-0.047,-0.024,-0.014,-0.024,-0.05,0.28
content_length,0.21,1.0,0.078,-0.00038,0.0048,0.051,0.1,0.048,-0.046,-0.091
tcp_conversation_exchange,-0.037,0.078,1.0,0.56,0.33,0.46,0.87,0.46,0.35,-0.04
dist_remote_tcp_port,-0.043,-0.00038,0.56,1.0,0.21,0.78,0.31,0.78,0.26,-0.083
remote_ips,-0.047,0.0048,0.33,0.21,1.0,0.023,0.17,0.025,0.55,-0.079
app_bytes,-0.024,0.051,0.46,0.78,0.023,1.0,0.074,1.0,0.012,-0.011
source_app_bytes,-0.014,0.1,0.87,0.31,0.17,0.074,1.0,0.075,0.22,-0.044
remote_app_bytes,-0.024,0.048,0.46,0.78,0.025,1.0,0.075,1.0,0.016,-0.011
dns_query_times,-0.05,-0.046,0.35,0.26,0.55,0.012,0.22,0.016,1.0,0.069
type,0.28,-0.091,-0.04,-0.083,-0.079,-0.011,-0.044,-0.011,0.069,1.0


# Challenge 3 - Handle Missing Values

The next step would be handling missing values. **We start by examining the number of missing values in each column, which you will do in the next cell.**

In [16]:
# Your code here
websites.isna().sum()

url                            0
number_special_characters      0
charset                        0
server                         1
content_length               812
whois_country                  0
whois_statepro                 0
whois_regdate                  0
whois_updated_date             0
tcp_conversation_exchange      0
dist_remote_tcp_port           0
remote_ips                     0
app_bytes                      0
source_app_bytes               0
remote_app_bytes               0
dns_query_times                1
type                           0
dtype: int64

If you remember in the previous labs, we drop a column if the column contains a high proportion of missing values. After dropping those problematic columns, we drop the rows with missing values.

#### In the cells below, handle the missing values from the dataset. Remember to comment the rationale of your decisions.

In [17]:
# Your code here
websites=websites.drop(['content_length'],axis=1)
websites.head()

Unnamed: 0,url,number_special_characters,charset,server,whois_country,whois_statepro,whois_regdate,whois_updated_date,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type
0,M0_109,7,iso-8859-1,nginx,,,10/10/2015 18:21,,7,0,2,700,1153,832,2.0,1
1,B0_2314,6,UTF-8,Apache/2.4.10,,,,,17,7,4,1230,1265,1230,0.0,0
2,B0_911,6,us-ascii,Microsoft-HTTPAPI/2.0,,,,,0,0,0,0,0,0,0.0,0
3,B0_113,6,ISO-8859-1,nginx,US,AK,7/10/1997 4:00,12/09/2013 0:45,31,22,3,3812,18784,4380,8.0,0
4,B0_403,6,UTF-8,,US,TX,12/05/1996 0:00,11/04/2017 0:00,57,2,5,4278,129889,4586,4.0,0


In [18]:
websites.shape

(1781, 16)

In [19]:
websites=websites.dropna()
websites.head()

Unnamed: 0,url,number_special_characters,charset,server,whois_country,whois_statepro,whois_regdate,whois_updated_date,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type
0,M0_109,7,iso-8859-1,nginx,,,10/10/2015 18:21,,7,0,2,700,1153,832,2.0,1
1,B0_2314,6,UTF-8,Apache/2.4.10,,,,,17,7,4,1230,1265,1230,0.0,0
2,B0_911,6,us-ascii,Microsoft-HTTPAPI/2.0,,,,,0,0,0,0,0,0,0.0,0
3,B0_113,6,ISO-8859-1,nginx,US,AK,7/10/1997 4:00,12/09/2013 0:45,31,22,3,3812,18784,4380,8.0,0
4,B0_403,6,UTF-8,,US,TX,12/05/1996 0:00,11/04/2017 0:00,57,2,5,4278,129889,4586,4.0,0


In [20]:
websites.shape

(1779, 16)

In [21]:
# Your comment here
#Nos cargamos content_length porque casi la mitad de los valores tiene NaN, y luego nos cargamos dos filas en 
#server y en dns_query_times

#### Again, examine the number of missing values in each column. 

If all cleaned, proceed. Otherwise, go back and do more cleaning.

In [22]:
# Examine missing values in each column
websites.isna().sum().sum()

0

# Challenge 4 - Handle `WHOIS_*` Categorical Data

There are several categorical columns we need to handle. These columns are:

* `URL`
* `CHARSET`
* `SERVER`
* `WHOIS_COUNTRY`
* `WHOIS_STATEPRO`
* `WHOIS_REGDATE`
* `WHOIS_UPDATED_DATE`

How to handle string columns is always case by case. Let's start by working on `WHOIS_COUNTRY`. Your steps are:

1. List out the unique values of `WHOIS_COUNTRY`.
1. Consolidate the country values with consistent country codes. For example, the following values refer to the same country and should use consistent country code:
    * `CY` and `Cyprus`
    * `US` and `us`
    * `SE` and `se`
    * `GB`, `United Kingdom`, and `[u'GB'; u'UK']`

#### In the cells below, fix the country values as intructed above.

In [23]:
# Your code here
websites.whois_country.unique(),len(websites.whois_country.unique())

(array(['None', 'US', 'SC', 'GB', 'UK', 'RU', 'AU', 'CA', 'PA', 'se', 'IN',
        'LU', 'TH', "[u'GB'; u'UK']", 'FR', 'NL', 'UG', 'JP', 'CN', 'SE',
        'SI', 'IL', 'ru', 'KY', 'AT', 'CZ', 'PH', 'BE', 'NO', 'TR', 'LV',
        'DE', 'ES', 'BR', 'us', 'KR', 'HK', 'UA', 'CH', 'United Kingdom',
        'BS', 'PK', 'IT', 'Cyprus', 'BY', 'AE', 'IE', 'UY', 'KG'],
       dtype=object), 49)

In [24]:
websites.whois_country=websites.whois_country.str.replace('Cyprus','CY')
websites.whois_country=websites.whois_country.str.replace('us','US')
websites.whois_country=websites.whois_country.str.replace('se','SE')
websites.whois_country=websites.whois_country.str.replace('United Kingdom','GB')
websites.whois_country=websites.whois_country.str.replace("\[u\'GB\'\; u\'UK\'\]",'GB')
websites.whois_country=websites.whois_country.str.replace('ru','RU')
websites.whois_country.unique(),len(websites.whois_country.unique())

(array(['None', 'US', 'SC', 'GB', 'UK', 'RU', 'AU', 'CA', 'PA', 'SE', 'IN',
        'LU', 'TH', 'FR', 'NL', 'UG', 'JP', 'CN', 'SI', 'IL', 'KY', 'AT',
        'CZ', 'PH', 'BE', 'NO', 'TR', 'LV', 'DE', 'ES', 'BR', 'KR', 'HK',
        'UA', 'CH', 'BS', 'PK', 'IT', 'CY', 'BY', 'AE', 'IE', 'UY', 'KG'],
       dtype=object), 44)

Since we have fixed the country values, can we convert this column to ordinal now?

Not yet. If you reflect on the previous labs how we handle categorical columns, you probably remember we ended up dropping a lot of those columns because there are too many unique values. Too many unique values in a column is not desirable in machine learning because it makes prediction inaccurate. But there are workarounds under certain conditions. One of the fixable conditions is:

#### If a limited number of values account for the majority of data, we can retain these top values and re-label all other rare values.

The `WHOIS_COUNTRY` column happens to be this case. You can verify it by print a bar chart of the `value_counts` in the next cell to verify:

In [25]:
# Your code here
websites.whois_country.value_counts()

US      1105
None     306
CA        83
ES        63
AU        35
GB        25
PA        21
JP        11
CN        10
UK        10
IN        10
FR         9
CZ         9
CH         6
NL         6
RU         6
KR         5
BS         4
PH         4
SE         4
AT         4
DE         3
KY         3
TR         3
HK         3
SC         3
BE         3
KG         2
NO         2
SI         2
IL         2
UA         2
BR         2
UY         2
CY         2
LV         1
BY         1
LU         1
UG         1
TH         1
AE         1
IE         1
IT         1
PK         1
Name: whois_country, dtype: int64

#### After verifying, now let's keep the top 10 values of the column and re-label other columns with `OTHER`.

In [51]:
# Your code here
#https://stackoverflow.com/questions/46920454/how-to-replace-multiple-values-with-one-value-python
#110 'other' values, 1669 weight's values
x = dict.fromkeys(['CN', 'FR', 'CZ', 'CH', 'RU', 'NL', 'KR', 'AT', 'SE', 'BS', 'PH',
       'TR', 'DE', 'HK', 'SC', 'BE', 'KY', 'SI', 'IL', 'BR', 'UY', 'KG',
       'NO', 'CY', 'UA', 'LV', 'BY', 'LU', 'IT', 'UG', 'TH', 'AE', 'PK',
       'IE'], 'other')    
websites.whois_country=websites.whois_country.replace(x)
websites.whois_country.value_counts()

US       1105
None      306
other     110
CA         83
ES         63
AU         35
GB         25
PA         21
JP         11
IN         10
UK         10
Name: whois_country, dtype: int64

Now since `WHOIS_COUNTRY` has been re-labelled, we don't need `WHOIS_STATEPRO` any more because the values of the states or provinces may not be relevant any more. We'll drop this column.

In addition, we will also drop `WHOIS_REGDATE` and `WHOIS_UPDATED_DATE`. These are the registration and update dates of the website domains. Not of our concerns.

#### In the next cell, drop `['WHOIS_STATEPRO', 'WHOIS_REGDATE', 'WHOIS_UPDATED_DATE']`.

In [27]:
# Your code here
websites=websites.drop(['whois_statepro','whois_regdate','whois_updated_date'],axis=1)
websites.head()

Unnamed: 0,url,number_special_characters,charset,server,whois_country,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type
0,M0_109,7,iso-8859-1,nginx,,7,0,2,700,1153,832,2.0,1
1,B0_2314,6,UTF-8,Apache/2.4.10,,17,7,4,1230,1265,1230,0.0,0
2,B0_911,6,us-ascii,Microsoft-HTTPAPI/2.0,,0,0,0,0,0,0,0.0,0
3,B0_113,6,ISO-8859-1,nginx,US,31,22,3,3812,18784,4380,8.0,0
4,B0_403,6,UTF-8,,US,57,2,5,4278,129889,4586,4.0,0


# Challenge 5 - Handle Remaining Categorical Data & Convert to Ordinal

Now print the `dtypes` of the data again. Besides `WHOIS_COUNTRY` which we already fixed, there should be 3 categorical columns left: `URL`, `CHARSET`, and `SERVER`.

In [28]:
# Your code here
websites.info()

<class 'pandas.core.frame.DataFrame'>
Int64Index: 1779 entries, 0 to 1780
Data columns (total 13 columns):
url                          1779 non-null object
number_special_characters    1779 non-null int64
charset                      1779 non-null object
server                       1779 non-null object
whois_country                1779 non-null object
tcp_conversation_exchange    1779 non-null int64
dist_remote_tcp_port         1779 non-null int64
remote_ips                   1779 non-null int64
app_bytes                    1779 non-null int64
source_app_bytes             1779 non-null int64
remote_app_bytes             1779 non-null int64
dns_query_times              1779 non-null float64
type                         1779 non-null int64
dtypes: float64(1), int64(8), object(4)
memory usage: 194.6+ KB


#### `URL` is easy. We'll simply drop it because it has too many unique values that there's no way for us to consolidate.

In [29]:
# Your code here
websites=websites.drop(['url'],axis=1)
websites.head()

Unnamed: 0,number_special_characters,charset,server,whois_country,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type
0,7,iso-8859-1,nginx,,7,0,2,700,1153,832,2.0,1
1,6,UTF-8,Apache/2.4.10,,17,7,4,1230,1265,1230,0.0,0
2,6,us-ascii,Microsoft-HTTPAPI/2.0,,0,0,0,0,0,0,0.0,0
3,6,ISO-8859-1,nginx,US,31,22,3,3812,18784,4380,8.0,0
4,6,UTF-8,,US,57,2,5,4278,129889,4586,4.0,0


#### Print the unique value counts of `CHARSET`. You see there are only a few unique values. So we can keep it as it is.

In [30]:
# Your code here
websites.charset.value_counts()

UTF-8           674
ISO-8859-1      427
utf-8           379
us-ascii        155
iso-8859-1      134
None              7
ISO-8859          1
windows-1251      1
windows-1252      1
Name: charset, dtype: int64

`SERVER` is a little more complicated. Print its unique values and think about how you can consolidate those values.

#### Before you think of your own solution, don't read the instructions that come next.

In [31]:
# Your code here
websites.server.value_counts()

Apache                                                                      385
nginx                                                                       211
None                                                                        175
Microsoft-HTTPAPI/2.0                                                       113
cloudflare-nginx                                                             94
                                                                           ... 
Apache/2.4.23 (Unix)                                                          1
mw2106.codfw.wmnet                                                            1
Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.10      1
Apache/2.2.11 (Unix) PHP/5.2.6                                                1
Apache/1.3.37 (Unix) mod_perl/1.29 mod_ssl/2.8.28 OpenSSL/0.9.7e-p1           1
Name: server, Length: 239, dtype: int64

In [33]:
#![Think Hard](../think-hard.jpg)

In [34]:
# Your comment here


Although there are so many unique values in the `SERVER` column, there are actually only 3 main server types: `Microsoft`, `Apache`, and `nginx`. Just check if each `SERVER` value contains any of those server types and re-label them. For `SERVER` values that don't contain any of those substrings, label with `Other`.

At the end, your `SERVER` column should only contain 4 unique values: `Microsoft`, `Apache`, `nginx`, and `Other`.

In [35]:
# Your code here
#https://es.stackoverflow.com/questions/170284/crear-diccionario-a-partir-de-una-lista
#Filtro Microsft, Apache, nginx
websites.server=websites.server.str.replace('^Microsoft.+', 'Microsoft')
websites.server=websites.server.str.replace('^Apache.+', 'Apache')
websites.server=websites.server.str.replace('.+nginx', 'nginx')
websites.server=websites.server.str.replace('^nginx.+', 'nginx')
#todos es una lista con los datos que vamos a poner como Other
todos=websites.server.value_counts().tail(108)
#Creo un diccionario
res={}
for e in range(len(todos.index)):
    res[todos.index[e]]='Other' 
#Reemplazo cada key(valor en lista todos) por el value(Other)
websites.server=websites.server.replace(res)

In [49]:
# Count `SERVER` value counts here
websites.server.value_counts()

Apache       641
Other        505
nginx        435
Microsoft    198
Name: server, dtype: int64

In [50]:
websites.info()

<class 'pandas.core.frame.DataFrame'>
Int64Index: 1779 entries, 0 to 1780
Data columns (total 12 columns):
number_special_characters    1779 non-null int64
charset                      1779 non-null object
server                       1779 non-null object
whois_country                1779 non-null object
tcp_conversation_exchange    1779 non-null int64
dist_remote_tcp_port         1779 non-null int64
remote_ips                   1779 non-null int64
app_bytes                    1779 non-null int64
source_app_bytes             1779 non-null int64
remote_app_bytes             1779 non-null int64
dns_query_times              1779 non-null float64
type                         1779 non-null int64
dtypes: float64(1), int64(8), object(3)
memory usage: 180.7+ KB


OK, all our categorical data are fixed now. **Let's convert them to ordinal data using Pandas' `get_dummies` function ([documentation](https://pandas.pydata.org/pandas-docs/stable/generated/pandas.get_dummies.html)).** Make sure you drop the categorical columns by passing `drop_first=True` to `get_dummies` as we don't need them any more. **Also, assign the data with dummy values to a new variable `website_dummy`.**

In [53]:
# Your code here
#https://stackoverflow.com/questions/36285155/pandas-get-dummies
website_dummy=pd.get_dummies(websites, columns=['charset','server','whois_country']) 

Now, inspect `website_dummy` to make sure the data and types are intended - there shouldn't be any categorical columns at this point.

In [54]:
# Your code here
website_dummy.info()

<class 'pandas.core.frame.DataFrame'>
Int64Index: 1779 entries, 0 to 1780
Data columns (total 33 columns):
number_special_characters    1779 non-null int64
tcp_conversation_exchange    1779 non-null int64
dist_remote_tcp_port         1779 non-null int64
remote_ips                   1779 non-null int64
app_bytes                    1779 non-null int64
source_app_bytes             1779 non-null int64
remote_app_bytes             1779 non-null int64
dns_query_times              1779 non-null float64
type                         1779 non-null int64
charset_ISO-8859             1779 non-null uint8
charset_ISO-8859-1           1779 non-null uint8
charset_None                 1779 non-null uint8
charset_UTF-8                1779 non-null uint8
charset_iso-8859-1           1779 non-null uint8
charset_us-ascii             1779 non-null uint8
charset_utf-8                1779 non-null uint8
charset_windows-1251         1779 non-null uint8
charset_windows-1252         1779 non-null uint8
server_Ap

In [56]:
websites.head()

Unnamed: 0,number_special_characters,charset,server,whois_country,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type
0,7,iso-8859-1,nginx,,7,0,2,700,1153,832,2.0,1
1,6,UTF-8,Apache,,17,7,4,1230,1265,1230,0.0,0
2,6,us-ascii,Microsoft,,0,0,0,0,0,0,0.0,0
3,6,ISO-8859-1,nginx,US,31,22,3,3812,18784,4380,8.0,0
4,6,UTF-8,Other,US,57,2,5,4278,129889,4586,4.0,0


In [55]:
website_dummy.head()

Unnamed: 0,number_special_characters,tcp_conversation_exchange,dist_remote_tcp_port,remote_ips,app_bytes,source_app_bytes,remote_app_bytes,dns_query_times,type,charset_ISO-8859,...,whois_country_CA,whois_country_ES,whois_country_GB,whois_country_IN,whois_country_JP,whois_country_None,whois_country_PA,whois_country_UK,whois_country_US,whois_country_other
0,7,7,0,2,700,1153,832,2.0,1,0,...,0,0,0,0,0,1,0,0,0,0
1,6,17,7,4,1230,1265,1230,0.0,0,0,...,0,0,0,0,0,1,0,0,0,0
2,6,0,0,0,0,0,0,0.0,0,0,...,0,0,0,0,0,1,0,0,0,0
3,6,31,22,3,3812,18784,4380,8.0,0,0,...,0,0,0,0,0,0,0,0,1,0
4,6,57,2,5,4278,129889,4586,4.0,0,0,...,0,0,0,0,0,0,0,0,1,0


# Challenge 6 - Modeling, Prediction, and Evaluation

We'll start off this section by splitting the data to train and test. **Name your 4 variables `X_train`, `X_test`, `y_train`, and `y_test`. Select 80% of the data for training and 20% for testing.**

In [39]:
from sklearn.model_selection import train_test_split

# Your code here:


#### In this lab, we will try two different models and compare our results.

The first model we will use in this lab is logistic regression. We have previously learned about logistic regression as a classification algorithm. In the cell below, load `LogisticRegression` from scikit-learn and initialize the model.

In [40]:
# Your code here:



Next, fit the model to our training data. We have already separated our data into 4 parts. Use those in your model.

In [41]:
# Your code here:



finally, import `confusion_matrix` and `accuracy_score` from `sklearn.metrics` and fit our testing data. Assign the fitted data to `y_pred` and print the confusion matrix as well as the accuracy score

In [42]:
# Your code here:



What are your thoughts on the performance of the model? Write your conclusions below.

In [43]:
# Your conclusions here:



#### Our second algorithm is is K-Nearest Neighbors. 

Though is it not required, we will fit a model using the training data and then test the performance of the model using the testing data. Start by loading `KNeighborsClassifier` from scikit-learn and then initializing and fitting the model. We'll start off with a model where k=3.

In [44]:
# Your code here:



To test your model, compute the predicted values for the testing sample and print the confusion matrix as well as the accuracy score.

In [45]:
# Your code here:



#### We'll create another K-Nearest Neighbors model with k=5. 

Initialize and fit the model below and print the confusion matrix and the accuracy score.

In [46]:
# Your code here:



Did you see an improvement in the confusion matrix when increasing k to 5? Did you see an improvement in the accuracy score? Write your conclusions below.

In [47]:
# Your conclusions here:



# Bonus Challenge - Feature Scaling

Problem-solving in machine learning is iterative. You can improve your model prediction with various techniques (there is a sweetspot for the time you spend and the improvement you receive though). Now you've completed only one iteration of ML analysis. There are more iterations you can conduct to make improvements. In order to be able to do that, you will need deeper knowledge in statistics and master more data analysis techniques. In this bootcamp, we don't have time to achieve that advanced goal. But you will make constant efforts after the bootcamp to eventually get there.

However, now we do want you to learn one of the advanced techniques which is called *feature scaling*. The idea of feature scaling is to standardize/normalize the range of independent variables or features of the data. This can make the outliers more apparent so that you can remove them. This step needs to happen during Challenge 6 after you split the training and test data because you don't want to split the data again which makes it impossible to compare your results with and without feature scaling. For general concepts about feature scaling, click [here](https://en.wikipedia.org/wiki/Feature_scaling). To read deeper, click [here](https://medium.com/greyatom/why-how-and-when-to-scale-your-features-4b30ab09db5e).

In the next cell, attempt to improve your model prediction accuracy by means of feature scaling. A library you can utilize is `sklearn.preprocessing.RobustScaler` ([documentation](https://scikit-learn.org/stable/modules/generated/sklearn.preprocessing.RobustScaler.html)). You'll use the `RobustScaler` to fit and transform your `X_train`, then transform `X_test`. You will use logistic regression to fit and predict your transformed data and obtain the accuracy score in the same way. Compare the accuracy score with your normalized data with the previous accuracy data. Is there an improvement?

In [48]:
# Your code here