### To explore files
- load them
- strip columns
- Check labels

In [1]:
import pandas as pd
import numpy as np

## Exploring CICIDS monday benign file

In [4]:
#Loading small part of CICIDS2017
cic_path = "../datasets/raw/CICIDS2017/Monday-WorkingHours.pcap_ISCX.csv"

cic_df = pd.read_csv(cic_path)


In [5]:
#Looking at the data
#Checking if it loads, if colums are readable and if there is a label column
cic_df.head()

Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,49188,4,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
1,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
2,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
3,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
4,49486,3,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN


In [6]:
#chekcking shape, it gives clarity on how big the dataset is
cic_df.shape

(529918, 79)

In [7]:
#removinf the spaces before or after column names if any
cic_df.columns = cic_df.columns.str.strip()

In [8]:
cic_df.columns

Index(['Destination Port', 'Flow Duration', 'Total Fwd Packets',
       'Total Backward Packets', 'Total Length of Fwd Packets',
       'Total Length of Bwd Packets', 'Fwd Packet Length Max',
       'Fwd Packet Length Min', 'Fwd Packet Length Mean',
       'Fwd Packet Length Std', 'Bwd Packet Length Max',
       'Bwd Packet Length Min', 'Bwd Packet Length Mean',
       'Bwd Packet Length Std', 'Flow Bytes/s', 'Flow Packets/s',
       'Flow IAT Mean', 'Flow IAT Std', 'Flow IAT Max', 'Flow IAT Min',
       'Fwd IAT Total', 'Fwd IAT Mean', 'Fwd IAT Std', 'Fwd IAT Max',
       'Fwd IAT Min', 'Bwd IAT Total', 'Bwd IAT Mean', 'Bwd IAT Std',
       'Bwd IAT Max', 'Bwd IAT Min', 'Fwd PSH Flags', 'Bwd PSH Flags',
       'Fwd URG Flags', 'Bwd URG Flags', 'Fwd Header Length',
       'Bwd Header Length', 'Fwd Packets/s', 'Bwd Packets/s',
       'Min Packet Length', 'Max Packet Length', 'Packet Length Mean',
       'Packet Length Std', 'Packet Length Variance', 'FIN Flag Count',
       'SYN Flag Co

In [9]:
# checking unique labels
#tells what attacks exists, class imbalances, why this dataset is useful for anomaly detection
cic_df['Label'].value_counts()

Label
BENIGN    529918
Name: count, dtype: int64

In [None]:
#checking missing values
cic_df.isnull().sum().sort_values(ascending=False).head(10)


In [None]:
#checking data types
cic_df.dtypes

## Exploring NSL-KDD file

In [None]:
!pip install pyarrow

In [None]:
# loading the NSL-KDD
nsl_path = "../datasets/raw/NSLKDD2019/KDDTrain.parquet"
nsl_df = pd.read_parquet(nsl_path)

In [None]:
#INspecting NSL-kdd
nsl_df.head()

In [None]:
nsl_df.shape


In [None]:
nsl_df.columns

In [None]:
#checking labels in NSL-Kdd
nsl_df.iloc[:, -1].value_counts().head(10)

In [None]:
nsl_df['classnum'].value_counts()

## Exploring tuesday, wednesday and friday 
- has mixed benign and attack data

In [10]:
df_tue = pd.read_csv("../datasets/raw/CICIDS2017/Tuesday-WorkingHours.pcap_ISCX.csv")
df_wed = pd.read_csv("../datasets/raw/CICIDS2017/Wednesday-WorkingHours.pcap_ISCX.csv")
df_fri = pd.read_csv("../datasets/raw/CICIDS2017/Friday-WorkingHours-Morning.pcap_ISCX.csv")


In [11]:
df_tue.columns = cic_df.columns.str.strip()
df_wed.columns = cic_df.columns.str.strip()
df_fri.columns = cic_df.columns.str.strip()

In [13]:
df_tue['Label'].value_counts()


Label
BENIGN         432074
FTP-Patator      7938
SSH-Patator      5897
Name: count, dtype: int64

In [14]:
df_wed['Label'].value_counts()


Label
BENIGN              440031
DoS Hulk            231073
DoS GoldenEye        10293
DoS slowloris         5796
DoS Slowhttptest      5499
Heartbleed              11
Name: count, dtype: int64

In [15]:
df_fri['Label'].value_counts()

Label
BENIGN    189067
Bot         1966
Name: count, dtype: int64

## Exploring other attack files

In [2]:
df_thu_morning = pd.read_csv("../datasets/raw/CICIDS2017/Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv")
df_thu_noon = pd.read_csv("../datasets/raw/CICIDS2017/Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX.csv")
df_fri_noon1 = pd.read_csv("../datasets/raw/CICIDS2017/Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX.csv")
df_fri_noon2 = pd.read_csv("../datasets/raw/CICIDS2017/Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv")

In [3]:
df_thu_morning.columns = df_thu_morning.columns.str.strip()
df_thu_noon.columns = df_thu_noon.columns.str.strip()
df_fri_noon1.columns = df_fri_noon1.columns.str.strip()
df_fri_noon2.columns = df_fri_noon2.columns.str.strip()

In [4]:
df_thu_morning['Label'].value_counts()

Label
BENIGN                        168186
Web Attack � Brute Force        1507
Web Attack � XSS                 652
Web Attack � Sql Injection        21
Name: count, dtype: int64

In [5]:
df_thu_noon['Label'].value_counts()

Label
BENIGN          288566
Infiltration        36
Name: count, dtype: int64

In [6]:
df_fri_noon1['Label'].value_counts()

Label
PortScan    158930
BENIGN      127537
Name: count, dtype: int64

In [7]:
df_fri_noon2['Label'].value_counts()

Label
DDoS      128027
BENIGN     97718
Name: count, dtype: int64