# Extract, Transform, Load pipeline

### Navigation
* [README](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/blob/main/README.md)
* [Raw data](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/tree/main/data/raw)
* [EDA Analysis](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/blob/main/jupyter_notebooks/2.%20eda_analysis.ipynb)
* [Hypothesis Validation](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/blob/main/jupyter_notebooks/3.%20hypothesis_validation.ipynb)
* [Visualisation](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/blob/main/jupyter_notebooks/4.%20visualisations.ipynb)

### Install libraries and load dataset

In [1]:
import numpy as np
import pandas as pd

In [2]:
# load dataset
train = pd.read_csv('../data/raw/train_data.csv')
test = pd.read_csv('../data/raw/test_data.csv')

# check if the dataset is loaded correctly
print("Train dataset:")
train.head()

Train dataset:


Unnamed: 0,duration,protocol_type,service,flag,src_bytes,dst_bytes,land,wrong_fragment,urgent,hot,...,dst_host_srv_count,dst_host_same_srv_rate,dst_host_diff_srv_rate,dst_host_same_src_port_rate,dst_host_srv_diff_host_rate,dst_host_serror_rate,dst_host_srv_serror_rate,dst_host_rerror_rate,dst_host_srv_rerror_rate,class
0,0,tcp,ftp_data,SF,491,0,0,0,0,0,...,25,0.17,0.03,0.17,0.0,0.0,0.0,0.05,0.0,normal
1,0,udp,other,SF,146,0,0,0,0,0,...,1,0.0,0.6,0.88,0.0,0.0,0.0,0.0,0.0,normal
2,0,tcp,private,S0,0,0,0,0,0,0,...,26,0.1,0.05,0.0,0.0,1.0,1.0,0.0,0.0,anomaly
3,0,tcp,http,SF,232,8153,0,0,0,0,...,255,1.0,0.0,0.03,0.04,0.03,0.01,0.0,0.01,normal
4,0,tcp,http,SF,199,420,0,0,0,0,...,255,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,normal


In [3]:
# check for test dataset
print("Test dataset:")
test.head() 

Test dataset:


Unnamed: 0,duration,protocol_type,service,flag,src_bytes,dst_bytes,land,wrong_fragment,urgent,hot,...,dst_host_count,dst_host_srv_count,dst_host_same_srv_rate,dst_host_diff_srv_rate,dst_host_same_src_port_rate,dst_host_srv_diff_host_rate,dst_host_serror_rate,dst_host_srv_serror_rate,dst_host_rerror_rate,dst_host_srv_rerror_rate
0,0,tcp,private,REJ,0,0,0,0,0,0,...,255,10,0.04,0.06,0.0,0.0,0.0,0.0,1.0,1.0
1,0,tcp,private,REJ,0,0,0,0,0,0,...,255,1,0.0,0.06,0.0,0.0,0.0,0.0,1.0,1.0
2,2,tcp,ftp_data,SF,12983,0,0,0,0,0,...,134,86,0.61,0.04,0.61,0.02,0.0,0.0,0.0,0.0
3,0,icmp,eco_i,SF,20,0,0,0,0,0,...,3,57,1.0,0.0,1.0,0.28,0.0,0.0,0.0,0.0
4,1,tcp,telnet,RSTO,0,15,0,0,0,0,...,29,86,0.31,0.17,0.03,0.02,0.0,0.0,0.83,0.71


In [4]:
# check for data size
print('Train data: ')
print(train.shape)
print('Test data: ')
print(test.shape)

Train data: 
(25192, 42)
Test data: 
(22544, 41)


Data is loaded correctly

### Check for Null values

In [5]:
# check for null value in train data
train.isnull().sum()

duration                       0
protocol_type                  0
service                        0
flag                           0
src_bytes                      0
dst_bytes                      0
land                           0
wrong_fragment                 0
urgent                         0
hot                            0
num_failed_logins              0
logged_in                      0
num_compromised                0
root_shell                     0
su_attempted                   0
num_root                       0
num_file_creations             0
num_shells                     0
num_access_files               0
num_outbound_cmds              0
is_host_login                  0
is_guest_login                 0
count                          0
srv_count                      0
serror_rate                    0
srv_serror_rate                0
rerror_rate                    0
srv_rerror_rate                0
same_srv_rate                  0
diff_srv_rate                  0
srv_diff_h

In [6]:
# check for null value in test data
test.isnull().sum()

duration                       0
protocol_type                  0
service                        0
flag                           0
src_bytes                      0
dst_bytes                      0
land                           0
wrong_fragment                 0
urgent                         0
hot                            0
num_failed_logins              0
logged_in                      0
num_compromised                0
root_shell                     0
su_attempted                   0
num_root                       0
num_file_creations             0
num_shells                     0
num_access_files               0
num_outbound_cmds              0
is_host_login                  0
is_guest_login                 0
count                          0
srv_count                      0
serror_rate                    0
srv_serror_rate                0
rerror_rate                    0
srv_rerror_rate                0
same_srv_rate                  0
diff_srv_rate                  0
srv_diff_h

No null values in both dataset

#### Convert datatype into boolean

In [7]:
# check for data types for train data   
train.dtypes

duration                         int64
protocol_type                   object
service                         object
flag                            object
src_bytes                        int64
dst_bytes                        int64
land                             int64
wrong_fragment                   int64
urgent                           int64
hot                              int64
num_failed_logins                int64
logged_in                        int64
num_compromised                  int64
root_shell                       int64
su_attempted                     int64
num_root                         int64
num_file_creations               int64
num_shells                       int64
num_access_files                 int64
num_outbound_cmds                int64
is_host_login                    int64
is_guest_login                   int64
count                            int64
srv_count                        int64
serror_rate                    float64
srv_serror_rate          

In [8]:
# check for data types in test data
test.dtypes

duration                         int64
protocol_type                   object
service                         object
flag                            object
src_bytes                        int64
dst_bytes                        int64
land                             int64
wrong_fragment                   int64
urgent                           int64
hot                              int64
num_failed_logins                int64
logged_in                        int64
num_compromised                  int64
root_shell                       int64
su_attempted                     int64
num_root                         int64
num_file_creations               int64
num_shells                       int64
num_access_files                 int64
num_outbound_cmds                int64
is_host_login                    int64
is_guest_login                   int64
count                            int64
srv_count                        int64
serror_rate                    float64
srv_serror_rate          

Columns with `land`, `urgent`, `logged_in`,`root_shells`, `num_shells`,`is_guest_login` are booleans so I will convert the data type

In [9]:
boolean_columns = ['land', 'urgent', 'logged_in', 'root_shell', 'num_shells', 'is_guest_login','is_host_login']
train[boolean_columns] = train[boolean_columns].astype(bool)
test[boolean_columns] = test[boolean_columns].astype(bool)


In [10]:
train.dtypes

duration                         int64
protocol_type                   object
service                         object
flag                            object
src_bytes                        int64
dst_bytes                        int64
land                              bool
wrong_fragment                   int64
urgent                            bool
hot                              int64
num_failed_logins                int64
logged_in                         bool
num_compromised                  int64
root_shell                        bool
su_attempted                     int64
num_root                         int64
num_file_creations               int64
num_shells                        bool
num_access_files                 int64
num_outbound_cmds                int64
is_host_login                     bool
is_guest_login                    bool
count                            int64
srv_count                        int64
serror_rate                    float64
srv_serror_rate          

In [11]:
test.dtypes

duration                         int64
protocol_type                   object
service                         object
flag                            object
src_bytes                        int64
dst_bytes                        int64
land                              bool
wrong_fragment                   int64
urgent                            bool
hot                              int64
num_failed_logins                int64
logged_in                         bool
num_compromised                  int64
root_shell                        bool
su_attempted                     int64
num_root                         int64
num_file_creations               int64
num_shells                        bool
num_access_files                 int64
num_outbound_cmds                int64
is_host_login                     bool
is_guest_login                    bool
count                            int64
srv_count                        int64
serror_rate                    float64
srv_serror_rate          

Data types are converted successfully

### Check inconsistency in categorical variable

In [12]:
print('Train data: ') 
print(train.select_dtypes(include='object').nunique())
print('\nTest data:')
print(test.select_dtypes(include='object').nunique())


Train data: 
protocol_type     3
service          66
flag             11
class             2
dtype: int64

Test data:
protocol_type     3
service          64
flag             11
dtype: int64


In [13]:
# List all the unique value in each dataset in aphabetical order
print('Train data: ')
print(sorted(train['service'].unique()))
print('Test data: ')
print(sorted(test['service'].unique()))

Train data: 
['IRC', 'X11', 'Z39_50', 'auth', 'bgp', 'courier', 'csnet_ns', 'ctf', 'daytime', 'discard', 'domain', 'domain_u', 'echo', 'eco_i', 'ecr_i', 'efs', 'exec', 'finger', 'ftp', 'ftp_data', 'gopher', 'hostnames', 'http', 'http_443', 'http_8001', 'imap4', 'iso_tsap', 'klogin', 'kshell', 'ldap', 'link', 'login', 'mtp', 'name', 'netbios_dgm', 'netbios_ns', 'netbios_ssn', 'netstat', 'nnsp', 'nntp', 'ntp_u', 'other', 'pm_dump', 'pop_2', 'pop_3', 'printer', 'private', 'red_i', 'remote_job', 'rje', 'shell', 'smtp', 'sql_net', 'ssh', 'sunrpc', 'supdup', 'systat', 'telnet', 'tim_i', 'time', 'urh_i', 'urp_i', 'uucp', 'uucp_path', 'vmnet', 'whois']
Test data: 
['IRC', 'X11', 'Z39_50', 'auth', 'bgp', 'courier', 'csnet_ns', 'ctf', 'daytime', 'discard', 'domain', 'domain_u', 'echo', 'eco_i', 'ecr_i', 'efs', 'exec', 'finger', 'ftp', 'ftp_data', 'gopher', 'hostnames', 'http', 'http_443', 'imap4', 'iso_tsap', 'klogin', 'kshell', 'ldap', 'link', 'login', 'mtp', 'name', 'netbios_dgm', 'netbios_ns'

In [14]:
# Assign variable
train_services = set(train['service'].unique())
test_services = set(test['service'].unique())

# Find values in test but not in train
no_services1 = test_services - train_services

# Find values in train but not in test 
no_services2 =  train_services - test_services

print("Services in Train but NOT in Test:")
print(sorted(no_services1))

print("\nService in Test but Not in Train:")
print(sorted(no_services2))

Services in Train but NOT in Test:
['tftp_u']

Service in Test but Not in Train:
['http_8001', 'red_i', 'urh_i']


Two dataset contains different services. Since one data is used to train a machine learning model, the other is a test model, I will remove those inconsistent values

In [15]:
# Filter values that are not present in the other dataset.
test_filtered = test[test['service'].isin(train['service'].unique())]
train_filtered = train[train['service'].isin(test['service'].unique())]

# Check the number of unique value in `service` column 
print('Train data: ') 
print(train_filtered.select_dtypes(include='object').nunique())
print('\nTest data:')
print(test_filtered.select_dtypes(include='object').nunique())


Train data: 
protocol_type     3
service          63
flag             11
class             2
dtype: int64

Test data:
protocol_type     3
service          63
flag             11
dtype: int64


Now data is consistent

### Feature engineering

`num_outbound_cmds` and `is_host_login` have only one value which is 0. Since it is not useful information to detect anormaly, we will remove this column  

In [16]:
# drop columns
test2 = test_filtered.drop(['num_outbound_cmds','is_host_login'], axis=1)
train2 = train_filtered.drop(['num_outbound_cmds','is_host_login'], axis=1)

# check if the column is removed - False means those columns are not in the data
print('num_outbound_cmds')
print('num_outbound_cmds' in test2.columns)
print('num_outbound_cmds' in train2.columns)

print('\nis_host_login')
print('is_host_login' in test2.columns)
print('is_host_login' in train2.columns)


num_outbound_cmds
False
False

is_host_login
False
False


#### Add column for hypothesis analysis
In order to reduce the extreme outliers in the data, we create new column with logarithm

In [17]:
train2['log_src_bytes'] = np.log1p(train2['src_bytes'])  # log(src_bytes + 1)
test2['log_src_bytes'] = np.log1p(test2['src_bytes'])  
train2.head()

Unnamed: 0,duration,protocol_type,service,flag,src_bytes,dst_bytes,land,wrong_fragment,urgent,hot,...,dst_host_same_srv_rate,dst_host_diff_srv_rate,dst_host_same_src_port_rate,dst_host_srv_diff_host_rate,dst_host_serror_rate,dst_host_srv_serror_rate,dst_host_rerror_rate,dst_host_srv_rerror_rate,class,log_src_bytes
0,0,tcp,ftp_data,SF,491,0,False,0,False,0,...,0.17,0.03,0.17,0.0,0.0,0.0,0.05,0.0,normal,6.198479
1,0,udp,other,SF,146,0,False,0,False,0,...,0.0,0.6,0.88,0.0,0.0,0.0,0.0,0.0,normal,4.990433
2,0,tcp,private,S0,0,0,False,0,False,0,...,0.1,0.05,0.0,0.0,1.0,1.0,0.0,0.0,anomaly,0.0
3,0,tcp,http,SF,232,8153,False,0,False,0,...,1.0,0.0,0.03,0.04,0.03,0.01,0.0,0.01,normal,5.451038
4,0,tcp,http,SF,199,420,False,0,False,0,...,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,normal,5.298317


In [18]:
test2.head()

Unnamed: 0,duration,protocol_type,service,flag,src_bytes,dst_bytes,land,wrong_fragment,urgent,hot,...,dst_host_srv_count,dst_host_same_srv_rate,dst_host_diff_srv_rate,dst_host_same_src_port_rate,dst_host_srv_diff_host_rate,dst_host_serror_rate,dst_host_srv_serror_rate,dst_host_rerror_rate,dst_host_srv_rerror_rate,log_src_bytes
0,0,tcp,private,REJ,0,0,False,0,False,0,...,10,0.04,0.06,0.0,0.0,0.0,0.0,1.0,1.0,0.0
1,0,tcp,private,REJ,0,0,False,0,False,0,...,1,0.0,0.06,0.0,0.0,0.0,0.0,1.0,1.0,0.0
2,2,tcp,ftp_data,SF,12983,0,False,0,False,0,...,86,0.61,0.04,0.61,0.02,0.0,0.0,0.0,0.0,9.471473
3,0,icmp,eco_i,SF,20,0,False,0,False,0,...,57,1.0,0.0,1.0,0.28,0.0,0.0,0.0,0.0,3.044522
4,1,tcp,telnet,RSTO,0,15,False,0,False,0,...,86,0.31,0.17,0.03,0.02,0.0,0.0,0.83,0.71,0.0


### Save the data in CSV

In [19]:
import os
os.makedirs('../data/cleaned', exist_ok=True)

In [20]:
train2.to_csv('../data/cleaned/cleaned_train.csv', index=False)
test2.to_csv('../data/cleaned/cleaned_test.csv', index=False)


Go to 
* [Main page](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/tree/main) 
* [EDA Analysis](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/blob/main/jupyter_notebooks/2.%20eda_analysis.ipynb)
* [Hypothesis Validation](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/blob/main/jupyter_notebooks/3.%20hypothesis_validation.ipynb)
* [Visualisation](https://github.com/SelinaFischer/unmasking_hidden_cyber_threats_t5/blob/main/jupyter_notebooks/4.%20visualisations.ipynb)