# Sampling Task & Sketching task

In [19]:
import pandas as pd
import numpy as np
from time import time
from random import randint

### Cleaning & Processing dataset

In [22]:
df = pd.read_table('dataset/capture20110818-2.pcap.netflow.labeled',delim_whitespace=True) 
print(type(df))
df = df.iloc[:,:-5]
df.columns = ['Date','Time','Durat','Prot','Src IP Addr:Port','Dir','Dst IP Addr:Port','Flags','Tos','Packets','Bytes','Flows','Label']
LEN_DF = len(df)
print(LEN_DF)
print(df.head())

<class 'pandas.core.frame.DataFrame'>
408835
         Date          Time  Durat Prot    Src IP Addr:Port Dir  \
0  2011-08-18  10:39:35.289    0.0  TCP  85.3.219.122:55347  ->   
1  2011-08-18  10:39:36.067    0.0  TCP  85.3.219.122:55347  ->   
2  2011-08-18  10:39:36.754    0.0  TCP  85.3.219.122:55347  ->   
3  2011-08-18  10:39:37.079    0.0  TCP   84.13.8.236:61289  ->   
4  2011-08-18  10:39:37.186    0.0  TCP    147.32.3.51:4397  ->   

     Dst IP Addr:Port Flags  Tos  Packets  Bytes  Flows       Label  
0  147.32.84.118:6881  S_RA    0        2    120      1  Background  
1  147.32.84.118:6881  S_RA    0        2    120      1  Background  
2  147.32.84.118:6881  S_RA    0        2    116      1  Background  
3  147.32.84.118:6881  S_RA    0        2    120      1  Background  
4  147.32.87.22:10010  S_RA    0        2    116      1  Background  


In [23]:
#Seperate address and port
addr = []
port = []
for i in df['Dst IP Addr:Port']:
    try:
        s = i.split(':', 1)
        addr.append(s[0])
        port.append(s[1])
    except:
        port.append('Null')

df['Des_address'] = addr
df['Port'] = port
print(df.head())
df.to_csv('dataset/ctu_13_52_netflow.csv')
# Check Dataset Ip, protocol, port and label
label = np.unique(df['Label'].values)
print('Label:')
print(len(label))
print(label)

print('Protocol:')
protocol = np.unique(df['Prot'].values)
print(len(protocol))
print(protocol)

min_pac = min(df['Packets'])
max_pac = max(df['Packets'])
med_pac = np.median(df['Packets'].values)
print(min_pac,med_pac,max_pac)
s = df['Packets'].sort_values()

         Date          Time  Durat Prot    Src IP Addr:Port Dir  \
0  2011-08-18  10:39:35.289    0.0  TCP  85.3.219.122:55347  ->   
1  2011-08-18  10:39:36.067    0.0  TCP  85.3.219.122:55347  ->   
2  2011-08-18  10:39:36.754    0.0  TCP  85.3.219.122:55347  ->   
3  2011-08-18  10:39:37.079    0.0  TCP   84.13.8.236:61289  ->   
4  2011-08-18  10:39:37.186    0.0  TCP    147.32.3.51:4397  ->   

     Dst IP Addr:Port Flags  Tos  Packets  Bytes  Flows       Label  \
0  147.32.84.118:6881  S_RA    0        2    120      1  Background   
1  147.32.84.118:6881  S_RA    0        2    120      1  Background   
2  147.32.84.118:6881  S_RA    0        2    116      1  Background   
3  147.32.84.118:6881  S_RA    0        2    120      1  Background   
4  147.32.87.22:10010  S_RA    0        2    116      1  Background   

     Des_address   Port  
0  147.32.84.118   6881  
1  147.32.84.118   6881  
2  147.32.84.118   6881  
3  147.32.84.118   6881  
4   147.32.87.22  10010  
Label:
3
['Bac

### 10 most frequent IP - Before Sampling

In [24]:
des_ip = np.unique(df['Des_address'])
des_ip_sort = df['Des_address'].value_counts()
print(len(des_ip))
print(des_ip_sort[:10])
ori_ip = des_ip_sort[:10].index.values

print("Length of Stream - " + str(len(df)))

15258
147.32.96.69      279763
147.32.80.9        29441
147.32.84.229      28445
147.32.86.116      11692
147.32.84.59        3324
147.32.80.13         901
147.32.84.118        625
147.32.84.2          619
76.13.114.90         571
209.85.149.132       571
Name: Des_address, dtype: int64
Length of Stream - 408835


## Sampling Task - Using Resovoir Sampling

In [29]:
import random
from random import randint
from time import time

# select k elements 
select = [100000,10000,1000,500,100,60]

#remove duplicate
sub_df = df.iloc[:,2:12]
sub_df = sub_df.drop_duplicates()
print(len(sub_df))
inx_sub = sub_df.index.values
df = df.loc[inx_sub,:]
LEN_DF = len(df)

rand = np.random.random((LEN_DF,1))

df['random'] = rand

ip_list = list(ori_ip)
time_list = []
for k in select:
    print("Select Value - " + str(k))
    t = time()
    # first k items
    samp_df = df[:k]
    # select random sample with a probability smaller than k/i
    index = df.index.values # Just indexes
    proba = k/index
    df['proba'] = proba
#     print("Random Indices --- " + str(len(df['proba']!=0)))
    samples = df.loc[df['proba']<=df['random'],:]

    all_sample = pd.concat([samp_df,samples])
#     print("Length of All Samples - " + str(len(all_sample)))
    
    sample = all_sample.sample(n=k)
    t = time()-t
    time_list.append(t)
    
    samp_des_ip_sort = sample['Des_address'].value_counts()
    top = samp_des_ip_sort[:10]
    ip = top.index.values
    ip_list.extend(ip)
    
factors, uniques = pd.factorize(ip_list)
print(factors.reshape(7,10))
print(ip_list.reshape(7,10))
print(type(factors))

340865
Select Value - 100000




Select Value - 10000
Select Value - 1000
Select Value - 500
Select Value - 100
Select Value - 60
['147.32.96.69', '147.32.80.9', '147.32.84.229', '147.32.86.116', '147.32.84.59', '147.32.80.13', '147.32.84.118', '147.32.84.2', '76.13.114.90', '209.85.149.132', '147.32.96.69', '147.32.84.229', '147.32.80.9', '147.32.86.116', '147.32.84.59', '147.32.80.13', '76.13.114.90', '147.32.84.2', '209.85.149.132', '147.32.84.111', '147.32.96.69', '147.32.84.229', '147.32.80.9', '147.32.86.116', '147.32.84.59', '147.32.80.13', '209.85.149.132', '147.32.84.2', '76.13.114.90', '147.32.84.111', '147.32.96.69', '147.32.84.229', '147.32.80.9', '147.32.86.116', '147.32.84.59', '77.78.99.23', '147.32.84.111', '74.125.232.219', '209.85.149.132', '74.125.232.204', '147.32.96.69', '147.32.80.9', '147.32.84.229', '147.32.86.116', '147.32.84.191', '147.32.84.59', '46.4.78.181', '147.32.84.2', '74.125.232.215', '125.224.163.107', '147.32.96.69', '147.32.84.229', '147.32.80.9', '147.32.86.116', '2.40.126.117', 

In [30]:
# IP rank comparison
samp_ip = samp_des_ip_sort[:10].index.values

comp = pd.DataFrame({'Origin':factors[:10]})

for i,k in enumerate(select):
    comp[str(k)] = factors[(i+1)*10:(i+2)*10]
print(comp)

accuracy = [sum(comp.iloc[:,i]==comp.iloc[:,0])/10. for i,k in enumerate(comp.columns)]
print("Time consumed:")
print(np.asarray(time_list).reshape(6,1))
print(np.mean(time_list))
print("Accuracy:")
print(accuracy)

   Origin  100000  10000  1000  500  100  60
0       0       0      0     0    0    0   0
1       1       2      2     2    1    2   2
2       2       1      1     1    2    1   1
3       3       3      3     3    3    3   3
4       4       4      4     4   14   18  24
5       5       5      5    11    4   19  25
6       6       8      9    10   15   20  26
7       7       7      7    12    7   21  27
8       8       9      8     9   16   22  28
9       9      10     10    13   17   23  29
Time consumed:
[[0.77554417]
 [0.56497908]
 [0.40110898]
 [0.38509297]
 [0.38488722]
 [0.41068101]]
0.4870489041010539
Accuracy:
[1.0, 0.5, 0.6, 0.3, 0.5, 0.2, 0.2]


### Count Min Sketch

In [27]:
from array import array
from random import randint
from math import log, e, ceil
from itertools import izip
from heapq import nlargest

class CountMinSketch(object):
    def __init__(self, w=None, d=None, delta=None, epsilon=None):

        if w is not None and d is not None:
            self.w = w
            self.d = d
        elif delta is not None and epsilon is not None:
            self.w = int(ceil(e/epsilon))
            self.d = int(ceil(log(1./delta)))
            print self.w, self.d
        else:
            raise Exception("You must either supply both w and d or delta and epsilon.")

        self.counts = [array('L', (0 for _ in xrange(self.w))) for _ in xrange(self.d)]
        upper_bound = 2147483647
        step = upper_bound / (self.d-1)
        ranges = [(i*step, step*(i+1)-1) for i in xrange(self.d-1)]
        self.mask = array('L', (randint(low, high) for low, high in ranges))

    def get_columns(self, a):
        h = hash(a)
        w = self.w

        yield h % w
        for m in self.mask:
            yield (h ^ m) % w


    def update(self, a, val=1):
        for row, col in izip(self.counts, self.get_columns(a)):
          row[col] += val

    def query(self, a):
        return min(row[col] for row, col in izip(self.counts, self.get_columns(a)))

    def __getitem__(self, a):
        return self.query(a)

    def __setitem__(self, a, val):
        for row, col in izip(self.counts, self.get_columns(a)):
          row[col] = val
        
# Testing Count Min Sketch
def test_cms(ip_list,freq_list,w,d):
    mytime = 0
    mine = CountMinSketch(w, d)
    for ip,freq in zip(ip_list,freq_list):
        t = time()
        mine.update(ip, freq)
        mytime += time() - t
    loss= 0
    pre_freq={}
    for ip, freq in zip(ip_list,freq_list):
        
        loss += (mine.query(ip) - freq)**2
        pre_freq[ip]=int(mine[ip])

    print 'loss:', loss**0.5 / len(ip_list)
    print 'time', mytime
    ips=[]
    topNum = 10
    nlargestList = nlargest(topNum, pre_freq.values())        #get top 10  
    for value in nlargestList:                                #print
        for key in pre_freq:  
            if pre_freq[key] == value:  
                ips.append(key)
                print key, pre_freq[key]
    return np.array(ips)

In [28]:
# get the value and freq as input
ip_list = des_ip_sort.index.values
freq_list = np.array(des_ip_sort).tolist()
#get top 10 ips
true_10 = np.array(des_ip_sort[:10].keys())

# Get Accuracy - Count Min Sketch 
# Change w, d (hgt and width) for checking 
ips = test_cms(ip_list,freq_list,1000,1000)
acc = sum(ips==true_10)/10.
print 'the top10 accuracy is', acc

loss: 0.045737948311
time 13.7513535023
147.32.96.69 279767
147.32.80.9 29444
147.32.84.229 28451
147.32.86.116 11697
147.32.84.59 3330
147.32.80.13 907
147.32.84.118 630
147.32.84.2 625
209.85.149.132 577
76.13.114.90 576
the top10 accuracy is 0.8
