# Team Abnormal Distribution
## Project 3 - Data Engineering track
## TCC Data Analytics Bootcamp
[Project Requirements](https://bootcampspot.instructure.com/courses/4499/pages/16-project-3-overview?module_item_id=1101001)
<p>
<a href=https://github.com/Matendy12/Project-3/>GitHub repository</a>

### Project Intent
Abnormal Distribution's intent is to aid cybersecurity defenders (aka, Blue Teams) in preventing botnet attacks by producting intrusion detection system (IDS) rules to detect known malicious traffic used against common Internet of Things (IoT) devices. 

### About the Data
#### What is it?
Our foundational dataset contains a large volume of meta- and statistical data related to real-time network traffic collection involving several common IoT devices; the traffic includes both normal ('benign') and malicious ('attack') flows.

#### Where did it come from?
Our dataset, [RT-IoT2022](https://archive.ics.uci.edu/dataset/942/rt-iot2022), is publicly available in the Machine Learning Repository at the University of California, Irvine (UCI). The dataset was created and shared by researchers from [The National Institute of Engineering](https://nie.ac.in/), Mysuru, India.

#### Why does it matter?
The creators' note on the UCI share above say the dataset is "a comprehensive resource integrating a diverse range of IoT devices and sophisticated network attack methodologies." The simulated attacks encompassed several seen-in-the-wild reconaissance and exploitation attack patterns, such as brute-force SSH, DDoS, and NMAP scans. Their intent was "to advance the capabilities of Intrusion Detection Systems, fostering the development of robust and adaptive security solutions for real-time IoT networks."

### About the Code
All code is stored in our GitHub respository's [code](https://github.com/Matendy12/Project-3/tree/main/code) folder.

#### Notebook 1 (you are here!)
This interactive Python notebook is the main code deliverable of our team's efforts towards the Project 3 Data Engineering track. It implements ETL workflows to tune the dataset toward our goal of exporting Suricata rules.
[Suricata](https://suricata.io/) is one of the most popular open-source IDS controls on the cybersecurity market, and its rule (aka "signature") format is utilized extensively by many tools throughout the cyber landscape for threat and anomaly detection.

#### Notebook 2 (where to go next)
The second notebook, Part 2 - Suricata.ipynb, extends our work by exporting our PostgreSQL database of attack patterns as Suricata signatures.

### On to the code

In [1]:
# ensure the required libraries are installed in the notebook's local operating environment
!pip install sqlalchemy
!pip install psycopg2



In [2]:
# import the required libraries
import pandas as pd, sqlalchemy as sa

In [3]:
# set a column width limit & read in the raw CSV file
pd.options.display.max_colwidth = 100
tfc=pd.read_csv("RT_IOT2022")

In [4]:
# show the first 5 rows in the tfc dataframe to make sure all is well
# (notice how all 5 are the same "Attack_type", would be good to verify there are other types...)
tfc.head()

Unnamed: 0.1,Unnamed: 0,id.orig_p,id.resp_p,proto,service,flow_duration,fwd_pkts_tot,bwd_pkts_tot,fwd_data_pkts_tot,bwd_data_pkts_tot,...,active.std,idle.min,idle.max,idle.tot,idle.avg,idle.std,fwd_init_window_size,bwd_init_window_size,fwd_last_window_size,Attack_type
0,0,38667,1883,tcp,mqtt,32.011598,9,5,3,3,...,0.0,29729180.0,29729180.0,29729180.0,29729180.0,0.0,64240,26847,502,MQTT_Publish
1,1,51143,1883,tcp,mqtt,31.883584,9,5,3,3,...,0.0,29855280.0,29855280.0,29855280.0,29855280.0,0.0,64240,26847,502,MQTT_Publish
2,2,44761,1883,tcp,mqtt,32.124053,9,5,3,3,...,0.0,29842150.0,29842150.0,29842150.0,29842150.0,0.0,64240,26847,502,MQTT_Publish
3,3,60893,1883,tcp,mqtt,31.961063,9,5,3,3,...,0.0,29913770.0,29913770.0,29913770.0,29913770.0,0.0,64240,26847,502,MQTT_Publish
4,4,51087,1883,tcp,mqtt,31.902362,9,5,3,3,...,0.0,29814700.0,29814700.0,29814700.0,29814700.0,0.0,64240,26847,502,MQTT_Publish


In [5]:
# ... so show the last 5 rows, which are a different
tfc.tail()

Unnamed: 0.1,Unnamed: 0,id.orig_p,id.resp_p,proto,service,flow_duration,fwd_pkts_tot,bwd_pkts_tot,fwd_data_pkts_tot,bwd_data_pkts_tot,...,active.std,idle.min,idle.max,idle.tot,idle.avg,idle.std,fwd_init_window_size,bwd_init_window_size,fwd_last_window_size,Attack_type
123112,2005,59247,63331,tcp,-,6e-06,1,1,0,0,...,0.0,0.0,0.0,0.0,0.0,0.0,1024,0,1024,NMAP_XMAS_TREE_SCAN
123113,2006,59247,64623,tcp,-,7e-06,1,1,0,0,...,0.0,0.0,0.0,0.0,0.0,0.0,1024,0,1024,NMAP_XMAS_TREE_SCAN
123114,2007,59247,64680,tcp,-,6e-06,1,1,0,0,...,0.0,0.0,0.0,0.0,0.0,0.0,1024,0,1024,NMAP_XMAS_TREE_SCAN
123115,2008,59247,65000,tcp,-,6e-06,1,1,0,0,...,0.0,0.0,0.0,0.0,0.0,0.0,1024,0,1024,NMAP_XMAS_TREE_SCAN
123116,2009,59247,65129,tcp,-,6e-06,1,1,0,0,...,0.0,0.0,0.0,0.0,0.0,0.0,1024,0,1024,NMAP_XMAS_TREE_SCAN


In [6]:
# view the original, raw dataset
# (next we'll start the ETL process to tune the dataset)
tfc.info

<bound method DataFrame.info of         Unnamed: 0  id.orig_p  id.resp_p proto service  flow_duration  \
0                0      38667       1883   tcp    mqtt      32.011598   
1                1      51143       1883   tcp    mqtt      31.883584   
2                2      44761       1883   tcp    mqtt      32.124053   
3                3      60893       1883   tcp    mqtt      31.961063   
4                4      51087       1883   tcp    mqtt      31.902362   
...            ...        ...        ...   ...     ...            ...   
123112        2005      59247      63331   tcp       -       0.000006   
123113        2006      59247      64623   tcp       -       0.000007   
123114        2007      59247      64680   tcp       -       0.000006   
123115        2008      59247      65000   tcp       -       0.000006   
123116        2009      59247      65129   tcp       -       0.000006   

        fwd_pkts_tot  bwd_pkts_tot  fwd_data_pkts_tot  bwd_data_pkts_tot  ...  \
0         

In [7]:
# enhance and transform the raw dataset to better tell the story we're writing
# 1. drop extraneous columns that do not contribute to our understanding of attack & benign traffic patterns
# (these columns are currently cluttering our dataframe and do not add value to our study)
tfc.drop(['Unnamed: 0','idle.min','idle.max','idle.tot','idle.avg','idle.std','flow_duration','fwd_pkts_tot','bwd_pkts_tot','fwd_data_pkts_tot', 'bwd_data_pkts_tot', 'fwd_pkts_per_sec', 'bwd_pkts_per_sec', 'flow_pkts_per_sec', 'down_up_ratio', 'fwd_header_size_tot', 'fwd_header_size_min', 'fwd_header_size_max', 'bwd_header_size_tot', 'bwd_header_size_min', 'bwd_header_size_max', 'flow_FIN_flag_count', 'flow_SYN_flag_count', 'flow_RST_flag_count', 'fwd_PSH_flag_count', 'bwd_PSH_flag_count', 'flow_ACK_flag_count', 'fwd_URG_flag_count', 'bwd_URG_flag_count', 'flow_CWR_flag_count', 'flow_ECE_flag_count', 'fwd_pkts_payload.min', 'fwd_pkts_payload.max', 'fwd_pkts_payload.tot', 'fwd_pkts_payload.avg', 'fwd_pkts_payload.std', 'bwd_pkts_payload.min', 'bwd_pkts_payload.max', 'bwd_pkts_payload.tot', 'bwd_pkts_payload.avg', 'bwd_pkts_payload.std', 'flow_pkts_payload.min', 'flow_pkts_payload.max', 'flow_pkts_payload.tot', 'flow_pkts_payload.avg', 'flow_pkts_payload.std', 'fwd_iat.min', 'fwd_iat.max', 'fwd_iat.tot', 'fwd_iat.avg', 'fwd_iat.std', 'bwd_iat.min', 'bwd_iat.max', 'bwd_iat.tot', 'bwd_iat.avg', 'bwd_iat.std', 'flow_iat.min', 'flow_iat.max', 'flow_iat.tot', 'flow_iat.avg', 'flow_iat.std', 'payload_bytes_per_second', 'fwd_subflow_pkts',
 'bwd_subflow_pkts', 'fwd_subflow_bytes', 'bwd_subflow_bytes', 'fwd_bulk_bytes', 'bwd_bulk_bytes', 'fwd_bulk_packets', 'bwd_bulk_packets', 'fwd_bulk_rate', 'bwd_bulk_rate', 'active.min', 'active.max', 'active.tot', 'active.avg', 'active.std', 'fwd_init_window_size', 'bwd_init_window_size', 'fwd_last_window_size'], axis=1, inplace=True)
# 2. rename remaining columns for better clarity
# (origin_port is more clear than id.orig_p)
tfc.rename(columns={'id.orig_p':'origin_port','id.resp_p':'response_port','Attack_type':'traffic_pattern'},inplace=True)

# check that the dataframe looks right (columns presence, null data, data types, & size in memory)
tfc.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 123117 entries, 0 to 123116
Data columns (total 5 columns):
 #   Column           Non-Null Count   Dtype 
---  ------           --------------   ----- 
 0   origin_port      123117 non-null  int64 
 1   response_port    123117 non-null  int64 
 2   proto            123117 non-null  object
 3   service          123117 non-null  object
 4   traffic_pattern  123117 non-null  object
dtypes: int64(2), object(3)
memory usage: 4.7+ MB


In [15]:
# build a new dataframe
# 'traffic_patterns' are the benign and attack traffic present in the data
# identify which ones are present and save to a df
patterns=tfc.traffic_pattern.unique()
tfcPatterns=pd.DataFrame(patterns, columns=['pattern'])

In [16]:
# define a function that parses each pattern to determine if it's normal (benign) or malicious (attack)...
def categorize_attack(pattern):
    if pattern.startswith('NMAP'):
        return 'attack'
    elif 'DOS' in pattern:
        return 'attack'
    elif 'Metasploit' in pattern:
        return 'attack'
    elif pattern.startswith('ARP'):
        return 'attack'
    else:
        return 'benign'
# ... and write that result to a new column in the tfcPatterns dataframe
tfcPatterns['type'] = tfcPatterns['pattern'].apply(categorize_attack)
tfcPatterns

Unnamed: 0,pattern,type
0,MQTT_Publish,benign
1,Thing_Speak,benign
2,Wipro_bulb,benign
3,ARP_poisioning,attack
4,DDOS_Slowloris,attack
5,DOS_SYN_Hping,attack
6,Metasploit_Brute_Force_SSH,attack
7,NMAP_FIN_SCAN,attack
8,NMAP_OS_DETECTION,attack
9,NMAP_TCP_scan,attack


In [17]:
# import SqlAlchemy's create_engine, URL, and sessionmaker functions
from sqlalchemy import create_engine
from sqlalchemy.engine import URL
from sqlalchemy.orm import sessionmaker
# tell Python how to connect with our PostgreSQL database, iot_attack_traffic
connString = 'postgresql://postgres:postgres@127.0.0.1/iot_attack_traffic'
db=create_engine(connString)
# check that our db variable works (does Python assemble the connection parameters correctly)
print(db)

Engine(postgresql://postgres:***@127.0.0.1/iot_attack_traffic)


In [18]:
# write the traffic data we previously imported to the all_traffic table (should return a count)
tfc.to_sql('all_traffic',connString,if_exists='replace')

117

In [19]:
tfcPatterns.to_sql('traffic_patterns',connString,if_exists='replace')

12

In [13]:
# connect to the iot_attack_traffic database
Session=sessionmaker(bind=db)
session=Session()

In [14]:
# create a dataframe from the traffic_patterns db table
patterns=db.execute("select * from traffic_patterns")
# test our progress in building & populating the database
# by printing the traffic patterns in our df
print(patterns.fetchall())

[(0, 'benign'), (1, 'benign'), (2, 'benign'), (3, 'attack'), (4, 'attack'), (5, 'attack'), (6, 'attack'), (7, 'attack'), (8, 'attack'), (9, 'attack'), (10, 'attack'), (11, 'attack')]
