# Graph Matching and Profiling

Computer network can be represented by graph that consists of several connected components. By mining the different graphs that appear during the day, we can define anomalous events as anomalous subgraphs.

Equality on graphs is defined by isomorphism. 

In [1]:
# Preamble
import networkx as nx
from networkx.algorithms import isomorphism
from networkx.drawing.nx_agraph import graphviz_layout
from networkx.drawing.nx_agraph import to_agraph

import numpy as np
import matplotlib.pyplot as plt

import pickle

dotFormat = 'graph {\n\t"16739f5f" [label="575ace95" shape=box]\n\t"029ef910" [label="da:42.219.159.82"]\n\t"16739f5f" -- "029ef910" [weight=0.314046]\n\ta2e8770c [label="sa:67.207.110.194"]\n\t"16739f5f" -- a2e8770c [weight=0.314046]\n\t"358295f4" [label=fc32aa64 shape=box]\n\tc0fbda50 [label="sa:228.24.29.183"]\n\t"358295f4" -- c0fbda50 [weight=0.399695]\n\t"0e2a5d57" [label="sp:6000"]\n\t"358295f4" -- "0e2a5d57" [weight=0.399695]\n\teecd66de [label="13237ce3" shape=box]\n\t"76a05a17" [label="sa:42.219.153.128"]\n\teecd66de -- "76a05a17" [weight=0.418729]\n\t"13a453b8" [label="sp:80"]\n\teecd66de -- "13a453b8" [weight=0.418729]\n\t"7169111a" [label="4d7881ec" shape=box]\n\td5510535 [label="da:42.219.157.222"]\n\t"7169111a" -- d5510535 [weight=0.447278]\n\t"7ecaf819" [label="sp:53"]\n\t"7169111a" -- "7ecaf819" [weight=0.447278]\n\tfcd0014b [label="1a384ce4" shape=box]\n\t"27463b29" [label="da:42.219.159.90"]\n\tfcd0014b -- "27463b29" [weight=0.437762]\n\tae248c51 [label="sp:445"]\n\tfcd0014b -- ae248c51 [weight=0.437762]\n\t"736983b9" [label=a87d44c4 shape=box]\n\tb74f3e33 [label="da:42.219.155.29"]\n\t"736983b9" -- b74f3e33 [weight=0.494861]\n\t"71d850c7" [label="sa:165.133.210.160"]\n\t"736983b9" -- "71d850c7" [weight=0.494861]\n\t"2f498e7e" [label="77133cc1" shape=box]\n\tfdf8fe4d [label="da:165.133.210.160"]\n\t"2f498e7e" -- fdf8fe4d [weight=0.523411]\n\t"834143c2" [label="sa:42.219.155.29"]\n\t"2f498e7e" -- "834143c2" [weight=0.523411]\n\t"2ea6238e" [label="sp:8080"]\n\t"2f498e7e" -- "2ea6238e" [weight=0.523411]\n\tebddb97d [label="3bd5236e" shape=box]\n\tfdf8fe4d [label="da:165.133.210.160"]\n\tebddb97d -- fdf8fe4d [weight=0.523411]\n\t"834143c2" [label="sa:42.219.155.29"]\n\tebddb97d -- "834143c2" [weight=0.523411]\n\te1055037 [label="975d6220" shape=box]\n\t"834143c2" [label="sa:42.219.155.29"]\n\te1055037 -- "834143c2" [weight=0.523411]\n\t"2ea6238e" [label="sp:8080"]\n\te1055037 -- "2ea6238e" [weight=0.523411]\n\tc343fcb3 [label="16d12ae5" shape=box]\n\tfdf8fe4d [label="da:165.133.210.160"]\n\tc343fcb3 -- fdf8fe4d [weight=0.523411]\n\t"2ea6238e" [label="sp:8080"]\n\tc343fcb3 -- "2ea6238e" [weight=0.523411]\n\t"645766b4" [label="0ea6bd3a" shape=box]\n\t"2793f989" [label="sa:42.219.158.175"]\n\t"645766b4" -- "2793f989" [weight=0.55196]\n\tbeac4f79 [label="sp:443"]\n\t"645766b4" -- beac4f79 [weight=0.55196]\n\ta3e85eaa [label=a781b332 shape=box]\n\t"433fbce0" [label="sa:42.219.159.82"]\n\ta3e85eaa -- "433fbce0" [weight=0.55196]\n\t"3156646b" [label="sp:8000"]\n\ta3e85eaa -- "3156646b" [weight=0.55196]\n\t"716554f0" [label="358ea49f" shape=box]\n\teb1ad9f7 [label="sa:82.167.235.52"]\n\t"716554f0" -- eb1ad9f7 [weight=0.904073]\n\tbf888c33 [label="sp:44001"]\n\t"716554f0" -- bf888c33 [weight=0.904073]\n\tdbd5d09c [label="09d23111" shape=box]\n\t"8e3c8133" [label="da:42.219.153.89"]\n\tdbd5d09c -- "8e3c8133" [weight=0.494861]\n\tbeac4f79 [label="sp:443"]\n\tdbd5d09c -- beac4f79 [weight=0.494861]\n\tba62fb5c [label="61f8a198" shape=box]\n\te0c959f6 [label="sa:42.219.155.28"]\n\tba62fb5c -- e0c959f6 [weight=1.08489]\n\tbeac4f79 [label="sp:443"]\n\tba62fb5c -- beac4f79 [weight=1.08489]\n\t"7a270753" [label="43740def" shape=box]\n\tace5dae4 [label="sa:143.72.4.250"]\n\t"7a270753" -- ace5dae4 [weight=1.10392]\n\t"7ecaf819" [label="sp:53"]\n\t"7a270753" -- "7ecaf819" [weight=1.10392]\n\tf9d6e96d [label="29490ea8" shape=box]\n\t"268b4ba2" [label="da:42.219.159.92"]\n\tf9d6e96d -- "268b4ba2" [weight=0.428245]\n\tbeac4f79 [label="sp:443"]\n\tf9d6e96d -- beac4f79 [weight=0.428245]\n\ted0ac803 [label=cba1b542 shape=box]\n\t"268b4ba2" [label="da:42.219.159.92"]\n\ted0ac803 -- "268b4ba2" [weight=0.390179]\n\t"13a453b8" [label="sp:80"]\n\ted0ac803 -- "13a453b8" [weight=0.390179]\n\tc94ae390 [label="268e3359" shape=box]\n\te8c6a70e [label="da:42.219.159.85"]\n\tc94ae390 -- e8c6a70e [weight=0.504378]\n\tbeac4f79 [label="sp:443"]\n\tc94ae390 -- beac4f79 [weight=0.504378]\n\ta39cef1a [label="68c9467c" shape=box]\n\t"8215a4a4" [label="da:42.219.153.7"]\n\ta39cef1a -- "8215a4a4" [weight=0.352113]\n\t"7ecaf819" [label="sp:53"]\n\ta39cef1a -- "7ecaf819" [weight=0.352113]\n\t32227570 [label="93355e9d" shape=box]\n\te0dfc1d7 [label="sa:42.219.153.7"]\n\t32227570 -- e0dfc1d7 [weight=1.3799]\n\t"7ecaf819" [label="sp:53"]\n\t32227570 -- "7ecaf819" [weight=1.3799]\n\t"49deaabf" [label=d7e6f364 shape=box]\n\t"0c5d8e47" [label="sa:42.219.155.56"]\n\t"49deaabf" -- "0c5d8e47" [weight=1.67491]\n\t"13a453b8" [label="sp:80"]\n\t"49deaabf" -- "13a453b8" [weight=1.67491]\n\t"65e7826f" [label="10bfcadc" shape=box]\n\tfec59e25 [label="sa:42.219.158.156"]\n\t"65e7826f" -- fec59e25 [weight=2.02703]\n\tbeac4f79 [label="sp:443"]\n\t"65e7826f" -- beac4f79 [weight=2.02703]\n\t"79af2117" [label="36de70a5" shape=box]\n\tf3dc64e4 [label="sa:42.219.153.62"]\n\t"79af2117" -- f3dc64e4 [weight=2.03654]\n\t"7ecaf819" [label="sp:53"]\n\t"79af2117" -- "7ecaf819" [weight=2.03654]\n\t"088172ae" [label="6e22f384" shape=box]\n\tf8b94cff [label="sa:143.72.8.137"]\n\t"088172ae" -- f8b94cff [weight=4.07309]\n\t"7ecaf819" [label="sp:53"]\n\t"088172ae" -- "7ecaf819" [weight=4.07309]\n\t"8a33a9ab" [label="3dcceb1c" shape=box]\n\te08ad9b7 [label="sa:42.219.156.211"]\n\t"8a33a9ab" -- e08ad9b7 [weight=3.43548]\n\tbeac4f79 [label="sp:443"]\n\t"8a33a9ab" -- beac4f79 [weight=3.43548]\n\tca52700f [label="375d05da" shape=box]\n\te08ad9b7 [label="sa:42.219.156.211"]\n\tca52700f -- e08ad9b7 [weight=3.76856]\n\t"13a453b8" [label="sp:80"]\n\tca52700f -- "13a453b8" [weight=3.76856]\n}'

In [2]:
# read data from pickle
d = pickle.load(open('pickles/2016-7-28-FIM.p', 'rb'))

In [3]:
from IPython.display import Image
Image("2016-07-28/images/test.png")

TypeError: a bytes-like object is required, not 'str'

TypeError: 'NoneType' object is not iterable

In [5]:
testFim = d['2016-07-28 11:00:00']

In [20]:
def convertFIMtoGraph(fim):
    G = nx.Graph()
    counter = 0
    for items, sup in fim.items():
        nodes = list(items)
        G.add_nodes_from(nodes)
        G.add_edges_from([(node, str(counter)) for node in nodes])
        counter += 1
    return G

def connectedComponents(G):
    return list(nx.connected_component_subgraphs(G))

def is_isomorphic(G1, G2):
    GM = isomorphism.GraphMatcher(G1,G2)
    return GM.is_isomorphic()

G = convertFIMtoGraph(testFim)
# pos = graphviz_layout(G)
# nx.draw(G, pos)
# plt.show()
G_gv = to_agraph(G)
G_gv.draw('test.png', prog='sfdp')

In [19]:
type(G_gv)
G_gv.add_node('da:42.219.156.211', color='red',style='filled')
G_gv.draw('test2.png', prog='neato')

In [117]:
# Find the different types of connected components in G
def distinctConnectedComponents(G):
    CCs = connectedComponents(G)
    result = []
    for g in CCs:
        isNew = True
        for r in result:
            if is_isomorphic(g, r):
                isNew = False
                break
        if isNew:
            result.append(g)
    return result

def allDistinctConnectedComponents(graphs):
    result = distinctConnectedComponents(graphs[0])
    for g in graphs[1:]:
        for cc in distinctConnectedComponents(g):
            isNew = True
            for r in result:
                if is_isomorphic(cc, r):
                    isNew = False
                    break
            if isNew:
                result.append(cc)
    return result

# graphs = distinctConnectedComponents(G)
# print(len(graphs))
# cc = connectedComponents(G)
# is_isomorphic(cc[0], cc[1])
    
# for i, x in enumerate(cc):
#     print(i, len(x.nodes()))

In [100]:
graphs

[<networkx.classes.graph.Graph at 0x7fe27ccabe48>,
 <networkx.classes.graph.Graph at 0x7fe27ccab358>,
 <networkx.classes.graph.Graph at 0x7fe27ccab048>,
 <networkx.classes.graph.Graph at 0x7fe27cd85ba8>,
 <networkx.classes.graph.Graph at 0x7fe27cd85d68>,
 <networkx.classes.graph.Graph at 0x7fe27cd85278>]

In [118]:
# Find all distinct CC in the first 10 graphs
labels = sorted(d.keys())
allGraphs = [convertFIMtoGraph(d[l]) for l in labels]
distinctGraphs = allDistinctConnectedComponents(allGraphs)
print("Number of distinct connected components:", len(distinctGraphs))

Number of distinct connected components: 58


In [122]:
# Plot images of all the sub graph types
counter = 1
for g in sorted(distinctGraphs, key = lambda g : len(g.nodes())):
    G_gv = to_agraph(g)
    G_gv.draw('2016-07-28/subgraphs/{0}_{1}.png'.format(counter, len(g.nodes())), prog='sfdp')
    counter += 1

In [121]:
print([len(g.nodes()) for g in distinctGraphs])

[9, 3, 203, 15, 7, 5, 231, 193, 182, 13, 200, 192, 7, 200, 23, 147, 194, 9, 212, 219, 240, 247, 247, 189, 188, 225, 39, 19, 23, 195, 15, 11, 27, 173, 11, 31, 214, 217, 191, 7, 214, 200, 11, 198, 218, 216, 225, 220, 205, 238, 203, 199, 212, 206, 219, 17, 25, 31]
