# Artificial Intelligence for Cybersecurity Project
**Venturini Francesco** No. 548415

In [1]:
import os
import numpy as np
import pandas as pd
import seaborn as sns
import plotly.express as px
import plotly.graph_objects as go
import matplotlib.pyplot as plt
from sklearn.tree import DecisionTreeClassifier
from sklearn.linear_model import LogisticRegression
from sklearn.neighbors import KNeighborsClassifier
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import classification_report, accuracy_score
from sklearn.model_selection import StratifiedKFold
from sklearn.neural_network import MLPClassifier

from sklearn.cluster import KMeans
from sklearn.metrics.cluster import contingency_matrix
from sklearn.metrics import homogeneity_completeness_v_measure
from sklearn.decomposition import PCA
from sklearn.neighbors import LocalOutlierFactor as LOF

# Dataset description and Goal
The dataset that has been chosen for the project is the **`UNSW-NB15`  dataset**, created by the IXIA PerfectStorm tool 
in the Cyber Range Lab of the Australian Centre for Cyber Security (ACCS) for generating a 
hybrid of real modern normal activities and synthetic contemporary attack behaviours. Tcpdump 
tool is utilised to capture 100 GB of the raw traffic (e.g., Pcap files). This data set has nine 
families of attacks, namely, `Fuzzers`, `Analysis`, `Backdoors`, `DoS`, `Exploits`, `Generic`, 
`Reconnaissance`, `Shellcode` and `Worms`. The Argus, Bro-IDS tools are utilised and twelve 
algorithms are developed to generate totally 49 features with the class label. These features are 
described in `UNSW-NB15_freatures.csv` file. The total number of records is two millions and 
540,044 which are stored in the four CSV files, namely, `UNSW-NB15_1.csv`, `UNSW-NB15_2.csv`, `UNSW-NB15_3.csv` and `UNSW-NB15_4.csv`. The ground truth table is named 
`UNSW-NB15_GT.csv` and the list of event file is called `UNSW-NB15_LIST_EVENTS.csv`. A
partition from this data set is configured as a training set and testing set, namely, 
`UNSW_NB15_training-set.csv` and `UNSW_NB15_testing-set.csv` respectively. The number of 
records in the training set is 82,332 records and the testing set is 175,341 records from different 
the types of attack and normal.

Input data files are available in the `datasets/UNSW-NB15` directory. The next cell will list all files under this directory.

The goal of this project is to devise a general classifier that categorizes each individual sample as one of the nine classes
seen before, with an appropriate accuracy and other performance metrics that will be evaluated and compared with existent works in the dedicated paragraph. 

The followed procedure is the classical one of the Data Mining process, thus:

1) **Data acquisition and exploration**: first phase with data harvesting 

2) **Data cleaning**: duplicate removal, missing values manage, erroneous data and other problems that affect data quality

3) **Data selection**: find relevant data for the analysis 

4) **Pre-processing**: data transformation in more useful formats (like standardization and categorical-variables encoding)

5) **Data modelling**: applying machine learning and data mining algorithms to build models that describes the data

6) **Evaluation**: accuracy of the model and its ability to predict future values

7) **Results interpretation**


In [2]:
for dirname, _, filenames in os.walk('../datasets/UNSW-NB15/'):
    for filename in filenames:
        print(os.path.join(dirname, filename))

../datasets/UNSW-NB15/The UNSW-NB15 description.pdf
../datasets/UNSW-NB15/UNSW-NB15_1.csv
../datasets/UNSW-NB15/UNSW-NB15_2.csv
../datasets/UNSW-NB15/UNSW-NB15_3.csv
../datasets/UNSW-NB15/UNSW-NB15_4.csv
../datasets/UNSW-NB15/UNSW-NB15_features.csv
../datasets/UNSW-NB15/UNSW-NB15_GT.csv
../datasets/UNSW-NB15/UNSW-NB15_LIST_EVENTS.csv
../datasets/UNSW-NB15/a part of training and testing set\UNSW_NB15_testing-set.csv
../datasets/UNSW-NB15/a part of training and testing set\UNSW_NB15_training-set.csv


# 1. Data Acquisition and Exlporation

Pandas utilities are used to retireve the dataset from the CSV files. The result of read_csv is stored into a DataFrame data structure, e.g., a two-dimensional table-like form. 

In [None]:
dataset_root = '../datasets/UNSW-NB15/'

# datasets are switched
test = pd.read_csv(dataset_root + 'a part of training and testing set/UNSW_NB15_training-set.csv')
train = pd.read_csv(dataset_root + 'a part of training and testing set/UNSW_NB15_testing-set.csv')

# otherwise UTF-8 decoding error, Windows codepage 1252 is used
features = pd.read_csv(dataset_root + 'UNSW-NB15_features.csv', encoding='cp1252').set_index('No.') 
list_events = pd.read_csv(dataset_root + 'UNSW-NB15_LIST_EVENTS.csv')

# train and test set concatenation
train['type'] = 'train'
test['type'] = 'test'
df_total = pd.concat([train, test], axis=0, ignore_index=True)

# to see all the columns in outputs
pd.set_option('display.max_columns', None) 

In [None]:
df_total

Let's see the dimensionality and an extract of the content:

In [None]:
print(f"Training set shape: {train.shape}\n")
print(f"Test set shape: {test.shape}\n")
print(f"Total set shape: {df_total.shape}\n")

In [None]:
# thanks to https://www.kaggle.com/code/khairulislam/unsw-nb15-eda?scriptVersionId=27690564&cellId=8
from pandas.api.types import is_datetime64_any_dtype as is_datetime
from pandas.api.types import is_categorical_dtype
def reduce_mem_usage(df, use_float16=False):
    """ iterate through all the columns of a dataframe and modify the data type
        to reduce memory usage.        
    """
    start_mem = df.memory_usage().sum() / 1024**2
    print('Memory usage of dataframe is {:.2f} MB'.format(start_mem))
    
    for col in df.columns:
        if is_datetime(df[col]) or is_categorical_dtype(df[col]):
            # skip datetime type or categorical type
            continue
        col_type = df[col].dtype
        
        if col_type != object:
            c_min = df[col].min()
            c_max = df[col].max()
            if str(col_type)[:3] == 'int':
                if c_min > np.iinfo(np.int8).min and c_max < np.iinfo(np.int8).max:
                    df[col] = df[col].astype(np.int8)
                elif c_min > np.iinfo(np.int16).min and c_max < np.iinfo(np.int16).max:
                    df[col] = df[col].astype(np.int16)
                elif c_min > np.iinfo(np.int32).min and c_max < np.iinfo(np.int32).max:
                    df[col] = df[col].astype(np.int32)
                elif c_min > np.iinfo(np.int64).min and c_max < np.iinfo(np.int64).max:
                    df[col] = df[col].astype(np.int64)  
            else:
                if use_float16 and c_min > np.finfo(np.float16).min and c_max < np.finfo(np.float16).max:
                    df[col] = df[col].astype(np.float16)
                elif c_min > np.finfo(np.float32).min and c_max < np.finfo(np.float32).max:
                    df[col] = df[col].astype(np.float32)
                else:
                    df[col] = df[col].astype(np.float64)
        else:
            df[col] = df[col].astype('object')
    end_mem = df.memory_usage().sum() / 1024**2
    print('Memory usage after optimization is: {:.2f} MB'.format(end_mem))
    print('Decreased by {:.1f}%'.format(100 * (start_mem - end_mem) / start_mem))
    
    return df

In [None]:
df_total = reduce_mem_usage(df_total)

## Feature statistics 

Attack categories:

In [None]:
list_events['Attack category'].unique()

Attack subcategories: 

In [None]:
list_events['Attack subcategory'].unique()

The features and the relative descriptions are in the next cell. Note that `srcip`, `sport`, `dstip`, `dsport` are not present in the training set. 

In [None]:
# actually 45 are present in the dataset
features.head(features.shape[0]) 

Print some information on the individual attributes, checking also the number of null instances:


In [None]:
for i, col_name in enumerate(train.columns):  
  print("{0:16}".format(col_name), " \tn_unique = {0:6}".format(train[col_name].nunique()), 
        "---> {0:5}%".format(round((100*train[col_name].nunique()/len(train[col_name])),2)),
        "\tnull_count = {}".format(train[col_name].isnull().sum())) 

Let's see the description of the features (including non-numerical attributes)

In [None]:
train.describe(include='all') 

## TO DO comments

We can take a look at the training data class distribution (10 category breakdown):

In [None]:
train_attack_cats = train['attack_cat'].value_counts()
train_attack_cats.plot(kind='barh', figsize=(20,10), fontsize=20);

The same plot as before in a logarithmic representation:

In [None]:
train_attack_cats.plot(kind='barh', logx=True, figsize=(20,10), fontsize=20);

One obvious observation is that the classes are tremendously imbalanced. For instance, the `Worms` class is smaller than the `Exploits` class. If we ignore this class imbalance and use the training data as is, there is a chance that the model will learn a lot more about, e.g., the `Normal` and the `Generic` classes compared to the `Worms` and `Shellcode` classes, which can result in an undesirable bias in the classifier. 

Now, let's take a look at some data. Data visualization provides many additional techniques for viewing data through graphical means. These can help in identifying relations, trends, and biases "hidden" in unstructured data sets. 

# TO DO questo va capito e commentato / utilizzato

In [None]:
df_to_plot = train.copy().drop(['id'], axis=1) # useless
df_columns = df_to_plot.columns

for i, var in enumerate(df_columns):
    max_largest = 30

    largest = min(max_largest, df_to_plot[var].nunique())
    n_nunique_var = df_to_plot[var].nunique()
    tot = len(df_to_plot[var])
    n_null = df_to_plot[var].isnull().sum() 

    plt.figure(figsize = (14, 6))
    ax = sns.countplot(x = var, order = df_to_plot[var].value_counts().iloc[:largest].index, data=df_to_plot)
    plt.xticks(rotation = 90,fontsize = 12)
    plt.yticks(fontsize = 12)
    plt.xlabel(var, fontsize = 18)
    plt.ylabel('COUNT', fontsize = 18)

    if max_largest == largest:
      plt.title(f'{var} countplot (zoom over the largest {largest} (n_unique= {n_nunique_var}))', fontsize = 15)
    else:
        plt.title(f'{var} countplot', fontsize = 18)

    plt.grid(axis = 'y')

    for p in ax.patches:
        percentage = '{:.0f}\n{:.1f}%'.format(p.get_height(), 100 * p.get_height() / len(df_to_plot[var]))
        x = p.get_x() + p.get_width()
        y = p.get_height()
        ax.annotate(percentage, (x,y), ha='right', va='bottom')

    # plt.savefig(workdir + '/fig/{}_largest_{}.png'.format(var, largest), format = 'png')

    if max_largest == largest: 
      plt.figure(figsize = (14, 6))
      # print("plotting also smallest ")
      ax_lower = sns.countplot(x = var, order = df_to_plot[var].value_counts().iloc[-largest:].index, data = df_to_plot)
      plt.xticks(rotation = 90, fontsize = 12)
      plt.yticks(fontsize = 12)
      plt.xlabel(var, fontsize = 18)
      plt.ylabel('COUNT', fontsize = 18)
      plt.title(f'{var} countplot (zoom over the smallest {largest} (n_unique= {n_nunique_var}))',fontsize = 15)

      plt.grid(axis='y')

      for p in ax_lower.patches:
        percentage = '{:.0f}\n{:.1f}%'.format(p.get_height(), 100 * p.get_height() / len(df_to_plot[var]))
        x = p.get_x() + p.get_width()
        y = p.get_height()
        ax_lower.annotate(percentage, (x,y), ha='right', va='bottom')

      # plt.savefig(workdir + '/fig/{}_smallest_{}.png'.format(var, largest), format = 'png')


In [None]:
df_to_plot.hist(figsize=(22,22));

### Datatypes understanding

In [None]:
df_total.dtypes # data types of each column, mixed types are stored with the `object` dtype

From the previous output, the describe output and the specification of the dataset in the documentation, we can see the presence of:
- 3 categorical features (*dur*, *proto*, *service*)
- 2 (asymmetric) binary features (*is_ftp_login*, *is_sm_ips_ports*)
- 2 possible target features (*attack_cat*, *label*)
- the *others* are numerical features

## Look at some features for a specific attack
This paragraph it is not aimed at a deep data visualization analysis of the dataset but is useful to understand some insights.  



In [None]:
fuzzers_df = df_total[df_total['attack_cat'] == 'Fuzzers' ]
fuzzers_df.describe(include='all')

In [None]:
fuzzers_df.hist(figsize=(20,20));

With the general distributions we can spot some differences, like in the values taken in sttl and dttl. But also, for example, the maximum values of dur, spkts, dkpts, sbytes, dbytes, and a lot more. 

If we analyse the tendency of two attributes like *is_ftp_login* and *dur* we can, for example, spot that attacks belonging to the Exploit category are characterized by a higher value of the former feature (note that the attribute is binary but assumes values higher than 1, data cleaning is a step performed ahead), meanwhile no insights come from the latter one. 

In [None]:
g = sns.lmplot(x="dur", y="is_ftp_login", data=df_total, hue="attack_cat")

Take a look at categorical values for different attack categories:

In [None]:
# pip install -U kaleido

In [None]:
nominal_cols = train.select_dtypes(include='object').columns
for feature in nominal_cols:
    fig = px.histogram(train, x=feature, log_y=True, color="attack_cat", color_discrete_sequence=px.colors.qualitative.Light24)
    fig.update_layout(xaxis={'categoryorder':'total ascending'})
    fig.show(renderer="svg", width=900, height=600)

Let's do the same for the numeric attributes:

In [None]:
numeric_cols = train.select_dtypes(exclude='object').columns

In [None]:
for feature in numeric_cols:
    fig = px.histogram(train, x=feature, log_y=True, color="attack_cat", color_discrete_sequence=px.colors.qualitative.Light24)
    fig.show(renderer="svg", width=900, height=600)

# 2. Data cleaning

The data cleaning phase is applied both to the training and the test set. It is an important phase because data quality has an high impact on the precision and the accuracy of the machine learning models. It is important to manage both the sets in the same manner to gurantee that the models will be evaluated equally and in a reliable manner. 


Data in real word is dirty. The may be:
- incomplete (missing values)
- noisy (containing noise, errors, outliers)
- inconsitent (containing dicrepancies)
- intentional 

Remove useless *id* column:

In [None]:
df_total.drop(['id'], axis=1, inplace=True) 

TO DO comment this (EDA, data preprocessing...):

Some utility variable for different feature types:

In [None]:
# retrieve features based on their types
col_names = np.array(df_total.columns)
nominal_idx = [1, 2, 3] # indexes of nominal features
binary_idx =  [36, 41] # indexes of binary features
target_idx = [42, 43, 44] # attack category, label and utility column for splitting
numeric_idx = list(set(range(43)).difference(nominal_idx).difference(binary_idx).difference(target_idx)) # indexes of numerical features


nominal_cols = col_names[nominal_idx].tolist()
binary_cols = col_names[binary_idx].tolist()
target_cols = col_names[target_idx].tolist()
numeric_cols = col_names[numeric_idx].tolist()

In [None]:
print("Check on cols assignment:")
print(f"nominal_cols = {nominal_cols}\n")
print(f"binary_cols  = {binary_cols}\n")
print(f"target_cols  = {target_cols}\n")
print(f"numeric_cols = {numeric_cols}\n")

### Missing values check

In [None]:
df_total.isnull().values.any()

In [None]:
# # TEST 

# # L'idea dovrebbe andare bene, 
# # il problema ora è riportare il tutto a come era prima (service categorico, attack_cat non encoded etc. )
# # forse la cosa migliore è lavorare nel dataset originale riga per riga in modo da sapere dove andare a mettere
# # il valore calcolato

# from sklearn.preprocessing import LabelEncoder

# multi_data = df_total.copy()
# multi_data.drop('label', axis=1, inplace=True)
# multi_label = pd.DataFrame(multi_data.service)
# # multi_data = pd.get_dummies(multi_data,columns=['service']) secondo me non necessario TO DO delete?

# le2 = LabelEncoder()
# enc_label = multi_label.apply(le2.fit_transform)
# multi_data['service'] = enc_label # '-' is encoded as 0

# multi_data 
# multi_data = pd.get_dummies(multi_data, columns=['proto', 'state', 'attack_cat'], drop_first=True) # one-hot encoding

# test_service = multi_data[multi_data['service'] == 0]
# train_service = multi_data[multi_data['service'] > 0]

# train_service_y = train_service['service']
# train_service_x = train_service.drop(['service'], axis=1)

# test_service_y = test_service['service']
# test_service_x = test_service.drop(['service'], axis=1)

# # ------------------------------------------------------

# classifier = DecisionTreeClassifier(random_state=0)
# classifier = classifier.fit(train_service_x, train_service_y)
# pred_y = classifier.predict(test_service_x)
   
# # to have the same schema
# prova = test_service.drop('service', axis=1)
# prova['service'] = pred_y.tolist()
# temp_col = prova.pop('service')
# prova.insert(0, 'service', temp_col)

# temp_col = train_service.pop('service')
# train_service.insert(0, 'service', temp_col)

# new_df = pd.concat([train_service, prova], ignore_index=True)
# new_df

### Consistency checking

Let's take a look at the binary features (index and column transposition is used).

By definition, all of these features should have a min of 0.0 and a max of 1.0



In [None]:
df_total[binary_cols].describe().transpose()

The `is_ftp_login` has a maximum value of 4

In [None]:
# The is_ftp_login column has a max value of 2.0
df_total.groupby(['is_ftp_login']).size()

In [None]:
fig = px.histogram(train, x='is_ftp_login', log_y=True, color="attack_cat", color_discrete_sequence=px.colors.qualitative.Light24)
fig.update_layout(xaxis={'categoryorder':'total ascending'})
fig.show(renderer="svg", width=900, height=600)

In [None]:
# Let's fix this discrepancy and assume that: 
# is_ftp_login == 2 ==> 0 
# is_ftp_login == 4 ==> 1
df_total['is_ftp_login'].replace(2, 0, inplace=True)
df_total['is_ftp_login'].replace(4, 1, inplace=True)
df_total.groupby(['is_ftp_login']).size()

### Checking for single-value features

In [None]:
df_total.nunique()

### TODO data scrubbling? Data auditing? Slide page 31 Marcelloni

### Duplicates check

In [None]:
train.duplicated().sum()

In [None]:
test.duplicated().sum()

# NO SMOOTHING, WHY? (TO NOT DELETE OUTLIERS?) TO DO

## Balance checking

In [None]:
train['attack_cat'].unique() # performed only on the training set

In [None]:
wedges = train['attack_cat'].value_counts()
myexplode = [0, 0.04, 0.04, 0.04, 0.15, 0.2, 0.3, 0.7, 1.3, 2]
plt.pie(np.array(wedges), labels= wedges.index, explode=myexplode, rotatelabels=True)
plt.show()
# classes.plot(kind = 'pie', figsize=(15,15), rot=0);


We may have some problems with the `Analysis`,`Backdoor`, `Shellcode`, and `Worms` classes. The resolution of the class imbalance problem is ahead in the notebook. 

### Correlation Analysis


Correlation analysis it is most commonly performed on the training data. The purpose of performing correlation analysis on the training data is to identify the relationships between the independent variables (predictors) and the dependent variable (outcome). This information can then be used to inform the selection of predictors for a predictive model or to inform feature engineering efforts. 

In [None]:
correlations = df_total.corr()

# Generate a mask for the upper triangle
mask = np.triu(np.ones_like(correlations, dtype=bool))

fig, ax = plt.subplots(figsize=(18,14))

# Generate a custom diverging colormap
cmap = sns.diverging_palette(200, 20, as_cmap=True)

sns.heatmap(correlations, mask=mask, cmap=cmap, vmax=.9, center=0,
            square=True, linewidths=.1, cbar_kws={"shrink": .5})


In [None]:
def top_correlations(correlations, limit=0.9):
    columns = correlations.columns
    for i in range(correlations.shape[0]):
        for j in range(i+1, correlations.shape[0]):
            if correlations.iloc[i,j] >= limit or correlations.iloc[i,j] <= -limit:
                print(f"{columns[i]} <-> {columns[j]}  ==  {correlations.iloc[i,j]*100}")

top_correlations(correlations)

Most correlated features are :

* spkts, sbytes, sloss
* dpkts, dbytes, dloss
* sinpkt, is_sm_ips_ports
* swin, dwin
* tcprtt, synack
* ct_srv_src, ct_srv_dst, ct_dst_src_ltm, ct_src_dport_ltm, ct_dst_sport_ltm
* is_ftp_login ct_ftp_cmd

We can easily visualize correlations in a scatter plot. In the cell below a strong positive correlations between the *dbytes* and the *dloss* features is shown. Other examples are provided below, but here the analysis is not exhaustive. 

In [None]:
sns.scatterplot(x = 'dbytes', y = 'dloss', data = df_total); 

In [None]:
sns.scatterplot(x = 'sbytes', y = 'spkts', data = df_total);

In [None]:
sns.scatterplot(x = 'ct_dst_src_ltm', y = 'ct_srv_dst', data = df_total);

# 3. Data selection & 4. Data preparation



This is an important step in the machine learning process, we have to select a significant data subset then used to learn a model. Data selection is performed to raise the quality of machine learning models and to improve the performance of the models with new data. This could include missing or duplicate data removing, the deletion of useless features or the selection of a subset of the most important features. This step can also include the modification of the data distribution to make the model stable if the dataset is unbalanced.  

The data selection step can contain oversampling and undersampling methods. 

Oversampling consists in increasing the data quantity of a minority class within the dataset to guarantee a higher representability of that class. This step can be useful to prevent understimating machine learning model performance. 

Undersampling consists in the reduction of data quantità of a majority class within the dataset to stabilize the representation of different classes. This step can be useuful to prevent overstimating machine learning model performance.


The pre-elaboration phase is fundamental and should be executed both on the train and the test set. This phase consists in a serie of steps, like data cleaning (already performed), normalization, feature transformation and selection, that aim at improve the quality and the usability of the data to perform an automatic learning. 
It's important that both the train and the test set will be treated in the same manner, to avoid models either to be disadvantaged or to introduce inconsistencies. For example, if normalization is performed only on the train set, but not on the test set, test set values could not be represented correcly and negatively affect the model evaluation. 


TO DO oversampling, under sampling, e quindi balancing si fanno qui

In [None]:
def create_count_df(col, data=df_total):
    df = pd.DataFrame(data[col].value_counts().reset_index().values, columns = [col, 'count'])
    df['percent'] = df['count'].values*100/data.shape[0]
    return df.sort_values(by='percent', ascending=False)

In [None]:
def corr(col1, col2='label', df=df_total):
    return pd.concat([df[col1], df[col2]], axis=1).corr().iloc[0,1]

### State

In [None]:
col = 'state'
# create_count_df(col, train) # to set the row below
df_total.loc[~df_total[col].isin(['FIN', 'INT', 'CON', 'REQ', 'RST']), col] = 'others'
create_count_df(col)

### Service

In [None]:
col = 'service'
# create_count_df(col, train) # to set the row below
df_total.loc[~df_total[col].isin(['-', 'dns', 'http', 'smtp', 'ftp-data', 'ftp', 'ssh', 'pop3']), col] = 'others'
create_count_df(col)


### Proto

In [None]:
col = 'proto'
create_count_df(col, train)
# from the documentation we can see that some valuee are present in the 
# test set but not in the train set
df_total.loc[df_total[col].isin(['igmp', 'icmp', 'rtp']), col] = 'igmp_icmp_rtp'
df_total.loc[~df_total[col].isin(['tcp', 'udp', 'arp', 'ospf', 'igmp_icmp_rtp']), col] = 'others'
create_count_df(col)

### is_sm_ips_ports

In [None]:
# is_sm_ips_ports, if it is 1 the connection is always normal
ax = sns.catplot(x='is_sm_ips_ports', hue="label", col="type", data=df_total, kind="count", height=5, legend=False, aspect=1.4)
ax.set_titles("{col_name}")
ax.add_legend(loc='upper right',labels=['normal','attack'])
plt.show(ax)

### is_ftp_login

This feature is highly correlated to *ct_ftp_cmd*. 

In [None]:
df_total.drop('is_ftp_login', axis=1, inplace=True)

### ct_ftp_cmd

It has an high correlation with is_ftp_login and has a very low correlation with 'label'

### sbytes & dbytes

These features are highly correlated to the number of sent packets. Actually, we can say that *spkts* * *smean* = *sbytes*. These features are highly correlated to sloss and dloss, we can drop them. 

In [None]:
df_total.drop(['sbytes', 'dbytes'], axis=1, inplace=True)

### smean & dmean

In [None]:
# the distributions are skewed to the left
train['smean'].hist(figsize=(5,5));
train['dmean'].hist(figsize=(5,5));

In [None]:
# we can drop smean and dmean after this computation
df_total['smean_log'] = df_total['smean'].apply(np.log1p)
df_total['dmean_log'] = df_total['dmean'].apply(np.log1p)

In [None]:
# we obtain a better correlation
print(corr('smean'), corr('dmean'), corr('smean_log'), corr('dmean_log'))

In [None]:
df_total.drop(['smean', 'dmean'], axis=1, inplace=True)

### spkts & dpkts

In [None]:
# also these features are skewed, drop them
df_total['spkts_log'] = df_total['spkts'].apply(np.log1p)
df_total['dpkts_log'] = df_total['dpkts'].apply(np.log1p)
print(corr('spkts'), corr('dpkts'), corr('spkts_log'), corr('dpkts_log'))
df_total.drop(['spkts', 'dpkts'], axis=1, inplace=True)

### sloss & dloss

In [None]:
df_total['sloss_log'] = df_total['sloss'].apply(np.log1p)
df_total['dloss_log'] = df_total['dloss'].apply(np.log1p)
print(corr('sloss'), corr('dloss'), corr('sloss_log'), corr('dloss_log'))
df_total.drop(['sloss', 'dloss'], axis=1, inplace= True)

### swin & dwin
binning is performed, TO DO?? è strano non so quanto sia utile (EDA)

### stcpb & dtcpb

In [None]:
df_total['stcpb_log'] = df_total['stcpb'].apply(np.log1p)
df_total['dtcpb_log'] = df_total['dtcpb'].apply(np.log1p)
print(corr('stcpb'), corr('dtcpb'), corr('stcpb_log'), corr('dtcpb_log'))
df_total.drop(['stcpb', 'dtcpb'], axis=1, inplace= True)

### tcprtt & synack & ackdat
*cprtt* is just the sum of *synack* and *ackdat*, we can drop it

In [None]:
df_total.drop(['tcprtt'], axis=1, inplace=True)

### response_body_len

In [None]:
df_total['response_body_len_log'] = df_total['response_body_len'].apply(np.log1p)
print(corr('response_body_len'), corr('response_body_len_log'))
df_total.drop(['response_body_len'], axis=1, inplace=True)

### ct_srv_src & ct_srv_dst
TO DO They are high correlated, should be checked if dropping one improves results

### sinpkt & dinpkt

In [None]:
# sinpkt is highly correlated with is_sm_ips_ports, will dropping one of them benefit? TO DO check
df_total['sinpkt_log'] = df_total['sinpkt'].apply(np.log1p)
df_total['dinpkt_log'] = df_total['dinpkt'].apply(np.log1p)
print(corr('sinpkt'), corr('dinpkt'), corr('sinpkt_log'), corr('dinpkt_log'))
df_total.drop(['sinpkt', 'dinpkt'], axis=1, inplace= True)

### sload & dload

In [None]:
df_total['sload_log'] = df_total['sload'].apply(np.log1p)
df_total['dload_log'] = df_total['dload'].apply(np.log1p)
print(corr('sload'), corr('dload'), corr('sload_log'), corr('dload_log'))
df_total.drop(['sload', 'dload'], axis=1, inplace=True)

In [None]:
# retrieve original datasets 
train = df_total[df_total['type'] == 'train']
test = df_total[df_total['type'] == 'test']

# splitting the train set
train_y = train['attack_cat'] 
train_y_label = train['label']
train_x_raw = train.drop(['attack_cat', 'label'], axis=1) 

# splitting the test set
test_y = test['attack_cat']
test_y_label = test['label']
test_x_raw = test.drop(['attack_cat', 'label'], axis=1)

In [None]:
# combined train and test set, without the ground truth
combined_df_raw = pd.concat([train_x_raw, test_x_raw])
combined_df_raw_y = pd.concat([train_y_label, test_y_label])

In [None]:
# reduces the cardinality for some features, less occurring values are set to '-' 
# for feature in df_cat.columns:    
#     if df_cat[feature].nunique() > 6:
#         combined_df_raw[feature] = np.where(combined_df_raw[feature].isin(combined_df_raw[feature].value_counts().head().index), combined_df_raw[feature], '-')

In [None]:
# df_cat = combined_df_raw.select_dtypes(exclude=[np.number])
# df_cat.describe(include='all')

In [None]:
# Remove the first level of the categorical attribute, to avoi the so-called "dummy variable trap
# in which independent vairbales being closely correlated violates assumptions of independence in regression
combined_df = pd.get_dummies(combined_df_raw, columns=nominal_cols, drop_first=True) # one-hot encoding

# Store dummy variable features name
dummy_variables = list(set(combined_df) - set(combined_df_raw))
dummy_variables

In [None]:
train_x = combined_df[combined_df['type'] == 'train']
test_x = combined_df[combined_df['type'] == 'test']
df_total.drop(['type'], axis=1, inplace=True)
combined_df.drop(['type'], axis=1, inplace=True)
train_x.drop(['type'], axis=1, inplace=True)
test_x.drop(['type'], axis=1, inplace=True)

In [None]:
train_x.describe()

### Feature selection

Now the problem of dimensionality reduction is assessed. In particular it could be needed for:
- avoid the curse of dimensionality
- help in eliminating irrelevant features and reduce noise
- reduce time and space required
- allow easier visualization

This step is not always performed.

In [None]:
# ONE POSSIBLE APPROACH

# Feature Selection
from sklearn.feature_selection import SelectKBest, chi2

best_features = SelectKBest(score_func=chi2, k='all')

fit = best_features.fit(train_x,train_y)

df_scores=pd.DataFrame(fit.scores_)
df_col=pd.DataFrame(train_x.columns)

feature_score=pd.concat([df_col,df_scores],axis=1)
feature_score.columns=['feature','score']
feature_score.sort_values(by=['score'],ascending=False,inplace=True)

print(feature_score)


In [None]:
# ANOTHER APPROACH
importance_dict = {
    'feature': train_x.columns
}

# on train data only
clf = RandomForestClassifier(random_state = 1)
clf.fit(train_x, train_y)
feature_importance = clf.feature_importances_
importance_dict['train'] = feature_importance


In [None]:
# ten-fold cross validation on train data
from tqdm import notebook

feature_importances = []
kf = StratifiedKFold(n_splits = 10, shuffle = True, random_state=1)

for tr_idx, val_idx in notebook.tqdm(kf.split(train_x, train_y), total = 10):
    x_train, y_train = train_x.iloc[tr_idx], train_y[tr_idx]
    clf = RandomForestClassifier()
    clf.fit(x_train, y_train)
    
    feature_importances.append(clf.feature_importances_)
    
feature_importance = np.mean(feature_importances, axis = 0)
importance_dict['train_10_fold'] = feature_importance

In [None]:
importance_df = pd.DataFrame(importance_dict)
for col in importance_df.columns:
    if col == 'feature':
        continue
    importance_df[col] = importance_df[col] * 100 / importance_df[col].sum()
    
importance_df['mean'] = importance_df[[col for col in importance_df.columns if col != 'feature']].mean(axis=1)
importance_df.sort_values('train_10_fold', ascending=False)

The less useful features, according to both the approaches above, are:

- *state_others*
- *state_RST*
- *service_pop3*
- *ct_ftp_cmd*
- *state_REQ*
- *service_others*
- *service_ftp-data*
- *state_FIN*
- maybe *service_ftp*, *proto_ospf*, *service_smtp*

In [None]:
# TO DO re-check with new values of the ensemble method
combined_df.drop(['state_others', 'state_RST', 'service_pop3', 'state_REQ', 'service_others', 'service_ftp-data', 'state_FIN', 'ct_ftp_cmd'], axis=1, inplace=True)

In [None]:

# def plot_feature_importance(df_train, df_test, title='Feature importance', max_tree_depth=20):
#     clf = DecisionTreeClassifier(max_depth=max_tree_depth)
#     X = df_train
#     y = df_test
#     clf = clf.fit(X, y)

#     # The importance of a feature is computed as the (normalized) total reduction of the criterion brought by that feature.
#     # It is also known as the Gini importance.
#     feature_names = df_train.columns
#     feature_importance_df = pd.DataFrame(list(zip(clf.feature_importances_, feature_names)), columns=["feature_importance", "feature_name"])
#     feature_importance_df = feature_importance_df.sort_values(by='feature_importance', ascending=False)
#     useless_features = list(feature_importance_df[feature_importance_df['feature_importance'] <= 0]['feature_name'])
#     feature_importance_df = feature_importance_df[feature_importance_df['feature_importance'] >= 0]

#     fig = px.bar(feature_importance_df, x="feature_name", y="feature_importance", log_y=True, title=title)
#     fig.show(width=900, height=500)
    
    
#     print("The following features were dropped:")
#     print(useless_features)
#     return useless_features

# useless_features = plot_feature_importance(train_x, train_y)

# combined_df.drop(useless_features, axis=1, inplace=True)

# # TO DO, specificare da ove sono stati presi questi valori
# combined_df.drop(['proto_udp', 'swin', 'service_ftp-data', 'dttl', 'state_REQ', 'state_RST'], axis=1, inplace=True)


In [None]:
combined_df.shape

In [None]:
# update the slices 
train_x = combined_df[:len(train_x)]
test_x = combined_df[len(train_x):]

## Correlation-based selection

In [None]:
new_correlations = combined_df.corr()
top_correlations(new_correlations)

In [None]:
combined_df.drop(['dwin', 'stcpb_log', 'dtcpb_log', 'proto_tcp', 'ct_dst_src_ltm', 'ct_srv_dst', 'ct_dst_sport_ltm', 'ct_src_ltm', 'dpkts_log', 'dload_log', 'state_INT', 'dpkts_log', 'sloss_log', 'proto_tcp'], axis=1, inplace=True)

In [None]:
# update the slices 
train_x = combined_df[:len(train_x)]
test_x = combined_df[len(train_x):]

### Numerosity Reduction


See the Imbalance Problem in the Classification Chapter. 

### Normalization
**Observation**: 
The distributions of each feature vary widely, this will affect our results if we use any distance-based methods for classification. 
For instance, the mean of `sload` is larger than the mean of `dur` by seven orders of magnitude, and its standard deviation is larger by eight orders of magnitude.

Without performing feature value normalization, the `sload` feature would dominate, causing the model to miss out on potentially important information in the `dur` feature. We need to rescale the value. 

This step is usually applied to both the training and test data. The purpose of standardization is to transform the data so that it has a mean of zero and a standard deviation of one. This is done so that the data has a common scale, which is important for many machine learning algorithms that use distance metrics or assume a Gaussian distribution of the input features. By standardizing both the training and test data using the same statistics (mean and standard deviation) computed from the training data, we ensure that the test data is transformed in the same way as the training data and the results are comparable.

TO DO provare anchea a togliere la normalizzazione

In [None]:
train_x.describe()

The chosen scaler is RobustScaler because of its capability of maintaining small differences in the distributions, especially for outliers, this is justified by some experimentation in the classification below (initially StandardScaler was used). 

In [None]:
# produces an ill defined F score (0 division, no predicted samples)

# from sklearn.preprocessing import StandardScaler

# numeric_cols = train_x.select_dtypes(exclude='object').columns

# ss = StandardScaler()
# train_x[numeric_cols] = ss.fit_transform(train_x[numeric_cols])
# test_x[numeric_cols] = ss.transform(test_x[numeric_cols])


In [None]:
# # similar results of RobustScaler

# from sklearn.preprocessing import MinMaxScaler

# numeric_cols = train_x.select_dtypes(exclude='object').columns

# mms = MinMaxScaler()
# train_x[numeric_cols] = mms.fit_transform(train_x[numeric_cols])
# test_x[numeric_cols] = mms.transform(test_x[numeric_cols])

In [None]:
from sklearn.preprocessing import RobustScaler

numeric_cols = train_x.select_dtypes(exclude='object').columns

rs = RobustScaler().fit(train_x[numeric_cols]);
train_x[numeric_cols] = rs.transform(train_x[numeric_cols]);
test_x[numeric_cols] = rs.transform(test_x[numeric_cols]);


In [None]:
train_x.describe()

In [None]:
# # TEST
# from sklearn.tree import DecisionTreeClassifier
# from sklearn.metrics import confusion_matrix, zero_one_loss, ConfusionMatrixDisplay

# classifier = DecisionTreeClassifier(random_state=0)
# classifier = classifier.fit(train_x, train_y)
# pred_y = classifier.predict(test_x)
# print(classification_report(test_y, pred_y))

# 5. Data Modelling (Classification)

**Why classification and not anomaly detection?**

Classification and anomaly detection are two different machine learning tasks.

**Classification** involves assigning a predefined class or category to a new instance based on its features. For example, classify a new email as spam or not spam.

**Anomaly detection**, on the other hand, involves detecting instances that are different from the norm in the data. For example, detecting fraudulent transactions in a set of financial transactions.

In summary, classification divides data into predefined categories, while anomaly detection identifies instances that are outside of the norm.

We have a ten-class classification problem in which each sample belongs to one of the following classes: `Fuzzers`, `Analysis`, `Backdoors`, `DoS`, `Exploits`, `Generic`, `Reconnaissance`, `Shellcode`, `Worms` and `Normal`. There are many different classification algorithms suitable for a problem like this, and many different ways to approach the problem of multiclass classification. Many classification algorithms inherently supprot multiclass data (e.g., decision trees, nearest neighbors, Naive Bayes), whereas other do not (e.g., support vector machines). Even if our algorithm of choice does not inherently support multiple classes, there are some clever techniques for effectively achieving this. 

TO DO remove? 
Essentially, a multiclass problem can be split into multiple binary classification problems. A strategy known as *one-versus-all*, also called *binary relevance method*, fits one classifier per class, with data belonging to the class fitted against the aggregate of all other classes. Another less commonly used strategy is *one-versus-one*, in which there are *n_classes * (n_classes - 1) / 2* classifier constructed, one for each unique pair of classes. In this case, during the prediction phase, each sample is run through all the classifiers, and the classification confidences for each of the classes are tallied. The class with the highest aggregate confidence is selectedd as the prediction result. 
One-versus-all scales linearly with the number of class and, in general, has better model interpretability because each class is only represented by one classifier (as opposed to each class being represented by *n_class - 1* classifiers for one-versus-one). TO DO remove below??? In contrast, the one-versus-one strategy does not scale well with the number of classes because of its polynomial complexity. 

## 5.1 Supervised Learning

### Decision Tree and the Imbalance Problem

In [None]:
from sklearn.tree import DecisionTreeClassifier
from sklearn.metrics import confusion_matrix, zero_one_loss, ConfusionMatrixDisplay

In [None]:
# Visualization purposes
# We start with a small max_depth so we can look at the decision tree structure in a friendly way
classifier = DecisionTreeClassifier(max_depth=5)
classifier = classifier.fit(train_x, train_y)
print(f"double check shapes: X.shape = {train_x.shape}, y.shape = {train_y.shape}")
print(f"model classes: {classifier.classes_}")

In [None]:
from sklearn import tree

plt.figure(figsize=(30, 20), dpi=150)

tree.plot_tree(classifier, feature_names = train_x.columns, fontsize=14)
plt.show()

In [None]:
# random_state is set to an integer to obtain a deterministic behaviour in fitting
classifier = DecisionTreeClassifier(random_state=0)
classifier = classifier.fit(train_x, train_y)

In [None]:
pred_y = classifier.predict(test_x)

In [None]:
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y, pred_y, xticks_rotation='vertical', ax=ax)
plt.show()

In [None]:
print(classification_report(test_y, pred_y))

With just a few lines of code and no tuning at all, a 77% classification accuracy is obtained. However, this number is quite meaningless without considering the distribution of the test set (shown below). We know that such a measure is not acceptable for an unbalanced dataset, because we are interested in the *minority* class. If we take a look at some other measure like the **precision** (percentage of tuples labeled as positive and actually such, *TP/(TP+FP)*) and the **recall**  (percentage of positive tuples labeled as such, *TP/P*) the results are not very good. For example, the 'Analysis' attack category has a precision = 2% and a recall = 9%. 
A good parameter to look at is the F1-Score, e.g. an harmonic mean of precision and recall.

In [None]:
test_attack_cats = test_y.value_counts()
test_attack_cats.plot(kind='barh', logx=True, figsize=(20,10), fontsize=20);

In the confusion matrix, the diagonal values are the counts of the correctly classified samples. Each row represents the true class, and each column represents the predicted class. For instance, the number in the second row and in third column represents the number of samples that are actually of class `Backdoor` that were classfied as `DoS`.

Simlarly to the training set, the test distribution is not balanced across categories:

In [None]:
test_y.value_counts().apply(lambda x: x / float(len(test_y)))

TO DO correct these values. 
We see that the 44% of the test data belong to the `Normal` class, 23% to the `Generic` one, 14% to `Exploits`, 7% to `Fuzzers`, whereas only the 0,005% of the data belongs to the `Worms` class, the 0,04% belongs to the `Shellcode`, 0,07% to `Backdoor` and 0,08% to `Analysis`. We can see the problem in the `Shellcode` row for example, the number of times it is correctly classified is similar to the number of times it is wrongly classified. It could have been not enough information for the trained model to learn from the latter classes to correctly identify them. We must face the problem of class imbalance. 

### Sampling

As we know, there are two possible remedies: undersampling (e.g., prioritize the removal of samples that are very similar to other samples that will remain in the dataset) and oversampling (e.g., generate synthetic data points for minority classes using SMOTE). A popular method is to first oversample the minority class and then undersample to tighten the class distribution discrepancy. 

In [None]:
print(pd.Series(train_y).value_counts())

In [None]:
# !pip install imblearn

In [None]:
from imblearn.over_sampling import SMOTE

mean_class_size = int(pd.Series(train_y).value_counts().sum() / 10)

# a lot of values were tried
strategy = { 
            #'Fuzzers': mean_class_size, 
            'DoS': 40000, 
            'Analysis': 40000, 
            'Backdoor': 40000, 
            'Shellcode': 40000, 
            'Worms': 40000
           }

sm = SMOTE(sampling_strategy = strategy, random_state = 0)
train_x_sm, train_y_sm = sm.fit_resample(train_x, train_y)
print(pd.Series(train_y_sm).value_counts())


In [None]:
test_attack_cats = train_y_sm.value_counts()
test_attack_cats.plot(kind='barh', logx=True, figsize=(20,10), fontsize=20);

In [None]:
# OVERFITTING CHECK (commented because time-consuming, also tried with classification_report)
# values = [i for i in range(10, 25)]
# for i in values:
#     print(f"Value: {i}\n")
#     classifier = DecisionTreeClassifier(max_depth=i, random_state=0)
#     classifier = classifier.fit(train_x_sm, train_y_sm)
#     pred_yt = classifier.predict(test_x)
#     print(accuracy_score(test_y, pred_yt))
#     pred_yt = classifier.predict(train_x_sm)
#     print(accuracy_score(train_y_sm, pred_yt))
#     print(" ")

dt = DecisionTreeClassifier(max_depth=25, random_state=0)
classifier = classifier.fit(train_x_sm, train_y_sm)
pred_y = classifier.predict(test_x)
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y, pred_y, xticks_rotation='vertical', ax=ax)
plt.show()
print(classification_report(test_y, pred_y))

We can see an overfitting problem after a depth of 16 levels, thanks to the loop test. This is why we set max_depth to 16. 

TO DO correct Here a lot of experimentation can be made: my idea was to try first SMOTE to all the minority classes with a sampling set to *mean_class_size*, then SMOTE to all the minority classes with the strategy set to *auto*, then some experimentation mixing these values. For example, applying SMOTE only to those features with an F-score less than 0.50, or do the latter but adding also those features that worsen their measures (like Worms), and something similar. I found that the best, worst, solution is applying SMOTE to all those features with an F-score less than 50%. When I evaluated these combinations I evaluated the total sum of the F-scores of all the features. When I said best/worst is because the relative solution is in any case worst with respect to the base one without over-sampling. 

Let's see what happens applying also under-sampling:

In [None]:
print(pd.Series(train_y_sm).value_counts())

In [None]:
from imblearn.under_sampling import RandomUnderSampler

# mean_class_size = int(pd.Series(train_y_sm).value_counts().sum() / 10)

# a lot of combinations has been tried
ratio = {
         'Normal': mean_class_size, 
         'Exploits': mean_class_size,
         'Generic': mean_class_size
        }

rus = RandomUnderSampler(sampling_strategy = ratio, random_state = 0)
train_x_sm_rus, train_y_sm_rus = rus.fit_resample(train_x_sm, train_y_sm)
print(pd.Series(train_y_sm_rus).value_counts())

In [None]:
test_attack_cats_sm_rus = train_y_sm_rus.value_counts()
test_attack_cats_sm_rus.plot(kind='barh', logx=True, figsize=(20,10), fontsize=20);

In [None]:
# OVERFITTING CHECK (commented because time-consuming)
# values = [i for i in range(10, 30)]
# for i in values:
#     print(f"Value: {i}\n")
#     classifier = DecisionTreeClassifier(max_depth=i, random_state=0)
#     classifier = classifier.fit(train_x_sm_rus, train_y_sm_rus)
#     pred_yt = classifier.predict(test_x)
#     print(classification_report(test_y, pred_yt))
#     pred_yt = classifier.predict(train_x_sm_rus)
#     print(classification_report(train_y_sm_rus, pred_yt))
#     print(" ")

classifier = DecisionTreeClassifier(max_depth=21, random_state=0)
classifier = classifier.fit(train_x_sm_rus, train_y_sm_rus)
pred_y = classifier.predict(test_x)
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y, pred_y, xticks_rotation='vertical', ax=ax)
plt.show()

In [None]:
print(classification_report(test_y, pred_y))

Also here, some experimentation has been done. We can notice that the scores change a bit for some features but basically their sum remains the same. 

Our last chance is to perform only undersampling:

In [None]:
# mean_class_size = int(pd.Series(train_y_sm).value_counts().sum() / 10)

# a lot of combinations has been tried
ratio = {
         'Normal': mean_class_size, 
         'Exploits': mean_class_size,
         'Generic': mean_class_size
        }

orus = RandomUnderSampler(sampling_strategy = ratio, random_state = 0)
train_x_orus, train_y_orus = orus.fit_resample(train_x, train_y)
print(pd.Series(train_y_orus).value_counts())

In [None]:
test_attack_cats_orus = train_y_orus.value_counts()
test_attack_cats_orus.plot(kind='barh', logx=True, figsize=(20,10), fontsize=20);

In [None]:
# OVERFITTING CHECK (commented because time-consuming)
# values = [i for i in range(10, 30)]
# for i in values:
#     print(f"Value: {i}\n")
#     classifier = DecisionTreeClassifier(max_depth=i, random_state=0)
#     classifier = classifier.fit(train_x_orus, train_y_orus)
#     pred_yt = classifier.predict(test_x)
#     print(classification_report(test_y, pred_yt))
#     pred_yt = classifier.predict(train_x_orus)
#     print(classification_report(train_y_orus, pred_yt))
#     print(" ")

classifier = DecisionTreeClassifier(max_depth=12, random_state=0)
classifier = classifier.fit(train_x_orus, train_y_orus)
pred_y = classifier.predict(test_x)

In [None]:
print(classification_report(test_y, pred_y))

Also in this case some experiments have been done, but the point remains the same, we can get some better behaviour in classifying some minority classes but with no such a general great improvement. 
We can conclude that some features like *Analysis* and *Backdoors* probably do not have a suitable fingerprint on the network statistics, because even raising up their instances, making them the majority classes (e.g., first oversample them to the max, and then undersample the other major categories), makes a little difference on their metrics. Another possible reason is the nature of the data that were sampled when the dataset was created. 
Furthermore, the unbalanced multiclass classification problem is hard to solve.

In the following i decided to apply the **stratified K fold cross validation** to choose the right sampling to maintain (spoiler: the application of both SMOTE and RandomUnderSampling). 

In [None]:
# this is not extremely necessary because the test set is not too small
# but is preferred considering the unbalanced nature of the dataset

def applyStratifiedKFold(classifier):
    skf = StratifiedKFold(n_splits=10, shuffle=True)

    df_all = pd.concat([train_x, test_x], axis=0)
    gt_all = pd.concat([train_y, test_y], axis=0)

    list_df = []
    list_accuracy = []

    k = 1
    for train_idx, test_idx in skf.split(df_all, gt_all):

        print(f'FOLD {k}:')

        # fit and predict using classifier
        x_tr = df_all.iloc[train_idx]
        y_tr = gt_all.iloc[train_idx]
        x_test = df_all.iloc[test_idx]
        y_test = gt_all.iloc[test_idx]

        clf = classifier
        clf.fit(x_tr, y_tr)
        y_pred = clf.predict(x_test)

        # compute classification report
        cr = classification_report(y_test, y_pred, output_dict = True)

        # store accuracy
        list_accuracy.append(cr['accuracy'])

        # store per-class metrics as a dataframe
        df = pd.DataFrame({k:v for k,v in cr.items() if k != 'accuracy'})
        display(df)
        list_df.append(df)
        k += 1
        print("")
    
    return list_df, list_accuracy


In [None]:
list_df, list_accuracy = applyStratifiedKFold(DecisionTreeClassifier())

In [None]:
# compute average per-class metrics  
def computeAverageMetrics(df_list):
    df_concat = pd.concat(df_list)
    grouped_by_row_index = df_concat.groupby(df_concat.index)
    df_avg = grouped_by_row_index.mean()
    df_avg.transpose()
    return df_avg

# compute average accuracy
def computeAverageAccuracy(accuracy_list):
    accuracy_avg = np.mean(accuracy_list)
    print("Average Accuracy score == {:.2f} %".format(accuracy_avg*100))
    
# compute average F1-score
def computeAverageF1Score(avg_df):
    f1_avg = avg_df.transpose()['f1-score'].mean()
    print("Average F1-score == {:.2f} %".format(f1_avg*100))

In [None]:
df_avg = computeAverageMetrics(list_df)
df_avg.transpose()

In [None]:
computeAverageAccuracy(list_accuracy)

In [None]:
computeAverageF1Score(df_avg)

### Logistic Regression

dal file IoT dei salvati:
    - linear regression
    - linear support vector machine? mi sembrava di no
    - KNN
    - Random forest / decision tree

In [None]:
# 20 minutes running
from sklearn.linear_model import LogisticRegression

# one-versus-rest
logr_classifier = LogisticRegression(dual=False, class_weight='balanced', max_iter=5000, solver='newton-cg', multi_class='ovr', n_jobs=-1)
logr_classifier.fit(train_x, train_y)

In [None]:
pred_y = logr_classifier.predict(test_x)

In [None]:
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y, pred_y, xticks_rotation='vertical', ax=ax)
plt.show()

In [None]:
print(classification_report(test_y, pred_y))

## Linear Regression

In [None]:
from sklearn.linear_model import LinearRegression
lr_multi = LinearRegression()
lr_multi.fit(train_x, train_y)

## Support Vector Machine

In [None]:
# support vector machine
# LinearSVC implements “one-vs-the-rest” multi-class strategy, thus training n_classes models
# it scales better than SVC with kernel=linear

# VERY LONG RUNNING TIME

from sklearn.svm import LinearSVC

lsvm = LinearSVC(dual=False, class_weight='balanced', max_iter=15000)
lsvm.fit(train_x, train_y) 


In [None]:
pred_y = lsvm.predict(test_x)
print(classification_report(test_y, pred_y))

In [None]:
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y, pred_y, xticks_rotation='vertical', ax=ax)
plt.show()

In [None]:
skf = StratifiedKFold(n_splits=10, shuffle=True)

print('here')
df_all = pd.concat([train_x, test_x], axis=0)
gt_all = pd.concat([train_y, test_y], axis=0)

list_df = []
list_accuracy = []
print('here1')
k = 1
for train_idx, test_idx in skf.split(df_all, gt_all):

    print(f'FOLD {k}:')

    # fit and predict using classifier
    x_tr = df_all.iloc[train_idx]
    y_tr = gt_all.iloc[train_idx]
    x_test = df_all.iloc[test_idx]
    y_test = gt_all.iloc[test_idx]
    
    print('pre')
    clf = LinearSVC(dual=False, class_weight='balanced', max_iter=15000)
    print('gas')
    clf.fit(x_tr, y_tr)
    print('post')
    y_pred = clf.predict(x_test)
    print('predicted')
    # compute classification report
    cr = classification_report(y_test, y_pred, output_dict = True)

    # store accuracy
    list_accuracy.append(cr['accuracy'])

    # store per-class metrics as a dataframe
    df = pd.DataFrame({k:v for k,v in cr.items() if k != 'accuracy'})
    display(df)
    list_df.append(df)
    k += 1
    print("")


In [None]:
df_concat = pd.concat(list_df)
grouped_by_row_index = df_concat.groupby(df_concat.index)
df_avg = grouped_by_row_index.mean()
df_avg.transpose()

accuracy_avg = np.mean(list_accuracy)
print("Average Accuracy score == {:.2f} %".format(accuracy_avg*100))
    
f1_avg = df_avg.transpose()['f1-score'].mean()
print("Average F1-score == {:.2f} %".format(f1_avg*100))

## K Nearest Neighbours

In [None]:
knn = KNeighborsClassifier(n_jobs=-1)
knn.fit(train_x,train_y)

In [None]:
pred_y = knn.predict(test_x)

In [None]:
print(classification_report(test_y, pred_y))

## Random Forest

In [None]:
randf = RandomForestClassifier(class_weight = 'balanced', n_jobs=-1)
randf.fit(train_x, train_y)

pred_y = randf.predict(test_x)
print(classification_report(test_y, pred_y))

## Multi-layer Perceptron

In [None]:
mlp = MLPClassifier(random_state=123, solver='adam', max_iter=10000)
mlp.fit(train_x, train_y)

In [None]:
pred_y = mlp.predict(test_x)
print(classification_report(test_y, pred_y))

# TEST for class change

In [None]:
train_y

In [None]:
train_y_9 = train_y.copy(deep=True)
train_y_9.loc[train_y_9 == 'Backdoor'] = 'Backdoor_or_Dos'
train_y_9.loc[train_y_9 == 'DoS'] = 'Backdoor_or_Dos'


test_y_9 = test_y.copy(deep=True)
test_y_9.loc[test_y_9 == 'Backdoor'] = 'Backdoor_or_Dos'
test_y_9.loc[test_y_9 == 'DoS'] = 'Backdoor_or_Dos'
test_y_9.sample(100)


In [None]:
classifier = DecisionTreeClassifier(random_state=0)
classifier = classifier.fit(train_x, train_y_9)
pred_y = classifier.predict(test_x)
print(classification_report(test_y_9, pred_y))

In [None]:
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y_9, pred_y, xticks_rotation='vertical', ax=ax)
plt.show()

In [None]:
train_y_7 = train_y_9.copy(deep=True)
train_y_7.loc[train_y_7 == 'Backdoor_or_Dos'] = 'BADE'
train_y_7.loc[train_y_7 == 'Analysis'] = 'BADE'
train_y_7.loc[train_y_7 == 'Exploits'] = 'BADE'


test_y_7 = test_y_9.copy(deep=True)
test_y_7.loc[test_y_7 == 'Backdoor_or_Dos'] = 'BADE'
test_y_7.loc[test_y_7 == 'Analysis'] = 'BADE'
test_y_7.loc[test_y_7 == 'Exploits'] = 'BADE'

test_y_7.sample(100)


In [None]:
classifier = DecisionTreeClassifier(random_state=0)
classifier = classifier.fit(train_x, train_y_7)
pred_y = classifier.predict(test_x)
print(classification_report(test_y_7, pred_y))


In [None]:
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y_7, pred_y, xticks_rotation='vertical', ax=ax)
plt.show()

In [None]:
train_y_2 = train_y_7.copy(deep=True)
train_y_2.loc[train_y_7 != 'Normal'] = 'Attack'


test_y_2 = test_y_7.copy(deep=True)
test_y_2.loc[test_y_2 != 'Normal'] = 'Attack'


test_y_2.sample(100)

In [None]:
classifier = DecisionTreeClassifier(random_state=0)
classifier = classifier.fit(train_x, train_y_2)
pred_y_2 = classifier.predict(test_x)
print(classification_report(test_y_2, pred_y_2))


In [None]:
fig, ax = plt.subplots(figsize=(11, 11))
disp = ConfusionMatrixDisplay.from_predictions(test_y_2, pred_y_2, xticks_rotation='vertical', ax=ax)
plt.show()

In [None]:
# randf = RandomForestClassifier(class_weight = 'balanced', n_jobs=-1)
# randf.fit(train_x, train_y_2)

# pred_y_2 = randf.predict(test_x)
# print(classification_report(test_y_2, pred_y_2))

mlp = MLPClassifier(random_state=123, solver='adam', max_iter=10000)
mlp.fit(train_x, train_y_2)
pred_y_2 = mlp.predict(test_x)
print(classification_report(test_y_2, pred_y_2))

# Unsupervised Learning

In [None]:
def evaluate_clustering(y_true, y_pred):
    # Matrix $C$ such that $C_{ij}$ is the number of samples in true class $i$ and in predicted cluster $j$.
    cm = contingency_matrix(y_true, y_pred)
    print(f'contingency matrix: \n {cm}')
    for enu, row in enumerate(cm):
        print(f'Row{enu}: sum = {sum(row)}')    
    homogeneity, completeness, v_measure = homogeneity_completeness_v_measure(y_true, y_pred)
#   homogeneity is high if all the clusters contain only data points which are members of a single class.
    print(f'homogeneity score: {homogeneity}')
#   completeness is high if all the data points that are members of a given class are elements of the same cluster.
    print(f'completeness score: {completeness}')
    print(f'v-measure score: {v_measure}')

In [None]:
train_y_bin = train_y.apply(lambda x: 'normal' if x == 'Normal' else 'attack')
train_y_bin.value_counts()

In [None]:

def plot_pca(X,Y):
    # Use PCA to reduce dimensionality so we can visualize the dataset on a 2d plot
    pca = PCA(n_components=2)

    data_pca = pca.fit_transform(X)

    print(f'percentage of variance explained by principal components: {pca.explained_variance_ratio_}')
    print(f'sum: {sum(pca.explained_variance_ratio_)}')

    plt.figure(figsize=(15,10))
    colors = ['navy', 'turquoise', 'darkorange', 'red', 'purple', 'green', 'pink', 'yellow', 'black', 'orange']
    
    for color, cat in zip(colors, np.unique(Y)):
        plt.scatter(data_pca[Y==cat, 0], data_pca[Y==cat, 1],
                    color=color, alpha=.8, lw=2, label=cat)
    plt.legend(loc='best', shadow=False, scatterpoints=1)

    plt.show()

    
# %matplotlib notebook
plot_pca(train_x, train_y)
plot_pca(train_x, train_y_bin)


In [None]:
def apply_kmeans(X, y, k_values, n_components = 2):
    for k in k_values:
        print(f'k = {k}')
        kmeans = KMeans(n_clusters = k, random_state = 17).fit(X)
        pred_y = kmeans.labels_
        evaluate_clustering(y, pred_y)

        
# If 0 < n_components < 1 and svd_solver == 'full' (automatically selected), 
# select the number of components such that 
# the amount of variance that needs to be explained is greater 
# than the percentage specified by n_components.
for components in [0.95,2,None]: # arguments for the PCA reduction, different cases
    print()
    if components:
        print(components)
        pca = PCA(n_components=components)
        data_clustering = pca.fit_transform(train_x)
    else:
        data_clustering = train_x
    print(f'[transformed] space shape: {data_clustering.shape}')
    apply_kmeans(data_clustering, train_y, [10])
#     apply_kmeans(data_pca,train_y,[8])

In [None]:
for components in [0.95,2,None]:
    print()
    if components:
        pca = PCA(n_components = components)
        data_clustering = pca.fit_transform(train_x)
    else:
        data_clustering = train_x
    print(f'[transformed] space shape: {data_clustering.shape}')
    apply_kmeans(data_clustering, train_y_bin, [2])

As we can see from the previous results, this dataset is absolutely not suitable for a clustering approach. 
### TODO comments

# Outlier Detection

In [None]:
train_y.value_counts().index

In [None]:
final_indices = []
for net_type in train_y.value_counts().index:
    if net_type == 'Normal':
        final_indices.extend(train_y[train_y == net_type].index.values)
    final_indices.extend(train_y[train_y == net_type].sample(10).index.values)
len(final_indices)
train_y_sample = train_y.loc[final_indices]
train_y_bin_sample = train_y_bin.loc[final_indices]
print(train_y_sample.value_counts())
print(train_y_bin_sample.value_counts())
train_x_sample = train_x.loc[final_indices,:]

In [None]:
def apply_LOF(X, contamination):
    lof = LOF(contamination = contamination)
    y_lof = lof.fit_predict(X)
    unique, counts = np.unique(y_lof, return_counts = True)
    print(dict(zip(unique, counts)))
    pred_y = np.minimum(y_lof,0)*(-1)
    return pred_y

pca = PCA(n_components=0.95)
data_clustering = pca.fit_transform(train_x_sample)

print(f'[transformed] space shape: {data_clustering.shape}')

for contamination in [0.0005, 0.001, 'auto']:
    print('contamination', contamination)
    pred_y = apply_LOF(data_clustering, contamination)
    evaluate_clustering(train_y_sample, pred_y)
    evaluate_clustering(train_y_bin_sample, pred_y)


In [None]:
train_y_fuzzers = train_y.apply(lambda x: 'outlier' if x == 'Fuzzers' else 'normal')

In [None]:
pca = PCA(n_components=0.95)
data_clustering = pca.fit_transform(train_x)
print(f'[transformed] space shape: {data_clustering.shape}')

for contamination in [0.0005,'auto']:
    print()
    print('contamination', contamination)
    pred_y = apply_LOF(data_clustering, contamination)
    evaluate_clustering(train_y_fuzzers, pred_y)
