# Volt
# Summary 
In this project the National Vulnerability Database's (NVD) of Common exposures and vulnerabilites (CVES) is levarged
to create a tool that is used as a part of the data pipeline to determine how similar CVE's are to one another. 

The first goal to such a pipeline is to clean the description data, tokenize the data. The second goal is tokenize and read the data that will be used as a training label. 
## Project Objective: 
### Create a Pipeline that Can Support Document Similarity and Search


# Requirements
Required packages:
- pyspark
- numpy

TF-IDF use cases:
- LDA
- Similarity with
1. **Feature Selection**:
   - Examine the top TF-IDF terms to identify important features. You can select a subset of these features for further analysis or modeling.
   - Consider removing low-TF-IDF terms (common words) that might not contribute significantly to your task.

2. **Clustering and Topic Modeling**:
   - Apply clustering algorithms (e.g., K-means, DBSCAN) to group similar documents based on their TF-IDF vectors.
   - Explore topic modeling techniques (e.g., Latent Dirichlet Allocation, Non-Negative Matrix Factorization) to discover latent topics within your corpus.

3. **Document Similarity**:
   - Calculate cosine similarity between TF-IDF vectors of different documents. This helps identify similar documents.
   - Use similarity scores to recommend related articles, products, or content.

4. **Classification and Sentiment Analysis**:
   - Train classifiers (e.g., SVM, Random Forest) using TF-IDF features as input. This is useful for tasks like sentiment analysis, spam detection, or document categorization.
   - Convert text data into TF-IDF vectors and use them as features for machine learning models.

5. **Search and Information Retrieval**:
   - Build an inverted index using TF-IDF vectors to create an efficient search engine.
   - Retrieve relevant documents based on user queries by ranking them using their TF-IDF scores.

6. **Visualizations**:
   - Visualize TF-IDF scores using word clouds, scatter plots, or bar charts to gain insights into term importance.
   - Plot the distribution of TF-IDF values across the entire dataset.

7. **Optimize Hyperparameters**:
   - Experiment with different parameters (e.g., n-grams, stop words, max features) in your TF-IDF vectorization process.
   - Use cross-validation to find optimal settings.

TODO: Find sources to back up these claims.

In [1]:
# Python system utilities
import os, math, re
# Pyspark for Spark 🌟
import pyspark
# Used to download the dataset the first time
import urllib.request
import zipfile
# Spark session
from pyspark.sql import SparkSession
# Common functions.
from pyspark.sql.functions import col, count, collect_list, countDistinct, concat_ws, desc, explode, expr, lit, udf, split, sum
# Spark data types used throughout the application.
from pyspark.sql.types import DoubleType, FloatType, StringType, ArrayType
# Used to remove common stopwords. We do additional dataset specific stopword analysis latter.
from pyspark.ml.feature import StopWordsRemover
# These are spark math libraries that allow the developer to make memory effienct vectors
from pyspark.ml.linalg import VectorUDT, SparseVector
# This takes a sparse vector and gets the features from the vector.
from pyspark.ml.feature import VectorAssembler 

# Download data
Handle downloading the data if it doesn't already exist for the user.

In [2]:
# Load the dataset if it doesn't already exist. 
data_dir = "data"
os.makedirs(data_dir, exist_ok=True) 
fileUrls = [
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2003.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2005.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2006.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2007.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2008.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2009.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2011.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2012.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2014.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2015.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2016.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2017.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2018.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2019.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2022.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2023.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2024.json.zip',
        'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.json.zip'
    ]

# Iterate through each URL
for url in fileUrls:
    filename = url.split("/")[-1]
    outputfile = os.path.join(data_dir, filename)
    checkfile = os.path.join(data_dir, os.path.splitext(filename)[0])

    # Check if the file already exists
    if not os.path.exists(checkfile):
        # Download the file
        urllib.request.urlretrieve(url, outputfile)
        print(f"Downloaded: {filename}")

        # Extract the file
        with zipfile.ZipFile(outputfile, "r") as zip_ref:
            zip_ref.extractall(data_dir)

        # Delete the original zip file
        os.remove(outputfile)

In [3]:
spark = (
    SparkSession.builder
        .master("local[*]")
        .appName("voltcve")
        .config("spark.driver.host", "127.0.0.1")
        .config("spark.driver.bindAddress", "127.0.0.1")
        .config("spark.default.parallelism", 8)
        .config("spark.driver.memory", "25g") \
        .config("spark.executor.memory", "10g") \
        .config("spark.driver.maxResultSize", "5g") \
        .getOrCreate()
)
# read the data
cves = spark.read.option("multiline", "true").json("data/nvdcve-1.1-2020.json")

# Manipulate the data to be more usable 
cves.printSchema()


24/03/23 13:30:57 WARN Utils: Your hostname, sandbox resolves to a loopback address: 127.0.0.1; using 192.168.0.14 instead (on interface eth0)
24/03/23 13:30:57 WARN Utils: Set SPARK_LOCAL_IP if you need to bind to another address
Setting default log level to "WARN".
To adjust logging level use sc.setLogLevel(newLevel). For SparkR, use setLogLevel(newLevel).
24/03/23 13:30:58 WARN NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
                                                                                

root
 |-- CVE_Items: array (nullable = true)
 |    |-- element: struct (containsNull = true)
 |    |    |-- configurations: struct (nullable = true)
 |    |    |    |-- CVE_data_version: string (nullable = true)
 |    |    |    |-- nodes: array (nullable = true)
 |    |    |    |    |-- element: struct (containsNull = true)
 |    |    |    |    |    |-- children: array (nullable = true)
 |    |    |    |    |    |    |-- element: struct (containsNull = true)
 |    |    |    |    |    |    |    |-- children: array (nullable = true)
 |    |    |    |    |    |    |    |    |-- element: string (containsNull = true)
 |    |    |    |    |    |    |    |-- cpe_match: array (nullable = true)
 |    |    |    |    |    |    |    |    |-- element: struct (containsNull = true)
 |    |    |    |    |    |    |    |    |    |-- cpe23Uri: string (nullable = true)
 |    |    |    |    |    |    |    |    |    |-- cpe_name: array (nullable = true)
 |    |    |    |    |    |    |    |    |    |    |-

# Complex JSON
Look at the Schema above, the data is complex and Spark can read the data into a DataFrame. The DataFrame being equvielent to Spark SQL. 

From the complex schema the data needs to be turned into a more usable format. 

## Section Objective:
- Get Ids
- Description Data
- Remove unnecessary nesting

In [4]:
exploded = cves.select(explode(col("CVE_Items")).alias("cves"))

descr_df = exploded.select(col("cves.cve.CVE_data_meta.ID").alias("id"),
          col("cves.cve.description.description_data.value").alias("description"));

descr_df = descr_df.withColumn("description_single", concat_ws(" ", descr_df["description"]))

In [5]:
doc_count = descr_df.selectExpr("count(distinct id)").first()[0]
print("Number of docs: {}".format(doc_count))

[Stage 1:>                                                          (0 + 1) / 1]

Number of docs: 20453


                                                                                

# CVE Product Info
Below the goal is to get useful information about the CVEs. For example, the type of tool or software that had a vulnerability.
- Scheme format: https://en.wikipedia.org/wiki/Common_Platform_Enumeration
- If it is not used in the application the data may be used in other applications the data later.


Example of CPEs: \
cpe:2.3:a:ntp:ntp:4.2.8:p3:*:*:*:*:*:* \
cpe:2.3:o:microsoft:windows_7:-:sp2:*:*:*:*:*:* \
cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*



In [6]:
# Now 'exploded' contains individual rows for each 'CVE_Item'
# Scheme format: https://en.wikipedia.org/wiki/Common_Platform_Enumeration
# cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
cpe_df = exploded.select(col("cves.cve.CVE_data_meta.ID").alias("id"), explode(col("cves.configurations.nodes.cpe_match")[0]).alias("cpe"))

cpe_df = cpe_df.select(col("id"), col("cpe").alias("cpe"))
cpe_df = cpe_df.select("id", split(cpe_df.cpe.cpe23uri,":",-1)[4].alias("product"))

# Sample of the data - schema/show
cpe_df.printSchema()
cpe_df.show(n=50, truncate=200)

root
 |-- id: string (nullable = true)
 |-- product: string (nullable = true)



                                                                                

+-------------+-------+
|           id|product|
+-------------+-------+
|CVE-2020-0001|android|
|CVE-2020-0001|android|
|CVE-2020-0001|android|
|CVE-2020-0001|android|
|CVE-2020-0002|android|
|CVE-2020-0002|android|
|CVE-2020-0002|android|
|CVE-2020-0002|android|
|CVE-2020-0003|android|
|CVE-2020-0004|android|
|CVE-2020-0004|android|
|CVE-2020-0004|android|
|CVE-2020-0004|android|
|CVE-2020-0005|android|
|CVE-2020-0005|android|
|CVE-2020-0005|android|
|CVE-2020-0005|android|
|CVE-2020-0006|android|
|CVE-2020-0006|android|
|CVE-2020-0006|android|
|CVE-2020-0006|android|
|CVE-2020-0007|android|
|CVE-2020-0007|android|
|CVE-2020-0007|android|
|CVE-2020-0007|android|
|CVE-2020-0008|android|
|CVE-2020-0008|android|
|CVE-2020-0008|android|
|CVE-2020-0008|android|
|CVE-2020-0009|android|
|CVE-2020-0010|android|
|CVE-2020-0011|android|
|CVE-2020-0012|android|
|CVE-2020-0014|android|
|CVE-2020-0014|android|
|CVE-2020-0014|android|
|CVE-2020-0014|android|
|CVE-2020-0015|android|
|CVE-2020-0015|a

## Uses from the cpe data:
- CPE could be a training label.
- CPE used in clustering.
- Document filtering. 


# Tokenization: 
## Applying the right tokenization methods:
The dataset contains a lot of data the ordinary tokenization may not apply. For example, file names contain puncutation and can leave the token meaningless. 
An effort was made to preserve all meaninful punction that would describe software or hardware configurations, while removing stop words, and ordinary english punctation. 

In [7]:
@udf
def string_cleaner(input_str):
    # 1. Replace all "." or ':' followed by whitespace with an empty string.
    # a. Remove ending periods.
    # 2. Remove trademark, rights.
    # 3. Grab cotent in parentheses only.
    # 4. Remove some punctuation.
    cleaned_text = re.sub(r"[.:,]+\s+", " ", input_str)
    # Remove trailing periods
    cleaned_text = re.sub(r"\.$", "", cleaned_text)
    # Remove apostrophes, (TM), (R), parentheses, and double quotes, newlines
    cleaned_text = re.sub(r"\'|\(TM\)|\(R\)|\(|\)|\"|[\n]+", "", cleaned_text)
    # Convert to lowercase and strip leading/trailing spaces
    cleaned_text = cleaned_text.lower().strip()
    return cleaned_text

clean_tokens = descr_df.withColumn("token", split(string_cleaner(col("description_single")), " " ))
stop_words_remover = StopWordsRemover(inputCol="token", outputCol="cleanToken")
clean_tokens = stop_words_remover.transform(clean_tokens)
clean_tokens = clean_tokens.select("id", explode("cleantoken").alias("token"))
clean_tokens = clean_tokens.filter(col("token").isNotNull())
# Remove words that are only one character
# https://towardsdatascience.com/tf-idf-for-document-ranking-from-scratch-in-python-on-real-world-dataset-796d339a4089
clean_tokens = clean_tokens.rdd.filter(lambda x: x['token'] != "")
clean_tokens = clean_tokens.filter(lambda x: len(x['token']) > 2).toDF()

id_tokens = clean_tokens
id_tokens = id_tokens.cache()

id_tokens.show()
# # Show the resulting DataFrame

[Stage 9:>                                                          (0 + 1) / 1]

+-------------+--------------------+
|           id|               token|
+-------------+--------------------+
|CVE-2020-0001|getprocessrecordl...|
|CVE-2020-0001|activitymanagerse...|
|CVE-2020-0001|            isolated|
|CVE-2020-0001|                apps|
|CVE-2020-0001|             handled|
|CVE-2020-0001|           correctly|
|CVE-2020-0001|                lead|
|CVE-2020-0001|               local|
|CVE-2020-0001|          escalation|
|CVE-2020-0001|           privilege|
|CVE-2020-0001|          additional|
|CVE-2020-0001|           execution|
|CVE-2020-0001|          privileges|
|CVE-2020-0001|              needed|
|CVE-2020-0001|                user|
|CVE-2020-0001|         interaction|
|CVE-2020-0001|              needed|
|CVE-2020-0001|        exploitation|
|CVE-2020-0001|             product|
|CVE-2020-0001|             android|
+-------------+--------------------+
only showing top 20 rows



                                                                                

# Improvements
In previous iterations of the application it became apparent that this dataset has its own set of stop words that causes TF-IDF Vectors (show in latter section), 
to have matches that were not as good as they could because of similar low importance words. 

Given that this is a dataset about CVEs words like 'attack', 'exploit', 'vulnerab*', don't convey as much meaning.  

For example examine the top words after removing common stop words: 

In [8]:
clean_tokens.groupBy("token").agg(countDistinct("id").alias("df")).orderBy(desc("df")).show(n=50)

+-------------+----+
|        token|  df|
+-------------+----+
|vulnerability|8523|
|     attacker|6020|
|       allows|5608|
|          via|4681|
|       remote|3847|
|     versions|3713|
|         user|3690|
|         code|3632|
|        issue|3367|
|    arbitrary|3346|
|       access|3181|
|     affected|2809|
|      crafted|2628|
|        allow|2548|
|    attackers|2485|
|    execution|2450|
|          use|2434|
|          may|2407|
|         file|2332|
|      service|2264|
|       exists|2222|
|       system|2182|
|  information|2104|
|      exploit|2091|
|         data|2035|
|      execute|2023|
|   discovered|1897|
|      version|1862|
|        prior|1812|
|          xss|1796|
|          due|1783|
|   successful|1778|
|       server|1755|
|        cause|1736|
|       number|1718|
|        local|1684|
|       memory|1663|
|         lead|1622|
|       reason|1614|
|     rejected|1612|
|authenticated|1611|
|   privileges|1591|
|    malicious|1582|
|       denial|1575|
|        note

Lets resolve some of these:

In [9]:
stopwordslist=['attack', 'attacks', 'attacker', 'attackers',  'vulnerability', 'due', 'may', '1','exploit', 'affects', 'affected', 'exists', 'version', 'versions', 'id' ]
clean_tokens = clean_tokens.filter(~col("token").isin(*stopwordslist))
# Sort the entire dataset and not partionwise.
clean_tokens = clean_tokens.groupBy("token").agg(countDistinct("id").alias("df")).orderBy("token")
# Only include the tokens which occur in more than one document. 
clean_tokens = clean_tokens.filter(clean_tokens['df'] > 1)

# Cache the results, this will be used frequently.
clean_token = clean_tokens.cache()

clean_tokens.show(n=50)




+--------------------+---+
|               token| df|
+--------------------+---+
|  !j@l#y$z%x6x7q8c9z|  2|
|                 #gp|  2|
|               $_get|  2|
|              $_post|  3|
|                 %0a|  2|
|              %path%|  3|
|%programfiles%\1e...|  2|
|               &amp;|  3|
|        &quot;public|  2|
|          &quot;safe|  2|
|             **not**|  2|
|        **resolved**|  2|
|           **version|  5|
|       *.example.com|  2|
|               *ctxt|  2|
|               *note| 19|
|                 *pb|  2|
|                 -->|  4|
|            --config|  2|
|--enable-experime...|  3|
|            --output|  2|
|              -dsafe|  2|
|                 -s+|  5|
|                 ...|  2|
|                 ../| 20|
|../../programs/dw...|  2|
|                 ..\|  3|
|             .append|  2|
|                .bat|  2|
|                .bmp|  2|
|                .bss|  2|
|                 .cf|  3|
|                .dll|  4|
|               .docx|  4|
|

                                                                                

In [10]:
clean_tokens.select(countDistinct("token")).show()
clean_tokens_count = clean_tokens.count()

+---------------------+
|count(DISTINCT token)|
+---------------------+
|                15330|
+---------------------+



In [11]:
# Get all the id's for which our tokens associated to it.
id_tokens = clean_tokens.join(id_tokens,['token'],how='inner') 
id_tokens.show()

+--------------------+----+-------------+
|               token|  df|           id|
+--------------------+----+-------------+
|activitymanagerse...|   3|CVE-2020-0001|
|            isolated|  11|CVE-2020-0001|
|                apps|  46|CVE-2020-0001|
|             handled| 100|CVE-2020-0001|
|           correctly|  74|CVE-2020-0001|
|                lead|1622|CVE-2020-0001|
|               local|1684|CVE-2020-0001|
|          escalation| 746|CVE-2020-0001|
|           privilege|1450|CVE-2020-0001|
|          additional| 744|CVE-2020-0001|
|           execution|2450|CVE-2020-0001|
|          privileges|1591|CVE-2020-0001|
|              needed| 519|CVE-2020-0001|
|                user|3690|CVE-2020-0001|
|         interaction| 990|CVE-2020-0001|
|              needed| 519|CVE-2020-0001|
|        exploitation| 477|CVE-2020-0001|
|             product|1018|CVE-2020-0001|
|             android| 265|CVE-2020-0001|
|         android-8.0|  74|CVE-2020-0001|
+--------------------+----+-------

In [12]:
def tfidf(tokens, doc_count):
    allTokensForId = id_tokens.groupBy("id").agg(count("id").alias("allTokensForId"))

    tfds = id_tokens.groupBy("id", "token").agg(count("id").alias("rawtf"))
    dfds = id_tokens.groupBy("token").agg(countDistinct("id").alias("df"))

    # Join the two DataFrames on 'id'
    merged_df = tfds.join(allTokensForId, on="id")

    # Calculate the ratio of rawtf to allTokensForId
    tfds = merged_df.withColumn("tf", col("rawtf") / col("allTokensForId"))

    merged_df.show()

    # Define the UDF for idf calculation
    spark.udf.register("calcidfudf", lambda df: calcidf(doc_count, df), DoubleType())

    # Calculate idf and add it as a new column "idf"
    tokens_idf = dfds.withColumn("idf", expr("calcidfudf(df)"))

    # Show the resulting dataframe
    tfidfds = tokens_idf.join(tfds, "token", "left") \
        .withColumn("tf_idf", col("tf") * col("idf"))

    return tfidfds

def calcidf(doc_count, df):
    # Calculate the tf-idf using natural log
    return math.log((doc_count + 1.0) / (df + 1.0))


In [13]:
clean_tokens.show()
tfidf_df = tfidf(id_tokens, doc_count)

tfidf_df.show()

+--------------------+---+
|               token| df|
+--------------------+---+
|  !j@l#y$z%x6x7q8c9z|  2|
|                 #gp|  2|
|               $_get|  2|
|              $_post|  3|
|                 %0a|  2|
|              %path%|  3|
|%programfiles%\1e...|  2|
|               &amp;|  3|
|        &quot;public|  2|
|          &quot;safe|  2|
|             **not**|  2|
|        **resolved**|  2|
|           **version|  5|
|       *.example.com|  2|
|               *ctxt|  2|
|               *note| 19|
|                 *pb|  2|
|                 -->|  4|
|            --config|  2|
|--enable-experime...|  3|
+--------------------+---+
only showing top 20 rows

+-------------+-----------------+-----+--------------+
|           id|            token|rawtf|allTokensForId|
+-------------+-----------------+-----+--------------+
|CVE-2020-0002|             code|    1|            24|
|CVE-2020-0003|             user|    1|            23|
|CVE-2020-0006|           needed|    2|            

In [14]:
# I don't think I need this anymore
# from pyspark.sql import Row
# tfidf_df.show()

grouped_tfidf = tfidf_df.groupBy('id').agg(collect_list('token').alias('words_list'),
    collect_list('tf_idf').alias('tfidf_list'))

# def sort_words(record):
#     id, words, tf_idf = record
#     sorted_words = sorted(words)
#     sorted_tf_idf = [x for _, x in sorted(zip(words, tf_idf))]
#     return Row(id=id, words_list=sorted_words, tfidf_list=sorted_tf_idf)

# rdd = grouped_tfidf.rdd.map(sort_words)

# grouped_tfidf = rdd.toDF()

# grouped_tfidf.show()

# Slow Iteration 1
```python
"""
    Create a sparse vector for each of the documents in the dataset filled with 0's,
    replacing the 0 with values that exist for that token on the id.
"""

from pyspark.ml.feature import VectorAssembler

token_list = clean_tokens.select('token').collect()

word_to_index = {word: i for i, word in enumerate(words)}

def create_sparse_vector(words, tfidf_list, num_tokens):
    indices = range(num_tokens)
    values = [0.0] * num_tokens
    for i, row in enumerate(token_list):
        # print(row['token'])
        for j, word in enumerate(words):
            if row['token'] == word:
                # print('match {}'.format(tfidf_list[j]))
                values[i] = tfidf_list[j]
                break
    return SparseVector(num_tokens, indices, values)
    
sparse_vector_udf = udf(create_sparse_vector, VectorUDT())

tfidf_vector_with_sparse = grouped_tfidf.withColumn('tfidf_vector', sparse_vector_udf('words_list', 'tfidf_list', lit(clean_tokens_count)))


tfidf_vector_with_sparse.show()
# https://spark.apache.org/docs/3.3.0/api/python/reference/api/pyspark.ml.feature.VectorAssembler.html
assembler = VectorAssembler(inputCols=['tfidf_vector'], outputCol='tfidf_features')
final_tfidf_vector = assembler.transform(tfidf_vector_with_sparse).cache()

# Show the resulting DataFrame
final_tfidf_vector.show(truncate=100)

print(tfidf_vector_with_sparse.select("*").first())
```

In [15]:
token_list = clean_tokens.select('token').collect()
# word_list = clean_tokens.select('token').rdd.flatMap(lambda x: x).collect()

# Create a dictionary to map words to indices
word_to_index = {word.token: i for i, word in enumerate(token_list)}
print(len(word_to_index))

index = word_to_index['android']
print(index)
# print(word_to_index)

def create_sparse_vector(words, tfidf_list, num_tokens):
    indices = range(num_tokens)
    values = [0.0] * num_tokens
    for tfidf_idx, word in enumerate(words):
        if word in word_to_index:
            index = word_to_index[word]
            values[index] = tfidf_list[tfidf_idx]
    
    return SparseVector(num_tokens, indices, values)

sparse_vector_udf = udf(create_sparse_vector, VectorUDT())

tfidf_vector_with_sparse = grouped_tfidf.withColumn('tfidf_vector', sparse_vector_udf('words_list', 'tfidf_list', lit(clean_tokens_count)))

assembler = VectorAssembler(inputCols=['tfidf_vector'], outputCol='tfidf_features')
final_tfidf_vector = assembler.transform(tfidf_vector_with_sparse).cache()

15330
3925


                                                                                

In [17]:
from pyspark.ml.feature import Normalizer

# Normalize the vectors
normalizer = Normalizer(inputCol="tfidf_features", outputCol="normFeatures")
normalized = normalizer.transform(final_tfidf_vector).cache()

In [24]:
from pyspark.ml.linalg import Vectors
from pyspark.ml.feature import Normalizer

# Get a document's features
first_doc_features = normalized.filter(col('id') == 'CVE-2020-0003').select('normFeatures').first()[0]


# first_doc_features = normalized.first().normFeatures
def cosine_similarity(v):
    dot_product = float(first_doc_features.dot(v))
    norm_product = float(first_doc_features.norm(2)) * float(v.norm(2))
    return float(dot_product) / float(norm_product)


cosine_similarity_udf = udf(cosine_similarity, FloatType())

# Compute the cosine similarity and add it as a new column
data = normalized.withColumn("cosine_sim", cosine_similarity_udf(col("normFeatures")))

# Show the top 5 documents
data.sort(col("cosine_sim").desc()).select('id', 'words_list', 'cosine_sim').show(5)

24/03/23 13:46:47 WARN DAGScheduler: Broadcasting large task binary with size 1555.8 KiB
24/03/23 13:46:47 WARN DAGScheduler: Broadcasting large task binary with size 1555.8 KiB
24/03/23 13:46:47 WARN DAGScheduler: Broadcasting large task binary with size 1555.8 KiB
24/03/23 13:46:47 WARN DAGScheduler: Broadcasting large task binary with size 1553.7 KiB

+-------------+--------------------+----------+
|           id|          words_list|cosine_sim|
+-------------+--------------------+----------+
|CVE-2020-0003|[android, interac...|       1.0|
|CVE-2020-0236|[android, disclos...| 0.5676376|
|CVE-2020-0002|[android, code, i...|0.55887586|
|CVE-2020-0008|[android, disclos...| 0.5543941|
|CVE-2020-0215|[android, interac...| 0.5533824|
+-------------+--------------------+----------+
only showing top 5 rows



                                                                                

# Top Results:
# Search Doc: CVE-2020-0003  
In onCreate of InstallStart.java, there is a possible package validation bypass due to a time-of-check time-of-use vulnerability. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android ID: A-140195904
 
### CVE-2020-0236
In A2DP_GetCodecType of a2dp_codec_config, there is a possible out-of-bounds read due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android, Versions: Android-10, Android ID: A-79703353."

### CVE-2020-0002
In ih264d_init_decoder of ih264d_api.c, there is a possible out of bounds write due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-142602711

### CVE-2020-0008
In LowEnergyClient::MtuChangedCallback of low_energy_client.cc, there is a possible out of bounds read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-142558228


In [None]:
normalized.printSchema()

In [25]:
# Throw away simply testing performance here.

# Get the first document's features

sc = spark.sparkContext

# first_doc_features = final_tfidf_vector.first().tfidf_features
first_doc_features = normalized.filter(col('id') == 'CVE-2020-0003').select('normFeatures').first()[0]

# Broadcast the first document's features
first_doc_features_bc = sc.broadcast(first_doc_features)


def cosine_similarity(v):
    return float(first_doc_features_bc.value.dot(v) / (first_doc_features_bc.value.norm(2) * v.norm(2)))

cosine_similarity_udf = udf(cosine_similarity, DoubleType())

# Compute the cosine similarity and add it as a new column
data = normalized.withColumn("cosine_sim", cosine_similarity_udf(col("tfidf_features")))
data.sort(col("cosine_sim").desc()).select('id', 'words_list', 'cosine_sim').show(5)

24/03/23 13:46:52 WARN DAGScheduler: Broadcasting large task binary with size 1555.8 KiB
24/03/23 13:46:52 WARN DAGScheduler: Broadcasting large task binary with size 1555.8 KiB
24/03/23 13:46:52 WARN DAGScheduler: Broadcasting large task binary with size 1555.8 KiB
24/03/23 13:46:52 WARN DAGScheduler: Broadcasting large task binary with size 1553.4 KiB

+-------------+--------------------+------------------+
|           id|          words_list|        cosine_sim|
+-------------+--------------------+------------------+
|CVE-2020-0003|[android, interac...|0.9999999999999998|
|CVE-2020-0236|[android, disclos...|0.5676376436703957|
|CVE-2020-0002|[android, code, i...|0.5588758555631687|
|CVE-2020-0008|[android, disclos...|0.5543941394005784|
|CVE-2020-0215|[android, interac...| 0.553382375146582|
+-------------+--------------------+------------------+
only showing top 5 rows



                                                                                

# IDEAS
Already calculated the TF-IDF scores for the documents. Now, let’s create a TF-IDF vector from these scores.

Assuming you have a DataFrame named tfidf_vector with columns ‘id’, ‘token’, ‘tf_idf’, and ‘allTokensForId’, you can proceed as follows:

    Group TF-IDF Scores by Document ID:
        Group the DataFrame by the ‘id’ column and aggregate the ‘tf_idf’ values into a list for each document.
        This will give you a list of TF-IDF scores for each document.

    Create a Sparse Vector Representation:
        Use the SparseVector class from PySpark to create a sparse vector representation for each document.
        The vector will have dimensions equal to the total number of unique tokens (terms) in your dataset.
        For each document, set the value at the index corresponding to the token to its corresponding TF-IDF score.

    Assemble the Sparse Vectors:
        Assemble the sparse vectors into a single column using the VectorAssembler.
        This will give you a new DataFrame with a column containing the TF-IDF vectors.


In [26]:
# This is just to compare how my vectorization method compares to ML libs 
from pyspark.sql import SparkSession
from pyspark.ml.feature import HashingTF, Normalizer
from pyspark.sql.functions import udf, col
from pyspark.sql.types import DoubleType
from pyspark.ml.linalg import SparseVector, DenseVector
grouped_tfidf = tfidf_df.groupBy('id').agg(collect_list('token').alias('words'))
ht = HashingTF(inputCol="words", outputCol="rawFeatures", numFeatures=20000)
featurizedData = ht.transform(grouped_tfidf)

normalizer = Normalizer(inputCol="rawFeatures", outputCol="normFeatures")
normData = normalizer.transform(featurizedData)

first_doc_features = normData.filter(col('id') == 'CVE-2020-0003').select('normFeatures').first()[0]

# Get the SparkContext from the SparkSession
sc = spark.sparkContext

# Broadcast the first document's features
first_doc_features_bc = sc.broadcast(first_doc_features)

# Define a UDF to compute cosine similarity
def cosine_similarity(v):
    return float(first_doc_features_bc.value.dot(v) / (first_doc_features_bc.value.norm(2) * v.norm(2)))

cosine_similarity_udf = udf(cosine_similarity, DoubleType())

# Compute cosine similarity
result = normData.withColumn("cosine_sim", cosine_similarity_udf(col('normFeatures')))

# Get the top similar documents
top_similar_docs = result.sort(col("cosine_sim").desc()).limit(5)

top_similar_docs.show()

+--------------+--------------------+--------------------+--------------------+------------------+
|            id|               words|         rawFeatures|        normFeatures|        cosine_sim|
+--------------+--------------------+--------------------+--------------------+------------------+
| CVE-2020-0003|[android, interac...|(20000,[392,1662,...|(20000,[392,1662,...|1.0000000000000002|
| CVE-2020-0009|[android, corrupt...|(20000,[392,1662,...|(20000,[392,1662,...|0.6982972487551755|
| CVE-2020-0215|[android-11, andr...|(20000,[104,392,1...|(20000,[104,392,1...|0.6888747637021418|
|CVE-2020-27059|[android, interac...|(20000,[392,2803,...|(20000,[392,2803,...|0.6681531047810613|
| CVE-2020-0202|[android, develop...|(20000,[392,1662,...|(20000,[392,1662,...| 0.654653670707977|
+--------------+--------------------+--------------------+--------------------+------------------+



                                                                                

In [None]:
from pyspark.ml.linalg import SparseVector
from pyspark.sql.functions import collect_list
from pyspark.ml.feature import VectorAssembler

#grouped_tfidf = tfidf_df.groupBy('id').agg(collect_list('tf_idf').alias('tfidf_list'))

# Create Sparse Vectors
def create_sparse_vector(tfidf_list, num_tokens):
    indices = range(num_tokens)
    values = [0.0] * num_tokens  # Initialize all values to 0.0
    for i, tfidf_score in enumerate(tfidf_list):
        values[i] = tfidf_score
    return SparseVector(num_tokens, indices, values)

sparse_vector_udf = udf(create_sparse_vector, VectorUDT())

tfidf_vector_with_sparse = grouped_tfidf.withColumn('tfidf_vector', sparse_vector_udf('tfidf_list', lit(clean_tokens_count)))

# Assemble the Sparse Vectors
assembler = VectorAssembler(inputCols=['tfidf_vector'], outputCol='tfidf_features')
final_tfidf_vector = assembler.transform(tfidf_vector_with_sparse)

# Show the resulting DataFrame
final_tfidf_vector.select('id', 'tfidf_features').show(truncate=100)


Now that you have the TF-IDF vectors for the documents, here are some useful things to do with the results:

    Document Similarity:
        Calculate the similarity between documents using cosine similarity or other distance metrics. The closer the vectors, the more similar the documents.
        For example, you can find similar documents to a given query document by comparing their TF-IDF vectors.

    Topic Modeling:
        Apply topic modeling techniques (such as Latent Dirichlet Allocation or Non-Negative Matrix Factorization) to discover underlying topics in your corpus.
        Use the TF-IDF vectors as input for these models.

    Classification and Clustering:
        Train machine learning models (e.g., SVM, Random Forest, or k-means) using the TF-IDF vectors as features.
        Classify documents into predefined categories or cluster similar documents together.

    Keyword Extraction:
        Identify important keywords or phrases within each document based on their TF-IDF scores.
        Higher TF-IDF scores indicate more significant terms.

    Search and Retrieval:
        Use the TF-IDF vectors to build an efficient search index for your documents.
        Given a query, retrieve relevant documents based on their similarity to the query.

    Visualizations:
        Visualize the TF-IDF vectors in lower dimensions using techniques like t-SNE or PCA.
        Explore the distribution of documents in the vector space.



In [None]:
data = data.withColumn("cosine_sim2", cos_sim_udf(col("normFeatures")))
data.sort(col("cosine_sim").desc()).select('id', 'cosine_sim').show(5)

# The results:
## Results from first iteration - No stop words were removed
### CVE-2020-0003 (Search Document)
In onCreate of InstallStart.java, there is a possible package validation bypass due to a time-of-check time-of-use vulnerability. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android ID: A-140195904

### CVE-2020-25162
A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges

### CVE-2020-24721
An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.

There could be a few reasons why the documents getting aren't as similar as I'd like. Here are some things to consider:

1. **Quality of your data**: The quality and relevance of the documents in your dataset can greatly affect the results of cosine similarity. If the documents in your dataset are not very similar to your target document to begin with, the top results might not seem very similar.

2. **Preprocessing**: How you preprocess your data can also affect the results. This includes things like removing stop words, stemming or lemmatization, and how you handle punctuation and capitalization. You might need to adjust your preprocessing steps to better suit your data.

3. **Vectorization**: The method you use to convert your text data into numerical vectors can also have a big impact. You're currently using TF-IDF, which is a good choice for many applications, but there might be other methods that work better for your specific dataset. You could experiment with other methods like Word2Vec, Doc2Vec, or BERT embeddings.

4. **Dimensionality**: High-dimensional data can be problematic for cosine similarity due to the curse of dimensionality. You might want to try reducing the dimensionality of your data with techniques like PCA or t-SNE.

5. **Thresholding**: You might want to consider applying a threshold to your cosine similarity scores. This means that you only consider documents as "similar" if their cosine similarity score is above a certain threshold.



In [None]:
spark.stop()