

    The RT-IoT2022, a proprietary dataset encompasses both normal and adversarial network behaviors, providing a general representation of real-world scenarios.

    Incorporating data from IoT devices such as ThingSpeak-LED, Wipro-Bulb, and MQTT-Temp, as well as simulated attack scenarios involving Brute-Force SSH attacks, DDoS attacks using Hping and Slowloris, and Nmap patterns, RT-IoT2022 offers a detailed perspective on the complex nature of network traffic. The bidirectional attributes of network traffic are meticulously captured using the Zeek network monitoring tool and the Flowmeter plugin.

    Infrastructure consists of two parts, namely IoT victim devices and IoT attacker devices, both connected through a router. We collect the network traffic through a router using Wireshark, which is an open-source monitoring tool for network traffic that helps extract traces and convert them into a PCAP file.

    The attacking infrastructure includes 50 machines, and the victim organization has 5 departments and includes 420 machines and 30 servers. The dataset includes the captures network traffic and system logs of each machine, along with 80 features extracted from the captured traffic.

    It includes 9 different attack scenarios: DOS_SYN_Hping,, ARP_poisioning, NMAP_UDP_SCAN,
    NMAP_XMAS_TREE_SCAN, NMAP_OS_DETECTION, NMAP_TCP_scan, DDOS_Slowloris, Metasploit_Brute_Force_SSH, NMAP_FIN_SCAN and 3 normal pattern MQTT, Thing_speak and Wipro_bulb_Dataset.


# Procedures

For this quiz, you must build an end-to-end data analysis notebook following the ETL pipeline.

    On a separate document, create a table with 3 columns. Column 1: Phase, Column 2: Activity, and Column 3: Code and Output.
        Phase will only have 3 major rows: Extract, Transform, Load
        Activity will list down all the activities you performed per phase.
        Code and output will correspond to the activity.
    Extract the provided dataset using FLAT FILE. You get extra points for loading it through Kaggle API.

    import kagglehub

    # Download latest version
    path = kagglehub.dataset_download("supplejade/rt-iot2022real-time-internet-of-things")

    print("Path to dataset files:", path)

    Transform the dataset. List down all activities included in the transformation.
    Show the transformed dataset.
    Load the dataset and perform statistical analysis and visualization. List down all activities included in the "load" phase.

Provide a summary of all activities performed and your insights derived from the dataset.

In [2]:
import pandas as pd

df = pd.read_csv('RT_IOT2022.csv')

In [4]:
df.head(5)

Unnamed: 0,no,id.orig_p,id.resp_p,proto,service,flow_duration,fwd_pkts_tot,bwd_pkts_tot,fwd_data_pkts_tot,bwd_data_pkts_tot,...,active.std,idle.min,idle.max,idle.tot,idle.avg,idle.std,fwd_init_window_size,bwd_init_window_size,fwd_last_window_size,Attack_type
0,0,38667,1883,tcp,mqtt,32.011598,9,5,3,3,...,0.0,29729180.0,29729180.0,29729180.0,29729180.0,0.0,64240,26847,502,MQTT_Publish
1,1,51143,1883,tcp,mqtt,31.883584,9,5,3,3,...,0.0,29855280.0,29855280.0,29855280.0,29855280.0,0.0,64240,26847,502,MQTT_Publish
2,2,44761,1883,tcp,mqtt,32.124053,9,5,3,3,...,0.0,29842150.0,29842150.0,29842150.0,29842150.0,0.0,64240,26847,502,MQTT_Publish
3,3,60893,1883,tcp,mqtt,31.961063,9,5,3,3,...,0.0,29913770.0,29913770.0,29913770.0,29913770.0,0.0,64240,26847,502,MQTT_Publish
4,4,51087,1883,tcp,mqtt,31.902362,9,5,3,3,...,0.0,29814700.0,29814700.0,29814700.0,29814700.0,0.0,64240,26847,502,MQTT_Publish


About the data:
<br>
 ~general representation of real-world scenarios.
 <br>
 ~incorporating data from IoT devices 
 <br>
   (ThingSpeak-LED, Wipro-Bulb, and MQTT-Temp, as well as simulated attack scenarios involving Brute-         Force SSH attacks, DDoS attacks using Hping and Slowloris, and Nmap patterns,)
<br>
 ~The attacking infrastructure includes 50 machines, and the victim organization has 5 departments and     includes 420 machines and 30 servers. The dataset includes the captures network traffic and system      logs of each machine, along with 80 features extracted from the captured traffic.
          

In [9]:
df.columns

Index(['no', 'id.orig_p', 'id.resp_p', 'proto', 'service', 'flow_duration',
       'fwd_pkts_tot', 'bwd_pkts_tot', 'fwd_data_pkts_tot',
       'bwd_data_pkts_tot', 'fwd_pkts_per_sec', 'bwd_pkts_per_sec',
       'flow_pkts_per_sec', 'down_up_ratio', 'fwd_header_size_tot',
       'fwd_header_size_min', 'fwd_header_size_max', 'bwd_header_size_tot',
       'bwd_header_size_min', 'bwd_header_size_max', 'flow_FIN_flag_count',
       'flow_SYN_flag_count', 'flow_RST_flag_count', 'fwd_PSH_flag_count',
       'bwd_PSH_flag_count', 'flow_ACK_flag_count', 'fwd_URG_flag_count',
       'bwd_URG_flag_count', 'flow_CWR_flag_count', 'flow_ECE_flag_count',
       'fwd_pkts_payload.min', 'fwd_pkts_payload.max', 'fwd_pkts_payload.tot',
       'fwd_pkts_payload.avg', 'fwd_pkts_payload.std', 'bwd_pkts_payload.min',
       'bwd_pkts_payload.max', 'bwd_pkts_payload.tot', 'bwd_pkts_payload.avg',
       'bwd_pkts_payload.std', 'flow_pkts_payload.min',
       'flow_pkts_payload.max', 'flow_pkts_payload.tot',
  

In [17]:
df.dtypes

no                        int64
id.orig_p                 int64
id.resp_p                 int64
proto                    object
service                  object
                         ...   
idle.std                float64
fwd_init_window_size      int64
bwd_init_window_size      int64
fwd_last_window_size      int64
Attack_type              object
Length: 85, dtype: object

In [56]:

# merge the total packets to one column
dfMelted = df.melt(['no', 'id.orig_p', 'id.resp_p', 'service', 'Attack_type'], ['fwd_pkts_tot', 'bwd_pkts_tot', 'fwd_data_pkts_tot',
       'bwd_data_pkts_tot'],'packets', 'total packets').set_index('Attack_type')          # set the index to the attack type used
dfMelted.groupby(['Attack_type','packets'])['total packets'].max()

Attack_type                 packets          
ARP_poisioning              bwd_data_pkts_tot     3709
                            bwd_pkts_tot          3782
                            fwd_data_pkts_tot     1156
                            fwd_pkts_tot          2166
DDOS_Slowloris              bwd_data_pkts_tot        6
                            bwd_pkts_tot            13
                            fwd_data_pkts_tot        9
                            fwd_pkts_tot            11
DOS_SYN_Hping               bwd_data_pkts_tot        0
                            bwd_pkts_tot             1
                            fwd_data_pkts_tot        1
                            fwd_pkts_tot             1
MQTT_Publish                bwd_data_pkts_tot    10105
                            bwd_pkts_tot         10112
                            fwd_data_pkts_tot        4
                            fwd_pkts_tot          1661
Metasploit_Brute_Force_SSH  bwd_data_pkts_tot       21
                   

In [76]:
dfMelted2 = df.melt(['no', 'id.orig_p', 'id.resp_p', 'service', 'Attack_type'], ['active.min', 'active.max', 'active.tot', 'active.avg',
       'active.std'],'Activity', 'values').set_index('Attack_type')
dfMelted2

Unnamed: 0_level_0,no,id.orig_p,id.resp_p,service,Activity,values
Attack_type,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1
MQTT_Publish,0,38667,1883,mqtt,active.min,2.282415e+06
MQTT_Publish,1,51143,1883,mqtt,active.min,2.028307e+06
MQTT_Publish,2,44761,1883,mqtt,active.min,2.281904e+06
MQTT_Publish,3,60893,1883,mqtt,active.min,2.047288e+06
MQTT_Publish,4,51087,1883,mqtt,active.min,2.087657e+06
...,...,...,...,...,...,...
NMAP_XMAS_TREE_SCAN,2005,59247,63331,-,active.std,0.000000e+00
NMAP_XMAS_TREE_SCAN,2006,59247,64623,-,active.std,0.000000e+00
NMAP_XMAS_TREE_SCAN,2007,59247,64680,-,active.std,0.000000e+00
NMAP_XMAS_TREE_SCAN,2008,59247,65000,-,active.std,0.000000e+00


In [77]:
dfMelted2.groupby(['Attack_type','Activity'])['values'].max()

Attack_type                 Activity  
ARP_poisioning              active.avg    2.180349e+07
                            active.max    6.633823e+07
                            active.min    9.899053e+06
                            active.std    3.078395e+07
                            active.tot    5.115597e+08
DDOS_Slowloris              active.avg    6.621021e+06
                            active.max    1.046104e+07
                            active.min    6.621021e+06
                            active.std    6.037871e+06
                            active.tot    1.046732e+07
DOS_SYN_Hping               active.avg    4.506111e+01
                            active.max    4.506111e+01
                            active.min    4.506111e+01
                            active.std    0.000000e+00
                            active.tot    4.506111e+01
MQTT_Publish                active.avg    1.071157e+07
                            active.max    2.239558e+07
                          

In [78]:
dfCheckIdx = dfMelted2.groupby(['Attack_type','Activity'])['values'].max()
dfCheckIdx

Attack_type                 Activity  
ARP_poisioning              active.avg    2.180349e+07
                            active.max    6.633823e+07
                            active.min    9.899053e+06
                            active.std    3.078395e+07
                            active.tot    5.115597e+08
DDOS_Slowloris              active.avg    6.621021e+06
                            active.max    1.046104e+07
                            active.min    6.621021e+06
                            active.std    6.037871e+06
                            active.tot    1.046732e+07
DOS_SYN_Hping               active.avg    4.506111e+01
                            active.max    4.506111e+01
                            active.min    4.506111e+01
                            active.std    0.000000e+00
                            active.tot    4.506111e+01
MQTT_Publish                active.avg    1.071157e+07
                            active.max    2.239558e+07
                          

In [75]:
dfMelted2.Attack_type[dfMelted2.Activity == 'active.avg']

369351           MQTT_Publish
369352           MQTT_Publish
369353           MQTT_Publish
369354           MQTT_Publish
369355           MQTT_Publish
                 ...         
492463    NMAP_XMAS_TREE_SCAN
492464    NMAP_XMAS_TREE_SCAN
492465    NMAP_XMAS_TREE_SCAN
492466    NMAP_XMAS_TREE_SCAN
492467    NMAP_XMAS_TREE_SCAN
Name: Attack_type, Length: 123117, dtype: object