#  DATA WRANGLING AND ANALYSIS

#### Data wrangling is the process of cleaning, structuring and enriching raw data into a desired format for better decision making in less time. Data wrangling is increasingly ubiquitous at today’s top firms. Data has become more diverse and unstructured, demanding increased time spent culling, cleaning, and organizing data ahead of broader analysis. At the same time, with data informing just about every business decision, business users have less time to wait on technical resources for prepared data.

####  Data analysis is the process of collecting and organizing data in order to draw helpful conclusions from it. The process of data analysis uses analytical and logical reasoning to gain information from the data. The main purpose of data analysis is to find meaning in data so that the derived knowledge can be used to make informed decisions.

## UNDERSTANDING THE DATASET

### THE DATASET IS DIVIDED INTO TWO FEATURE SETS WHICH ARE COMBINED TOGETHER :
 #### 1. Basic Features
 #### 2. Flow based Features


## BASIC FEATURES

<img src="images/feature.jpg">

#### The basic features are from column 0 to 29 and last three columns

### Data Wrangling on Basic Features

In [1]:
import pandas as pd
import numpy as np

In [2]:
df_orginal = pd.read_csv("../dataset/DDoSdata.csv")

  interactivity=interactivity, compiler=compiler, result=result)


In [3]:
df = df_orginal.copy()

In [4]:
df.head()

Unnamed: 0.1,Unnamed: 0,pkSeqID,stime,flgs,flgs_number,proto,proto_number,saddr,sport,daddr,...,AR_P_Proto_P_DstIP,N_IN_Conn_P_DstIP,N_IN_Conn_P_SrcIP,AR_P_Proto_P_Sport,AR_P_Proto_P_Dport,Pkts_P_State_P_Protocol_P_DestIP,Pkts_P_State_P_Protocol_P_SrcIP,attack,category,subcategory
0,1650261,1650261,1528103000.0,e,1,tcp,1,192.168.100.150,54110,192.168.100.3,...,1.21662,40,38,1.56093,1.21662,328,308,1,DDoS,HTTP
1,1650262,1650262,1528103000.0,e,1,tcp,1,192.168.100.150,54112,192.168.100.3,...,1.21662,40,38,1.56107,1.21662,328,308,1,DDoS,HTTP
2,1650263,1650263,1528103000.0,e,1,tcp,1,192.168.100.150,54114,192.168.100.3,...,1.21662,40,38,1.2498,1.21662,328,308,1,DDoS,HTTP
3,1650264,1650264,1528103000.0,e,1,tcp,1,192.168.100.150,54116,192.168.100.3,...,1.21662,40,38,1.24986,1.21662,328,308,1,DDoS,HTTP
4,1650265,1650265,1528103000.0,e,1,tcp,1,192.168.100.150,54118,192.168.100.3,...,1.21662,40,38,1.24991,1.21662,328,308,1,DDoS,HTTP


In [5]:
df.columns

Index(['Unnamed: 0', 'pkSeqID', 'stime', 'flgs', 'flgs_number', 'proto',
       'proto_number', 'saddr', 'sport', 'daddr', 'dport', 'pkts', 'bytes',
       'state', 'state_number', 'ltime', 'seq', 'dur', 'mean', 'stddev', 'sum',
       'min', 'max', 'spkts', 'dpkts', 'sbytes', 'dbytes', 'rate', 'srate',
       'drate', 'TnBPSrcIP', 'TnBPDstIP', 'TnP_PSrcIP', 'TnP_PDstIP',
       'TnP_PerProto', 'TnP_Per_Dport', 'AR_P_Proto_P_SrcIP',
       'AR_P_Proto_P_DstIP', 'N_IN_Conn_P_DstIP', 'N_IN_Conn_P_SrcIP',
       'AR_P_Proto_P_Sport', 'AR_P_Proto_P_Dport',
       'Pkts_P_State_P_Protocol_P_DestIP', 'Pkts_P_State_P_Protocol_P_SrcIP',
       'attack', 'category', 'subcategory'],
      dtype='object')

In [6]:
df.rename(columns = {'mean':'average_dur', 'stddev':'stddev_dur', 
                              'sum':'total_dur','min':'min_dur','max':'max_dur'}, inplace = True) 

In [7]:
df.shape

(1927101, 47)

In [8]:
df.proto.unique()

array(['tcp', 'arp', 'udp', 'icmp', 'ipv6-icmp'], dtype=object)

In [9]:
df.flgs.value_counts()

e      1129681
e s     778517
e g      17825
e *        809
eU         247
e d         17
e &          5
Name: flgs, dtype: int64

In [10]:
pd.set_option('display.float_format', lambda x: '%.5f' % x)
df.stime.value_counts()

1528099338.27983    29
1528099353.01837    29
1528099339.51717    28
1528099327.20760    28
1528099323.15023    28
                    ..
1528102921.38342     1
1528099353.64484     1
1528099337.69590     1
1528099321.76411     1
1526348175.32554     1
Name: stime, Length: 187071, dtype: int64

In [11]:
df.flgs_number.unique()

array([1, 2, 4, 3, 5, 6, 7])

In [12]:
df.saddr.value_counts()[:5]

192.168.100.147    520012
192.168.100.148    494696
192.168.100.150    457002
192.168.100.149    451641
192.168.100.3        3625
Name: saddr, dtype: int64

In [13]:
df.daddr.value_counts()[:5]

192.168.100.3      1923162
192.168.100.147       1340
192.168.100.150       1317
192.168.100.149        583
192.168.100.148        250
Name: daddr, dtype: int64

In [14]:
df.sport.value_counts()[:5]

 80       3496
-1          81
 5353       43
 8612       32
 59552      32
Name: sport, dtype: int64

In [15]:
df.dport.value_counts()[:5]

80      1710165
80       212975
53          251
-1           81
5353         65
Name: dport, dtype: int64

In [16]:
df.pkts.value_counts()

7        296451
6        253330
5        208627
4        190894
8        188133
          ...  
14751         1
20881         1
7586          1
3492          1
97            1
Name: pkts, Length: 75, dtype: int64

In [17]:
df.pkts.describe()

count   1927101.00000
mean          7.91394
std         159.19746
min           1.00000
25%           5.00000
50%           7.00000
75%          10.00000
max       70057.00000
Name: pkts, dtype: float64

In [18]:
df.bytes.value_counts()

420         183844
770         159099
480         141146
616         138020
900         135767
             ...  
845              1
17131488         1
1587             1
4660             1
3060             1
Name: bytes, Length: 626, dtype: int64

In [19]:
df.bytes.describe()

count    1927101.00000
mean        1126.11307
std       154895.09592
min           60.00000
25%          420.00000
50%          616.00000
75%          780.00000
max     71833345.00000
Name: bytes, dtype: float64

In [20]:
df.state.unique()

array(['RST', 'CON', 'FIN', 'REQ', 'ACC', 'INT', 'URP', 'NRS'],
      dtype=object)

In [21]:
df.state_number.unique()

array([1, 2, 6, 3, 7, 4, 5, 8])

In [22]:
df.ltime

0         1528102927.75104
1         1528102927.75106
2         1528102927.75109
3         1528102927.75111
4         1528102927.75114
                ...       
1927096   1526351824.66770
1927097   1526351824.86374
1927098   1526351825.12750
1927099   1526351825.27450
1927100   1526351825.27437
Name: ltime, Length: 1927101, dtype: float64

In [23]:
df.seq.value_counts()

1         11
2         11
41        11
14        11
7         11
          ..
262162     1
262167     1
262168     1
262164     1
262165     1
Name: seq, Length: 262168, dtype: int64

In [24]:
df.dur.value_counts()

0.00000     84317
12.16235      182
12.38465      169
13.96231      167
12.38396      166
            ...  
6.40681         1
14.41112        1
13.80980        1
13.40667        1
9.62721         1
Name: dur, Length: 369058, dtype: int64

In [25]:
df.dur.describe()

count   1927101.00000
mean         14.84886
std          12.38456
min           0.00000
25%          12.12153
50%          13.68344
75%          14.54814
max        1940.85925
Name: dur, dtype: float64

In [26]:
df.average_dur.describe()

count   1927101.00000
mean          2.54913
std           1.40456
min           0.00000
25%           2.01583
50%           2.75968
75%           3.65985
max           4.98188
Name: average_dur, dtype: float64

In [27]:
df.stddev_dur.describe()

count   1927101.00000
mean          0.94513
std           0.75185
min           0.00000
25%           0.12290
50%           0.93757
75%           1.69005
max           2.49676
Name: stddev_dur, dtype: float64

In [28]:
df.total_dur.describe()

count   1927101.00000
mean          7.25685
std           8.14079
min           0.00000
25%           4.53265
50%           8.11673
75%          10.52108
max        1913.19360
Name: total_dur, dtype: float64

In [29]:
df.min_dur.describe()

count   1927101.00000
mean          1.30163
std           1.49103
min           0.00000
25%           0.00000
50%           0.16957
75%           2.76341
max           4.98047
Name: min_dur, dtype: float64

In [30]:
df.spkts.value_counts()[:10]

6     277866
5     272505
7     240939
4     193098
8     155965
15    135780
11    129710
3     117821
2      91799
1      84570
Name: spkts, dtype: int64

In [31]:
df.dpkts.value_counts()[:10]

0     1463522
1      353455
2       93371
3       14606
4        2103
5          11
12          3
14          3
15          2
16          2
Name: dpkts, dtype: int64

In [32]:
df.sbytes.value_counts()

420     183843
770     159640
480     141141
616     139199
900     135770
         ...  
711          1
4808         1
721          1
5843         1
2048         1
Name: sbytes, Length: 540, dtype: int64

In [33]:
df.sbytes.describe()

count    1927101.00000
mean         953.44279
std        99240.94647
min           42.00000
25%          420.00000
50%          616.00000
75%          770.00000
max     37747017.00000
Name: sbytes, dtype: float64

In [34]:
df.rate.describe()

count   1927101.00000
mean          0.90928
std         119.10445
min           0.00000
25%           0.27143
50%           0.46384
75%           0.65159
max       90909.09375
Name: rate, dtype: float64

In [35]:
df.srate.describe()

count   1927101.00000
mean          1.98643
std         918.27705
min           0.00000
25%           0.24985
50%           0.41008
75%           0.63466
max     1000000.00000
Name: srate, dtype: float64

In [36]:
df.drate.describe()

count   1927101.00000
mean          0.00977
std           2.10783
min           0.00000
25%           0.00000
50%           0.00000
75%           0.00000
max        2178.64917
Name: drate, dtype: float64

In [37]:
df.columns

Index(['Unnamed: 0', 'pkSeqID', 'stime', 'flgs', 'flgs_number', 'proto',
       'proto_number', 'saddr', 'sport', 'daddr', 'dport', 'pkts', 'bytes',
       'state', 'state_number', 'ltime', 'seq', 'dur', 'average_dur',
       'stddev_dur', 'total_dur', 'min_dur', 'max_dur', 'spkts', 'dpkts',
       'sbytes', 'dbytes', 'rate', 'srate', 'drate', 'TnBPSrcIP', 'TnBPDstIP',
       'TnP_PSrcIP', 'TnP_PDstIP', 'TnP_PerProto', 'TnP_Per_Dport',
       'AR_P_Proto_P_SrcIP', 'AR_P_Proto_P_DstIP', 'N_IN_Conn_P_DstIP',
       'N_IN_Conn_P_SrcIP', 'AR_P_Proto_P_Sport', 'AR_P_Proto_P_Dport',
       'Pkts_P_State_P_Protocol_P_DestIP', 'Pkts_P_State_P_Protocol_P_SrcIP',
       'attack', 'category', 'subcategory'],
      dtype='object')

In [38]:
df_ml = df.copy()

In [39]:
#df.drop(['column_nameA', 'column_nameB'], axis=1, inplace=True)

## Data Cleaning and Information of basic features

### 1. Remove the first and second column

#### Define:
 The first and second column is basically the id number of each row and is not required for analysis.

#### Code:

In [40]:
df.drop(['Unnamed: 0','pkSeqID'], axis=1, inplace=True)

#### Test:

In [41]:
df.columns

Index(['stime', 'flgs', 'flgs_number', 'proto', 'proto_number', 'saddr',
       'sport', 'daddr', 'dport', 'pkts', 'bytes', 'state', 'state_number',
       'ltime', 'seq', 'dur', 'average_dur', 'stddev_dur', 'total_dur',
       'min_dur', 'max_dur', 'spkts', 'dpkts', 'sbytes', 'dbytes', 'rate',
       'srate', 'drate', 'TnBPSrcIP', 'TnBPDstIP', 'TnP_PSrcIP', 'TnP_PDstIP',
       'TnP_PerProto', 'TnP_Per_Dport', 'AR_P_Proto_P_SrcIP',
       'AR_P_Proto_P_DstIP', 'N_IN_Conn_P_DstIP', 'N_IN_Conn_P_SrcIP',
       'AR_P_Proto_P_Sport', 'AR_P_Proto_P_Dport',
       'Pkts_P_State_P_Protocol_P_DestIP', 'Pkts_P_State_P_Protocol_P_SrcIP',
       'attack', 'category', 'subcategory'],
      dtype='object')

### 2. Drop flgs and flgno as its of no use for analytics

#### Define:
We have our second column as fgs which is "Flow state flags seen in transactions" and flgs_number which is associated with the flow state. We are removing this because we are dealing with the flags alone in an upcoming column and dont require this for analysis now.


#### Code:

In [42]:
df.drop(['flgs', 'flgs_number'], axis=1, inplace=True)

#### Test:

In [43]:
df.columns

Index(['stime', 'proto', 'proto_number', 'saddr', 'sport', 'daddr', 'dport',
       'pkts', 'bytes', 'state', 'state_number', 'ltime', 'seq', 'dur',
       'average_dur', 'stddev_dur', 'total_dur', 'min_dur', 'max_dur', 'spkts',
       'dpkts', 'sbytes', 'dbytes', 'rate', 'srate', 'drate', 'TnBPSrcIP',
       'TnBPDstIP', 'TnP_PSrcIP', 'TnP_PDstIP', 'TnP_PerProto',
       'TnP_Per_Dport', 'AR_P_Proto_P_SrcIP', 'AR_P_Proto_P_DstIP',
       'N_IN_Conn_P_DstIP', 'N_IN_Conn_P_SrcIP', 'AR_P_Proto_P_Sport',
       'AR_P_Proto_P_Dport', 'Pkts_P_State_P_Protocol_P_DestIP',
       'Pkts_P_State_P_Protocol_P_SrcIP', 'attack', 'category', 'subcategory'],
      dtype='object')

### 3. stime(start time) and ltime(last time) required for our analysis and can it be dropped?

#### Define:
Start time is the time at which the machine started recording the packet transfer and end time is the time at which the packet transfer was completed. SInce in the upcoming columns we are making flow based analysis from this features we dont actually need this as it is of no use for either analysis nor machine learning. This can be dropped from the datafram for further analysis.

#### Code:

In [44]:
df.drop(['stime', 'ltime'], axis=1, inplace=True)

#### Test:

In [45]:
df.columns

Index(['proto', 'proto_number', 'saddr', 'sport', 'daddr', 'dport', 'pkts',
       'bytes', 'state', 'state_number', 'seq', 'dur', 'average_dur',
       'stddev_dur', 'total_dur', 'min_dur', 'max_dur', 'spkts', 'dpkts',
       'sbytes', 'dbytes', 'rate', 'srate', 'drate', 'TnBPSrcIP', 'TnBPDstIP',
       'TnP_PSrcIP', 'TnP_PDstIP', 'TnP_PerProto', 'TnP_Per_Dport',
       'AR_P_Proto_P_SrcIP', 'AR_P_Proto_P_DstIP', 'N_IN_Conn_P_DstIP',
       'N_IN_Conn_P_SrcIP', 'AR_P_Proto_P_Sport', 'AR_P_Proto_P_Dport',
       'Pkts_P_State_P_Protocol_P_DestIP', 'Pkts_P_State_P_Protocol_P_SrcIP',
       'attack', 'category', 'subcategory'],
      dtype='object')

### 4.sport and dport are port numbers but the type available for them is object.

#### Define:
We need to convert both dport and sport into int type as they are numbers.
But icmp have strings so we need to convert them to -ve number for our conversion purpose

#### Code:

In [46]:
df['sport'] = df[df.proto == 'icmp'].sport = '-2'
df['dport'] = df[df.proto == 'icmp'].sport = '-2'

A value is trying to be set on a copy of a slice from a DataFrame.
Try using .loc[row_indexer,col_indexer] = value instead

See the caveats in the documentation: https://pandas.pydata.org/pandas-docs/stable/user_guide/indexing.html#returning-a-view-versus-a-copy
  self[name] = value


In [47]:
df["sport"] = pd.to_numeric(df['sport'])
df["dport"] = pd.to_numeric(df['dport'])

#### Test:

In [48]:
df.sport.dtype

dtype('int64')

In [49]:
df.dport.dtype

dtype('int64')

In [50]:
df[df.proto == 'icmp'].sport

978389    -2
994630    -2
1043479   -2
1044937   -2
1275820   -2
1289843   -2
1342616   -2
1347138   -2
1563276   -2
1573762   -2
1647848   -2
1650122   -2
1812831   -2
1823392   -2
1909210   -2
1913051   -2
Name: sport, dtype: int64

In [51]:
df[df.proto == 'icmp'].dport

978389    -2
994630    -2
1043479   -2
1044937   -2
1275820   -2
1289843   -2
1342616   -2
1347138   -2
1563276   -2
1573762   -2
1647848   -2
1650122   -2
1812831   -2
1823392   -2
1909210   -2
1913051   -2
Name: dport, dtype: int64

### 5.we have -1 as port number so we need to see what is wrong and remove it if needed?

#### INFO:
The valid port numbers can range as,
(2^16)-1, or 0-65,535 (the -1 is because port 0 is reserved and unavailable). -ve can also occur if there is a NAT translation occuring.
NAT: Transmision of private ip to public ip.



The -1 indicates port 0 itself and can be ignored and in dataset we have port as -2 which is an translation of icmp string for port number to -2. We wont use it for analysis but it dont need to be removed.

### 6.Sate number just tells us about the state and which isnt needed and can be removed.

#### Define:
In state_number it is a numerical representation of states which we already have and can be used for analytics. We can add it later if needed and remove it for now.

#### Code:

In [53]:
df.drop(['state_number'], axis=1, inplace=True)

#### Test:

In [54]:
df.columns

Index(['proto', 'proto_number', 'saddr', 'sport', 'daddr', 'dport', 'pkts',
       'bytes', 'state', 'seq', 'dur', 'average_dur', 'stddev_dur',
       'total_dur', 'min_dur', 'max_dur', 'spkts', 'dpkts', 'sbytes', 'dbytes',
       'rate', 'srate', 'drate', 'TnBPSrcIP', 'TnBPDstIP', 'TnP_PSrcIP',
       'TnP_PDstIP', 'TnP_PerProto', 'TnP_Per_Dport', 'AR_P_Proto_P_SrcIP',
       'AR_P_Proto_P_DstIP', 'N_IN_Conn_P_DstIP', 'N_IN_Conn_P_SrcIP',
       'AR_P_Proto_P_Sport', 'AR_P_Proto_P_Dport',
       'Pkts_P_State_P_Protocol_P_DestIP', 'Pkts_P_State_P_Protocol_P_SrcIP',
       'attack', 'category', 'subcategory'],
      dtype='object')

### 7.sequence number also isnt required for analysis and can be removed.

#### Define:
Sequence number is of no use in deciding about botnets attack and is used for transfer of data with number and hence it can be removed for analysis phase.


#### Code:

In [57]:
df.drop(['seq'], axis=1, inplace=True)

#### Test:

In [60]:
df.columns

Index(['proto', 'proto_number', 'saddr', 'sport', 'daddr', 'dport', 'pkts',
       'bytes', 'state', 'dur', 'average_dur', 'stddev_dur', 'total_dur',
       'min_dur', 'max_dur', 'spkts', 'dpkts', 'sbytes', 'dbytes', 'rate',
       'srate', 'drate', 'TnBPSrcIP', 'TnBPDstIP', 'TnP_PSrcIP', 'TnP_PDstIP',
       'TnP_PerProto', 'TnP_Per_Dport', 'AR_P_Proto_P_SrcIP',
       'AR_P_Proto_P_DstIP', 'N_IN_Conn_P_DstIP', 'N_IN_Conn_P_SrcIP',
       'AR_P_Proto_P_Sport', 'AR_P_Proto_P_Dport',
       'Pkts_P_State_P_Protocol_P_DestIP', 'Pkts_P_State_P_Protocol_P_SrcIP',
       'attack', 'category', 'subcategory'],
      dtype='object')

### 1. Remove the first column

#### Define:

#### Code:


#### Test: