# Project 2: Web Traffic Analysis
**This is the second of three mandatory projects to be handed in as part of the assessment for the course 02807 Computational Tools for Data Science at Technical University of Denmark, autumn 2019.**

#### Practical info
- **The project is to be done in groups of at most 3 students**
- **Each group has to hand in _one_ Jupyter notebook (this notebook) with their solution**
- **The hand-in of the notebook is due 2019-11-10, 23:59 on DTU Inside**

#### Your solution
- **Your solution should be in Python**
- **For each question you may use as many cells for your solution as you like**
- **You should document your solution and explain the choices you've made (for example by using multiple cells and use Markdown to assist the reader of the notebook)**
- **You should not remove the problem statements**
- **Your notebook should be runnable, i.e., clicking [>>] in Jupyter should generate the result that you want to be assessed**
- **You are not expected to use machine learning to solve any of the exercises**
- **You will be assessed according to correctness and readability of your code, choice of solution, choice of tools and libraries, and documentation of your solution**

## Introduction
In this project your task is to analyze a stream of log entries. A log entry consists of an [IP address](https://en.wikipedia.org/wiki/IP_address) and a [domain name](https://en.wikipedia.org/wiki/Domain_name). For example, a log line may look as follows:

`192.168.0.1 somedomain.dk`

One log line is the result of the event that the domain name was visited by someone having the corresponding IP address. Your task is to analyze the traffic on a number of domains. Counting the number of unique IPs seen on a domain doesn't correspond to the exact number of unique visitors, but it is a good estimate.

Specifically, you should answer the following questions from the stream of log entries.

- How many unique IPs are there in the stream?
- How many unique IPs are there for each domain?
- How many times was IP X seen on domain Y? (for some X and Y provided at run time)

**The answers to these questions can be approximate!**

You should also try to answer one or more of the following, more advanced, questions. The answers to these should also be approximate.

- How many unique IPs are there for the domains $d_1, d_2, \ldots$?
- How many times was IP X seen on domains $d_1, d_2, \ldots$?
- What are the X most frequent IPs in the stream?

You should use algorithms and data structures that you've learned about in the lectures, and you should provide your own implementations of these.

Furthermore, you are expected to:

- Document the accuracy of your answers when using algorithms that give approximate answers
- Argue why you are using certain parameters for your data structures

This notebook is in three parts. In the first part you are given an example of how to read from the stream (which for the purpose of this project is a remote file). In the second part you should implement the algorithms and data structures that you intend to use, and in the last part you should use these for analyzing the stream.

## Reading the stream
The following code reads a remote file line by line. It is wrapped in a generator to make it easier to extend. You may modify this if you want to, but your solution should remain parametrized, so that your notebook can be run without having to consume the entire file.

In [17]:
# Install pip packages phmmh3 and scipy in the current Jupyter kernel
import sys
!{sys.executable} -m pip install pymmh3
!{sys.executable} -m pip install scipy



In [5]:
import pymmh3 as mmh3
import math
import urllib
import statistics
import random
import numpy as np
import collections
import pandas as pd
from scipy.integrate import quad

In [114]:
url="https://files.dtu.dk/fss/public/link/public/stream/read/traffic_2?linkToken=_DcyO-U3MjjuNzI-&itemName=traffic_2"

In [115]:
def stream(n):
    i = 0
    with urllib.request.urlopen(url) as f:
        for line in f:
            element = line.rstrip().decode("utf-8")
            yield element
            i += 1
            if i == n:
                break

In [109]:
STREAM_SIZE = 10
web_traffic_stream = stream(STREAM_SIZE)

In [110]:
# test run to print the first 5 lines in the traffic stream
for x in web_traffic_stream:
    print(x)

186.99.192.116	python.org
202.152.82.171	wikipedia.org
130.126.231.205	python.org
116.142.112.214	pandas.pydata.org
113.124.204.127	python.org
143.30.183.87	wikipedia.org
138.74.228.219	python.org
56.120.106.87	wikipedia.org
189.119.55.225	wikipedia.org
180.110.73.101	wikipedia.org


## Data structures

### How many unique IPs are there in the stream?

>There are many implementations available for HyperLogLog. Our group decides to implement the one introduced by Wikipedia. Source : https://en.wikipedia.org/wiki/HyperLogLog.

There are two main differences between the one introduced in lecture and in Wikipedia:

* The hash function. In the lecture slides, the chosen hash function should map variable x to a number in [0, ..., w-1] where w = 32 or 64. In Wikipedia, the chosen hash function can map x to any range of integer.

* The count estimation. In lecture slides, the multiplication of m and the hormonic mean of the array M is returned. However, in Wikipedia, a more sophisticated estimation is presented which results in smaller error in estimation. We have attached a screenshot of the estimation formula below.

![Screenshot%202019-11-04%20at%2004.57.50.png](attachment:Screenshot%202019-11-04%20at%2004.57.50.png)

In [23]:
def hyperLogLog(stream, w=32, m=16): # m has to be power of 2
    
    # initiate an array M with m counters
    M = [0,] * (m+1) # index 0 is dummy, we only focus on index 1 to m
    
    # print functions for improved readability
    print("Receiving incoming data")
    print("Updating the unique count")
    print("...")
    print("...")
    
    while (True):
        
        # try getting the next element
        try:
            IP=next(stream).split()[0]
            
        # function should end here
        # enter the except block when there is no more incoming data
        # in our case, this would mean that all the sample data have been processed
        # since all data are processed, we then calculate the estimated count according to the formula presented above
        except: 
            print("No more incoming streaming data")
            print("Calculating the estimated number of distinct elements")
            print("...")
            print("...")
            
            # get Z (note, exclude index 0 in array M)
            Z = sum(list(map(lambda x : 2**-M[x], M[1:]))) ** -1
            a_m = (quad(lambda u : math.log((2+u)/(1+u),2)**m , 0, np.inf)[0] * m)** -1
            E = a_m * (m**2) * Z
                        
            # return the estimated count of distinct elements in the stream
            print("The estimated number of distinct elements is {}".format(E))
            return E
    
        # hash the IP address
        # mmh3 stands for MurmurHash (MurmurHash3), a set of fast and robust hash functions
        hashing=mmh3.hash(IP)
        
        # obtain a binary representation of the IP address
        binary="{0:b}".format(hashing)

        # split the binary string into upper and lower parts
        upper=binary[0: int(math.log(m,2))]
        lower=binary[int(math.log(m,2)):]

        # compute position p of the leftmost 1-bit of the lower part
        # if there is no 1 in the lower part, just return the length of the lower part
        # this is based on the fact that 0000 occurs with the same probability as 0001
        p=lower.find("1") + 1 if lower.find("1") != -1 else len(lower)

        # obtain the index j which is the integer representation of the upper part + 1
        j=abs(int(upper, 2)) + 1

        # update array M
        M[j]= max(M[j],p)
    
    # dummy return value
    return None

In [24]:
# test out hyperLogLog() on 10000 lines of traffic stream data
STREAM_SIZE = 10000
web_traffic_stream = stream(STREAM_SIZE)
distinct_count = hyperLogLog(web_traffic_stream)

Receiving incoming data
Updating the unique count
...
...
No more incoming streaming data
Calculating the estimated number of distinct elements
...
...
The estimated number of distinct elements is 43.01814029250092


### How many unique IPs are there for each domain?

Our Approach:

1. Maintain a dictionary where key is domain and value is a HyperLogLog array.

2. For each incoming record, update corresponding HLL array, depending on the domain.

3. Compute unique IPs for each domain. 

In [25]:
def hyperLogLog_at_scale(stream, w=32, m=16): # m has to be power of 2
    
    # initialize a domain dictionary with format {key = domain name : value = M array}
    domain_dic={}
    
    # print functions for improved readability
    print("Receiving incoming data")
    print("Updating the unique IP counts")
    print("...")
    print("...")
    
    while (True):
        
        # try getting the next element
        try:
            element=next(stream).split()
            IP=element[0]
            domain=element[1]
    
        # function should end here
        # enter the except block when there is no more incoming data
        # in our case, this would mean that all the sample data have been processed
        # since all data are processed, we then calculate the estimated count according to the formula presented above
        except: 
            print("No more incoming streaming data")
            print("Calculating the estimated number of unique IPs")
            print("...")
            print("...")
            
            # init a new dictionary with format {key = domain name : value = estimated count}
            count_dic={}
            
            for (domain, M) in domain_dic.items():
                # get Z (note, exclude index 0 in array M)
                Z = sum(list(map(lambda x : 2**-M[x], M[1:]))) ** -1
                a_m = (quad(lambda u : math.log((2+u)/(1+u),2)**m , 0, np.inf)[0] * m)** -1
                E = a_m * (m**2) * Z
                # add the domain and its corresponding unique counts to the dictionary
                count_dic[domain]=E
                       
            return count_dic
        
        # first time seeing this domain
        # create a M array of m counters
        if domain not in domain_dic:
            domain_dic[domain] = [0,] * (m+1)
        
        # hash the IP address
        # mmh3 stands for MurmurHash (MurmurHash3), a set of fast and robust hash functions
        hashing=mmh3.hash(IP)
        
        # obtain a binary representation of the IP address
        binary="{0:b}".format(hashing)

        # split the binary string into upper and lower parts
        upper=binary[0: int(math.log(m,2))]
        lower=binary[int(math.log(m,2)):]

        # compute position p of the leftmost 1-bit of the lower part
        # if there is no 1 in the lower part, just return the length of the lower part
        # this is based on the fact that 0000 occurs with the same probability as 0001
        p=lower.find("1") + 1 if lower.find("1") != -1 else len(lower)

        # obtain the index j which is the integer representation of the upper part + 1
        j=abs(int(upper, 2)) + 1

        # update array M for that specific domain
        value = domain_dic[domain]
        value[j] = max(value[j],p)
        domain_dic[domain] = value
    
    # dummy return value
    return None

In [26]:
# test out hyperLogLog_at_scale() on 10000 lines of traffic stream data
STREAM_SIZE = 10000
web_traffic_stream = stream(STREAM_SIZE)
hyperLogLog_at_scale(web_traffic_stream)

Receiving incoming data
Updating the unique IP counts
...
...
No more incoming streaming data
Calculating the estimated number of unique IPs
...
...


{'python.org': 42.57184557446545,
 'wikipedia.org': 42.754297262221165,
 'pandas.pydata.org': 33.69932332787732,
 'dtu.dk': 16.70292095274192,
 'google.com': 16.88513463586274,
 'databricks.com': 14.01283806740515,
 'github.com': 13.120884662757708,
 'spark.apache.org': 11.883732283456737,
 'datarobot.com': 10.76963238188267}

The dictionary above shows the estimated unique IPs for each domain.

### How many times was IP X seen on domain Y? (for some X and Y provided at run time)

In [27]:
def countMin(stream, w, d):
    
    # initialize a domain dictionary with format (key=domain name : value = M matrix)
    domain_dic={}
    
    while (True):
        
        # try getting the next element
        try:
            element=next(stream).split()
            IP=element[0]
            domain=element[1]
    
        # function should end here
        # enter the except block when there is no more incoming data
        # in our case, this would mean that all the sample data have been processed
        except:
            # return the final dictionary
            return domain_dic
        
        # create a w*d matrix for each domain
        if domain not in domain_dic:
            outer=[]
            for i in range(d):
                inner=[0,] * w
                outer.append(inner)
            # add the domain and its matrix to the dictionary
            domain_dic[domain] = outer
        
        # iterate through each hash function
        for s in range(0,d):
            # hash the IP address
            hashing=mmh3.hash(IP, seed=s) % w

            # obtain the current matrix for that domain
            value = domain_dic[domain]
            
            # increment the number of occurrences by 1 and update the matrix
            value[s][hashing] +=1
            
            # assign the updated matrix back to the dictionary
            domain_dic[domain] = value
            
    # dummy return value
    return None

In [28]:
# makes use of the countMin function
# provide IP_X and Domain_Y at runtime to extract from the dictionary obtained from the countMin function

def getResult(stream, IP_X, Domain_Y, w=16, d=5):
    
    # obtain the countMin_Dic from countMin()
    countMin_Dic = countMin(stream, w, d)
    
    # obtain the frequency matrix for a particular domain
    Matrix=countMin_Dic[Domain_Y]
    
    # initialize an empty list to store the all the estimated numbers of occurrences from d hashing functions
    res_list=[]
    for s in range(0,d):
        hashing=mmh3.hash(IP_X, seed=s) % w
        res_list.append(Matrix[s][hashing])
    return min(res_list)

In [29]:
# test out getResult() on 10000 lines of traffic stream data
STREAM_SIZE = 10000
web_traffic_stream = stream(STREAM_SIZE)

In [30]:
# test run
result = getResult(web_traffic_stream,"186.99.192.116", 'python.org')
result

79

### How many unique IPs are there for the domains  𝑑1,𝑑2,… ?

Our approach:

1. Maintain a dictionary where key is domain and value is a HyperLogLog array.

2. For each incoming record, update HLL array if it is in the dictionary. Else, ignore.

3. Compute unique IPs for each domain. 

In [31]:
def hyperLogLog_multiple_domains(stream, domain1, *domains, w=32, m=16): 
    # minimum number of domains to be specified: 1
    # additionally, user can specify more than 1 domain
    
    # create a domain list containing all the domains at interest
    domain_list = [domain1,]
    domain_list.extend(list(domains))
    
    # initialize a domain dictionary with format {key = domain name : value = M array}
    domain_dic={}
    
    # print functions for improved readability
    print("Receiving incoming data")
    print("Updating the unique IP counts")
    print("...")
    print("...")
    
    while (True):
        
        # try getting the next IP adress
        try:
            element=next(stream).split()
            IP=element[0]
            domain=element[1]
    
        # function should end here
        # enter the except block when there is no more incoming data
        # in our case, this would mean that all the sample data have been processed
        # since all data are processed, we then calculate the estimated count according to the formula presented above
        except: 
            print("No more incoming streaming data")
            print("Calculating the estimated number of unique IPs")
            print("...")
            print("...")
            
            # init a new dictionary with format {key = domain name : value = estimated count}
            count_dic={}
            
            for (domain, M) in domain_dic.items():
                # get Z (note, exclude index 0 in array M)
                Z = sum(list(map(lambda x : 2**-M[x], M[1:]))) ** -1
                a_m = (quad(lambda u : math.log((2+u)/(1+u),2)**m , 0, np.inf)[0] * m)** -1
                E = a_m * (m**2) * Z
                # add the domain and its corresponding unique counts to the dictionary
                count_dic[domain]=E
                       
            return count_dic
        
        # if the incoming domain is of our interest, and that it is the first time we see this domain
        # create a M array of m counters
        if domain in domain_list and domain not in domain_dic:
            domain_dic[domain] = [0,] * (m+1)
        
        # hash the IP address
        # mmh3 stands for MurmurHash (MurmurHash3), a set of fast and robust hash functions
        hashing=mmh3.hash(IP)

        # obtain a binary representation of the IP address
        binary="{0:b}".format(hashing)

        # split the binary string into upper and lower parts
        upper=binary[0: int(math.log(m,2))]
        lower=binary[int(math.log(m,2)):]

        # compute position p of the leftmost 1-bit of the lower part
        # if there is no 1 in the lower part, just return the length of the lower part
        # this is based on the fact that 0000 occurs with the same probability as 0001
        p=lower.find("1") + 1 if lower.find("1") != -1 else len(lower)

        # obtain the index j which is the integer representation of the upper part + 1
        j=abs(int(upper, 2)) + 1

        # update array M for that specific domain
        if domain in domain_list:
            value = domain_dic[domain]
            value[j] = max(value[j],p)
            domain_dic[domain] = value
    
    # dummy return value
    return None

In [32]:
# test out hyperLogLog_multiple_domains() on 10000 lines of traffic stream data
STREAM_SIZE = 10000
web_traffic_stream = stream(STREAM_SIZE)
hyperLogLog_multiple_domains(web_traffic_stream, "pandas.pydata.org", "python.org", "wikipedia.org")

Receiving incoming data
Updating the unique IP counts
...
...
No more incoming streaming data
Calculating the estimated number of unique IPs
...
...


{'python.org': 42.57184557446545,
 'wikipedia.org': 42.754297262221165,
 'pandas.pydata.org': 33.69932332787732}

### How many times was IP X seen on domains  𝑑1,𝑑2,… ?

In [33]:
def countMin_multiple_domains(stream, domain_list, w, d):
        
    # initialize a domain dictionary with format (key=domain name : value = M matrix)
    domain_dic={}
    
    while (True):
        
        # try getting the next element
        try:
            element=next(stream).split()
            IP=element[0]
            domain=element[1]
    
        # function should end here
        # enter the except block when there is no more incoming data
        # in our case, this would mean that all the sample data have been processed
        except:
            # return the final dictionary
            return domain_dic
        
        # create a w*d matrix for each domain at interest
        if domain in domain_list:
            if domain not in domain_dic:
                outer=[]
                for i in range(d):
                    inner=[0,] * w
                    outer.append(inner)
                # add the domain and its matrix to the dictionary
                domain_dic[domain] = outer
        
            # iterate through each hash function
            for s in range(0,d):
                # hash the IP address
                hashing=mmh3.hash(IP, seed=s) % w

                # obtain the current matrix for that domain
                value = domain_dic[domain]

                # increment the number of occurrences by 1 and update the matrix
                value[s][hashing] +=1

                # assign the updated matrix back to the dictionary
                domain_dic[domain] = value
            
    # dummy return value
    return None

In [34]:
# makes use of the countMin_multiple_domains function
# provide IP_X and domains at runtime to extract from the dictionary obtained from the countMin_multiple_domains fucntion

def getResult_multiple_domains(stream, IP_X, domain1, *domains, w=16, d=5):
        
    # create a domain list containing all the domains at interest
    domain_list = list(domains)
    domain_list.append(domain1) # append the mandatory input argument domain1 into the domain list
    
    # obtain the countMin_dic from countMin_multiple_domains()
    countMin_Dic = countMin_multiple_domains(stream, domain_list, w, d)
    
    # initialize a dictionary to store the number of times IP X is seen on different domains
    # {domain1:n times, domain2: m times, ...}
    res_dic = {}
    
    # iterate through the domain list
    for domain in domain_list:  
    
        # obtain the frequency matrix for a particular domain
        Matrix=countMin_Dic[domain]

        # initialize an empty list to store the all the estimated numbers of occurrences from d hashing functions
        res_list=[]
        
        for s in range(0,d):
            hashing=mmh3.hash(IP_X, seed=s) % w
            res_list.append(Matrix[s][hashing])
            count = min(res_list)
            # add the count for this particular domain to res_dic
            res_dic[domain] = count
    
    return res_dic

In [35]:
# test out getResult_multiple_domains() on 10000 lines of traffic stream data
STREAM_SIZE = 10000
web_traffic_stream = stream(STREAM_SIZE)

In [36]:
# test run
results_dictionary = getResult_multiple_domains(web_traffic_stream,
                                                "186.99.192.116", "pandas.pydata.org", "python.org", "wikipedia.org")
results_dictionary

{'python.org': 79, 'wikipedia.org': 149, 'pandas.pydata.org': 31}

### What are the X most frequent IPs in the stream?

> Finding the top X most frequent IPs is an extension of finding the most frequent IP. 

> Our group will modify the Boyer–Moore majority vote algorithm. Source: https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_majority_vote_algorithm

Our approach :

1. Maintain a dictionary of size X. Key is IP and value is corresponding frequency.

2. For each new record e, if e is in the dictionary, increment the frequency by 1.

3. If e is not in the dictionary and the dictionary size is smaller than X, add e to the dictionary with frequency being 1.

4. If the dictionary size is X, then decrement all frequencies by 1.

5. Remove the key-value pair from the dictionary if the value becomes 0.

In [116]:
def majority_voting_modified(stream, X):
    # initiate a dictionary with format {key = IP : value = freqency}
    topX = {}
    
    while (True):
        # getting next IP
        try:
            IP = next(stream).split("\t")[0]
        
        # when no more incoming record
        except:
            print("No more data")
            return topX
        
        # Case 1 : IP in the dictionary
        if IP in topX:
            topX[IP] += 1
        
        # Case 2: IP not in dictionary
        else:
            
            # Case 2a : topX has vacancy
            if len(topX) < X:
                topX[IP] = 1
                
            # Case 2b: topX does not have vacancy
            else:
                remove=[]
                for key in topX:
                    topX[key] -= 1
                    if topX[key] == 0:
                        remove.append(key)
                        
                # remove key-value pair with value == 0
                for rm in remove:
                    topX.pop(rm)
    
    return
            


In [122]:
STREAM_SIZE = 10000
web_traffic_stream = stream(STREAM_SIZE)

In [123]:
majority_voting_modified(web_traffic_stream, 5)

No more data


{'68.128.158.127': 1,
 '47.183.55.112': 1,
 '202.24.90.90': 1,
 '84.99.148.212': 1}

First, define some helper functions for us to keep track of the X most frequent IPs and their frequencies in the streaming data.

In [75]:
# define a helper function to update topX_dic
# topX_dic is a dictionary of the following format: {frequency1 : [IP1, IP2, ...], frequency2 : [IP3, IP4, ...], ...}
# The maximum number of pairs in the dictionary is X. This happens when each frequency corresponds to one and only one IP.
def add_to_topX_dic(topX_dic, IP, count):    
    
    # firstly, iterate through the dictionary to find if this IP already exists
    for freq, IPs in topX_dic.items():
        # remove the IP from its old count key if it exists
        if IP in IPs:
            IPs.remove(IP)
            topX_dic[freq] = IPs
    
    # if it is the first time this count is seen in the dictionary, create a key-value pair straightaway
    if count not in topX_dic.keys():
        topX_dic[count] = [IP,]
    
    # if this count already exists in the dictionary
    else:
        # add IP as a value of its new count key in the dictionary
        lst = topX_dic[count]
        lst.append(IP)
        topX_dic[count] = lst
    
    return topX_dic
    
    
    
# define a function to check whether we should put an IP into the topX dictionary, and do so when necessary
def update_topX_dic(topX_dic, IP, count, X):
        
    # if topX_dic is not fully filled (fewer than X pairs)
    if len(topX_dic) < X:
        # add this IP to topX_dic
        topX_dic = add_to_topX_dic(topX_dic, IP, count)
    
    else:
        # sort the current top frequencies in ascending order
        top_frequencies = sorted(list(topX_dic.keys()))
        # find the current minimum frequency accepted by the topX dictionary
        min_freq = top_frequencies[0]
        # if the count is no smaller than min_freq, add this item to topX_dictionary
        if count >= min_freq:
            topX_dic = add_to_topX_dic(topX_dic, IP, count)
    
    return topX_dic
 
    
    
# a tie occurs when the last few most frequent IPs have the same frequency
# e.g. X = 10; both the 10th and the 11th IP in the top X list have the same frequency. In such cases, we will include both
# therefore, the actual number of IPs in the top X list may exceed X.
def settle_ties(topX_dic, X):
    
    # initialize a counter to keep track of the total number of IPs in the top X list
    counter = 0
    
    # initialize a list that stores the top X most frequent counts and their IPs
    # [(IP1, frequency1), (IP2, frequency2), ...]
    topX_list = []
    
    # obtain the sorted frequencies in the dictionary in descending order
    sorted_frequencies = sorted(topX_dic.keys(), reverse = True)
    
    for freq in sorted_frequencies:
        # if no IPs have been added to topX_list, at least add the first set of IPs to the list
        if counter == 0:
            for IP in topX_dic[freq]:
                topX_list.append((IP, freq))
            # increment the counter by the number of IPs
            counter += len(topX_dic[freq]) 
        
        # if after adding the previous IPs to the list, len(topX_list) equals to X exactly, escape the for loop
        elif counter == X:
            break
        
        # if adding IPs with this frequency to the topX list does not make the length go beyond X, add these to the list 
        elif counter + len(topX_dic[freq]) < X:
            for IP in topX_dic[freq]:
                topX_list.append((IP, freq))
            # increment the counter by the number of IPs
            counter += len(topX_dic[freq]) 
        
        # else settle ties by add the IPs, then escape the for loop
        else:
            for IP in topX_dic[freq]:
                topX_list.append((IP, freq))
            break
        
    # sort the topX list in descending order of counts
    topX_list.sort(key=lambda tup: tup[1], reverse=True)
    
    # return the topX IPs and their counts in the form of a dictionary
    return dict(topX_list)

Time to put everything together! Define a function that takes in streaming customer data, and returns the top X most frequent IPs

In [90]:
def topX_frequency(stream, X, w=16, d=5):
    
    # initialize an IP dictionary with format (key=IP name : value = M matrix)
    IP_dic={}
    
    # initialize a dictionary to store the top frequencies and also settle ties (if any)
    # {frequency1 : [IP1, IP2, ...], frequency2 : [IP3, IP4, ...], ...}
    # maximum number of pairs in the dictionary is X. This happens when each frequency corresponds to one and only one IP.
    topX_dic = {}    
    
    while (True):
        
        # try getting the next element
        try:
            element=next(stream).split()
            IP=element[0]
    
        # function should end here
        # enter the except block when there is no more incoming data
        # in our case, this would mean that all the sample data have been processed
        except:
            final_topX = settle_ties(topX_dic, X)
            return final_topX
        
        # create a w*d matrix for each IP
        if IP not in IP_dic:
            outer=[]
            for i in range(d):
                inner=[0,] * w
                outer.append(inner)
            # add the IP and its matrix to the dictionary
            IP_dic[IP] = outer
                
        # initialize an empty list to calculate the current count of an element
        res_list = []
        
        # iterate through each hash function
        for s in range(0,d):
            # hash the IP address
            hashing=mmh3.hash(IP, seed=s) % w

            # obtain the current matrix for that IP
            value = IP_dic[IP]
            
            # increment the number of occurrences by 1 and update the matrix
            value[s][hashing] +=1
            
            # assign the updated matrix back to the dictionary
            IP_dic[IP] = value
            
            # store the value of the 
            res_list.append(value[s][hashing])
        
        # find the current estimate of the number of occurrences of an IP address
        count = min(res_list)
        
        # check and update the topX dictionary accordingly
        topX_dic = update_topX_dic(topX_dic, IP, count, X)
    
    # dummy return value
    return None

In [124]:
# test out topX_frequency() on 10000 lines of traffic stream data
STREAM_SIZE = 100000
web_traffic_stream = stream(STREAM_SIZE)

In [125]:
# test run on the 3 most frequent IPs
topX = topX_frequency(web_traffic_stream, 3)
topX

{'108.41.112.108': 27, '72.187.84.158': 26, '54.29.199.129': 8}

In [None]:
# def reservoir_sampling(stream, k, domainY, IPX):
#     test=0
    
#     # define some helper functions
#     def getIP(ele): # get the IP address
#         return ele[0]
    
#     def checkDomain(ele): # return true if domainY is matched
#         return ele[1] == domainY
    
#     # keep a counter for total number of domainY
#     count_Y = 0
       
#     # Initialize the reservoir array with size k, index [0, k-1]
#     reservoir = [" "] * k
    
#     # keep a count for reservoir array
#     count_reservoir = 0
    
#     # Fill the reservoir array by the first k elements from streaming data (match domainY)
#     while count_reservoir < k: 
#         element = next(stream).split("\t") ## [IP , Domain]
#         test+=1
#         if checkDomain(element): # check if it is from domainY
#             count_Y += 1 # update count+Y
#             reservoir[count_reservoir] = getIP(element) # fill one slot in reservoir array
#             count_reservoir += 1 # update count_reservoir
    
#     # Iterate all incoming streaming elements
#     while (True):
#         # get the next incoming element
#         try:
#             new_element = next(stream).split("\t")
#             test+=1
#         # finish processing all streaming data
#         except:
#             print(test)
#             print("No incoming streaming data anymore")
#             count_IP=0
#             for IP in reservoir:
#                 if IP == IPX:
#                     count_IP += 1
#             return count_IP/k * count_Y
        
#         if checkDomain(new_element):
#             count_Y += 1
#             # keep the element with a probability of k/count_Y
#             if k < random.randrange(count_Y + 1):
#                 # replace a slot in reservoir array selected uniformly at random
#                 reservoir[random.randrange(k)] = getIP(new_element)
            
#     return None

In [None]:
# STREAM_SIZE = 1000000
# web_traffic_stream = stream(STREAM_SIZE)
# reservoir_sampling(web_traffic_stream, 3000, "pandas.pydata.org", "42.128.176.139")

## Analysis

Define a function to store the EXACT occurrences of each IP for each domain

In [249]:
def find_exact_counts(stream):
    
    # initialize a dictionary of dictionaries that stores the exact counts for each IP for each domain
    # {domain1 : {IP1 : occurrences1, IP2 : occurrences2, ...}, domain2: {IP1 : occurrences1, ...}, ...}
    exact_dic = {}
    
    while (True):
        
        # try getting the next element
        try:
            element=next(stream).split()
            IP=element[0]
            domain=element[1]
        
        # function should end here
        # enter the except block when there is no more incoming data
        except:
            return exact_dic
        
        if domain not in exact_dic.keys():
            exact_dic[domain] = {}
            exact_dic[domain][IP] = 1
        
        else:
            sub_dic = exact_dic[domain]
            if IP not in sub_dic.keys():
                sub_dic[IP] = 1
            else:
                sub_dic[IP] += 1
            # replace the original sub_dic by the updated one
            exact_dic[domain] = sub_dic

    # dummy return value    
    return None

In [250]:
# test out exact_counts_dic() on 10000 lines of traffic stream data
STREAM_SIZE = 10000
web_traffic_stream = stream(STREAM_SIZE)

In [251]:
# test run
exact_counts_dic = find_exact_counts(web_traffic_stream)
exact_counts_dic

{'python.org': {'186.99.192.116': 1,
  '130.126.231.205': 1,
  '113.124.204.127': 1,
  '138.74.228.219': 1,
  '125.147.103.124': 1,
  '98.200.179.72': 1,
  '118.134.162.177': 1,
  '166.31.84.181': 1,
  '188.184.111.204': 1,
  '118.132.34.85': 1,
  '139.135.81.115': 1,
  '58.119.72.88': 1,
  '73.112.136.99': 1,
  '181.223.154.91': 1,
  '203.85.185.49': 1,
  '69.185.128.164': 1,
  '161.134.127.210': 1,
  '105.98.155.244': 1,
  '110.220.151.140': 1,
  '99.121.45.126': 1,
  '125.142.128.86': 1,
  '208.114.96.119': 1,
  '175.132.133.122': 1,
  '110.181.109.83': 1,
  '121.68.38.141': 1,
  '149.112.137.51': 1,
  '134.193.104.115': 1,
  '120.101.134.186': 1,
  '145.66.255.140': 1,
  '89.77.227.69': 1,
  '191.126.126.59': 1,
  '113.113.65.155': 1,
  '88.133.137.210': 1,
  '110.193.102.46': 1,
  '103.42.49.44': 1,
  '110.60.144.62': 1,
  '89.149.83.80': 1,
  '67.232.160.201': 1,
  '67.114.70.30': 1,
  '78.122.148.55': 1,
  '93.113.116.30': 1,
  '53.32.199.128': 1,
  '139.35.186.34': 1,
  '148.13

In [None]:
# check the accuracy of IP counting
def CountIP_accuracy(stream): 
    #create a dictionary(key is IP,value is count)
    IP_dict={}
    
    element=next(stream).split()
    IP=element[0]
    domain=element[1]
      
    for count in stream: 
        if (count in IP_dict): 
            IP_dict[count] += 1
        else: 
            IP_dict[count] = 1
  
    for IP, count in IP_dict.counts(): 
        print ("% d : % d"%(IP, count)) 
        return IP_dict

In [None]:
#check the accuracy of CountMin function
def CountMin_accuracy(stream):
    #create a dictionary (key is domain, value is IP_dict)
    domain_dict={}
    
    element=next(stream).split()
    IP=element[0]
    domain=element[1]
    
    for IP_dict in stream:
        if (IP_dict in domain_dict): 
            domain_dict[IP_dict] += 1
        else: 
            domain_dict[IP_dict] = 1
  
    for domain, IP_dict in IP_dict.counts(): 
        print ("% d : % d"%(domain, IP_dict)) 