In [1]:
from pyspark.sql import SparkSession
import csv
import ast
import pandas as pd
from pyspark.sql.types import StringType, ArrayType, IntegerType, FloatType

In [2]:
from pyspark.sql import SparkSession
import findspark
findspark.init()
spark = SparkSession.builder \
    .appName("ProcessGrouping1") \
    .master("local[*]") \
    .getOrCreate()


In [3]:
# Load the data into a DataFrame
data_path = "logs2.csv"
df = spark.read.csv(data_path, header=True, inferSchema=True)
df.show()

+----------+--------+----+--------+---------+
|FromServer|ToServer|time|  action|processId|
+----------+--------+----+--------+---------+
|      null| lkVpiJ4|   0| Request|        1|
|   lkVpiJ4|    null|   6|Response|        1|
|      null| lkVpiJ4|   9| Request|        2|
|   lkVpiJ4|    null|  12|Response|        2|
|      null| OZBsEf0|  11| Request|        3|
|   OZBsEf0|    null|  13|Response|        3|
|      null|    Aum3|  18| Request|        4|
|      Aum3|    null|  28|Response|        4|
|      null|    Aum3|  22| Request|        5|
|      Aum3|    null|  24|Response|        5|
|      null|   qZGv1|  27| Request|        6|
|     qZGv1|    null|  36|Response|        6|
+----------+--------+----+--------+---------+



In [4]:
from pyspark.sql.functions import col, collect_list, struct

# Group by processID and collect the sequence of actions
processes_df = df.groupBy("processID").agg(collect_list(struct("FromServer", "ToServer", "time", "action")).alias("actions"))

# Convert actions to string for MinHash LSH
def actions_to_string(actions):
    return "".join([f"{action['FromServer']}{action['ToServer']}" for action in actions])

from pyspark.sql.functions import udf
from pyspark.sql.types import StringType

actions_to_string_udf = udf(actions_to_string, StringType())
processes_df = processes_df.withColumn("actions_str", actions_to_string_udf(col("actions")))
processes_df.show()

+---------+--------------------+--------------------+
|processID|             actions|         actions_str|
+---------+--------------------+--------------------+
|        1|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|
|        6|[{null, qZGv1, 27...|  nullqZGv1qZGv1null|
|        3|[{null, OZBsEf0, ...|nullOZBsEf0OZBsEf...|
|        5|[{null, Aum3, 22,...|    nullAum3Aum3null|
|        4|[{null, Aum3, 18,...|    nullAum3Aum3null|
|        2|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|
+---------+--------------------+--------------------+



In [5]:
# Convert actions string into shingles
def get_shingles(row, k=5):
    concatenated_str = ''.join(row)
    shingles = [concatenated_str[i:i+k] for i in range(len(concatenated_str) - (k - 1))]
    return shingles
from pyspark.sql.types import ArrayType

get_shingles_udf = udf(lambda x: get_shingles(x), ArrayType(StringType()))
processes_df = processes_df.withColumn("shingles", get_shingles_udf(col("actions_str")))
processes_df.show()


+---------+--------------------+--------------------+--------------------+
|processID|             actions|         actions_str|            shingles|
+---------+--------------------+--------------------+--------------------+
|        1|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|[nulll, ulllk, ll...|
|        6|[{null, qZGv1, 27...|  nullqZGv1qZGv1null|[nullq, ullqZ, ll...|
|        3|[{null, OZBsEf0, ...|nullOZBsEf0OZBsEf...|[nullO, ullOZ, ll...|
|        5|[{null, Aum3, 22,...|    nullAum3Aum3null|[nullA, ullAu, ll...|
|        4|[{null, Aum3, 18,...|    nullAum3Aum3null|[nullA, ullAu, ll...|
|        2|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|[nulll, ulllk, ll...|
+---------+--------------------+--------------------+--------------------+



In [6]:
from pyspark.ml.feature import CountVectorizer

cv = CountVectorizer(inputCol="shingles", outputCol="features",binary=True)
cv_model = cv.fit(processes_df)
vectorized_df = cv_model.transform(processes_df)
print(vectorized_df.show(truncate=True))

print("Distinct Attributes (Vocabulary):")
for i, attr in enumerate(cv_model.vocabulary):
    print(f"{i}. {attr}")

+---------+--------------------+--------------------+--------------------+--------------------+
|processID|             actions|         actions_str|            shingles|            features|
+---------+--------------------+--------------------+--------------------+--------------------+
|        1|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|[nulll, ulllk, ll...|(55,[0,1,2,6,9,13...|
|        6|[{null, qZGv1, 27...|  nullqZGv1qZGv1null|[nullq, ullqZ, ll...|(55,[4,31,33,37,3...|
|        3|[{null, OZBsEf0, ...|nullOZBsEf0OZBsEf...|[nullO, ullOZ, ll...|(55,[8,21,26,32,3...|
|        5|[{null, Aum3, 22,...|    nullAum3Aum3null|[nullA, ullAu, ll...|(55,[3,5,7,10,11,...|
|        4|[{null, Aum3, 18,...|    nullAum3Aum3null|[nullA, ullAu, ll...|(55,[3,5,7,10,11,...|
|        2|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|[nulll, ulllk, ll...|(55,[0,1,2,6,9,13...|
+---------+--------------------+--------------------+--------------------+--------------------+

None
Distinct Attributes (Vocabulary):


In [7]:
from pyspark.ml.feature import MinHashLSH

mh = MinHashLSH(inputCol="features", outputCol="hashes", numHashTables=10)
mh_model = mh.fit(vectorized_df)
hashed_df = mh_model.transform(vectorized_df)


In [8]:
from pyspark.sql.functions import array, array_union, collect_list, explode, col
from pyspark.ml.linalg import Vectors
from pyspark.ml.feature import HashingTF

threshold = 0.8
# Find similar candidate process IDs using MinHashLSH
similarity_df = mh_model.approxSimilarityJoin(hashed_df, hashed_df, threshold, distCol="JaccardDistance") \
    .select(col("datasetA.processID").alias("processID_A"),
            col("datasetB.processID").alias("processID_B"),
            col("JaccardDistance"))

# Filter out self-joins and duplicates
similarity_df = similarity_df.filter(col("processID_A") < col("processID_B"))
similarity_df.show()
# Function to calculate Jaccard similarity
def jaccard_similarity(x, y):
    x_set = set(x)
    y_set = set(y)
    intersection = len(x_set & y_set)
    union = len(x_set | y_set)
    return float(intersection) / union

# Register the function as a UDF
from pyspark.sql.types import FloatType
jaccard_similarity_udf = udf(jaccard_similarity, FloatType())
print("processes_df")
processes_df.show()
print("similarity_df")
similarity_df.show()

# Join with original DataFrame to get shingles for each process
similarity_df = similarity_df \
    .join(processes_df.select("processID", "shingles"), similarity_df.processID_A == processes_df.processID) \
    .withColumnRenamed("shingles", "shingles_A") \
    .drop("processID") \
    .join(processes_df.select("processID", "shingles"), similarity_df.processID_B == processes_df.processID) \
    .withColumnRenamed("shingles", "shingles_B") \
    .drop("processID")

# Calculate Jaccard similarity for each candidate pair
similarity_df = similarity_df.withColumn("JaccardSimilarity", jaccard_similarity_udf(col("shingles_A"), col("shingles_B")))

# Filter pairs with Jaccard similarity above a threshold (e.g., 0.8)
similarity_df = similarity_df.filter(col("JaccardSimilarity") >= 1- threshold)

# Group by processID_A and collect similar processIDs
grouped_df = similarity_df.groupBy("processID_A").agg(collect_list("processID_B").alias("similar_processIDs"))

# Convert processID_A to an array and concatenate with similar_processIDs
grouped_df = grouped_df.withColumn("all_processIDs", array_union(array(col("processID_A")), col("similar_processIDs")))

# Explode the all_processIDs array to get a mapping of each process ID to its group
exploded_df = grouped_df.select(explode(col("all_processIDs")).alias("processID"), col("processID_A").alias("group_representative"))
similarity_df.show()

+-----------+-----------+---------------+
|processID_A|processID_B|JaccardDistance|
+-----------+-----------+---------------+
|          4|          5|            0.0|
|          1|          2|            0.0|
+-----------+-----------+---------------+

processes_df
+---------+--------------------+--------------------+--------------------+
|processID|             actions|         actions_str|            shingles|
+---------+--------------------+--------------------+--------------------+
|        1|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|[nulll, ulllk, ll...|
|        6|[{null, qZGv1, 27...|  nullqZGv1qZGv1null|[nullq, ullqZ, ll...|
|        3|[{null, OZBsEf0, ...|nullOZBsEf0OZBsEf...|[nullO, ullOZ, ll...|
|        5|[{null, Aum3, 22,...|    nullAum3Aum3null|[nullA, ullAu, ll...|
|        4|[{null, Aum3, 18,...|    nullAum3Aum3null|[nullA, ullAu, ll...|
|        2|[{null, lkVpiJ4, ...|nulllkVpiJ4lkVpiJ...|[nulll, ulllk, ll...|
+---------+--------------------+--------------------+------

In [9]:
# Merge overlapping groups
def merge_groups(group_list):
    groups = []
    for group in group_list:
        merged = False
        for existing_group in groups:
            if any(item in group for item in existing_group):
                existing_group.update(group)
                merged = True
                break
        if not merged:
            groups.append(set(group))
    return [list(group) for group in groups]

merge_groups_udf = udf(lambda x: merge_groups(x), ArrayType(ArrayType(IntegerType())))

grouped_lists = exploded_df.groupBy("group_representative") \
    .agg(collect_list("processID").alias("group_list")) \
    .agg(collect_list("group_list").alias("group_lists"))

merged_groups = grouped_lists.withColumn("merged_groups", merge_groups_udf(col("group_lists"))) \
    .select(explode(col("merged_groups")).alias("final_group"))

# Convert the final groups to a DataFrame
from pyspark.sql.functions import concat_ws

final_groups_df = merged_groups.select(concat_ws("_", col("final_group")).alias("Group"), col("final_group"))

# Find the representative process for each final group
final_groups_exploded = final_groups_df.withColumn("processID", explode(col("final_group")))

# Join with the original DataFrame to keep only the representative process
filtered_df = df.join(final_groups_exploded, on="processID", how="inner")

# Select the smallest processID in each group as the representative
from pyspark.sql.functions import min

group_representative_df = final_groups_exploded.groupBy("Group").agg(min("processID").alias("representative_processID"))

# Join to get the full details of the representative processes
representative_processes_df = group_representative_df.join(filtered_df, filtered_df["processID"] == group_representative_df.representative_processID, "inner") \
    .select("processID", "FromServer", "ToServer", "time", "action")
representative_processes_df.show()
final_groups_df.show()

+---------+----------+--------+----+--------+
|processID|FromServer|ToServer|time|  action|
+---------+----------+--------+----+--------+
|        1|      null| lkVpiJ4|   0| Request|
|        1|   lkVpiJ4|    null|   6|Response|
|        4|      null|    Aum3|  18| Request|
|        4|      Aum3|    null|  28|Response|
+---------+----------+--------+----+--------+

+-----+-----------+
|Group|final_group|
+-----+-----------+
|  1_2|     [1, 2]|
|  4_5|     [4, 5]|
+-----+-----------+



In [10]:
# Show the final result
representative_processes_df.show(truncate=False)

# Optional: Write the final groups to a file
# final_groups_df.write.csv("path_to_output_groups_file.csv", header=True)
# representative_processes_df.write.csv("path_to_output_filtered_file.csv", header=True)


+---------+----------+--------+----+--------+
|processID|FromServer|ToServer|time|action  |
+---------+----------+--------+----+--------+
|1        |null      |lkVpiJ4 |0   |Request |
|1        |lkVpiJ4   |null    |6   |Response|
|4        |null      |Aum3    |18  |Request |
|4        |Aum3      |null    |28  |Response|
+---------+----------+--------+----+--------+



In [12]:
from pyspark.sql.functions import col, expr
# Step 1: Remove Processes in Groups
# Get the list of process IDs to remove
processes_to_remove = final_groups_df.selectExpr("explode(final_group) as processID").distinct()

# Filter out rows where processID is in processes_to_remove
df_without_groups = df.join(processes_to_remove, "processID", "left_anti")

# Add a constant number to processID
constant_number = df.agg({"processID": "max"}).first()[0]
new_representative_processes_df = representative_processes_df.withColumn(
    "processID",
    expr(f"processID + {constant_number}")
)

# Show the final DataFrame
new_representative_processes_df.select("processID", "FromServer", "ToServer", "time", "action").orderBy("time")

# Combine original DataFrame and representatives DataFrame
combined_df = df_without_groups.union(new_representative_processes_df)

# Show final combined DataFrame
combined_df.show(truncate=False)

+---------+----------+--------+----+--------+
|processId|FromServer|ToServer|time|action  |
+---------+----------+--------+----+--------+
|3        |null      |OZBsEf0 |11  |Request |
|3        |OZBsEf0   |null    |13  |Response|
|6        |null      |qZGv1   |27  |Request |
|6        |qZGv1     |null    |36  |Response|
|7        |null      |lkVpiJ4 |0   |Request |
|7        |lkVpiJ4   |null    |6   |Response|
|10       |null      |Aum3    |18  |Request |
|10       |Aum3      |null    |28  |Response|
+---------+----------+--------+----+--------+

