In [0]:
! pip install -r requirements.txt
! pip install tensorflow-gpu
! pip install tldextract

In [15]:
! pip install --upgrade keras

# Predicting Domain Generation Algorithms using LSTMs
This notebook contains code for classifying domains as malicious or benign. The dataset consists of the Alexa Top 1M combined with 500,000 pre-generated malicious domains.

In [0]:
"""Generates data for train/test algorithms"""
from datetime import datetime
import StringIO
from urllib import urlopen
from zipfile import ZipFile

import cPickle as pickle
import os
import random
import tldextract

# Our input file containg all the training data
DATA_FILE = 'traindata.pkl'

def get_data(force=False):
    return pickle.load(open(DATA_FILE))

## What are Neural Networks?

A neural network is a series of algorithms that endeavors to recognize underlying relationships in a set of data through a process that mimics the way the human brain operates. 
In this sense, neural networks refer to systems of neurons, either organic or artificial in nature. 

Neural networks can adapt to changing input; so, the network generates the best possible result without needing to redesign the output criteria. 

The concept of neural networks, which has its roots in artificial intelligence, is swiftly gaining popularity.

<img src='https://miro.medium.com/max/1592/1*yGMk1GSKKbyKr_cMarlWnA.jpeg'>



**Three fundamental components** of neural networks:

1. **Structure** - what the neural network looks like, including all the mathematical functions involved, the number of inputs and outputs, and the parameters, called **weights** that the network has to learn.
    
2. **Loss Function** - a metric that tells us how good or bad the network's predictions are. 
3. **Optimizer** - the algorithm used for **learning the weights** that give the network the best predictions.


### The Simplest Neural Network - The Perceptron
The perceptron, arguably the simplest neural network, was invented by psychologist Frank Rosenblatt in 1957 and looks something like this:
![perceptron](https://docs.google.com/uc?export=download&id=1SbHK9XPrP1PSO9T-lh9uG9CTCNjdXhU1)

(image source: http://ataspinar.com/2016/12/22/the-perceptron/)

A perceptron is basically a neural network with a single **artificial neuron**. Similar to the biological neuron, a perceptron has the following characteristics:

- **inputs** - the perceptron receives a given number of real-valued inputs (the inputs are numbers).
- **weights** - the perceptron has a weight $ w_i $ associated with each input $ x_i $. These weighted connections are like synapses and they are parameters that the perceptron must "learn".
- **weighted sum (basically a dot product)** - the inputs are multiplied by the weights and the results are added together to produce a weighted sum.
- **activation function** - the perceptron has an activation function called the unit-step function that produces an output of 1 if the weighted sum is greater than some threshold $\theta$ and -1 otherwise.
  

*tanh*:
tanh is like logistic sigmoid but better. The range of the tanh function is from (-1 to 1). tanh is also sigmoidal (s - shaped).

![tanh](https://miro.medium.com/max/744/1*f9erByySVjTjohfFdNkJYQ.jpeg)

*Softmax*: 
Softmax function takes a vector as input and produces a vector of the same shape as the output. In a way, this function basically acts on an entire layer. The softmax function basically converts a vector of real values into a probability distribution and is useful for representing the probabilities of different classes.




**Hidden layers** : layer of neurons other than the input and output layers

**Dropout** : Technique to reduce overfitting in neural networks by shutting particular or random neurons at a point of time.

**Loss function** :  Method of evaluating how well specific algorithm models the given data. If predictions deviates too much from actual results, loss function would cough up a very large number. Gradually, with the help of some optimization function, loss function learns to reduce the error in prediction.

*Cross-entropy loss*: measures the performance of a classification model whose output is a probability value between 0 and 1.


**Forward Pass**: The forward pass refers to calculation process, values of the output layers from the inputs data. It's traversing through all neurons from first to last layer.

**Backpropagation**:
Backward pass refers to process of counting changes in weights, using gradient descent algorithm (or similar). Computation is made from last layer, backward to the first layer.


## What are Recurrent Neural Networks?
A recurrent neural network (RNN) is a class of artificial neural network where connections between units form a directed graph along a sequence. This allows it to exhibit dynamic temporal behavior for a time sequence. Unlike feedforward neural networks, RNNs can use their internal state (memory) to process sequences of inputs. This makes them applicable to tasks such as unsegmented, connected handwriting recognition or speech recognition.


RNNs are designed to take sequences of text as inputs or return sequences of text as outputs, or both. 

They're called recurrent because the network's hidden layers have a loop in which the output from one time step becomes an input at the next time step. This recurrence serves as a form of memory. 

It allows contextual information to flow through the network so that relevant outputs from previous time steps can be applied to network operations at the current time step. 

<img src="https://qph.fs.quoracdn.net/main-qimg-6eced51767f5bcd94b32bbe50da438e9">

# **Vanishing Gradient Problem **

As more layers using certain activation functions are added to neural networks, the gradients of the loss function approaches zero, making the network hard to train.

A large change in the input of the sigmoid function will cause a small change in the output. Hence, the derivative becomes small.

A small gradient means that the weights and biases of the initial layers will not be updated effectively with each training session. Since these initial layers are often crucial to recognizing the core elements of the input data, it can lead to overall inaccuracy of the whole network.



## What are LSTMs (Long short-term memory)?

Long short-term memory (LSTM) is an artificial recurrent neural network (RNN) architecture used in the field of deep learning. Unlike standard feedforward neural networks, LSTM has feedback connections. It can not only process single data points (such as images), but also entire sequences of data (such as speech or video). For example, LSTM is applicable to tasks such as unsegmented, connected handwriting recognition or speech recognition.


A common LSTM unit is composed of a **cell**, an **input gate**, an **output gate** and a **forget gate**. The cell remembers values over arbitrary time intervals and the three gates regulate the flow of information into and out of the cell.

RNNs using LSTM units partially solve the vanishing gradient problem, because LSTM units allow gradients to also flow unchanged.



<img src='https://blog.keras.io/img/seq2seq/seq2seq-teacher-forcing.png'>



**The cell** : Responsible for keeping track of the dependencies between the elements in the input sequence. 

**The input gate** : Controls the extent to which a new value flows into the cell.

**The forget gate**: Controls the extent to which a value remains in the cell and the output gate controls the extent to which the value in the cell is used to compute the output activation of the LSTM unit. 

The activation function of the LSTM gates is often the logistic sigmoid function.

<img src='https://miro.medium.com/max/2840/1*0f8r3Vd-i4ueYND1CUrhMA.png'>



In [2]:
"""Train and test LSTM classifier"""
import numpy as np
from keras.preprocessing import sequence
from keras.optimizers import rmsprop
from keras.models import Sequential, load_model
from keras.layers.core import Dense, Dropout, Activation
from keras.layers.embeddings import Embedding
from keras.layers.recurrent import LSTM
import sklearn
from sklearn.model_selection import train_test_split

def build_model(max_features, maxlen):
    """Build LSTM model"""
    model = Sequential()
    model.add(Embedding(max_features, 128, input_length=maxlen))
    model.add(LSTM(128))
    model.add(Dropout(0.5))
    model.add(Dense(1))
    model.add(Activation('sigmoid'))

    model.compile(loss='binary_crossentropy',
                  optimizer='rmsprop')

    return model

def run(max_epoch=25, nfolds=10, batch_size=128):
    """Run train/test on logistic regression model"""
    indata = get_data()

    # Extract data and labels
    X = [x[1] for x in indata]
    labels = [x[0] for x in indata]

    # Generate a dictionary of valid characters
    valid_chars = {x:idx+1 for idx, x in enumerate(set(''.join(X)))}

    max_features = len(valid_chars) + 1
    maxlen = np.max([len(x) for x in X])

    # Convert characters to int and pad
    X = [[valid_chars[y] for y in x] for x in X]
    X = sequence.pad_sequences(X, maxlen=maxlen)

    # Convert labels to 0-1
    y = [0 if x == 'benign' else 1 for x in labels]

    final_data = []

    for fold in range(nfolds):
        print "fold %u/%u" % (fold+1, nfolds)
        X_train, X_test, y_train, y_test, _, label_test = train_test_split(X, y, labels, 
                                                                           test_size=0.2)

        print 'Build model...'
        #model = build_model(max_features, maxlen)
        model = load_model('lstm.h5')

        print "Train..."
        X_train, X_holdout, y_train, y_holdout = train_test_split(X_train, y_train, test_size=0.05)
        best_iter = -1
        best_auc = 0.0
        out_data = {}

        for ep in range(max_epoch):
            model.fit(X_train, y_train, batch_size=batch_size, nb_epoch=1)

            t_probs = model.predict_proba(X_holdout)
            t_auc = sklearn.metrics.roc_auc_score(y_holdout, t_probs)

            print 'Epoch %d: auc = %f (best=%f)' % (ep, t_auc, best_auc)

            if t_auc > best_auc:
                best_auc = t_auc
                best_iter = ep

                probs = model.predict_proba(X_test)

                out_data = {'y':y_test, 'labels': label_test, 'probs':probs, 'epochs': ep,
                            'confusion_matrix': sklearn.metrics.confusion_matrix(y_test, probs > .5)}

                print sklearn.metrics.confusion_matrix(y_test, probs > .5)
            else:
                # No longer improving...break and calc statistics
                if (ep-best_iter) > 2:
                    break

        final_data.append(out_data)
        model.save('lstm.h5')

    return final_data

See the results from the code below:

In [0]:
"""Run experiments and create figs"""
import itertools
import os
import pickle
import matplotlib
matplotlib.use('Agg')
import numpy as np

from scipy import interp
from sklearn.metrics import roc_curve, auc

RESULT_FILE = 'results.pkl'

def run_experiments(nfolds=10):
    """Runs all experiments"""
    lstm_results = None

    lstm_results = run(nfolds=nfolds)

    return lstm_results

def create_figs(nfolds=10, force=False):
    """Create figures"""
    # Generate results if needed
    if force or (not os.path.isfile(RESULT_FILE)):
        lstm_results = run_experiments(nfolds)

        results = {'lstm': lstm_results}

        pickle.dump(results, open(RESULT_FILE, 'w'))
    else:
        results = pickle.load(open(RESULT_FILE))

    # Extract and calculate LSTM ROC
    if results['lstm']:
        lstm_results = results['lstm']
        fpr = []
        tpr = []
        for lstm_result in lstm_results:
            t_fpr, t_tpr, _ = roc_curve(lstm_result['y'], lstm_result['probs'])
            fpr.append(t_fpr)
            tpr.append(t_tpr)
        lstm_binary_fpr, lstm_binary_tpr, lstm_binary_auc = calc_macro_roc(fpr, tpr)

    # Save figure
    from matplotlib import pyplot as plt
    with plt.style.context('bmh'):
        plt.plot(lstm_binary_fpr, lstm_binary_tpr,
                 label='LSTM (AUC = %.4f)' % (lstm_binary_auc, ), rasterized=True)
        plt.xlim([0.0, 1.0])
        plt.ylim([0.0, 1.05])
        plt.xlabel('False Positive Rate', fontsize=22)
        plt.ylabel('True Positive Rate', fontsize=22)
        plt.title('ROC - Binary Classification', fontsize=26)
        plt.legend(loc="lower right", fontsize=22)

        plt.tick_params(axis='both', labelsize=22)
        plt.savefig('results.png')

def calc_macro_roc(fpr, tpr):
    """Calcs macro ROC on log scale"""
    # Create log scale domain
    all_fpr = sorted(itertools.chain(*fpr))

    # Then interpolate all ROC curves at this points
    mean_tpr = np.zeros_like(all_fpr)
    for i in range(len(tpr)):
        mean_tpr += interp(all_fpr, fpr[i], tpr[i])

    return all_fpr, mean_tpr / len(tpr), auc(all_fpr, mean_tpr) / len(tpr)

if __name__ == "__main__":
    create_figs(nfolds=1) # Run with 1 to make it fast