![](http://spark.apache.org/images/spark-logo.png) ![](https://upload.wikimedia.org/wikipedia/commons/f/f8/Python_logo_and_wordmark.svg)

In [1]:
%autosave 10

Autosaving every 10 seconds


# MLlib: Classification with Decision Trees

In this notebook we will use Spark's machine learning library MLlib to build a **Decision Tree classifier** for network attack detection. We will use the complete [KDD Cup 1999 datasets](http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html) in order to test Spark capabilities with large datasets.

Decision trees are a popular machine learning tool in part because:
- they are easy to interpret, 
- handle categorical features, 
- extend to the multiclass classification setting, 
- do not require feature scaling, and 
- are able to capture non-linearities and feature interactions. 

In this notebook, we will first train a classification tree including every single predictor. Then we will use our results to perform model selection. Once we find out the most important ones (the main splits in the tree) we will build a minimal tree using just three of them (the first two levels of the tree in order to compare performance and accuracy.

# Getting the data and creating the RDD

In [2]:
import urllib
f = urllib.urlretrieve ("http://kdd.ics.uci.edu/databases/kddcup99/kddcup.data.gz", "kddcup.data.gz")

In [3]:
data_file = "./kddcup.data.gz"
raw_data = sc.textFile(data_file)

print "Train data size is {}".format(raw_data.count())

Train data size is 4898431


In [4]:
# Test dataset
ft = urllib.urlretrieve("http://kdd.ics.uci.edu/databases/kddcup99/corrected.gz", "corrected.gz")

In [5]:
test_data_file = "./corrected.gz"
test_raw_data = sc.textFile(test_data_file)

print "Test data size is {}".format(test_raw_data.count())

Test data size is 311029


# Detecting network attacks using Decision Trees
In this section we will train a *classification tree* that, as we did with *logistic regression*, will predict if a network interaction is either normal or attack.

Training a classification tree using **MLlib** requires some parameters:

- Training data
- Num classes
- Categorical features info: a map from column to categorical variables arity. This is optional, although it should increase model accuracy. However it requires that we know the levels in our categorical variables in advance. second we need to parse our data to convert labels to integer values within the arity range.
- Impurity metric
- Tree maximum depth
- And tree maximum number of bins


# Training Data Preprocessing

In order to benefits from trees ability to seamlessly work with categorical variables, we need to convert them to numerical factors. But first we need to obtain all the possible levels. We will use **set transformations** on csv parsed RDD.

In [6]:
from pyspark.mllib.regression import LabeledPoint
import numpy as np

In [7]:
csv_data = raw_data.map(lambda x: x.split(","))
test_csv_data = test_raw_data.map(lambda x: x.split(","))

protocols = csv_data.map(lambda x: x[1]).distinct().collect()
services = csv_data.map(lambda x: x[2]).distinct().collect()
flags = csv_data.map(lambda x: x[3]).distinct().collect()

Now we can use this Python list in our ```create_labeled_point``` function. If a factor level is not in the training data, we assign an especial level. 

Note: We cannot use testing data for training our model, not even the factor levels. The testing data represents the unknown to us in a real case.

In [8]:
def create_labeled_point(line_split):
    # leave out =[41]
    clean_line_split = line_split[0:41]
    # convert protocol to numeric categorical variable
    try:
        clean_line_split[1] = protocols.index(clean_line_split[1])
        
    except:
        clean_line_split[1] = len(protocols)
 
    # convert service to numeric categorical variable
    try:
        clean_line_split[2] = services.index(clean_line_split[2])
        
    except:
        clean_line_split[2] = len(services)

    # convert flag to numeric categorical variable
    try:
        clean_line_split[3] = flags.index(clean_line_split[3])
        
    except:
        clean_line_split[3] = len(flags)
        
    attack = 1.0
    if line_split[41] =="normal.":
        attack = 0.0
        
    return LabeledPoint(attack, np.array([float(x) for x in clean_line_split]))



In [9]:
training_data = csv_data.map(create_labeled_point)

In [10]:
training_data.take(2)

[LabeledPoint(0.0, [0.0,2.0,58.0,10.0,215.0,45076.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0]),
 LabeledPoint(0.0, [0.0,2.0,58.0,10.0,162.0,4528.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,2.0,2.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,1.0,1.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0])]

# Test Data Preprocessing


In [11]:
test_data = test_csv_data.map(create_labeled_point)

In [12]:
test_data.take(1)

[LabeledPoint(0.0, [0.0,0.0,5.0,10.0,105.0,146.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,255.0,254.0,1.0,0.01,0.0,0.0,0.0,0.0,0.0,0.0])]

# Training a classifier

We are now ready to train our classification tree. We will keep the maxDepth value small. This will lead to smaller accuracy, but we will obtain less splits so later on we can better interpret the tree. In a production system we will try to increase this value in order to find a better accuracy.

In [13]:
from pyspark.mllib.tree import DecisionTree, DecisionTreeModel
from time import time

# Build the model
t0 = time()
tree_model = DecisionTree.trainClassifier(training_data, numClasses=2,
                                          categoricalFeaturesInfo={1: len(protocols),
                                                                   2: len(services),
                                                                   3: len(flags)},
                                          impurity='gini', maxDepth=8, maxBins=200)
tt = time() - t0

print "Classifier trained in {} seconds".format(round(tt,3))

Classifier trained in 352.452 seconds


# Evaluating the model on new data
In order to measure the classification error on our test data, we use map on the ```test_data``` RDD and the model to predict each test point class.

In [14]:
predictions = tree_model.predict(test_data.map(lambda p: p.features))
labels_and_preds = test_data.map(lambda p: p.label).zip(predictions)

Classification results are returned in pars, with the actual test label and the predicted one. This is used to calculate the classification error by using ```filter``` and ```count``` as follows:

In [15]:
t0 = time()
test_accuracy = labels_and_preds.filter(
             lambda (v, p): v==p).count() / float(test_data.count())
tt = time() - t0

print "Prediction made in {} seconds. Test accuracy is {}".format(round(tt,3), round(test_accuracy,4))

Prediction made in 23.542 seconds. Test accuracy is 0.9215


# Interpreting the model

Understanding our tree splits is a great exercise in order to explaiin our classification labels in terms of predictors and the values they take. Using the ```toDebugString``` method in our tree model we can obtain a lot of information regarding splits, nodes, etc.


In [16]:
print "Learned classification tree model:"
print tree_model.toDebugString()

Learned classification tree model:
DecisionTreeModel classifier of depth 8 with 157 nodes
  If (feature 22 <= 43.0)
   If (feature 3 in {2.0,3.0,4.0,7.0,9.0,10.0})
    If (feature 36 <= 0.45)
     If (feature 12 <= 0.0)
      If (feature 34 <= 0.91)
       If (feature 7 <= 0.0)
        If (feature 36 <= 0.24)
         If (feature 28 <= 0.19)
          Predict: 0.0
         Else (feature 28 > 0.19)
          Predict: 0.0
        Else (feature 36 > 0.24)
         If (feature 2 in {0.0,3.0,15.0,18.0,27.0,32.0,36.0,42.0,58.0,67.0})
          Predict: 0.0
         Else (feature 2 not in {0.0,3.0,15.0,18.0,27.0,32.0,36.0,42.0,58.0,67.0})
          Predict: 1.0
       Else (feature 7 > 0.0)
        Predict: 1.0
      Else (feature 34 > 0.91)
       If (feature 4 <= 1.0)
        If (feature 39 <= 0.5)
         If (feature 0 <= 0.0)
          Predict: 0.0
         Else (feature 0 > 0.0)
          Predict: 1.0
        Else (feature 39 > 0.5)
         Predict: 1.0
       Else (feature 4 > 1.0)
  

For example, a network interaction with the following features (see description [here](http://kdd.ics.uci.edu/databases/kddcup99/task.html)) will be classified as an attack by our model:

- ```count```, the number of connections to the same host as the current connection in the past two seconds, being greater than 32.
- ```dst_bytes```, the number of data bytes from destination to source, is 0.
- ```service``` is neither level 0 nor 52.
- ```logged_in``` is false.
From our services list we know that:

In [17]:
print "Service 0 is {}".format(services[0])
print "Service 52 is {}".format(services[52])

Service 0 is urp_i
Service 52 is tftp_u


So we can characterise network interactions with more than 32 connections to the same server in the last 3 seconds, transferring zero bytes from destination to source, where service is neither ```urp_i``` nor ```tftp_u```, and not loggen in, as network attacks. A similar approach can be used for each tree terminal node.

We can see that ```count``` is the first node split in the tree. Remember that each partition is chosen greedily by selecting the best split from a set of possible splits, in order to maximize the information gain at a tree node (see more [here](https://spark.apache.org/docs/latest/mllib-decision-tree.html#basic-algorithm)). At a second level we find variables ```flag``` (normal or error status of the connection) and ```dst_bytes``` (the number of data bytes from destination to source) and so on.

This explaining capability of a classification(or regression) tree is one of its main benefits. Understanding data is a key factor to build better models.

# Building a minimal model using the three main splits

So now that we know the main features predicting a network attack, thanks to our classification tree splits, let's use them to build a minimal classification tree with just the main three variables: count, dst_bytes, and flag.

In [18]:
def create_labeled_point_minimal(line_split):
    # leave out =[41]
    clean_line_split = line_split[3:4] + line_split[5:6] + line_split[22:23]
    
    # convert protocol to numeric categorical variable
    try:
        clean_line_split[0] = flags.index(clean_line_split[0])
        
    except:
        clean_line_split[0] = len(flags)
 
        
    attack = 1.0
    if line_split[41] =="normal.":
        attack = 0.0
        
    return LabeledPoint(attack, np.array([float(x) for x in clean_line_split]))



In [19]:
training_data_minimal = csv_data.map(create_labeled_point_minimal)
training_data_minimal.take(2)

[LabeledPoint(0.0, [10.0,45076.0,1.0]), LabeledPoint(0.0, [10.0,4528.0,2.0])]

In [20]:
test_data_minimal = test_csv_data.map(create_labeled_point_minimal)
test_data_minimal.take(1)

[LabeledPoint(0.0, [10.0,146.0,1.0])]

In [24]:
# Build the model
t0 = time()
tree_model_minimal = DecisionTree.trainClassifier(training_data_minimal, numClasses=2,
                                          categoricalFeaturesInfo={0: len(flags)},
                                          impurity='gini', maxDepth=8, maxBins=32)
tt = time() - t0

print "Classifier trained in {} seconds".format(round(tt,3))

Classifier trained in 282.922 seconds


In [25]:
predictions_minimal = tree_model_minimal.predict(test_data_minimal.map(lambda p: p.features))
labels_and_preds_minimal = test_data_minimal.map(lambda p: p.label).zip(predictions_minimal)

In [26]:
t0 = time()
test_accuracy = labels_and_preds_minimal.filter(lambda (v, p): v == p).count() / float(test_data_minimal.count())
tt = time() - t0

print "Prediction made in {} seconds. Test accuracy is {}".format(round(tt,3), round(test_accuracy,4))

Prediction made in 13.915 seconds. Test accuracy is 0.918


So we have trained a classification tree with just the three most important predictors, in half of the time, and with a not so bad accuracy. In fact, a classification tree is a very good model selection tool!
