# **Fase inicial: Preprocesamiento de los datos**
---
### Fusión todos los archivos con extension .pcap del conjunto de datos CTU-13:  

Con el fin de realizar diversos análisis, se optó por transformar los archivos del conjunto CTU-13 a formato de dataframe, posteriormente, además de fusionarlos en un solo archivo con formato dataframe de la librería pandas.

In [4]:
import os
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
data_path = './CTU-13_data' #Ruta de la carpeta con archivos .pcap correspondientes

data_file_names = [file for file in os.listdir(data_path)] # Lectura de los nombres de los archivos del directorio
#print(data_file_names)  # Lista de strings que contiene el nombre de los archivos .parquet

### Iteramos sobre los archivos que estan en la ruta especificada en ``` data_path = './CTU-13_data' ``` donde se hace la lectura de los archivos de .pcap para convertirlos a .csv.

In [5]:
# Diccionario que contendra los dataframes despues de hacer el cast de parquet a pandas df
data_frames = {}
'''
Iteramos sobre la lista de nombres para añadirlos al diccionario de dataframes

Ejemplo del formato del diccionario seria: 

    {'1-Neris-20110810.binetflow.parquet': pd.DataFrame('./CTU-13_data/1-Neris-20110810.binetflow.parquet')}

'''
for file in data_file_names:
    data_frames[file] = pd.read_parquet(f'{data_path}/{file}') 

### Ahora fusionamos todos los datasets

In [13]:
all_data = pd.concat([ data_frames[file] for file in data_file_names ])
print(all_data.head())
print(all_data.shape)

        dur proto    dir state  stos  dtos  tot_pkts  tot_bytes  src_bytes  \
0  1.026539   tcp     ->  S_RA   0.0   0.0         4        276        156   
1  1.009595   tcp     ->  S_RA   0.0   0.0         4        276        156   
2  3.056586   tcp     ->  SR_A   0.0   0.0         3        182        122   
3  3.111769   tcp     ->  SR_A   0.0   0.0         3        182        122   
4  3.083411   tcp     ->  SR_A   0.0   0.0         3        182        122   

                                    label                  Family  
0  flow=Background-Established-cmpgw-CVUT  20110810.binetflow.csv  
1  flow=Background-Established-cmpgw-CVUT  20110810.binetflow.csv  
2             flow=Background-TCP-Attempt  20110810.binetflow.csv  
3             flow=Background-TCP-Attempt  20110810.binetflow.csv  
4             flow=Background-TCP-Attempt  20110810.binetflow.csv  
(10598771, 11)


In [14]:
#Visualizar una muestra del contenido de los registros:
all_data.sample(10)


Unnamed: 0,dur,proto,dir,state,stos,dtos,tot_pkts,tot_bytes,src_bytes,label,Family
183512,0.000494,udp,<->,CON,0.0,0.0,2,306,78,flow=To-Background-UDP-CVUT-DNS-Server,20110815
1269332,2517.015869,udp,<->,CON,0.0,0.0,4,272,152,flow=Background-UDP-Established,20110812.binetflow.csv
171666,0.000392,udp,<->,CON,0.0,0.0,2,197,76,flow=To-Background-UDP-CVUT-DNS-Server,20110815.binetflow.csv
389136,0.000801,udp,<->,CON,0.0,0.0,2,659,81,flow=Background-UDP-Established,20110818.binetflow.csv
447627,0.135391,tcp,->,FSPA_FSPA,0.0,0.0,39,30691,1033,flow=Background-TCP-Established,20110815
687582,116.114838,tcp,->,FSPA_FSPA,0.0,0.0,17,8381,1273,flow=Background-TCP-Established,20110818.binetflow.csv
384053,0.001786,udp,<->,CON,0.0,0.0,2,199,72,flow=To-Background-UDP-CVUT-DNS-Server,20110815.binetflow.csv
1778108,0.000436,udp,<->,CON,0.0,0.0,2,574,75,flow=To-Background-UDP-CVUT-DNS-Server,20110812.binetflow.csv
716709,0.026624,tcp,->,SRPA_SPA,0.0,0.0,16,10206,982,flow=Background-TCP-Established,20110812.binetflow.csv
759213,310.584015,tcp,->,FSPA_FSRPA,0.0,0.0,16,2255,1442,flow=Background-TCP-Established,20110818.binetflow.csv


Las columnas "label" y "family" serán modificadas para su personalización.

1. Análisis de la columna *label*:  
- Se observa que la columna posee una etiqueta de flow, donde indica el tipo de conexipon solicitada/establecida, o bien, el registro de la presencia de un Botnet.  
- Se propone el método de etiquetado 0 == normal, 1 == ataque (presencia de botnets)


In [24]:
#Visualizacion de las columnas con registro de Botnet:
print("Registros que corresponden a ataques:")
print(all_data[all_data['label'].str.contains('Botnet')].shape[0])
print("Registros que corresponden a tráfico normal:")
print(all_data[all_data['label'].str.contains('Botnet') == False].shape[0])

Registros que corresponden a ataques:
262573
Registros que corresponden a tráfico normal:
10336198


In [26]:
dfmod = all_data #Crear una copia del dataframe original para su modificacion

# Crear una nueva columna evaluando si "botnet" está en la columna "label"
dfmod["is_botnet"] = dfmod["label"].astype(str).apply(lambda x: 1 if "botnet" in x.lower() else 0)

dfmod.sample(18, random_state=432)

Unnamed: 0,dur,proto,dir,state,stos,dtos,tot_pkts,tot_bytes,src_bytes,label,Family,is_botnet
425570,0.00111,udp,<->,CON,0.0,0.0,2,618,75,flow=Background-UDP-Established,20110810.binetflow.csv,0
32523,0.000655,udp,->,INT,0.0,,1,107,107,flow=Background-UDP-Attempt,20110815.binetflow.csv,0
1187347,264.363129,tcp,->,SRPA_SPA,0.0,0.0,54,6301,3301,flow=Background-TCP-Established,20110812.binetflow.csv,0
658905,0.135019,udp,<->,CON,0.0,0.0,2,313,64,flow=Background-UDP-Established,20110818.binetflow.csv,0
689170,0.000452,udp,<->,CON,0.0,0.0,2,234,86,flow=To-Background-UDP-CVUT-DNS-Server,20110815.binetflow.csv,0
71394,0.02995,udp,<->,CON,0.0,0.0,2,158,71,flow=Background-UDP-Established,20110818.binetflow.csv,0
1092222,0.135506,tcp,->,FSPA_FSPA,0.0,0.0,33,25654,853,flow=Background-TCP-Established,20110816,0
1256117,1531.3302,udp,<->,CON,0.0,0.0,10,1858,344,flow=Background-UDP-Established,20110810.binetflow.csv,0
1015277,9.032158,tcp,->,S_,0.0,,3,186,186,flow=From-Botnet-V43-TCP-Attempt-SPAM,20110811.binetflow.csv,1
635089,0.004251,tcp,->,FSPA_FSPA,0.0,0.0,10,1343,810,flow=Background-TCP-Established,20110815.binetflow.csv,0
