# Load data

Here we load and preprocess the data from the CSV files.

In [1]:
import modules.patterns as patterns
import tabulate

# Precision setting handed to Patterns: a bigger number means lower precision,
# and 1 is the highest precision.
PRECISION = 10000
p = patterns.Patterns(PRECISION)

# Folder with the per-file network capture CSVs that bootstrap() scans.
folder_loc = "../data/2015/Network"
stats = p.bootstrap(folder_loc)

# Keep the rendered table as the cell's last expression so Jupyter displays it.
# The "html" format escapes cell values, so file-derived text is shown as text.
table = tabulate.tabulate(stats, tablefmt="html")
table




0,1,2
Total files,Skipped,Loaded
786,2,784


## Detect anomalies from input data

We can get the information about the attacks from the SWaT dataset file `data/2015/List_of_attacks_Final.csv`. The attacks are divided into the following groups:

- Single stage single point (SSSP)
- Single stage multi point (SSMP)
- Multi stage single point (MSSP)
- Multi stage multi point attacks (MSMP)

In [2]:
import modules.load as load

# Ground-truth attack list used to label the captures.
# NOTE(review): this is the "_fixed" .xlsx variant, not the
# List_of_attacks_Final.csv named in the markdown above. Record what was
# changed in it so the labels can be reproduced.
attacks_file_loc = "../data/2015/List_of_attacks_Final_fixed.xlsx"
stages, anomalies = load.anomalies(attacks_file_loc)

# Report how many anomaly records were loaded, as a quick sanity check on the labels.
anomaly_count = len(anomalies)
print("Loaded %d anomalies\n" % anomaly_count)

Loaded 35 anomalies



# Process data

Here we process each file to look for possible patterns.

In [3]:
from IPython import display

# process_all() yields one stats table per processed file.
# skip_first=500 and max_process=10 restrict this run to a slice of the loaded
# files (the progress output starts at file 500). The exact meaning of
# max_process is defined in Patterns.process_all -- TODO confirm there.
per_file_stats = p.process_all(anomalies, skip_first=500, max_process=10)

for stats in per_file_stats:
    # tablefmt="html" escapes cell values; that matters here because the string
    # is handed to the front end as raw HTML (raw=True).
    table = tabulate.tabulate(stats, tablefmt="html")
    display.display_html(table, raw=True)



[ 500 / 784 ] processing file ../data/2015/Network/2015-12-29_190411_104.log.part09_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 29}, 'proxy_src_ip': {'192.168.1.60': 14, '192.168.1.30': 3, '192.168.1.10': 5, '192.168.1.20': 7}, 'src': {'192.168.1.60': 14, '192.168.1.30': 3, '192.168.1.10': 5, '192.168.1.20': 7}, 'dst': {'192.168.1.20': 12, '192.168.1.40': 3, '192.168.1.30': 7, '192.168.1.10': 7}, 's_port': {'53250': 7, '52544': 3, '54592': 5, '53326': 7, '53260': 7}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 68, ' 0x00 0x00 0x20 0x41': 7, ' 0x9a 0x99 0xe1 0x40': 7, ' 0x66 0x66 0xde 0x40': 7, ' 0x00 0x00 0x40 0x40': 7, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 3, ' 0x00 0x00 0x7a 0x44': 10, ' 0x00 0x00 0x48 0x44': 17, ' 0x00 0x00 0x7a 0x43': 17, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 5, ' 0x00 0x00 0x00 0x40': 5, ' 0xba 0x20 0x02 0x44': 1, ' 0x30 0x94 0x1c 0x4

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"


[ 501 / 784 ] processing file ../data/2015/Network/2015-12-29_190411_104.log.part10_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 50}, 'proxy_src_ip': {'192.168.1.60': 23, '192.168.1.30': 7, '192.168.1.10': 12, '192.168.1.20': 8}, 'src': {'192.168.1.60': 23, '192.168.1.30': 7, '192.168.1.10': 12, '192.168.1.20': 8}, 'dst': {'192.168.1.20': 24, '192.168.1.40': 7, '192.168.1.30': 8, '192.168.1.10': 11}, 's_port': {'53250': 12, '52544': 7, '54592': 12, '53326': 8, '53260': 11}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 124, ' 0x00 0x00 0x20 0x41': 12, ' 0x9a 0x99 0xe1 0x40': 12, ' 0x66 0x66 0xde 0x40': 12, ' 0x00 0x00 0x40 0x40': 12, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 7, ' 0x00 0x00 0x7a 0x44': 15, ' 0x00 0x00 0x48 0x44': 26, ' 0x00 0x00 0x7a 0x43': 26, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 12, ' 0x00 0x00 0x00 0x40': 12, ' 0xba 0x20 0x02 0x44': 1, ' 0x30 

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"


[ 502 / 784 ] processing file ../data/2015/Network/2015-12-29_190411_104.log.part11_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 78}, 'proxy_src_ip': {'192.168.1.60': 34, '192.168.1.30': 9, '192.168.1.10': 21, '192.168.1.20': 14}, 'src': {'192.168.1.60': 34, '192.168.1.30': 9, '192.168.1.10': 21, '192.168.1.20': 14}, 'dst': {'192.168.1.20': 37, '192.168.1.40': 9, '192.168.1.30': 14, '192.168.1.10': 18}, 's_port': {'53250': 16, '52544': 9, '54592': 21, '53326': 14, '53260': 18}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 205, ' 0x00 0x00 0x20 0x41': 16, ' 0x9a 0x99 0xe1 0x40': 16, ' 0x66 0x66 0xde 0x40': 16, ' 0x00 0x00 0x40 0x40': 16, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 9, ' 0x00 0x00 0x7a 0x44': 23, ' 0x00 0x00 0x48 0x44': 41, ' 0x00 0x00 0x7a 0x43': 41, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 21, ' 0x00 0x00 0x00 0x40': 21, ' 0xba 0x20 0x02 0x44': 1, ' 0

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"


[ 503 / 784 ] processing file ../data/2015/Network/2015-12-29_190411_104.log.part12_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 103}, 'proxy_src_ip': {'192.168.1.60': 44, '192.168.1.30': 13, '192.168.1.10': 25, '192.168.1.20': 21}, 'src': {'192.168.1.60': 44, '192.168.1.30': 13, '192.168.1.10': 25, '192.168.1.20': 21}, 'dst': {'192.168.1.20': 47, '192.168.1.40': 13, '192.168.1.30': 21, '192.168.1.10': 22}, 's_port': {'53250': 22, '52544': 13, '54592': 25, '53326': 21, '53260': 22}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 263, ' 0x00 0x00 0x20 0x41': 22, ' 0x9a 0x99 0xe1 0x40': 22, ' 0x66 0x66 0xde 0x40': 22, ' 0x00 0x00 0x40 0x40': 22, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 13, ' 0x00 0x00 0x7a 0x44': 34, ' 0x00 0x00 0x48 0x44': 56, ' 0x00 0x00 0x7a 0x43': 56, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 25, ' 0x00 0x00 0x00 0x40': 25, ' 0xba 0x20 0x02 0x44': 

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,4,"LIT101, LIT301, FIT401, AIT504",4,"P1, P3, P4, P5"


[ 504 / 784 ] processing file ../data/2015/Network/2015-12-29_190411_104.log.part13_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 135}, 'proxy_src_ip': {'192.168.1.60': 59, '192.168.1.30': 17, '192.168.1.10': 35, '192.168.1.20': 24}, 'src': {'192.168.1.60': 59, '192.168.1.30': 17, '192.168.1.10': 35, '192.168.1.20': 24}, 'dst': {'192.168.1.20': 67, '192.168.1.40': 17, '192.168.1.30': 24, '192.168.1.10': 27}, 's_port': {'53250': 32, '52544': 17, '54592': 35, '53326': 24, '53260': 27}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 347, ' 0x00 0x00 0x20 0x41': 32, ' 0x9a 0x99 0xe1 0x40': 32, ' 0x66 0x66 0xde 0x40': 32, ' 0x00 0x00 0x40 0x40': 32, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 17, ' 0x00 0x00 0x7a 0x44': 41, ' 0x00 0x00 0x48 0x44': 68, ' 0x00 0x00 0x7a 0x43': 68, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 35, ' 0x00 0x00 0x00 0x40': 35, ' 0xba 0x20 0x02 0x44': 

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,5,"LIT101, LIT301, FIT401, AIT504, LIT101, MV101",4,"P1, P3, P4, P5"


[ 505 / 784 ] processing file ../data/2015/Network/2015-12-29_190411_104.log.part14_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 160}, 'proxy_src_ip': {'192.168.1.60': 71, '192.168.1.30': 18, '192.168.1.10': 44, '192.168.1.20': 27}, 'src': {'192.168.1.60': 71, '192.168.1.30': 18, '192.168.1.10': 44, '192.168.1.20': 27}, 'dst': {'192.168.1.20': 79, '192.168.1.40': 18, '192.168.1.30': 27, '192.168.1.10': 36}, 's_port': {'53250': 35, '52544': 18, '54592': 44, '53326': 27, '53260': 36}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 420, ' 0x00 0x00 0x20 0x41': 35, ' 0x9a 0x99 0xe1 0x40': 35, ' 0x66 0x66 0xde 0x40': 35, ' 0x00 0x00 0x40 0x40': 35, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 18, ' 0x00 0x00 0x7a 0x44': 45, ' 0x00 0x00 0x48 0x44': 81, ' 0x00 0x00 0x7a 0x43': 81, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 44, ' 0x00 0x00 0x00 0x40': 44, ' 0xba 0x20 0x02 0x44': 

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
43,43,0,4,"LIT101, LIT301, FIT401, LIT101, MV101",3,"P1, P3, P4"


[ 506 / 784 ] processing file ../data/2015/Network/2015-12-30_001940_105.log.part01_sorted.csv


  yield self.process(file)


{'Modbus_Function_Description': {'Read Tag Service - Response': 194}, 'proxy_src_ip': {'192.168.1.60': 85, '192.168.1.30': 26, '192.168.1.10': 50, '192.168.1.20': 33}, 'src': {'192.168.1.60': 85, '192.168.1.30': 26, '192.168.1.10': 50, '192.168.1.20': 33}, 'dst': {'192.168.1.20': 91, '192.168.1.40': 26, '192.168.1.30': 33, '192.168.1.10': 44}, 's_port': {'53250': 41, '52544': 26, '54592': 50, '53326': 33, '53260': 44}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 503, ' 0x00 0x00 0x20 0x41': 41, ' 0x9a 0x99 0xe1 0x40': 41, ' 0x66 0x66 0xde 0x40': 41, ' 0x00 0x00 0x40 0x40': 41, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 26, ' 0x00 0x00 0x7a 0x44': 59, ' 0x00 0x00 0x48 0x44': 103, ' 0x00 0x00 0x7a 0x43': 103, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 50, ' 0x00 0x00 0x00 0x40': 50, ' 0xba 0x20 0x02 0x44': 1, ' 0x30 0x94 0x1c 0x40': 1, '0x54 0xb3 0x50 0x44': 1, ' 0x00 0x00 0x96 0x44': 77, ' 0x54 0x

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"


[ 507 / 784 ] processing file ../data/2015/Network/2015-12-30_001940_105.log.part02_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 219}, 'proxy_src_ip': {'192.168.1.60': 93, '192.168.1.30': 30, '192.168.1.10': 59, '192.168.1.20': 37}, 'src': {'192.168.1.60': 93, '192.168.1.30': 30, '192.168.1.10': 59, '192.168.1.20': 37}, 'dst': {'192.168.1.20': 103, '192.168.1.40': 30, '192.168.1.30': 37, '192.168.1.10': 49}, 's_port': {'53250': 44, '52544': 30, '54592': 59, '53326': 37, '53260': 49}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 571, ' 0x00 0x00 0x20 0x41': 44, ' 0x9a 0x99 0xe1 0x40': 44, ' 0x66 0x66 0xde 0x40': 44, ' 0x00 0x00 0x40 0x40': 44, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 30, ' 0x00 0x00 0x7a 0x44': 67, ' 0x00 0x00 0x48 0x44': 116, ' 0x00 0x00 0x7a 0x43': 116, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 59, ' 0x00 0x00 0x00 0x40': 59, ' 0xba 0x20 0x02 0x44

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"


[ 508 / 784 ] processing file ../data/2015/Network/2015-12-30_001940_105.log.part03_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 237}, 'proxy_src_ip': {'192.168.1.60': 102, '192.168.1.30': 32, '192.168.1.10': 63, '192.168.1.20': 40}, 'src': {'192.168.1.60': 102, '192.168.1.30': 32, '192.168.1.10': 63, '192.168.1.20': 40}, 'dst': {'192.168.1.20': 108, '192.168.1.40': 32, '192.168.1.30': 40, '192.168.1.10': 57}, 's_port': {'53250': 45, '52544': 32, '54592': 63, '53326': 40, '53260': 57}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 615, ' 0x00 0x00 0x20 0x41': 45, ' 0x9a 0x99 0xe1 0x40': 45, ' 0x66 0x66 0xde 0x40': 45, ' 0x00 0x00 0x40 0x40': 45, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 32, ' 0x00 0x00 0x7a 0x44': 72, ' 0x00 0x00 0x48 0x44': 129, ' 0x00 0x00 0x7a 0x43': 129, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 63, ' 0x00 0x00 0x00 0x40': 63, ' 0xba 0x20 0x02 0x

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"


[ 509 / 784 ] processing file ../data/2015/Network/2015-12-30_001940_105.log.part04_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 261}, 'proxy_src_ip': {'192.168.1.60': 108, '192.168.1.30': 40, '192.168.1.10': 70, '192.168.1.20': 43}, 'src': {'192.168.1.60': 108, '192.168.1.30': 40, '192.168.1.10': 70, '192.168.1.20': 43}, 'dst': {'192.168.1.20': 119, '192.168.1.40': 40, '192.168.1.30': 43, '192.168.1.10': 59}, 's_port': {'53250': 49, '52544': 40, '54592': 70, '53326': 43, '53260': 59}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 682, ' 0x00 0x00 0x20 0x41': 49, ' 0x9a 0x99 0xe1 0x40': 49, ' 0x66 0x66 0xde 0x40': 49, ' 0x00 0x00 0x40 0x40': 49, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 40, ' 0x00 0x00 0x7a 0x44': 83, ' 0x00 0x00 0x48 0x44': 142, ' 0x00 0x00 0x7a 0x43': 142, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 70, ' 0x00 0x00 0x00 0x40': 70, ' 0xba 0x20 0x02 0x

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"


[ 510 / 784 ] processing file ../data/2015/Network/2015-12-30_001940_105.log.part05_sorted.csv
{'Modbus_Function_Description': {'Read Tag Service - Response': 282}, 'proxy_src_ip': {'192.168.1.60': 116, '192.168.1.30': 41, '192.168.1.10': 78, '192.168.1.20': 47}, 'src': {'192.168.1.60': 116, '192.168.1.30': 41, '192.168.1.10': 78, '192.168.1.20': 47}, 'dst': {'192.168.1.20': 130, '192.168.1.40': 41, '192.168.1.30': 47, '192.168.1.10': 64}, 's_port': {'53250': 52, '52544': 41, '54592': 78, '53326': 47, '53260': 64}, 'modbus_value': {'0x9e 0x0f 0x06 0x41': 1, ' 0x00 0x00 0x00 0x00': 740, ' 0x00 0x00 0x20 0x41': 52, ' 0x9a 0x99 0xe1 0x40': 52, ' 0x66 0x66 0xde 0x40': 52, ' 0x00 0x00 0x40 0x40': 52, ' 0x9e 0x0f 0x06 0x41': 1, '0x4d 0x45 0x5b 0x44': 1, ' 0x00 0x80 0x89 0x44': 41, ' 0x00 0x00 0x7a 0x44': 88, ' 0x00 0x00 0x48 0x44': 152, ' 0x00 0x00 0x7a 0x43': 152, ' 0x4d 0x45 0x5b 0x44': 1, '0x30 0x94 0x1c 0x40': 1, ' 0x00 0x00 0x60 0x40': 78, ' 0x00 0x00 0x00 0x40': 78, ' 0xba 0x20 0x02 0x

0,1,2,3,4,5,6
# rows,Attack,Normal,# Attack points,Attack points,# Attacked stages,Attacked stages
50,50,0,3,"LIT101, LIT301, FIT401",3,"P1, P3, P4"
