## 1. Load and Inspect the Data

1. First, we load the IoT network dataset from a database file. We also tidy up the column names (make them lowercase and remove spaces/dots) so they're easier to work with. Finally, we print out the shape of the dataset (how many rows and columns) to see its size.

In [9]:
import pandas as pd, sqlite3
from pathlib import Path

# Load the entire dataset from the SQLite database
with sqlite3.connect(Path("../data/raw/rt_iot2022.db")) as conn:
    df = pd.read_sql("SELECT * FROM flows", conn)

# Clean column names: lowercase, no spaces or dots
df.columns = df.columns.str.strip().str.lower().str.replace(' ', '_').str.replace('.', '_')

# Show the dataset shape (number of rows, number of columns)
print("Dataset shape:", df.shape)

Dataset shape: (123117, 84)


For a quick overview, we list each column name and what type of data it holds (integer, float, object, etc.). This helps us understand the kinds of features we have – for example, which are numeric counts, which are text categories, etc.

In [10]:
# Print each column's name and data type
for col, dtype in df.dtypes.items():
    print(f"{col}: {dtype}")

id_orig_p: int64
id_resp_p: int64
proto: object
service: object
flow_duration: float64
fwd_pkts_tot: int64
bwd_pkts_tot: int64
fwd_data_pkts_tot: int64
bwd_data_pkts_tot: int64
fwd_pkts_per_sec: float64
bwd_pkts_per_sec: float64
flow_pkts_per_sec: float64
down_up_ratio: float64
fwd_header_size_tot: int64
fwd_header_size_min: int64
fwd_header_size_max: int64
bwd_header_size_tot: int64
bwd_header_size_min: int64
bwd_header_size_max: int64
flow_fin_flag_count: int64
flow_syn_flag_count: int64
flow_rst_flag_count: int64
fwd_psh_flag_count: int64
bwd_psh_flag_count: int64
flow_ack_flag_count: int64
fwd_urg_flag_count: int64
bwd_urg_flag_count: int64
flow_cwr_flag_count: int64
flow_ece_flag_count: int64
fwd_pkts_payload_min: int64
fwd_pkts_payload_max: int64
fwd_pkts_payload_tot: int64
fwd_pkts_payload_avg: float64
fwd_pkts_payload_std: float64
bwd_pkts_payload_min: int64
bwd_pkts_payload_max: int64
bwd_pkts_payload_tot: int64
bwd_pkts_payload_avg: float64
bwd_pkts_payload_std: float64
flow_

## 2. Remove Unnecessary Columns

1. Some columns in the data aren't useful for prediction, or could even mislead the model:
    - **Identifiers** like source or destination port numbers (`id_orig_p`, `id_resp_p`) don’t help predict duration (they're more like IDs, not behaviors).
    - **Rate features** such as `fwd_pkts_per_sec` or `flow_pkts_per_sec` are calculated using `flow_duration` itself – including them would be like giving the model the answer (this is called target leakage).
    - **Attack label** (`attack_type`) is a label for classification (attack vs. normal). We are doing regression to predict duration, so we don’t use the attack labels here.

We remove these columns to make the dataset smaller and prevent any leakage “cheating” or noise from irrelevant data.

In [11]:
# Drop columns that are IDs, leak target info, or are not needed for regression
cols_to_drop = [
    "id_orig_p", "id_resp_p",           # connection identifiers (ports)
    "fwd_pkts_per_sec", "bwd_pkts_per_sec", "flow_pkts_per_sec", "payload_bytes_per_second",  # rate features (target leakage)
    "attack_type"                      # attack label (not used in predicting duration)
]
df_clean = df.drop(columns=[c for c in cols_to_drop if c in df.columns])
print("After drop:", df_clean.shape)

After drop: (123117, 77)


(After this drop, the dataset still has all the features we need, but without those unhelpful columns.)

## 3. Detect Outliers

1. Now we check each numeric feature for **outliers** – extreme values that are much higher or lower than most of the data. We use the **IQR (Interquartile Range)** method:
    - For each feature, find Q1 (25th percentile) and Q3 (75th percentile).
    - Compute IQR = Q3 – Q1, which is the range of the middle 50% of values.
    - Flag any value that is below `Q1 - 1.5*IQR` or above `Q3 + 1.5*IQR` as an outlier.

We won't remove data just for being an outlier here; we just want to **identify** which features have a lot of outliers. This can tell us if a feature has a very **long tail** or unusual distribution. Knowing this, we might later apply transformations (like taking a log) or handle these features carefully so that a few extreme values don’t distort our model.

In [12]:
# Calculate outlier share for numeric features (excluding the target if present)
numeric_cols = df_clean.select_dtypes(include='number').columns
outlier_share = {}
for col in numeric_cols:
    if col == 'flow_duration':
        continue
    Q1 = df_clean[col].quantile(0.25)
    Q3 = df_clean[col].quantile(0.75)
    IQR = Q3 - Q1
    lower_bound = Q1 - 1.5 * IQR
    upper_bound = Q3 + 1.5 * IQR
    # Fraction of rows that are outliers in this feature
    share = ((df_clean[col] < lower_bound) | (df_clean[col] > upper_bound)).mean()
    outlier_share[col] = share

# Print the top 5 features by outlier frequency
top_outliers = sorted(outlier_share.items(), key=lambda x: x[1], reverse=True)[:5]
for col, share in top_outliers:
    print(f"{col}: {share*100:.1f}% outliers")

flow_pkts_payload_avg: 31.0% outliers
bwd_header_size_tot: 26.9% outliers
bwd_header_size_max: 26.9% outliers
flow_ack_flag_count: 26.9% outliers
bwd_pkts_tot: 26.3% outliers


*The code above will list a few features with the highest percentage of outliers. For instance, we might see something like `flow_pkts_payload_avg: 31.3% outliers`, meaning about 31% of the rows have values in `flow_pkts_payload_avg` that are quite extreme. This tells us that feature has a **long tail** of unusual values.*

*(We are just observing these; no automatic removal is done at this point.)*

## 4. Remove Almost-Constant Features

1. With many features, some might be **almost constant** – they hardly vary across the dataset. For example, imagine a column that's `0` for 99.9% of the entries and `1` for a few others; it doesn’t carry much information. Such features can safely be removed:
    - We consider features that have very few unique values (e.g. 3 or fewer unique values in all 100k+ rows).
    - Or if one value dominates the column (for instance, the same value appears in ≥98.5% of the rows).
    - These columns add little to no predictive signal and can even act as noise.

Removing them reduces the “dimension” of our data, making training faster and the model less likely to get confused by meaningless data.

In [13]:
# Identify quasi-constant features (very low variability)
quasi_cols = []
for col in df_clean.columns:
    if col == 'flow_duration':
        continue
    values = df_clean[col]
    top_freq = values.value_counts(normalize=True, dropna=False).max()
    if values.nunique(dropna=False) <= 3 or top_freq >= 0.985:
        quasi_cols.append(col)

# Drop quasi-constant features
df_clean = df_clean.drop(columns=quasi_cols)
print(f"Dropped {len(quasi_cols)} quasi-constant features.")
print("Remaining shape:", df_clean.shape)



Dropped 13 quasi-constant features.
Remaining shape: (123117, 64)


(The code flags features with ≤3 unique values, or where one value appears in ≥98.5% of rows, as quasi-constant. We then drop them. Suppose it drops 12 columns; that will be reported. This step helps us by eliminating columns that were almost always the same, which do not help the model learn anything distinct.)

## 5. Remove Constant Features

1. A **constant** feature is an even simpler case: it has **exactly one** value for every row (no variation at all). This feature has zero predictive power (it’s the same for everything!). We scan for any constant columns and drop them if found:
    - This ensures we only keep features that have at least some variation.
    - (Often, constant columns would already be caught by our quasi-constant check above, but we double-check just in case.)

In [14]:
# Check for any constant columns remaining
const_cols = [c for c in df_clean.columns if df_clean[c].nunique(dropna=False) == 1]
print("Constant columns:", const_cols)
if const_cols:
    df_clean = df_clean.drop(columns=const_cols)
    print("Dropped constant features. New shape:", df_clean.shape)

Constant columns: []


*Usually, after the previous steps, there should be **0 constant columns** left (the list will be empty). If there were any, this code would remove them and print the updated shape.*

*(By removing constant and quasi-constant features, we ensure that every column left has some variability that could be useful for prediction.)*

## 6. Remove Duplicate Rows

1. Next, we look for **duplicate rows** – exact copies of data entries. Duplicates can happen in data collection and can bias the model (it would effectively see the same example twice and might give it more weight).
    - We remove duplicate entries to ensure each flow appears only once. This way, each training example is unique.
    - This also dramatically reduces the dataset size if many duplicates exist.

In [15]:
initial_rows = df_clean.shape[0]
df_clean = df_clean.drop_duplicates().reset_index(drop=True)
removed = initial_rows - df_clean.shape[0]
print(f"Removed {removed} duplicate rows. New shape:", df_clean.shape)

Removed 104847 duplicate rows. New shape: (18270, 64)


*In our dataset, it turns out **a lot** of rows were exact duplicates (the output will show how many were removed). For example, if it prints “Removed 99793 duplicate rows,” that means initially we had many repeated flows and now we’re down to only unique ones. After removing duplicates, our dataset might have around 18k unique rows left (just as an example).*

*(Removing duplicates is important so the model doesn't get a false sense of confidence by seeing the same thing multiple times.)*

## 7. Drop Highly Correlated Features

1. Sometimes two features are **highly correlated**, meaning they essentially contain the same information. For example, `fwd_pkts_tot` (forward packet count) and `bwd_pkts_tot` (backward packet count) might individually not be perfectly correlated, but imagine if we had `total_pkts` as another column which is just their sum – `total_pkts` would be very strongly correlated with those. Including all of them can be redundant and might confuse or overfit certain models (especially linear models which don’t handle multicollinearity well).
    - We compute the correlation between every pair of numeric features.
    - If a pair of features has a correlation above 0.95 (very similar behavior), we drop one of them.
    - This reduces redundancy. It’s like if two sensors always give the same reading, you only need one of them.

In [16]:
import numpy as np

# Compute absolute correlation matrix for numeric features
corr_matrix = df_clean.corr(numeric_only=True).abs()
# Create a mask for the upper triangle of the matrix (to avoid duplicate checks)
upper_mask = np.triu(np.ones_like(corr_matrix, dtype=bool), k=1)

# Find features with correlation > 0.95
to_drop_corr = [col for col in corr_matrix.columns if any(corr_matrix[col][upper_mask] > 0.95)]

# Drop these highly correlated features
df_clean = df_clean.drop(columns=to_drop_corr)
print("Dropped highly correlated features:", to_drop_corr)
print("New shape:", df_clean.shape)

IndexError: too many indices for array: array is 1-dimensional, but 2 were indexed

*This code scans the correlation matrix and drops any feature that is extremely (≥95%) correlated with another. We print which columns were dropped due to high correlation.*

*For example, if `bwd_pkts_tot` and `flow_pkts_payload_tot` have a 0.99 correlation, one of them will be dropped. By doing this, we keep only one representative from any group of super-similar features. This helps simplify the data without losing much information.*

## 8. Simplify Categorical Features

1. The dataset has some **categorical features** (`proto` for protocol type, and `service` for service/application type). These are text labels. There could be many unique values, some appearing very rarely. For modeling, it’s better to reduce the number of categories:
    - We group **rare categories** into an "other" category. For example, if `service` has 15 possible values but 5 of them only appear a few times, we label those 5 as "other."
    - Specifically, we'll keep the **top 10 most frequent** values for each categorical feature and replace the rest with `"other"`.
    - This way, our model focuses on the common categories and doesn't get bogged down by very infrequent ones (which might not provide reliable patterns).

This is like saying, for the purpose of learning, we distinguish the major types and lump all miscellaneous minor types together.

In [None]:
for col in ['proto', 'service']:
    if col in df_clean.columns:
        top10 = df_clean[col].value_counts().nlargest(10).index
        df_clean[col] = df_clean[col].where(df_clean[col].isin(top10), 'other')

if 'proto' in df_clean.columns:
    print("Unique protocols after simplification:", df_clean['proto'].nunique())
if 'service' in df_clean.columns:
    print("Unique services after simplification:", df_clean['service'].nunique())

*After this, the `proto` column might have a few unique values (for example: `"tcp"`, `"udp"`, and `"other"` if those were the main ones) instead of possibly more. The `service` column will also be reduced to its top categories plus `"other"`. This simplification makes our next steps (like one-hot encoding for machine learning) more manageable.*

## 9. Feature Engineering

So far, we have only **cleaned and filtered** the raw features. The next step is to create **new, informative features** that might capture the patterns in the data better than the raw features alone. This is called **feature engineering**. We will combine or transform existing columns to highlight important aspects of the network flow.

Why do this? Some relationships or behaviors are not directly given by a single raw column. By creating new features, we help the model by giving it more meaningful signals to learn from (instead of expecting the model to discover these signals on its own from the raw data).

Below is a table summarizing the new features we will create, which source columns they come from, and **why** they are useful:

| New Column | Source Columns | Why we do this |
| --- | --- | --- |
| **pkts_tot** | fwd_pkts_tot, bwd_pkts_tot | Total number of packets in the flow (forward + backward). This gives the overall size of the flow in terms of packet count. |
| **data_pkts_tot** | fwd_data_pkts_tot, bwd_data_pkts_tot | Total **data-carrying** packets (both directions). This focuses on packets that carry payload, indicating the volume of actual data transfer. |
| **hdr_size_tot_sum** | fwd_header_size_tot, bwd_header_size_tot | Total header bytes from both directions. This measures the total overhead size of the flow. |
| **X_ratio_fb** (e.g., **pkts_ratio_fb**, **data_pkts_ratio_fb**, **hdr_size_ratio_fb**) | forward vs. backward counts (packets, data packets, header bytes) | The ratio of forward to backward values. It shows if traffic was balanced or mostly one-sided. For example, if **pkts_ratio_fb** ≫ 1, the client sent many more packets than it received (mostly one-way communication). A ratio ≈ 1 means a balanced two-way exchange. |
| **X_symmetry** (e.g., **pkts_symmetry**, **hdr_size_symmetry**) | forward vs. backward values (packets, header bytes) | A different way to measure balance: `(fwd - bwd) / (fwd + bwd)`. This ranges from -1 to +1. **0** means perfectly symmetric (equal forward and backward), **+0.8** (for example) would mean heavily skewed to forward, **-0.8** skewed to backward. This feature captures direction *bias* in the communication. |
| **fwd_iat_cv** (and **bwd_iat_cv**, **flow_iat_cv**) | X_iat_std, X_iat_avg (for forward, backward, overall flow) | **Coefficient of Variation** of Inter-Arrival Time: basically `std/avg` of packet timing gaps. This measures **burstiness** of traffic. A high CV means packet arrivals are erratic (some quick bursts and some long pauses), whereas a low CV means packets come at a steady rate. |
| **active_share** | active_tot, idle_tot | Fraction of time the flow was active: `active_tot / (active_tot + idle_tot)`. This tells us if a flow spent most of its life transmitting data or waiting. **active_share** near 1 means the flow was busy almost the whole time. |
| **idle_share** | active_tot, idle_tot | Fraction of time the flow was idle (complement of active_share). If idle_share is high, the flow was mostly waiting around. |
| **flag_count_density** (for each TCP flag type, e.g., **flow_syn_flag_count_density**) | That flag’s count, and pkts_tot | We take counts of certain TCP flags (SYN, ACK, FIN, etc.) and divide by total packets. This gives the **percentage of packets** that had each flag. It normalizes flag counts by flow length so we can compare flows of different lengths. (For example, “30% of packets in this flow were SYN packets” is a meaningful ratio.) Flags can indicate connection setup, teardown, or unusual events in the flow. |
| **fwd_window_delta** | fwd_init_window_size, fwd_last_window_size | Change in the TCP window size (forward direction) from start to end of the flow. This shows how the sender’s TCP buffer window evolved. A large change might indicate network congestion control kicking in or other network behavior. |
| **proto_top** | proto | Simplified **protocol** category. This is just the `proto` feature we already simplified (grouped minor ones into "other"). It’s a categorical feature we will use in modeling (via one-hot encoding). |
| **service_top** | service | Simplified **service** category (same idea as proto_top). |
| **log1p__X** *(optional)* | any skewed numeric column X | The natural log of (1 + X). This is a transformation we might apply to very skewed features (just like we'll do for the target) to reduce their range. Taking log of a feature can make extreme values more manageable for the model (turning multiplicative differences into additive ones). For example, if we had a feature where most values are 1-10 but a few are 10000, log1p would compress that 10000 down to ~9.21, making it less dramatically different. |

Now, let's actually create these new features in our DataFrame:

In [None]:
import numpy as np

# Make a copy to add features (to keep original clean data if needed)
df_fe = df_clean.copy()

# Total counts
df_fe['pkts_tot'] = df_fe['fwd_pkts_tot'] + df_fe['bwd_pkts_tot']
df_fe['data_pkts_tot'] = df_fe['fwd_data_pkts_tot'] + df_fe['bwd_data_pkts_tot']
df_fe['hdr_size_tot_sum'] = df_fe['fwd_header_size_tot'] + df_fe['bwd_header_size_tot']

# Ratios and symmetry between forward/backward
df_fe['pkts_ratio_fb'] = (df_fe['fwd_pkts_tot'] + 1) / (df_fe['bwd_pkts_tot'] + 1)
df_fe['data_pkts_ratio_fb'] = (df_fe['fwd_data_pkts_tot'] + 1) / (df_fe['bwd_data_pkts_tot'] + 1)
df_fe['hdr_size_ratio_fb'] = (df_fe['fwd_header_size_tot'] + 1) / (df_fe['bwd_header_size_tot'] + 1)
df_fe['pkts_symmetry'] = (df_fe['fwd_pkts_tot'] - df_fe['bwd_pkts_tot']) / (df_fe['fwd_pkts_tot'] + df_fe['bwd_pkts_tot'] + 1e-9)
df_fe['hdr_size_symmetry'] = (df_fe['fwd_header_size_tot'] - df_fe['bwd_header_size_tot']) / (df_fe['fwd_header_size_tot'] + df_fe['bwd_header_size_tot'] + 1e-9)

# Burstiness: coefficient of variation for inter-arrival times
df_fe['fwd_iat_cv'] = df_fe['fwd_iat_std'] / (df_fe['fwd_iat_avg'] + 1e-9)
df_fe['bwd_iat_cv'] = df_fe['bwd_iat_std'] / (df_fe['bwd_iat_avg'] + 1e-9)
df_fe['flow_iat_cv'] = df_fe['flow_iat_std'] / (df_fe['flow_iat_avg'] + 1e-9)

# Active vs idle time share
df_fe['active_share'] = df_fe['active_tot'] / (df_fe['active_tot'] + df_fe['idle_tot'] + 1e-9)
df_fe['idle_share'] = df_fe['idle_tot'] / (df_fe['active_tot'] + df_fe['idle_tot'] + 1e-9)

# Flag densities (as an example, we'll do SYN and ACK flags; similar can be done for others)
df_fe['flow_syn_flag_count_density'] = df_fe['flow_syn_flag_count'] / (df_fe['pkts_tot'] + 1e-9)
df_fe['flow_ack_flag_count_density'] = df_fe['flow_ack_flag_count'] / (df_fe['pkts_tot'] + 1e-9)

# TCP window size change
df_fe['fwd_window_delta'] = df_fe['fwd_last_window_size'] - df_fe['fwd_init_window_size']

print("Added new features. New shape:", df_fe.shape)

*We added a bunch of new columns to `df_fe`. The printed new shape will show an increase in the number of columns. For example, if we had 20 columns before, we might now have around 30+ columns.*

*(Note: We still have the original columns like `fwd_pkts_tot`, `idle_tot`, etc. We could drop some original ones that have been replaced by new features – for instance, after creating `active_share` and `idle_share`, the raw `active_tot` and `idle_tot` might not be needed. However, we can keep them for now or drop them later if we want to avoid feeding redundant information to the model.)*

## 10. Save the Cleaned Dataset

1. Finally, we save our cleaned and feature-enhanced dataset so we can use it in the modeling stage (next notebook) without repeating all these steps. We’ll save it into the `data/processed/` folder. By saving, we ensure reproducibility (we can always load this processed data) and keep our raw data untouched.

We’ll use a SQLite database to save the DataFrame as a table (alternatively, we could use a CSV or pickle file, but a database table is handy for structured data):

In [None]:
# Save the cleaned & feature-engineered data to a processed SQLite database
with sqlite3.connect(Path("data/processed/rt_iot2022_processed.db")) as conn:
    df_fe.to_sql("flows_clean", conn, if_exists="replace", index=False)

print("Saved cleaned data to data/processed/rt_iot2022_processed.db")

*This writes `df_fe` to a SQLite database file named `rt_iot2022_processed.db` under the table name `"flows_clean"`. Later, our modeling notebook will load this table.*

*(By saving now, we **freeze** our preprocessing results. The raw data remains unchanged in `data/raw/`, and any future analysis or modeling will start from this cleaned dataset we just saved.)*

---

**Conclusion:** After all these steps, our data is much **cleaner, smaller, and richer in information** than what we started with. We removed unhelpful or misleading features, dealt with anomalies like duplicates and constant columns, and even created new features that capture important patterns (like ratios and shares). Now our dataset is ready for the next stage: Machine learning.

Next file: 02. IC2_regression_IoT_Preprocessing.ipynb