In [1]:
import pandas as pd
import numpy as np
from tqdm import tqdm

In [2]:
TP = "TP"
FP = "FP"
TN = "TN"
FN = "FN"

In [3]:
def pre(x): return x[TP] / (x[TP] + x[FP]) if x[TP] + x[TP] != 0 else 1.
def rec(x): return x[TP] / (x[TP] + x[FN]) if x[TP] + x[FN] != 0 else 1.
def spe(x): return x[TN] / (x[TN] + x[FP]) if x[TN] + x[FP] != 0 else 1.
def f1s(x): return 2*pre(x)*rec(x) / (pre(x) + rec(x)) if pre(x) + rec(x) != 0. else 1.
def abnorm(x): return x[TN] + x[FP]
def norm(x):   return x[TP] + x[FN]

def metric(X):
  PRE = list()
  REC = list()
  SPE = list()
  F1S = list()
  POS = list()
  NEG = list()
  FUL = list()

  for i, fold in enumerate(X):
    PRE.append(pre(fold))
    REC.append(rec(fold))
    SPE.append(spe(fold))
    F1S.append(f1s(fold))

    pos = norm(fold)
    neg = abnorm(fold)
    ful = pos + neg
    POS.append(pos)
    NEG.append(neg)
    FUL.append(ful)

  print("\t".join([ f"FOLD-{i}\t\t " for i in range(len(X)) ]))
  print("\t".join([ f"{POS[i]:>8,} ({POS[i]/FUL[i] * 100:.2f}%)" for i in range(len(X)) ]))
  print("\t".join([ f"{NEG[i]:>8,} ({NEG[i]/FUL[i] * 100:.2f}%)" for i in range(len(X)) ]))
  print("\t".join([ f"{FUL[i]:>8,} (100.0%)" for i in range(len(X)) ]))
  print("PRE\t\t\tREC\t\t\tSPE\t\t\tF1")
  print(f"{np.mean(PRE):.4f} (±{np.std(PRE):.4f})", end="\t")
  print(f"{np.mean(REC):.4f} (±{np.std(REC):.4f})", end="\t")
  print(f"{np.mean(SPE):.4f} (±{np.std(SPE):.4f})", end="\t")
  print(f"{np.mean(F1S):.4f} (±{np.std(F1S):.4f})")

  

In [4]:
AIT_report = '''evaluation result spiral.com
(onion.com, daemon) TP: 1361, FP: 0, TN: 0, FN: 768
(onion.com, auth) TP: 2, FP: 92, TN: 2, FN: 950
(onion.com, user) TP: 15856, FP: 252, TN: 0, FN: 0
(onion.com, access) TP: 75530, FP: 142, TN: 6287, FN: 0
(onion.com, mail) TP: 4020, FP: 6, TN: 85, FN: 63758
(insect.com, auth) TP: 1, FP: 176, TN: 4, FN: 949
(insect.com, daemon) TP: 1377, FP: 2, TN: 0, FN: 770
(insect.com, mail) TP: 8463, FP: 35, TN: 510, FN: 101004
(insect.com, access) TP: 162363, FP: 3230, TN: 3743, FN: 0
(insect.com, user) TP: 31438, FP: 6426, TN: 0, FN: 0
(cup.com, daemon) TP: 825, FP: 2, TN: 0, FN: 99
(cup.com, auth) TP: 2, FP: 284, TN: 4, FN: 930
(cup.com, user) TP: 33550, FP: 775, TN: 0, FN: 0
(cup.com, mail) TP: 7800, FP: 9, TN: 295, FN: 114705
(cup.com, access) TP: 141741, FP: 512, TN: 6277, FN: 0

evaluation result onion.com
(spiral.com, auth) TP: 39, FP: 271, TN: 2, FN: 886
(spiral.com, daemon) TP: 200, FP: 4, TN: 0, FN: 697
(spiral.com, user) TP: 16594, FP: 6667, TN: 0, FN: 5
(spiral.com, mail) TP: 58741, FP: 482, TN: 5, FN: 534
(spiral.com, access) TP: 93068, FP: 759, TN: 6611, FN: 3
(insect.com, auth) TP: 68, FP: 178, TN: 2, FN: 882
(insect.com, daemon) TP: 1111, FP: 2, TN: 0, FN: 1036
(insect.com, mail) TP: 108451, FP: 540, TN: 5, FN: 1016
(insect.com, access) TP: 162355, FP: 355, TN: 6618, FN: 8
(insect.com, user) TP: 31433, FP: 6426, TN: 0, FN: 5
(cup.com, daemon) TP: 198, FP: 0, TN: 2, FN: 726
(cup.com, auth) TP: 46, FP: 286, TN: 2, FN: 886
(cup.com, user) TP: 33545, FP: 775, TN: 0, FN: 5
(cup.com, mail) TP: 121244, FP: 298, TN: 6, FN: 1261
(cup.com, access) TP: 141738, FP: 488, TN: 6301, FN: 3

evaluation result insect.com
(spiral.com, auth) TP: 0, FP: 0, TN: 273, FN: 925
(spiral.com, daemon) TP: 17, FP: 0, TN: 4, FN: 880
(spiral.com, user) TP: 2805, FP: 10, TN: 6657, FN: 13794
(spiral.com, mail) TP: 0, FP: 0, TN: 487, FN: 59275
(spiral.com, access) TP: 93066, FP: 413, TN: 6957, FN: 5
(onion.com, daemon) TP: 3, FP: 0, TN: 0, FN: 2126
(onion.com, auth) TP: 0, FP: 0, TN: 94, FN: 952
(onion.com, user) TP: 2920, FP: 1, TN: 251, FN: 12936
(onion.com, access) TP: 75526, FP: 22, TN: 6407, FN: 4
(onion.com, mail) TP: 0, FP: 0, TN: 91, FN: 67778
(cup.com, daemon) TP: 22, FP: 0, TN: 2, FN: 902
(cup.com, auth) TP: 0, FP: 0, TN: 288, FN: 932
(cup.com, user) TP: 6378, FP: 4, TN: 771, FN: 27172
(cup.com, mail) TP: 0, FP: 0, TN: 304, FN: 122505
(cup.com, access) TP: 141737, FP: 121, TN: 6668, FN: 4

evaluation result cup.com
(spiral.com, auth) TP: 0, FP: 0, TN: 273, FN: 925
(spiral.com, daemon) TP: 71, FP: 0, TN: 4, FN: 826
(spiral.com, user) TP: 16524, FP: 57, TN: 6610, FN: 75
(spiral.com, mail) TP: 0, FP: 0, TN: 487, FN: 59275
(spiral.com, access) TP: 0, FP: 18, TN: 7352, FN: 93071
(onion.com, daemon) TP: 373, FP: 0, TN: 0, FN: 1756
(onion.com, auth) TP: 0, FP: 0, TN: 94, FN: 952
(onion.com, user) TP: 15108, FP: 6, TN: 246, FN: 748
(onion.com, access) TP: 0, FP: 89, TN: 6340, FN: 75530
(onion.com, mail) TP: 0, FP: 0, TN: 91, FN: 67778
(insect.com, auth) TP: 0, FP: 0, TN: 180, FN: 950
(insect.com, daemon) TP: 374, FP: 0, TN: 2, FN: 1773
(insect.com, mail) TP: 0, FP: 0, TN: 545, FN: 109467
(insect.com, access) TP: 0, FP: 111, TN: 6862, FN: 162363
(insect.com, user) TP: 31341, FP: 40, TN: 6386, FN: 97

testing result spiral.com
(auth.) TP: 3, FP: 269, TN: 4, FN: 922
(daemon.) TP: 804, FP: 4, TN: 0, FN: 93
(user.) TP: 16599, FP: 6667, TN: 0, FN: 0
(mail.) TP: 4542, FP: 32, TN: 455, FN: 54733
(access.) TP: 93071, FP: 3666, TN: 3704, FN: 0

testing result onion.com
(daemon.) TP: 1123, FP: 0, TN: 0, FN: 1006
(auth.) TP: 41, FP: 94, TN: 0, FN: 911
(user.) TP: 15851, FP: 252, TN: 0, FN: 5
(access.) TP: 75524, FP: 124, TN: 6305, FN: 6
(mail.) TP: 67053, FP: 91, TN: 0, FN: 725

testing result insect.com
(auth.) TP: 0, FP: 0, TN: 180, FN: 950
(daemon.) TP: 0, FP: 0, TN: 2, FN: 2147
(mail.) TP: 0, FP: 0, TN: 545, FN: 109467
(access.) TP: 162358, FP: 149, TN: 6824, FN: 5
(user.) TP: 4668, FP: 3, TN: 6423, FN: 26770

testing result cup.com
(daemon.) TP: 71, FP: 0, TN: 2, FN: 853
(auth.) TP: 0, FP: 0, TN: 288, FN: 932
(user.) TP: 33244, FP: 29, TN: 746, FN: 306
(mail.) TP: 0, FP: 0, TN: 304, FN: 122505
(access.) TP: 0, FP: 87, TN: 6702, FN: 141741
'''

In [5]:
lines = AIT_report.split('\n')
_confusion = dict()
TFPN = ["TP", "FP", "TN", "FN"]
topic = ""

for l in lines:
  l = l.replace(' ', '')
  if l.startswith('('):
    i = l.find(')')
    k = (f"[{topic}] " + l[1:i] + " - evaluation") if not l[1:i].endswith('.') else (f"[{topic}] " + l[1:i - 1] + f" - test")

    _confusion[k] = { TFPN[j]: int( 
                              l[l.find(TFPN[j])+3 : ( l.find(',', l.find(TFPN[j])) if j < 3 else len(l) ) ]
                            ) for j in range(len(TFPN)) 
                          }
  else:
    topic = l[ l.find("result") + 6: ]


In [6]:
_confusion

{'[spiral.com] onion.com,daemon - evaluation': {'TP': 1361,
  'FP': 0,
  'TN': 0,
  'FN': 768},
 '[spiral.com] onion.com,auth - evaluation': {'TP': 2,
  'FP': 92,
  'TN': 2,
  'FN': 950},
 '[spiral.com] onion.com,user - evaluation': {'TP': 15856,
  'FP': 252,
  'TN': 0,
  'FN': 0},
 '[spiral.com] onion.com,access - evaluation': {'TP': 75530,
  'FP': 142,
  'TN': 6287,
  'FN': 0},
 '[spiral.com] onion.com,mail - evaluation': {'TP': 4020,
  'FP': 6,
  'TN': 85,
  'FN': 63758},
 '[spiral.com] insect.com,auth - evaluation': {'TP': 1,
  'FP': 176,
  'TN': 4,
  'FN': 949},
 '[spiral.com] insect.com,daemon - evaluation': {'TP': 1377,
  'FP': 2,
  'TN': 0,
  'FN': 770},
 '[spiral.com] insect.com,mail - evaluation': {'TP': 8463,
  'FP': 35,
  'TN': 510,
  'FN': 101004},
 '[spiral.com] insect.com,access - evaluation': {'TP': 162363,
  'FP': 3230,
  'TN': 3743,
  'FN': 0},
 '[spiral.com] insect.com,user - evaluation': {'TP': 31438,
  'FP': 6426,
  'TN': 0,
  'FN': 0},
 '[spiral.com] cup.com,daemo

In [7]:
# ait_confusion = {"eval": list(), "test": list()}
ait_confusion = dict()
for k, v in _confusion.items():
  if k.endswith("evaluation"):
    log = k[k.find(',') + 1:].replace(" - evaluation", "")
    key = f"{log}-eval"
    # prefix = k[k.find("] ") + 2: k.find(',')]
    # ait_confusion["eval"].append(v)
  else:
    log = k[k.find("] ") + 2:].replace(" - test", "")
    key = f"{log}-test"
    # ait_confusion["test"].append(v)
  if key not in ait_confusion: ait_confusion[key] = dict()

  prefix = k[k.find('[') + 1: k.find(']')]
  if prefix not in ait_confusion[key]: ait_confusion[key][prefix] = list()
  ait_confusion[key][prefix].append(v)

In [8]:
n_train = [0, 0]
n_test = [0, 0]

for k, v in _confusion.items():
  if k.endswith("evaluation"):
    n_train[0] += v[TP] + v[FN]
    n_train[1] += v[FP] + v[TN]
  elif k.endswith("test"):
    n_test[0] += v[TP] + v[FN]
    n_test[1] += v[FP] + v[TN]

print(f"{n_train[0]:,} ({n_train[0]/sum(n_train)*100:.2f}%)\n{n_train[1]:,} ({n_train[1]/sum(n_train)*100:.2f}%)\n{sum(n_train):,}")
print(f"{n_test[0]:,} ({n_test[0]/sum(n_test)*100:.2f}%)\n{n_test[1]:,} ({n_test[1]/sum(n_test)*100:.2f}%)\n{sum(n_test):,}")

2,817,087 (95.53%)
131,853 (4.47%)
2,948,940
939,029 (95.53%)
43,951 (4.47%)
982,980


In [13]:
AIT_confusion = dict()
for k, v in ait_confusion.items():
  if k not in AIT_confusion: AIT_confusion[k] = dict() #list()
  for p, c in v.items():
    # AIT_confusion[k].append(
    #     {
    #       TP: sum([ d[TP] for d in c ]),
    #       FP: sum([ d[FP] for d in c ]),
    #       TN: sum([ d[TN] for d in c ]),
    #       FN: sum([ d[FN] for d in c ]),
    #     }
    # )
      AIT_confusion[k][p] = {
                          "normal": sum([ d[TP] for d in c ]) + sum([ d[FN] for d in c ]),
                          "abnormal": sum([ d[FP] for d in c ]) + sum([ d[TN] for d in c ]),
                        }

In [22]:
AIT_confusion

{'daemon-eval': {'spiral.com': {'normal': 5200, 'abnormal': 4},
  'onion.com': {'normal': 3968, 'abnormal': 8},
  'insect.com': {'normal': 3950, 'abnormal': 6},
  'cup.com': {'normal': 5173, 'abnormal': 6}},
 'auth-eval': {'spiral.com': {'normal': 2834, 'abnormal': 562},
  'onion.com': {'normal': 2807, 'abnormal': 741},
  'insect.com': {'normal': 2809, 'abnormal': 655},
  'cup.com': {'normal': 2827, 'abnormal': 547}},
 'user-eval': {'spiral.com': {'normal': 80844, 'abnormal': 7453},
  'onion.com': {'normal': 81587, 'abnormal': 13868},
  'insect.com': {'normal': 66005, 'abnormal': 7694},
  'cup.com': {'normal': 63893, 'abnormal': 13345}},
 'access-eval': {'spiral.com': {'normal': 379634, 'abnormal': 20191},
  'onion.com': {'normal': 397175, 'abnormal': 21132},
  'insect.com': {'normal': 310342, 'abnormal': 20588},
  'cup.com': {'normal': 330964, 'abnormal': 20772}},
 'mail-eval': {'spiral.com': {'normal': 299750, 'abnormal': 940},
  'onion.com': {'normal': 291247, 'abnormal': 1336},
  '

In [37]:
log_types = list(AIT_confusion.keys())
servers = ["spiral.com", "onion.com", "insect.com", "cup.com"]
log_types.sort()

print(f"{servers[0]:>19}\t{servers[1]:>19}\t{servers[2]:>19}\t{servers[3]:>19}")
for t in log_types:
  print(t)
  for s in servers:
    total = AIT_confusion[t][s]['normal'] + AIT_confusion[t][s]['abnormal']
    print(f"{AIT_confusion[t][s]['normal']:>10,} ({AIT_confusion[t][s]['normal']/total * 100:.2f}%)", end="\t")
  print()
  for s in servers:
    total = AIT_confusion[t][s]['normal'] + AIT_confusion[t][s]['abnormal']
    print(f"{AIT_confusion[t][s]['abnormal']:>10,} ({AIT_confusion[t][s]['abnormal']/total * 100:.2f}%)", end="\t")
  print()
  for s in servers:
    print(f"{AIT_confusion[t][s]['normal'] + AIT_confusion[t][s]['abnormal']:>19,}", end="\t")
  print()

         spiral.com	          onion.com	         insect.com	            cup.com
access-eval
   379,634 (94.95%)	   397,175 (94.95%)	   310,342 (93.78%)	   330,964 (94.09%)	
    20,191 (5.05%)	    21,132 (5.05%)	    20,588 (6.22%)	    20,772 (5.91%)	
            399,825	            418,307	            330,930	            351,736	
access-test
    93,071 (92.66%)	    75,530 (92.16%)	   162,363 (95.88%)	   141,741 (95.43%)	
     7,370 (7.34%)	     6,429 (7.84%)	     6,973 (4.12%)	     6,789 (4.57%)	
            100,441	             81,959	            169,336	            148,530	
auth-eval
     2,834 (83.45%)	     2,807 (79.11%)	     2,809 (81.09%)	     2,827 (83.79%)	
       562 (16.55%)	       741 (20.89%)	       655 (18.91%)	       547 (16.21%)	
              3,396	              3,548	              3,464	              3,374	
auth-test
       925 (77.21%)	       952 (91.01%)	       950 (84.07%)	       932 (76.39%)	
       273 (22.79%)	        94 (8.99%)	       180 (15.93%)	       288 (23.

In [145]:
AIT_confusion["total-eval"] = [ {'TP': 0, 'FP': 0, 'TN': 0, 'FN': 0} for _ in range(4) ]
AIT_confusion["total-test"] = [ {'TP': 0, 'FP': 0, 'TN': 0, 'FN': 0} for _ in range(4) ]

for k, v in AIT_confusion.items():
  if k == "total-eval" or k == "total-test": continue
  if k.endswith("eval"): K = "total-eval"
  elif k.endswith("test"): K = "total-test"

  for i in range(len(v)):
    AIT_confusion[K][i][TP] += v[i][TP]
    AIT_confusion[K][i][FP] += v[i][FP]
    AIT_confusion[K][i][TN] += v[i][TN]
    AIT_confusion[K][i][FN] += v[i][FN]

In [146]:
for k, v in AIT_confusion.items():
  if k.endswith("test"): print(k)

auth-test
daemon-test
user-test
mail-test
access-test
total-test


In [147]:
AIT_confusion

{'daemon-eval': [{'TP': 3563, 'FP': 4, 'TN': 0, 'FN': 1637},
  {'TP': 1509, 'FP': 6, 'TN': 2, 'FN': 2459},
  {'TP': 42, 'FP': 0, 'TN': 6, 'FN': 3908},
  {'TP': 818, 'FP': 0, 'TN': 6, 'FN': 4355}],
 'auth-eval': [{'TP': 5, 'FP': 552, 'TN': 10, 'FN': 2829},
  {'TP': 153, 'FP': 735, 'TN': 6, 'FN': 2654},
  {'TP': 0, 'FP': 0, 'TN': 655, 'FN': 2809},
  {'TP': 0, 'FP': 0, 'TN': 547, 'FN': 2827}],
 'user-eval': [{'TP': 80844, 'FP': 7453, 'TN': 0, 'FN': 0},
  {'TP': 81572, 'FP': 13868, 'TN': 0, 'FN': 15},
  {'TP': 12103, 'FP': 15, 'TN': 7679, 'FN': 53902},
  {'TP': 62973, 'FP': 103, 'TN': 13242, 'FN': 920}],
 'access-eval': [{'TP': 379634, 'FP': 3884, 'TN': 16307, 'FN': 0},
  {'TP': 397161, 'FP': 1602, 'TN': 19530, 'FN': 14},
  {'TP': 310329, 'FP': 556, 'TN': 20032, 'FN': 13},
  {'TP': 0, 'FP': 218, 'TN': 20554, 'FN': 330964}],
 'mail-eval': [{'TP': 20283, 'FP': 50, 'TN': 890, 'FN': 279467},
  {'TP': 288436, 'FP': 1320, 'TN': 16, 'FN': 2811},
  {'TP': 0, 'FP': 0, 'TN': 882, 'FN': 249558},
  {'

In [148]:
for k, v in AIT_confusion.items():
  print(k)
  metric(v)
  print()

daemon-eval
FOLD-0		 	FOLD-1		 	FOLD-2		 	FOLD-3		 
   5,200 (99.92%)	   3,968 (99.80%)	   3,950 (99.85%)	   5,173 (99.88%)
       4 (0.08%)	       8 (0.20%)	       6 (0.15%)	       6 (0.12%)
   5,204 (100.0%)	   3,976 (100.0%)	   3,956 (100.0%)	   5,179 (100.0%)
PRE			REC			SPE			F1
0.9987 (±0.0016)	0.3086 (±0.2542)	0.5625 (±0.4463)	0.4143 (±0.2966)

auth-eval
FOLD-0		 	FOLD-1		 	FOLD-2		 	FOLD-3		 
   2,834 (83.45%)	   2,807 (79.11%)	   2,809 (81.09%)	   2,827 (83.79%)
     562 (16.55%)	     741 (20.89%)	     655 (18.91%)	     547 (16.21%)
   3,396 (100.0%)	   3,548 (100.0%)	   3,464 (100.0%)	   3,374 (100.0%)
PRE			REC			SPE			F1
0.5453 (±0.4583)	0.0141 (±0.0234)	0.5065 (±0.4935)	0.0214 (±0.0355)

user-eval
FOLD-0		 	FOLD-1		 	FOLD-2		 	FOLD-3		 
  80,844 (91.56%)	  81,587 (85.47%)	  66,005 (89.56%)	  63,893 (82.72%)
   7,453 (8.44%)	  13,868 (14.53%)	   7,694 (10.44%)	  13,345 (17.28%)
  88,297 (100.0%)	  95,455 (100.0%)	  73,699 (100.0%)	  77,238 (100.0%)
PRE			REC			SPE			F1
0.94