# 6. Data Cleaning - Entries

Thanks to the previous step, Data Profiling - Entries



In [1]:
import datetime
import os
import time
import pandas as pd 
import requests
import urllib3
import json
import sys
import numpy as np
import math

pd.options.display.max_colwidth = 1000
pd.set_option('display.max_columns', None)

In [2]:
file = r'C:\Users\leona\OneDrive\Desktop\Tesi\Pipeline\Datasets\Pipeline\IocSegnalations\PostDataIntegration\Entries.csv'

In [3]:
df = pd.read_csv(file, low_memory = False )
df

Unnamed: 0,ID_ENTRY,source,ioc,ioc_type,threat_type,malware,first_seen,last_seen,reporter,reference,status
0,0,Feodo Tracker,89.101.97.139:443,ip:port,botnet,qakbot,2021-09-29 08:42:47,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/,
1,1,Feodo Tracker,41.228.22.180:443,ip:port,botnet,qakbot,2021-09-29 08:42:51,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/,
2,2,Feodo Tracker,144.139.47.206:443,ip:port,botnet,qakbot,2021-09-30 21:25:38,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/,
3,3,Feodo Tracker,41.86.42.158:995,ip:port,botnet,qakbot,2021-10-08 14:48:30,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/,
4,4,Feodo Tracker,63.143.92.99:995,ip:port,botnet,qakbot,2021-10-08 14:48:31,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/,
...,...,...,...,...,...,...,...,...,...,...,...
15580,2704832,URL Haus,http://219.157.141.108:59808/Mozi.m,,payload_delivery,,2023-08-16 00:03:35,2023-08-16 00:03:35,Gandylyan1,https://urlhaus.abuse.ch/url/2704832/,offline
15581,2704830,URL Haus,http://175.107.13.143:38812/Mozi.m,,payload_delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704830/,offline
15582,2704831,URL Haus,http://102.33.46.237:54730/Mozi.m,,payload_delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704831/,offline
15583,2704829,URL Haus,http://158.255.82.182:48683/Mozi.m,,payload_delivery,,2023-08-16 00:03:06,2023-08-18 09:12:32,Gandylyan1,https://urlhaus.abuse.ch/url/2704829/,offline


# Data Cleaning
### Handle missing values

We notice that there is a HIGH number of missing values columns (<=50%) so i have decided to drop those columns which are:

- status

In [4]:
column_name = 'status'
completeness_percentage = (df[column_name].count() / len(df)) * 100

print(f"Completeness of {column_name}: {completeness_percentage:.2f}%")

Completeness of status: 45.27%


In [5]:
df = df.drop(columns = column_name)
df

Unnamed: 0,ID_ENTRY,source,ioc,ioc_type,threat_type,malware,first_seen,last_seen,reporter,reference
0,0,Feodo Tracker,89.101.97.139:443,ip:port,botnet,qakbot,2021-09-29 08:42:47,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
1,1,Feodo Tracker,41.228.22.180:443,ip:port,botnet,qakbot,2021-09-29 08:42:51,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
2,2,Feodo Tracker,144.139.47.206:443,ip:port,botnet,qakbot,2021-09-30 21:25:38,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
3,3,Feodo Tracker,41.86.42.158:995,ip:port,botnet,qakbot,2021-10-08 14:48:30,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
4,4,Feodo Tracker,63.143.92.99:995,ip:port,botnet,qakbot,2021-10-08 14:48:31,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
...,...,...,...,...,...,...,...,...,...,...
15580,2704832,URL Haus,http://219.157.141.108:59808/Mozi.m,,payload_delivery,,2023-08-16 00:03:35,2023-08-16 00:03:35,Gandylyan1,https://urlhaus.abuse.ch/url/2704832/
15581,2704830,URL Haus,http://175.107.13.143:38812/Mozi.m,,payload_delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704830/
15582,2704831,URL Haus,http://102.33.46.237:54730/Mozi.m,,payload_delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704831/
15583,2704829,URL Haus,http://158.255.82.182:48683/Mozi.m,,payload_delivery,,2023-08-16 00:03:06,2023-08-18 09:12:32,Gandylyan1,https://urlhaus.abuse.ch/url/2704829/


In 'ioc_type' related to URL Haus as source are all 'NaN'. So, i set them to url because the URL Haus provide only url segnalitions

In [6]:
column_name = 'ioc_type'
completeness_percentage = (df[column_name].count() / len(df)) * 100

print(f"Completeness of {column_name}: {completeness_percentage:.2f}%")

Completeness of ioc_type: 54.73%


In [24]:
tmp = df[df['source'] == 'URL Haus']['ioc_type']
tmp_missings = tmp.isna().count()
print(f"Percentage of missings of {column_name}: {(tmp_missings / len(tmp) ) * 100:.2f}%")

Percentage of missings of ioc_type: 100.00%


In [26]:
df.loc[df['source'] == 'URL Haus','ioc_type'] = 'url'
df

Unnamed: 0,ID_ENTRY,source,ioc,ioc_type,threat_type,malware,first_seen,last_seen,reporter,reference
0,0,Feodo Tracker,89.101.97.139:443,ip:port,botnet,qakbot,2021-09-29 08:42:47,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
1,1,Feodo Tracker,41.228.22.180:443,ip:port,botnet,qakbot,2021-09-29 08:42:51,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
2,2,Feodo Tracker,144.139.47.206:443,ip:port,botnet,qakbot,2021-09-30 21:25:38,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
3,3,Feodo Tracker,41.86.42.158:995,ip:port,botnet,qakbot,2021-10-08 14:48:30,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
4,4,Feodo Tracker,63.143.92.99:995,ip:port,botnet,qakbot,2021-10-08 14:48:31,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
...,...,...,...,...,...,...,...,...,...,...
15580,2704832,URL Haus,http://219.157.141.108:59808/Mozi.m,url,payload_delivery,,2023-08-16 00:03:35,2023-08-16 00:03:35,Gandylyan1,https://urlhaus.abuse.ch/url/2704832/
15581,2704830,URL Haus,http://175.107.13.143:38812/Mozi.m,url,payload_delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704830/
15582,2704831,URL Haus,http://102.33.46.237:54730/Mozi.m,url,payload_delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704831/
15583,2704829,URL Haus,http://158.255.82.182:48683/Mozi.m,url,payload_delivery,,2023-08-16 00:03:06,2023-08-18 09:12:32,Gandylyan1,https://urlhaus.abuse.ch/url/2704829/


### Standardization : Field 'threat_type'

 'payload delivery' from 'payload_delivery' in the dataframe

In [27]:
df['threat_type'].unique()

array(['botnet', 'payload_delivery', 'payload'], dtype=object)

In [28]:
df['threat_type'] = df['threat_type'].replace('payload', 'payload delivery').replace('payload_delivery', 'payload delivery')
df

Unnamed: 0,ID_ENTRY,source,ioc,ioc_type,threat_type,malware,first_seen,last_seen,reporter,reference
0,0,Feodo Tracker,89.101.97.139:443,ip:port,botnet,qakbot,2021-09-29 08:42:47,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
1,1,Feodo Tracker,41.228.22.180:443,ip:port,botnet,qakbot,2021-09-29 08:42:51,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
2,2,Feodo Tracker,144.139.47.206:443,ip:port,botnet,qakbot,2021-09-30 21:25:38,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
3,3,Feodo Tracker,41.86.42.158:995,ip:port,botnet,qakbot,2021-10-08 14:48:30,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
4,4,Feodo Tracker,63.143.92.99:995,ip:port,botnet,qakbot,2021-10-08 14:48:31,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
...,...,...,...,...,...,...,...,...,...,...
15580,2704832,URL Haus,http://219.157.141.108:59808/Mozi.m,url,payload delivery,,2023-08-16 00:03:35,2023-08-16 00:03:35,Gandylyan1,https://urlhaus.abuse.ch/url/2704832/
15581,2704830,URL Haus,http://175.107.13.143:38812/Mozi.m,url,payload delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704830/
15582,2704831,URL Haus,http://102.33.46.237:54730/Mozi.m,url,payload delivery,,2023-08-16 00:03:34,2023-08-16 00:03:34,Gandylyan1,https://urlhaus.abuse.ch/url/2704831/
15583,2704829,URL Haus,http://158.255.82.182:48683/Mozi.m,url,payload delivery,,2023-08-16 00:03:06,2023-08-18 09:12:32,Gandylyan1,https://urlhaus.abuse.ch/url/2704829/


### Normalization

Date attribute as 'first_seen' and 'last_seen' have multiple format so i have decided to standardize it to the minimal one that all of them have in common:  
- year - month - day  

In [11]:
standardized_df = df

In [29]:
from datetime import datetime, timedelta

df['last_seen'] = pd.to_datetime(df['last_seen'], utc=True, format='mixed').dt.strftime("%Y-%m-%d")
df['first_seen'] = pd.to_datetime(df['first_seen'], utc=True, format='mixed').dt.strftime("%Y-%m-%d")
df


Unnamed: 0,ID_ENTRY,source,ioc,ioc_type,threat_type,malware,first_seen,last_seen,reporter,reference
0,0,Feodo Tracker,89.101.97.139:443,ip:port,botnet,qakbot,2021-09-29,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
1,1,Feodo Tracker,41.228.22.180:443,ip:port,botnet,qakbot,2021-09-29,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
2,2,Feodo Tracker,144.139.47.206:443,ip:port,botnet,qakbot,2021-09-30,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
3,3,Feodo Tracker,41.86.42.158:995,ip:port,botnet,qakbot,2021-10-08,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
4,4,Feodo Tracker,63.143.92.99:995,ip:port,botnet,qakbot,2021-10-08,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
...,...,...,...,...,...,...,...,...,...,...
15580,2704832,URL Haus,http://219.157.141.108:59808/Mozi.m,url,payload delivery,,2023-08-16,2023-08-16,Gandylyan1,https://urlhaus.abuse.ch/url/2704832/
15581,2704830,URL Haus,http://175.107.13.143:38812/Mozi.m,url,payload delivery,,2023-08-16,2023-08-16,Gandylyan1,https://urlhaus.abuse.ch/url/2704830/
15582,2704831,URL Haus,http://102.33.46.237:54730/Mozi.m,url,payload delivery,,2023-08-16,2023-08-16,Gandylyan1,https://urlhaus.abuse.ch/url/2704831/
15583,2704829,URL Haus,http://158.255.82.182:48683/Mozi.m,url,payload delivery,,2023-08-16,2023-08-18,Gandylyan1,https://urlhaus.abuse.ch/url/2704829/


#### Missing value
Drop if one of the keys 'ID_ENTRY', 'source' are NaN

In [31]:
df = df.dropna(subset=['ID_ENTRY', 'source'])
df = df.reset_index(drop = True)
df

Unnamed: 0,ID_ENTRY,source,ioc,ioc_type,threat_type,malware,first_seen,last_seen,reporter,reference
0,0,Feodo Tracker,89.101.97.139:443,ip:port,botnet,qakbot,2021-09-29,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
1,1,Feodo Tracker,41.228.22.180:443,ip:port,botnet,qakbot,2021-09-29,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
2,2,Feodo Tracker,144.139.47.206:443,ip:port,botnet,qakbot,2021-09-30,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
3,3,Feodo Tracker,41.86.42.158:995,ip:port,botnet,qakbot,2021-10-08,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
4,4,Feodo Tracker,63.143.92.99:995,ip:port,botnet,qakbot,2021-10-08,2023-08-25,Feodo Tracker blocklist,https://feodotracker.abuse.ch/
...,...,...,...,...,...,...,...,...,...,...
15580,2704832,URL Haus,http://219.157.141.108:59808/Mozi.m,url,payload delivery,,2023-08-16,2023-08-16,Gandylyan1,https://urlhaus.abuse.ch/url/2704832/
15581,2704830,URL Haus,http://175.107.13.143:38812/Mozi.m,url,payload delivery,,2023-08-16,2023-08-16,Gandylyan1,https://urlhaus.abuse.ch/url/2704830/
15582,2704831,URL Haus,http://102.33.46.237:54730/Mozi.m,url,payload delivery,,2023-08-16,2023-08-16,Gandylyan1,https://urlhaus.abuse.ch/url/2704831/
15583,2704829,URL Haus,http://158.255.82.182:48683/Mozi.m,url,payload delivery,,2023-08-16,2023-08-18,Gandylyan1,https://urlhaus.abuse.ch/url/2704829/


# What about malware missings?

They will be managed in Data Enrichment using Tags, Malwares and Alias tables

### Save dataset into DataWrangling folder

In [32]:
df.to_csv(r'C:\Users\leona\OneDrive\Desktop\Tesi\Pipeline\Datasets\Pipeline\IocSegnalations\IntegratedDataset\PostDataCleaning\Entries.csv')