<img src="../img/GTK_Logo_Social Icon.jpg" width=175 align="right" />

# Worksheet 2.1:  Working with Two Dimensional Data
This worksheet covers concepts covered in Module 2 - Exploratory Data Analysis in Two Dimensions.  It should take no more than 20-30 minutes to complete.  Please raise your hand if you get stuck.  

There are many ways to accomplish the tasks that you are presented with, however you will find that by using the techniques covered in class, the exercises should be relatively simple. 

## Import the Libraries
For this exercise, we will be using:
* Pandas (http://pandas.pydata.org/pandas-docs/stable/)
* json (https://docs.python.org/3/library/json.html)
* user-agents (https://pypi.python.org/pypi/user-agents)
* apachelogs (https://pypi.org/project/apachelogs/)

In [3]:
import pandas as pd
import json

## Exercise 2.1: Reading various forms of JSON Data
In the `/data/` folder, you will find a series of `.json` files called `dataN.json`, numbered 1-4.  Each file contains the following data:

<table>
    <tr>
        <th></th>
        <th>birthday</th>
        <th>first_name</th>
        <th>last_name</th>
    </tr>
    <tr>
        <td>0</td>
        <td>5\/3\/67</td>
        <td>Robert</td>
        <td>Hernandez</td>
    </tr>
    <tr>
        <td>1</td>
        <td>8\/4\/84</td>
        <td>Steve</td>
        <td>Smith</td>
    </tr>
    <tr>
        <td>2</td>
        <td>9\/13\/91</td>
        <td>Anne</td>
        <td>Raps</td>
    </tr>    
    <tr>
        <td>3</td>
        <td>4\/15\/75</td>
        <td>Alice</td>
        <td>Muller</td>
    </tr>    
</table>

Using the `.read_json()` function and the various configuration options, read all these files into a dataframe.  The documentation is available here: http://pandas.pydata.org/pandas-docs/stable/generated/pandas.read_json.html.

In [4]:
DATA_HOME = '../data/'
df1 = pd.read_json(DATA_HOME + 'data1.json')
df1

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


In [5]:
df2 = pd.read_json(DATA_HOME + 'data2.json', orient='index')
df2

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


In [6]:
df3 = pd.read_json(DATA_HOME + 'data3.json', orient='columns')
df3

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


In [7]:
df4 = pd.read_json(DATA_HOME + 'data4.json', orient='split')
df4

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


## Exercise 2: 
In the data file, there is a webserver file called `hackers-access.httpd`.  For this exercise, you will use this file to answer the following questions:
1.  Which browsers are the top 3 most used browsers in this data?
2.  Which are the least (3) used operating systems?

In order to accomplish this task, do the following:
1. Parse each log to pull out the following relevant information
        - user agent, bytes, status, remote host, number of bytes sent

2. For each log, store the raw text and each piece of information in a data frame

3.  Write a function which takes a User Agent string as an argument and returns the name of the operating system and the browser family.  HINT:  You might want to use `user_agents` module, the documentation for which is available here: (https://pypi.python.org/pypi/user-agents)

4.  Next, apply this function to the column which contains the user agent string.
5.  Store this series as a new column in the dataframe
6.  Count the occurances of each value in the new columns (top 5 is fine)

First we need to grab another python library with pip 
[https://pypi.org/project/apachelogs/](https://pypi.org/project/apachelogs/)

In [8]:
!pip install apachelogs



In [9]:
from apachelogs import LogParser

line_parser = LogParser("%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"")

raw_text_log = '192.161.57.88 - - [30/Oct/2015:15:59:39 +0100] "POST /login_form HTTP/1.1" 200 18354 "http://niels.basjes.nl/login_form" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"'

log_dict = {}
log_dict = line_parser.parse(raw_text_log)
log_dict.entry

'192.161.57.88 - - [30/Oct/2015:15:59:39 +0100] "POST /login_form HTTP/1.1" 200 18354 "http://niels.basjes.nl/login_form" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"'

In [10]:
log_dict.remote_host

'192.161.57.88'

In [11]:
log_dict.request_time

datetime.datetime(2015, 10, 30, 15, 59, 39, tzinfo=datetime.timezone(datetime.timedelta(seconds=3600)))

In [12]:
log_dict.request_time_fields

{'timestamp': datetime.datetime(2015, 10, 30, 15, 59, 39, tzinfo=datetime.timezone(datetime.timedelta(seconds=3600)))}

In [13]:
log_dict.bytes_sent

18354

In [14]:
log_dict.directives

{'%h': '192.161.57.88',
 '%l': None,
 '%u': None,
 '%t': datetime.datetime(2015, 10, 30, 15, 59, 39, tzinfo=datetime.timezone(datetime.timedelta(seconds=3600))),
 '%r': 'POST /login_form HTTP/1.1',
 '%>s': 200,
 '%b': 18354,
 '%{Referer}i': 'http://niels.basjes.nl/login_form',
 '%{User-agent}i': 'Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0'}

In [15]:
log_dict.headers_in

dicti({'Referer': 'http://niels.basjes.nl/login_form', 'User-agent': 'Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0'})

In [16]:
#Read in the log file
server_log = open(DATA_HOME + "hackers-access.httpd", "r")

#Create an empty dataframe
parsed_server_data = pd.DataFrame()

# read and parse each line and store the information in the columns of the dataframe
for num, line in enumerate(server_log):
    data = {}
    data = line_parser.parse(line)
    parsed_server_data.loc[num,'raw_log']= data.entry
    parsed_server_data.loc[num,'remote_host']= data.remote_host
    parsed_server_data.loc[num,'user_agent']=data.headers_in["User-agent"]
    parsed_server_data.loc[num,'request_time']=data.request_time
    parsed_server_data.loc[num,'status']=data.final_status
    parsed_server_data.loc[num,'bytes']=data.bytes_sent

parsed_server_data.head()

Unnamed: 0,raw_log,remote_host,user_agent,request_time,status,bytes
0,195.154.46.135 - - [25/Oct/2015:04:11:25 +0100...,195.154.46.135,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...,2015-10-25 04:11:25+01:00,200.0,24323.0
1,23.95.237.180 - - [25/Oct/2015:04:11:26 +0100]...,23.95.237.180,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...,2015-10-25 04:11:26+01:00,200.0,11114.0
2,23.95.237.180 - - [25/Oct/2015:04:11:27 +0100]...,23.95.237.180,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...,2015-10-25 04:11:27+01:00,302.0,9093.0
3,158.222.5.157 - - [25/Oct/2015:04:24:31 +0100]...,158.222.5.157,Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) G...,2015-10-25 04:24:31+01:00,200.0,11114.0
4,158.222.5.157 - - [25/Oct/2015:04:24:32 +0100]...,158.222.5.157,Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) G...,2015-10-25 04:24:32+01:00,302.0,9093.0


In [17]:
!pip install ua-parser user-agents



In [18]:
# Step 3: Fix the functions to parse os and family from the user_agent column
from user_agents import parse

def get_os(x):
    user_agent_os = parse(x).os
    return user_agent_os

def get_browser(x):
    user_agent_browser = parse(x).browser
    return user_agent_browser

First let's see what these functions do on the user_agent portion of our single log

In [19]:
get_os(log_dict.headers_in["User-agent"])

OperatingSystem(family='Windows', version=(7,), version_string='7')

In [20]:
get_browser(log_dict.headers_in["User-agent"])

Browser(family='Firefox', version=(32, 0), version_string='32.0')

In [21]:
# Fixed functions. We need to get only the 'family' item from these objects. 

def get_os(x):
    user_agent_os = parse(x).os.family
    return user_agent_os

def get_browser(x):
    user_agent_browser = parse(x).browser.family
    return user_agent_browser

In [22]:
#Apply the functions to the dataframe
parsed_server_data['os'] = parsed_server_data['user_agent'].apply( get_os )
parsed_server_data['browser'] = parsed_server_data['user_agent'].apply( get_browser )

In [23]:
parsed_server_data.sample(5)

Unnamed: 0,raw_log,remote_host,user_agent,request_time,status,bytes,os,browser
2056,23.231.24.101 - - [28/Oct/2015:12:06:04 +0100]...,23.231.24.101,Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/2...,2015-10-28 12:06:04+01:00,302.0,10170.0,Linux,Firefox
685,23.95.201.243 - - [26/Oct/2015:08:59:14 +0100]...,23.95.201.243,Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20...,2015-10-26 08:59:14+01:00,302.0,10170.0,Windows,Firefox
1386,107.161.83.180 - - [27/Oct/2015:09:46:31 +0100...,107.161.83.180,Mozilla/5.0 (X11; CrOS x86_64 6310.68.0) Apple...,2015-10-27 09:46:31+01:00,200.0,12191.0,Chrome OS,Chrome
269,167.160.127.104 - - [25/Oct/2015:15:03:33 +010...,167.160.127.104,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...,2015-10-25 15:03:33+01:00,200.0,10716.0,Windows,Firefox
3268,208.115.125.58 - - [30/Oct/2015:07:09:12 +0100...,208.115.125.58,Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20...,2015-10-30 07:09:12+01:00,200.0,18354.0,Windows,Firefox


In [24]:
#Step 6: Count the values in new columns
parsed_server_data['os'].value_counts()

os
Windows      3185
Linux         125
Mac OS X       80
Chrome OS      60
Ubuntu          6
Name: count, dtype: int64

In [25]:
parsed_server_data['browser'].value_counts()

browser
Firefox    1476
Chrome      789
Opera       556
Dragon      533
IE           78
Safari       24
Name: count, dtype: int64

In [26]:
#Get the top 3 values
parsed_server_data['os'].value_counts().head(3)

os
Windows     3185
Linux        125
Mac OS X      80
Name: count, dtype: int64

In [27]:
#Get lowest 3 values
parsed_server_data['browser'].value_counts(ascending=True).head(3)

browser
Safari     24
IE         78
Dragon    533
Name: count, dtype: int64

# Exercise 3:
Using the `dailybots.csv` film, read the file into a DataFrame and perform the following operations:
1.  Filter the DataFrame to include bots from the Government/Politics Industry.
2.  Calculate the ratio of hosts to orgs and add this as a column to the DataFrame and output the result
3.  Calculate the total number of hosts infected by each BotFam in the Government/Politics Industry.  You should use the `groupby()` function which is documented here: (http://pandas.pydata.org/pandas-docs/stable/groupby.html)


In [28]:
bots = pd.read_csv(DATA_HOME + 'dailybots.csv')
bots.head()

Unnamed: 0,date,botfam,industry,hosts,orgs
0,2016-06-01,Bedep,Education,88,33
1,2016-06-01,Bedep,Finance,387,17
2,2016-06-01,Bedep,Government/Politics,430,42
3,2016-06-01,Bedep,Healthcare/Wellness,42,19
4,2016-06-01,Bedep,Manufacturing,184,18


In [29]:
bots_df = pd.read_csv(DATA_HOME + 'dailybots.csv')

In [30]:
gov_df = bots_df[bots_df['industry'] == "Government/Politics"]

In [31]:
gov_df.head()

Unnamed: 0,date,botfam,industry,hosts,orgs
2,2016-06-01,Bedep,Government/Politics,430,42
8,2016-06-01,ConfickerAB,Government/Politics,255,38
14,2016-06-01,Necurs,Government/Politics,277,25
23,2016-06-01,PushDo,Government/Politics,8,2
28,2016-06-01,Ramnit,Government/Politics,53,6


In [46]:
gov_df.loc[:,'ratio'] = gov_df.loc[:,'hosts']/ gov_df.loc[:,'orgs']
gov_df.head()

Unnamed: 0,date,botfam,industry,hosts,orgs,ratio
2,2016-06-01,Bedep,Government/Politics,430,42,10.238095
8,2016-06-01,ConfickerAB,Government/Politics,255,38,6.710526
14,2016-06-01,Necurs,Government/Politics,277,25,11.08
23,2016-06-01,PushDo,Government/Politics,8,2,4.0
28,2016-06-01,Ramnit,Government/Politics,53,6,8.833333


In [33]:
gov_bots = bots[['botfam', 'hosts']][bots['industry'] == "Government/Politics"]

In [34]:
gov_bots['ratio'] = bots['hosts'] / bots['orgs']

In [35]:
gov_bots.sample(5)

Unnamed: 0,botfam,hosts,ratio
2150,Bedep,6,1.5
751,Necurs,205,12.8125
2114,PushDo,2,1.0
1384,PushDo,1,1.0
2469,Zeus,5,1.25


In [36]:
gov_bots.groupby('botfam', as_index=False).sum()

Unnamed: 0,botfam,hosts,ratio
0,Bedep,6183,439.178237
1,ConfickerAB,28818,845.615097
2,Necurs,12425,1170.878964
3,Olmasco,83,75.5
4,PushDo,2164,1252.5
5,Ramnit,4484,1053.139638
6,Sality,7466,775.046134
7,Zeus,965,157.967915
8,Zusy,227,100.133333
9,zeroaccess,886,205.29127


In [37]:
gov_bots.sum(axis='index')

botfam    BedepConfickerABNecursPushDoRamnitSalityzeroac...
hosts                                                 63701
ratio                                           6075.250588
dtype: object

# Exercise 4:

Read a more ```evil``` JSON ```eve_small.json```, where each line contains a nested JSON object. Derive one DataFrame, where all levels for the ```stats``` key are expanded to a top level column of that DataFrame. Easiest is to natively open the file in Python, loop over each line, use [json.loads](https://docs.python.org/3.5/library/json.html) from the json library, and then [json_normalize](http://pandas.pydata.org/pandas-docs/stable/generated/pandas.io.json.json_normalize.html) to expand the nested structure to top-level columns, append to a simple Python list and finally call [pd.concat](http://pandas.pydata.org/pandas-docs/version/0.20/generated/pandas.concat.html) on the list to get one complete DataFrame.

In [38]:
def nested_json_to_df(fname_str):
    with open(fname_str, 'r') as f:
        l = []
        for line in f:
            if not line.strip():
                continue
            else:
                d = json.loads(line)
                if 'stats' in d.keys():
                    df_tmp = pd.json_normalize(d)
                    l.append(df_tmp)       
    return pd.concat(l, ignore_index=True)

In [39]:
eve = nested_json_to_df(DATA_HOME + 'eve_small.json')

In [40]:
eve.head()

Unnamed: 0,timestamp,event_type,stats.uptime,stats.capture.kernel_packets,stats.capture.kernel_drops,stats.decoder.pkts,stats.decoder.bytes,stats.decoder.invalid,stats.decoder.ipv4,stats.decoder.ipv6,...,stats.flow_mgr.rows_checked,stats.flow_mgr.rows_skipped,stats.flow_mgr.rows_empty,stats.flow_mgr.rows_busy,stats.flow_mgr.rows_maxlen,stats.dns.memuse,stats.dns.memcap_state,stats.dns.memcap_global,stats.http.memuse,stats.http.memcap
0,2017-04-06T18:15:19.000142+0000,stats,8,0,0,0,0,0,0,0,...,65536,65536,0,0,0,0,0,0,0,0
1,2017-04-06T18:15:27.000207+0000,stats,16,0,0,0,0,0,0,0,...,65536,65536,0,0,0,0,0,0,0,0
2,2017-04-06T18:15:34.000173+0000,stats,23,2,0,2,180,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0
3,2017-04-06T18:15:41.000203+0000,stats,30,2,0,2,180,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0
4,2017-04-06T18:15:48.000097+0000,stats,37,2,0,2,180,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0


# Exercise 5
In this exercise, you will learn how to do some basic summarization of PCAP data.  In the `data` directory, you will find a pcap file that has been converted into json format (see [https://kiminewt.github.io/pyshark/](https://kiminewt.github.io/pyshark/) for more on that) called `http-pcap.json`. 

Your assignment is to answer the following questions:
1.  What are the most frequent source IP addresses?
2.  How many differnet source ports were accessed?

To do this you will have to load this data into a DataFrame.  Using what we've learned in class, do the following:
1.  Load the data into a DataFrame using the technique of your choice
2.  Extract the requisite columns from the DataFrame, in this case, you want the source IP and source ports
3.  Execute a `value_counts()` on those columns.  

In [41]:
#Load the data
with open(DATA_HOME + 'http-pcap.json') as data_file:    
    pcap_data = json.load(data_file)

#Normalize it and load it into a DataFrame
df = pd.DataFrame( pd.json_normalize(pcap_data) )

#View the results
df.head()

Unnamed: 0,time,timestamp,IP.version,IP.ttl,IP.proto,IP.options,IP.len,IP.dst,IP.frag,IP.flags,...,DNS.opcode,DNS.rcode,DNS.ra,DNS.id,DNS.cd,DNS.an.rrname,DNS.an.rclass,DNS.an.type,DNS.an.ttl,DNS.an.rdata
0,1084443000.0,2004-05-13T10:17:07.311224,4,128,6,[],48,65.208.228.223,0,2,...,,,,,,,,,,
1,1084443000.0,2004-05-13T10:17:08.222534,4,47,6,[],48,145.254.160.237,0,2,...,,,,,,,,,,
2,1084443000.0,2004-05-13T10:17:08.222534,4,128,6,[],40,65.208.228.223,0,2,...,,,,,,,,,,
3,1084443000.0,2004-05-13T10:17:08.222534,4,128,6,[],519,65.208.228.223,0,2,...,,,,,,,,,,
4,1084443000.0,2004-05-13T10:17:08.783340,4,47,6,[],40,145.254.160.237,0,2,...,,,,,,,,,,


In [42]:
df1 = pd.read_json(DATA_HOME + 'http-pcap.json')

In [43]:
df1.sample(5)

Unnamed: 0,time,timestamp,IP,Ethernet,TCP,UDP,DNS
37,1084443000.0,2004-05-13 10:17:12.158193,"{'version': 4, 'ttl': 47, 'proto': 6, 'options...","{'src': 'fe:ff:20:00:01:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 6432, 'flags': 24, '...",,
10,1084443000.0,2004-05-13 10:17:09.864896,"{'version': 4, 'ttl': 47, 'proto': 6, 'options...","{'src': 'fe:ff:20:00:01:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 6432, 'flags': 24, '...",,
6,1084443000.0,2004-05-13 10:17:09.123830,"{'version': 4, 'ttl': 128, 'proto': 6, 'option...","{'src': '00:00:01:00:00:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 9660, 'sport': 3372,...",,
36,1084443000.0,2004-05-13 10:17:12.088092,"{'version': 4, 'ttl': 128, 'proto': 6, 'option...","{'src': '00:00:01:00:00:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 8760, 'sport': 3371,...",,
5,1084443000.0,2004-05-13 10:17:08.993643,"{'version': 4, 'ttl': 47, 'proto': 6, 'options...","{'src': 'fe:ff:20:00:01:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 6432, 'flags': 16, '...",,


In [44]:
#Extract the source port and count the unique values
df['TCP.sport'].value_counts(dropna=False)

TCP.sport
80.0      22
3372.0    16
3371.0     3
NaN        2
Name: count, dtype: int64

In [45]:
#Extract the source IP and count the unique values
df['IP.src'].value_counts(dropna=False)

IP.src
145.254.160.237    20
65.208.228.223     18
216.239.59.99       4
145.253.2.203       1
Name: count, dtype: int64