<img src="../img/GTK_Logo_Social Icon.jpg" width=175 align="right" />

# Worksheet 2.1:  Exploring Two Dimensional Data -  Answers
This worksheet covers concepts covered in Module 2 - Exploratory Data Analysis in Two Dimensions.  It should take no more than 20-30 minutes to complete.  Please raise your hand if you get stuck.  

There are many ways to accomplish the tasks that you are presented with, however you will find that by using the techniques covered in class, the exercises should be relatively simple. 

## Import the Libraries
For this exercise, we will be using:
* Pandas (http://pandas.pydata.org/pandas-docs/stable/)
* Matplotlib (http://matplotlib.org/api/pyplot_api.html)
* User Agents (https://github.com/selwin/python-user-agents)
* Apache Log Parser (https://github.com/amandasaurus/apache-log-parser)


In [2]:
import pandas as pd
import matplotlib.pyplot as plt
import json
import apache_log_parser
from user_agents import parse
plt.style.use('ggplot')
%matplotlib inline

## Exercise 2.1: Reading various forms of JSON Data
In the `/data/` folder, you will find a series of `.json` files called `dataN.json`, numbered 1-4.  Each file contains the following data:

<table>
    <tr>
        <th></th>
        <th>birthday</th>
        <th>first_name</th>
        <th>last_name</th>
    </tr>
    <tr>
        <td>0</td>
        <td>5\/3\/67</td>
        <td>Robert</td>
        <td>Hernandez</td>
    </tr>
    <tr>
        <td>1</td>
        <td>8\/4\/84</td>
        <td>Steve</td>
        <td>Smith</td>
    </tr>
    <tr>
        <td>2</td>
        <td>9\/13\/91</td>
        <td>Anne</td>
        <td>Raps</td>
    </tr>    
    <tr>
        <td>3</td>
        <td>4\/15\/75</td>
        <td>Alice</td>
        <td>Muller</td>
    </tr>    
</table>

Using the `.read_json()` function and the various configuration options, read all these files into a dataframe.  The documentation is available here: http://pandas.pydata.org/pandas-docs/stable/generated/pandas.read_json.html.

In [3]:
DATA_HOME = '../data/'
df1 = pd.read_json(DATA_HOME + 'data1.json')
df1

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


In [4]:
df2 = pd.read_json(DATA_HOME + 'data2.json', orient='index')
df2

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


In [5]:
df3 = pd.read_json(DATA_HOME + 'data3.json', orient='columns')
df3

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


In [6]:
df4 = pd.read_json(DATA_HOME + 'data4.json', orient='split')
df4

Unnamed: 0,first_name,last_name,birthday
0,Robert,Hernandez,5\/3\/67
1,Steve,Smith,8\/4\/84
2,Anne,Raps,9\/13\/91
3,Alice,Muller,4\/15\/75


## Exercise 2: 
In the data file, there is a webserver file called `hackers-access.httpd`.  For this exercise, you will use this file to answer the following questions:
1.  Which browsers are the top 10 most used browsers in this data?
2.  Which are the top 10 most used operating systems?

In order to accomplish this task, do the following:
1.  Write a function which takes a User Agent string as an argument and returns the relevant data.  HINT:  You might want to use python's `user_agents` module, the documentation for which is available here: (https://pypi.python.org/pypi/user-agents)
2.  Next, apply this function to the column which contains the user agent string.
3.  Store this series as a new column in the dataframe
4.  Count the occurances of each value in the new columns

In [7]:
#Read in the log file
line_parser = apache_log_parser.make_parser("%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"")

server_log = open(DATA_HOME + "hackers-access.httpd", "r")
parsed_server_data = []
for line in server_log:
    data = {}
    data = line_parser(line)
    parsed_server_data.append( data )

server_df = pd.DataFrame( parsed_server_data  )

In [8]:
server_df.sample()

Unnamed: 0,remote_host,remote_logname,remote_user,time_received,time_received_datetimeobj,time_received_isoformat,time_received_tz_datetimeobj,time_received_tz_isoformat,time_received_utc_datetimeobj,time_received_utc_isoformat,...,request_url_password,request_url_hostname,request_url_port,request_url_query_dict,request_url_query_list,request_url_query_simple_dict,status,response_bytes_clf,request_header_referer,request_header_user_agent
264,113.215.0.130,-,-,[25/Oct/2015:14:25:42 +0100],2015-10-25 14:25:42,2015-10-25T14:25:42,2015-10-25 14:25:42+01:00,2015-10-25T14:25:42+01:00,2015-10-25 13:25:42+00:00,2015-10-25T13:25:42+00:00,...,,howto.basjes.nl,,{},[],{},200,11114,http://howto.basjes.nl/,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...
892,216.244.81.34,-,-,[26/Oct/2015:13:44:22 +0100],2015-10-26 13:44:22,2015-10-26T13:44:22,2015-10-26 13:44:22+01:00,2015-10-26T13:44:22+01:00,2015-10-26 12:44:22+00:00,2015-10-26T12:44:22+00:00,...,,,,{'came_from': ['http://niels.basjes.nl/join_fo...,"[(came_from, http://niels.basjes.nl/join_form)]",{'came_from': 'http://niels.basjes.nl/join_form'},200,11793,http://niels.basjes.nl/,Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20...
1818,104.144.19.69,-,-,[28/Oct/2015:03:00:55 +0100],2015-10-28 03:00:55,2015-10-28T03:00:55,2015-10-28 03:00:55+01:00,2015-10-28T03:00:55+01:00,2015-10-28 02:00:55+00:00,2015-10-28T02:00:55+00:00,...,,,,{},[],{},200,11114,http://howto.basjes.nl/,Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.3...
757,216.244.81.34,-,-,[26/Oct/2015:10:42:45 +0100],2015-10-26 10:42:45,2015-10-26T10:42:45,2015-10-26 10:42:45+01:00,2015-10-26T10:42:45+01:00,2015-10-26 09:42:45+00:00,2015-10-26T09:42:45+00:00,...,,,,{},[],{},200,20622,http://niels.basjes.nl/,Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20...
1968,198.23.149.114,-,-,[28/Oct/2015:10:23:44 +0100],2015-10-28 10:23:44,2015-10-28T10:23:44,2015-10-28 10:23:44+01:00,2015-10-28T10:23:44+01:00,2015-10-28 09:23:44+00:00,2015-10-28T09:23:44+00:00,...,,,,{'came_from': ['http://niels.basjes.nl/join_fo...,"[(came_from, http://niels.basjes.nl/join_form)]",{'came_from': 'http://niels.basjes.nl/join_form'},200,11793,http://niels.basjes.nl/join_form,Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.3...


In [9]:
#Write the functions
def get_os(x):
    user_agent = parse(x)
    return user_agent.os.family

def get_browser(x):
    user_agent = parse(x)
    return user_agent.browser.family

In [10]:
#Apply the functions to the dataframe
server_df['os'] = server_df['request_header_user_agent'].apply( get_os )
server_df['browser'] = server_df['request_header_user_agent'].apply( get_browser )

In [11]:
server_df.sample(5)

Unnamed: 0,remote_host,remote_logname,remote_user,time_received,time_received_datetimeobj,time_received_isoformat,time_received_tz_datetimeobj,time_received_tz_isoformat,time_received_utc_datetimeobj,time_received_utc_isoformat,...,request_url_port,request_url_query_dict,request_url_query_list,request_url_query_simple_dict,status,response_bytes_clf,request_header_referer,request_header_user_agent,os,browser
277,216.158.196.63,-,-,[25/Oct/2015:16:02:58 +0100],2015-10-25 16:02:58,2015-10-25T16:02:58,2015-10-25 16:02:58+01:00,2015-10-25T16:02:58+01:00,2015-10-25 15:02:58+00:00,2015-10-25T15:02:58+00:00,...,,{},[],{},200,24323,http://howto.basjes.nl/,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...,Windows,Firefox
642,180.180.108.189,-,-,[26/Oct/2015:07:29:25 +0100],2015-10-26 07:29:25,2015-10-26T07:29:25,2015-10-26 07:29:25+01:00,2015-10-26T07:29:25+01:00,2015-10-26 06:29:25+00:00,2015-10-26T06:29:25+00:00,...,,{},[],{},200,11114,http://howto.basjes.nl/,Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20...,Windows,Firefox
1700,190.63.175.247,-,-,[27/Oct/2015:21:32:56 +0100],2015-10-27 21:32:56,2015-10-27T21:32:56,2015-10-27 21:32:56+01:00,2015-10-27T21:32:56+01:00,2015-10-27 20:32:56+00:00,2015-10-27T20:32:56+00:00,...,,{},[],{},200,11620,http://niels.basjes.nl/,Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.3...,Windows,Chrome
336,104.254.212.109,-,-,[25/Oct/2015:18:01:11 +0100],2015-10-25 18:01:11,2015-10-25T18:01:11,2015-10-25 18:01:11+01:00,2015-10-25T18:01:11+01:00,2015-10-25 17:01:11+00:00,2015-10-25T17:01:11+00:00,...,,{},[],{},302,10170,http://niels.basjes.nl/join_form,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...,Windows,Firefox
1508,89.32.251.222,-,-,[27/Oct/2015:15:19:05 +0100],2015-10-27 15:19:05,2015-10-27T15:19:05,2015-10-27 15:19:05+01:00,2015-10-27T15:19:05+01:00,2015-10-27 14:19:05+00:00,2015-10-27T14:19:05+00:00,...,,{},[],{},200,11620,http://niels.basjes.nl/,Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.3...,Windows,Chrome


In [12]:
#Get the top 10 values
server_df['os'].value_counts().head(10)

os
Windows      3185
Linux         125
Mac OS X       80
Chrome OS      60
Ubuntu          6
Name: count, dtype: int64

In [13]:
server_df['browser'].value_counts().head(10)

browser
Firefox    1476
Chrome      789
Opera       556
Dragon      533
IE           78
Safari       24
Name: count, dtype: int64

# Exercise 3:
Using the `dailybots.csv` film, read the file into a DataFrame and perform the following operations:
1.  Filter the DataFrame to include bots from the Government/Politics Industry.
2.  Calculate the ratio of hosts to orgs and add this as a column to the DataFrame and output the result

In [21]:
bots_df = pd.read_csv(DATA_HOME + 'dailybots.csv')
bots_df.sample(5)

Unnamed: 0,date,botfam,industry,hosts,orgs
4630,2016-08-23,zeroaccess,Education,26,15
1291,2016-06-23,zeroaccess,Retail,220,7
4911,2016-08-28,Zusy,Retail,290,2
1410,2016-06-25,Zusy,Finance,22,6
534,2016-06-10,PushDo,Government/Politics,16,2


In [22]:
gov_df = bots_df[bots_df['industry'] == "Government/Politics"]

In [23]:
gov_df.sample(5)

Unnamed: 0,date,botfam,industry,hosts,orgs
1043,2016-06-19,PushDo,Government/Politics,1,1
3099,2016-07-26,Necurs,Government/Politics,220,12
4414,2016-08-19,PushDo,Government/Politics,78,1
4285,2016-08-17,Bedep,Government/Politics,14,6
3776,2016-08-07,Ramnit,Government/Politics,13,3


In [24]:
gov_df['ratio'] = gov_df['hosts'] / gov_df['orgs']
gov_df.sample(5)



A value is trying to be set on a copy of a slice from a DataFrame.
Try using .loc[row_indexer,col_indexer] = value instead

See the caveats in the documentation: https://pandas.pydata.org/pandas-docs/stable/user_guide/indexing.html#returning-a-view-versus-a-copy
  gov_df['ratio'] = gov_df['hosts'] / gov_df['orgs']


Unnamed: 0,date,botfam,industry,hosts,orgs,ratio
166,2016-06-03,Zusy,Government/Politics,2,2,1.0
4920,2016-08-29,ConfickerAB,Government/Politics,376,36,10.444444
1623,2016-06-29,zeroaccess,Government/Politics,13,6,2.166667
1953,2016-07-05,Sality,Government/Politics,29,9,3.222222
3936,2016-08-10,PushDo,Government/Politics,11,3,3.666667


# Exercise 4:

Read a more ```evil``` JSON ```eve_small.json```, where each line contains a nested JSON object. Derive one DataFrame, where all levels for the ```stats``` key are expanded to a top level column of that DataFrame. Easiest is to natively open the file in Python, loop over each line, use [json.loads](https://docs.python.org/3.5/library/json.html) from the json library, and then [json_normalize](http://pandas.pydata.org/pandas-docs/stable/generated/pandas.io.json.json_normalize.html) to expand the nested structure to top-level columns, append to a simple Python list and finally call [pd.concat](http://pandas.pydata.org/pandas-docs/version/0.20/generated/pandas.concat.html) on the list to get one complete DataFrame.

In [25]:
def nested_json_to_df(fname_str):
    with open(fname_str, 'r') as f:
        l = []
        for line in f:
            if not line.strip():
                continue
            else:
                d = json.loads(line)
                if 'stats' in d.keys():
                    df_tmp = pd.json_normalize(d)
                    l.append(df_tmp)       
    return pd.concat(l, ignore_index=True)

In [26]:
eve = nested_json_to_df(DATA_HOME + 'eve_small.json')

In [28]:
eve.sample(5)

Unnamed: 0,timestamp,event_type,stats.uptime,stats.capture.kernel_packets,stats.capture.kernel_drops,stats.decoder.pkts,stats.decoder.bytes,stats.decoder.invalid,stats.decoder.ipv4,stats.decoder.ipv6,...,stats.flow_mgr.rows_checked,stats.flow_mgr.rows_skipped,stats.flow_mgr.rows_empty,stats.flow_mgr.rows_busy,stats.flow_mgr.rows_maxlen,stats.dns.memuse,stats.dns.memcap_state,stats.dns.memcap_global,stats.http.memuse,stats.http.memcap
62,2017-04-06T18:22:34.000120+0000,stats,443,23,0,23,1062,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0
54,2017-04-06T18:21:38.000195+0000,stats,387,20,0,20,936,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0
57,2017-04-06T18:21:59.000112+0000,stats,408,20,0,20,936,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0
88,2017-04-06T18:25:36.000173+0000,stats,625,32,0,32,1440,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0
89,2017-04-06T18:25:43.000208+0000,stats,632,32,0,32,1440,0,0,2,...,65536,65536,0,0,0,0,0,0,0,0


# Exercise 5
In this exercise, you will learn how to convert a PCAP file into JSON and do some basic summarization of the data.  In the `data` directory, you will find a file called `http.pcap`.  Our first step is to convert this to JSON.  To do this we have installed a python module called `pcapview` (docs available here: https://pydigger.com/pypi/pcapview) which can convert the pcap file to JSON.  

Once you've done that, your assignment is to answer the following questions:
1.  What are the most frequent source IP addresses?
2.  How many differnet source ports were accessed?

To do this you will have to load this data into a DataFrame.  Using what we've learned in class, do the following:
1.  Load the data into a DataFrame using the technique of your choice
2.  Extract the requisite columns from the DataFrame, in this case, you want the source IP and source ports
3.  Execute a `value_counts()` on those columns.  

In [29]:
#Load the data
with open(DATA_HOME + 'http-pcap.json') as data_file:    
    pcap_data = json.load(data_file)

#Normalize it and load it into a DataFrame
df = pd.DataFrame( pd.json_normalize(pcap_data) )

#View the results
df.head()

Unnamed: 0,time,timestamp,IP.version,IP.ttl,IP.proto,IP.options,IP.len,IP.dst,IP.frag,IP.flags,...,DNS.opcode,DNS.rcode,DNS.ra,DNS.id,DNS.cd,DNS.an.rrname,DNS.an.rclass,DNS.an.type,DNS.an.ttl,DNS.an.rdata
0,1084443000.0,2004-05-13T10:17:07.311224,4,128,6,[],48,65.208.228.223,0,2,...,,,,,,,,,,
1,1084443000.0,2004-05-13T10:17:08.222534,4,47,6,[],48,145.254.160.237,0,2,...,,,,,,,,,,
2,1084443000.0,2004-05-13T10:17:08.222534,4,128,6,[],40,65.208.228.223,0,2,...,,,,,,,,,,
3,1084443000.0,2004-05-13T10:17:08.222534,4,128,6,[],519,65.208.228.223,0,2,...,,,,,,,,,,
4,1084443000.0,2004-05-13T10:17:08.783340,4,47,6,[],40,145.254.160.237,0,2,...,,,,,,,,,,


In [30]:
df1 = pd.read_json(DATA_HOME + 'http-pcap.json')

In [31]:
df1.sample(5)

Unnamed: 0,time,timestamp,IP,Ethernet,TCP,UDP,DNS
30,1084443000.0,2004-05-13 10:17:11.537300,"{'version': 4, 'ttl': 47, 'proto': 6, 'options...","{'src': 'fe:ff:20:00:01:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 6432, 'flags': 16, '...",,
29,1084443000.0,2004-05-13 10:17:11.527286,"{'version': 4, 'ttl': 128, 'proto': 6, 'option...","{'src': '00:00:01:00:00:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 9660, 'sport': 3372,...",,
9,1084443000.0,2004-05-13 10:17:09.754737,"{'version': 4, 'ttl': 47, 'proto': 6, 'options...","{'src': 'fe:ff:20:00:01:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 6432, 'flags': 16, '...",,
22,1084443000.0,2004-05-13 10:17:10.946451,"{'version': 4, 'ttl': 47, 'proto': 6, 'options...","{'src': 'fe:ff:20:00:01:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 6432, 'flags': 16, '...",,
23,1084443000.0,2004-05-13 10:17:10.956465,"{'version': 4, 'ttl': 55, 'proto': 6, 'options...","{'src': 'fe:ff:20:00:01:00', 'type': 2048, 'ds...","{'reserved': 0, 'window': 31460, 'sport': 80, ...",,


In [32]:
#Extract the source port and count the unique values
df['TCP.sport'].value_counts(dropna=False)

TCP.sport
80.0      22
3372.0    16
3371.0     3
NaN        2
Name: count, dtype: int64

In [33]:
#Extract the source IP and count the unique values
df['IP.src'].value_counts(dropna=False)

IP.src
145.254.160.237    20
65.208.228.223     18
216.239.59.99       4
145.253.2.203       1
Name: count, dtype: int64