To run these examples, [Python pandas](https://github.com/pandas-dev/pandas) is needed to be present in your Python (venv) installation:  
`pip install pandas`

## The Problem

Unfortunately, the CSV data of CICIDS 2017 has some problems that need to be tackled before being able to reliably use it.  
The main problems:  
- Monday has a different timestamp format as the other days
- The timestamps are neither in 24h format nor in 12h AM/PM format, rendering all dataset parts after noon unusable  
- The CSV headers contain spaces (middle/leading/training) and special chars like forward slashes
- Thursday morning contains empty datasets for the last 288.602 entries

Let's have a look at the data itself

In [1]:
from datetime import datetime
import pandas as pd

# This sets pandas to display *all* colums - double check with your jupyter install that this works!
pd.set_option('display.max_columns', None)

In [3]:
thursday_morn_df = pd.read_csv("CICIDS2017/Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv",dtype=str,encoding="ISO-8859-1",nrows=3)
thursday_morn_df.head(3)

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,Bwd Packet Length Max,Bwd Packet Length Min,Bwd Packet Length Mean,Bwd Packet Length Std,Flow Bytes/s,Flow Packets/s,Flow IAT Mean,Flow IAT Std,Flow IAT Max,Flow IAT Min,Fwd IAT Total,Fwd IAT Mean,Fwd IAT Std,Fwd IAT Max,Fwd IAT Min,Bwd IAT Total,Bwd IAT Mean,Bwd IAT Std,Bwd IAT Max,Bwd IAT Min,Fwd PSH Flags,Bwd PSH Flags,Fwd URG Flags,Bwd URG Flags,Fwd Header Length,Bwd Header Length,Fwd Packets/s,Bwd Packets/s,Min Packet Length,Max Packet Length,Packet Length Mean,Packet Length Std,Packet Length Variance,FIN Flag Count,SYN Flag Count,RST Flag Count,PSH Flag Count,ACK Flag Count,URG Flag Count,CWE Flag Count,ECE Flag Count,Down/Up Ratio,Average Packet Size,Avg Fwd Segment Size,Avg Bwd Segment Size,Fwd Header Length.1,Fwd Avg Bytes/Bulk,Fwd Avg Packets/Bulk,Fwd Avg Bulk Rate,Bwd Avg Bytes/Bulk,Bwd Avg Packets/Bulk,Bwd Avg Bulk Rate,Subflow Fwd Packets,Subflow Fwd Bytes,Subflow Bwd Packets,Subflow Bwd Bytes,Init_Win_bytes_forward,Init_Win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,192.168.10.3-192.168.10.50-389-33898-6,192.168.10.50,33898,192.168.10.3,389,6,6/7/2017 8:59,113095465,48,24,9668,10012,403,0,201.4166667,203.5482935,923,316,417.1666667,231.0809507,174.0122825,0.636630302,1592893.873,4597264.595,16500000.0,3,113000000.0,2406286.489,5491986.114,16500000.0,3,113000000.0,4917177.522,7084368.263,16500000.0,3,1,0,0,0,1536,768,0.424420201,0.212210101,0,923,275.109589,233.8332479,54677.98782,0,1,0,0,1,0,0,0,0,278.9305556,201.4166667,417.1666667,1536,0,0,0,0,0,0,48,9668,24,10012,571,2079,23,32,203985.5,575837.2562,1629110.0,379,13800000.0,4277541.062,16500000.0,6737603,BENIGN
1,192.168.10.3-192.168.10.50-389-33904-6,192.168.10.50,33904,192.168.10.3,389,6,6/7/2017 8:59,113473706,68,40,11364,12718,403,0,167.1176471,171.9194127,1139,126,317.95,208.2612942,212.2253767,0.95176234,1060501.925,3813685.451,16500000.0,2,113000000.0,1693637.403,4719143.265,16500000.0,2,113000000.0,2908399.744,5922355.273,16500000.0,3,1,0,0,0,2176,1280,0.59925777,0.352504571,0,1139,224.6330275,198.999612,39600.84557,0,1,0,0,1,0,0,0,0,226.712963,167.1176471,317.95,2176,0,0,0,0,0,0,68,11364,40,12718,390,2081,39,32,178326.875,503426.946,1424245.0,325,13800000.0,4229413.12,16500000.0,6945512,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0,8.0.6.4,0,0,6/7/2017 8:59,119945515,150,0,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,1.25056781,805003.4564,5277836.772,60100000.0,0,120000000.0,805003.4564,5277836.772,60100000.0,0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,0,1.25056781,0.0,0,0,0.0,0.0,0.0,0,0,0,0,0,0,0,0,0,0.0,0.0,0.0,0,0,0,0,0,0,0,150,0,0,0,-1,-1,0,0,6909777.333,11700000.0,20400000.0,6,24400000.0,24300000.0,60100000.0,5702188,BENIGN


In [4]:
thursday_aft_df = pd.read_csv("CICIDS2017/Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX.csv",dtype=str,encoding="ISO-8859-1",nrows=3)
thursday_aft_df.head(3)

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,Bwd Packet Length Max,Bwd Packet Length Min,Bwd Packet Length Mean,Bwd Packet Length Std,Flow Bytes/s,Flow Packets/s,Flow IAT Mean,Flow IAT Std,Flow IAT Max,Flow IAT Min,Fwd IAT Total,Fwd IAT Mean,Fwd IAT Std,Fwd IAT Max,Fwd IAT Min,Bwd IAT Total,Bwd IAT Mean,Bwd IAT Std,Bwd IAT Max,Bwd IAT Min,Fwd PSH Flags,Bwd PSH Flags,Fwd URG Flags,Bwd URG Flags,Fwd Header Length,Bwd Header Length,Fwd Packets/s,Bwd Packets/s,Min Packet Length,Max Packet Length,Packet Length Mean,Packet Length Std,Packet Length Variance,FIN Flag Count,SYN Flag Count,RST Flag Count,PSH Flag Count,ACK Flag Count,URG Flag Count,CWE Flag Count,ECE Flag Count,Down/Up Ratio,Average Packet Size,Avg Fwd Segment Size,Avg Bwd Segment Size,Fwd Header Length.1,Fwd Avg Bytes/Bulk,Fwd Avg Packets/Bulk,Fwd Avg Bulk Rate,Bwd Avg Bytes/Bulk,Bwd Avg Packets/Bulk,Bwd Avg Bulk Rate,Subflow Fwd Packets,Subflow Fwd Bytes,Subflow Bwd Packets,Subflow Bwd Bytes,Init_Win_bytes_forward,Init_Win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.12,60148,192.168.10.50,22,6,6/7/2017 1:00,166,1,1,0,0,0,0,0,0,0,0,0,0,0.0,12048.19277,166.0,0.0,166,166,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,6024.096386,6024.096386,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,32,0,0,0,0,0,0,1,0,1,0,290,243,0,32,0,0,0,0,0,0,0,0,BENIGN
1,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.50,22,192.168.10.12,60148,6,6/7/2017 1:00,83,1,2,0,0,0,0,0,0,0,0,0,0,0.0,36144.57831,41.5,10.60660172,49,34,0,0,0,0,0,49,49,0,49,49,0,0,0,0,32,64,12048.19277,24096.38554,0,0,0,0,0,0,0,0,0,1,1,0,0,2,0,0,0,32,0,0,0,0,0,0,1,0,2,0,243,290,0,32,0,0,0,0,0,0,0,0,BENIGN
2,192.168.10.12-91.189.89.199-123-123-17,192.168.10.12,123,91.189.89.199,123,17,6/7/2017 1:00,99947,1,1,48,48,48,48,48,0,48,48,48,0,960.5090698,20.01060562,99947.0,0.0,99947,99947,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,40,10.00530281,10.00530281,48,48,48,0,0,0,0,0,0,0,0,0,0,1,72,48,48,40,0,0,0,0,0,0,1,48,1,48,-1,-1,0,40,0,0,0,0,0,0,0,0,BENIGN


As one can observe, the timestamp format that is used on monay isn't used on the other days.  
Instad, an inconsistent format string is applied that leaves afternoon data unusable.  
The need for data sanitization is given.

As we need to treat every file a bit different, there is no easy way of automating the needed transformations.  
As I want to stay as interoperable as possible, I am going to convert all timestamps to ISO8601 format.  
Before transforming the data itself, it would be advisable to build a working CSV header

### Towards a sane CSV header

We are going to transform the header into a more useable format. The following steps will be applied:  
- Remove leading and trailing whitespace
- Convert all colum names to lowercase
- Replace connecting whitespaces with underscores
- Replace forward slashed with `_per_` to avoid dealing with encoding or escaping issues

In [18]:
header="Flow ID, Source IP, Source Port, Destination IP, Destination Port, Protocol, Timestamp, Flow Duration, Total Fwd Packets, Total Backward Packets,Total Length of Fwd Packets, Total Length of Bwd Packets, Fwd Packet Length Max, Fwd Packet Length Min, Fwd Packet Length Mean, Fwd Packet Length Std,Bwd Packet Length Max, Bwd Packet Length Min, Bwd Packet Length Mean, Bwd Packet Length Std,Flow Bytes/s, Flow Packets/s, Flow IAT Mean, Flow IAT Std, Flow IAT Max, Flow IAT Min,Fwd IAT Total, Fwd IAT Mean, Fwd IAT Std, Fwd IAT Max, Fwd IAT Min,Bwd IAT Total, Bwd IAT Mean, Bwd IAT Std, Bwd IAT Max, Bwd IAT Min,Fwd PSH Flags, Bwd PSH Flags, Fwd URG Flags, Bwd URG Flags, Fwd Header Length, Bwd Header Length,Fwd Packets/s, Bwd Packets/s, Min Packet Length, Max Packet Length, Packet Length Mean, Packet Length Std, Packet Length Variance,FIN Flag Count, SYN Flag Count, RST Flag Count, PSH Flag Count, ACK Flag Count, URG Flag Count, CWE Flag Count, ECE Flag Count, Down/Up Ratio, Average Packet Size, Avg Fwd Segment Size, Avg Bwd Segment Size, Fwd Header Length,Fwd Avg Bytes/Bulk, Fwd Avg Packets/Bulk, Fwd Avg Bulk Rate, Bwd Avg Bytes/Bulk, Bwd Avg Packets/Bulk,Bwd Avg Bulk Rate,Subflow Fwd Packets, Subflow Fwd Bytes, Subflow Bwd Packets, Subflow Bwd Bytes,Init_Win_bytes_forward, Init_Win_bytes_backward, act_data_pkt_fwd, min_seg_size_forward,Active Mean, Active Std, Active Max, Active Min,Idle Mean, Idle Std, Idle Max, Idle Min, Label"
header=header.split(',')
header = list(map(str.strip, header))
header = list(map(str.lower, header))
header = list(map(lambda s: s.replace(' ', '_'), header))
header = list(map(lambda s: s.replace('/', '_per_'), header))
ddos_header = header
ddos_header.append('external_ip')
print(",".join(ddos_header))


flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segm

### Updating the headers

We are now ready to update the headers in the original CSV files.  
As we don't want to touch originals, we are creating a new file with the extension `_clean` on which we will continue to work

In [17]:
import csv
import os

for filename in os.listdir('CICIDS2017'): # this is where the CIC CSV files live
    if filename.endswith('.csv'):
        inputFileName = os.path.join('CICIDS2017', filename)
        outputFileName = os.path.join('CICIDS2017', os.path.splitext(filename)[0] +"_clean.csv")
        print("Opening", inputFileName)
        
        with open(inputFileName, newline='') as inputFile, open(outputFileName, 'w', newline='') as outfile:

            r = csv.reader(inputFile)
            w = csv.writer(outfile)

            print("Writing new header")
            next(r, None) # skip the header of the original file
            w.writerow(header)

            print("Copying remaining file")
            for row in r:
                w.writerow(row)

Opening CICIDS2017\Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv
Writing new header
Copying remaining file
Opening CICIDS2017\Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX.csv
Writing new header
Copying remaining file
Opening CICIDS2017\Friday-WorkingHours-Morning.pcap_ISCX.csv
Writing new header
Copying remaining file
Opening CICIDS2017\Monday-WorkingHours.pcap_ISCX.csv
Writing new header
Copying remaining file
Opening CICIDS2017\Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX.csv
Writing new header
Copying remaining file
Opening CICIDS2017\Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv
Writing new header
Copying remaining file
Opening CICIDS2017\Tuesday-WorkingHours.pcap_ISCX.csv
Writing new header
Copying remaining file
Opening CICIDS2017\Wednesday-workingHours.pcap_ISCX.csv
Writing new header
Copying remaining file


## Transforming the Datasets

### Monday

The monday timestamps are best converted to a datetimesamp and then updated accordingly.

In [2]:
# open the cleaned version with sane headers. This time, open the full csv
monday_df = pd.read_csv('CICIDS2017/Monday-WorkingHours.pcap_ISCX_clean.csv',dtype=str)

# Let's have a look first, shall we?
monday_df.tail(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
529915,192.168.10.3-192.168.10.9-53-51801-17,192.168.10.9,51801,192.168.10.3,53,17,2017-07-03T15:24:07,154,2,2,64.0,96.0,32.0,32.0,32.0,0.0,48.0,48.0,48.0,0.0,1038961.0389610388,25974.02597402597,51.333333333333336,50.63924696649165,104.0,3.0,3.0,3.0,0.0,3.0,3.0,47.0,47.0,0.0,47.0,47.0,0,0,0,0,64,64,12987.012987012988,12987.012987012988,32.0,48.0,38.4,8.763560920082657,76.8,0,0,0,0,0,0,0,0,1.0,48.0,32.0,48.0,64,0,0,0,0,0,0,2,64,2,96,-1,-1,1,32,0,0,0,0,0,0,0,0,BENIGN
529916,192.168.10.3-192.168.10.14-53-57949-17,192.168.10.14,57949,192.168.10.3,53,17,2017-07-03T13:03:43,155,2,2,80.0,144.0,40.0,40.0,40.0,0.0,72.0,72.0,72.0,0.0,1445161.2903225806,25806.451612903227,51.66666666666667,83.42861219829402,148.0,3.0,3.0,3.0,0.0,3.0,3.0,4.0,4.0,0.0,4.0,4.0,0,0,0,0,40,40,12903.225806451614,12903.225806451614,40.0,72.0,52.8,17.527121840165314,307.2,0,0,0,0,0,0,0,0,1.0,66.0,40.0,72.0,40,0,0,0,0,0,0,2,80,2,144,-1,-1,1,20,0,0,0,0,0,0,0,0,BENIGN
529917,172.217.10.129-192.168.10.25-443-52400-6,172.217.10.129,443,192.168.10.25,52400,6,2017-07-03T10:34:39,18,1,1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,111111.11111111112,18.0,0.0,18.0,18.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,32,32,55555.55555555556,55555.55555555556,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1.0,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,357,65535,0,32,0,0,0,0,0,0,0,0,BENIGN


In [47]:
# Now convert every single timestamp
def calc_timestamp(timestamp):
    new_time = datetime.strptime(timestamp, '%d/%m/%Y %H:%M:%S')
    
    # convert any hour between 13 and 17 o'clock into their 24h-pendant
    # as the captures run from 08:00 to 17:00 o'clock
    if new_time.hour in range(1,8): 
        hour24 = new_time.hour + 12
        new_time=new_time.replace(hour=hour24)
    return new_time.isoformat()

monday_df['timestamp'] = monday_df.timestamp.apply(calc_timestamp)

In [48]:
# Make sure that the timestamp is converted nicely
monday_df.tail(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
529915,192.168.10.3-192.168.10.9-53-51801-17,192.168.10.9,51801,192.168.10.3,53,17,2017-07-03T15:24:07,154,2,2,64.0,96.0,32.0,32.0,32.0,0.0,48.0,48.0,48.0,0.0,1038961.0389610388,25974.02597402597,51.333333333333336,50.63924696649165,104.0,3.0,3.0,3.0,0.0,3.0,3.0,47.0,47.0,0.0,47.0,47.0,0,0,0,0,64,64,12987.012987012988,12987.012987012988,32.0,48.0,38.4,8.763560920082657,76.8,0,0,0,0,0,0,0,0,1.0,48.0,32.0,48.0,64,0,0,0,0,0,0,2,64,2,96,-1,-1,1,32,0,0,0,0,0,0,0,0,BENIGN
529916,192.168.10.3-192.168.10.14-53-57949-17,192.168.10.14,57949,192.168.10.3,53,17,2017-07-03T13:03:43,155,2,2,80.0,144.0,40.0,40.0,40.0,0.0,72.0,72.0,72.0,0.0,1445161.2903225806,25806.451612903227,51.66666666666667,83.42861219829402,148.0,3.0,3.0,3.0,0.0,3.0,3.0,4.0,4.0,0.0,4.0,4.0,0,0,0,0,40,40,12903.225806451614,12903.225806451614,40.0,72.0,52.8,17.527121840165314,307.2,0,0,0,0,0,0,0,0,1.0,66.0,40.0,72.0,40,0,0,0,0,0,0,2,80,2,144,-1,-1,1,20,0,0,0,0,0,0,0,0,BENIGN
529917,172.217.10.129-192.168.10.25-443-52400-6,172.217.10.129,443,192.168.10.25,52400,6,2017-07-03T10:34:39,18,1,1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,111111.11111111112,18.0,0.0,18.0,18.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,32,32,55555.55555555556,55555.55555555556,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1.0,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,357,65535,0,32,0,0,0,0,0,0,0,0,BENIGN


In [49]:
# If everything went well, save changes to disk
monday_df.to_csv('CICIDS2017/Monday-WorkingHours.pcap_ISCX_clean.csv',index=False)

### Tuesday

The tuesday timestamps are different from mondays', so we need to update the date function.

In [26]:
# open the cleaned version with sane headers. This time, open the full csv
tuesday_df = pd.read_csv('CICIDS2017/Tuesday-WorkingHours.pcap_ISCX_clean.csv')

# Let's have a look first, shall we?
tuesday_df.iloc[277224]

  interactivity=interactivity, compiler=compiler, result=result)


flow_id                        192.168.10.25-104.84.148.123-64480-443-6
source_ip                                                104.84.148.123
source_port                                                         443
destination_ip                                            192.168.10.25
destination_port                                                  64480
protocol                                                              6
timestamp                                           2017-07-04T17:00:00
flow_duration                                                       104
total_fwd_packets                                                     1
total_backward_packets                                                1
total_length_of_fwd_packets                                           0
total_length_of_bwd_packets                                           0
fwd_packet_length_max                                                 0
fwd_packet_length_min                                           

As one can observe, the timestamp needs fixing.

In [73]:
# Now convert every single timestamp
def calc_new_timestamp(timestamp):
    new_time = datetime.strptime(timestamp, '%d/%m/%Y %H:%M')
    
    # convert any hour between 13 and 17 o'clock into their 24h-pendant
    # as the captures run from 08:00 to 17:00 o'clock
    if new_time.hour in range(1,8): 
        hour24 = new_time.hour + 12
        new_time=new_time.replace(hour=hour24)
    return new_time.isoformat()

tuesday_df['timestamp'] = tuesday_df.timestamp.apply(calc_new_timestamp)

This should have fixed the different timestamp as well as converted everything to 24h-format:

In [74]:
print(tuesday_df.iloc[277224][6])

2017-07-04T17:00:00


In [27]:
# Besides the timestamp, the attack labels don't look too good either
tuesday_df['label'].unique()

array(['BENIGN', 'FTP-Patator', 'SSH-Patator'], dtype=object)

In [30]:
tuesday_df['label'] = tuesday_df['label'].str.replace('FTP-Patator', 'FTPPatator')
tuesday_df['label'] = tuesday_df['label'].str.replace('SSH-Patator', 'SSHPatator')

In [31]:
tuesday_df['label'].unique()

array(['BENIGN', 'FTPPatator', 'SSHPatator'], dtype=object)

In [32]:
# If everything went well, save changes to disk
tuesday_df.to_csv('CICIDS2017/Tuesday-WorkingHours.pcap_ISCX_clean.csv',index=False)

### Wednesday

The tuesday timestamps are different from mondays', so we need to update the date function.

In [20]:
# open the cleaned version with sane headers. This time, open the full csv
wednesday_df = pd.read_csv('CICIDS2017/Wednesday-workingHours.pcap_ISCX_clean.csv',dtype=str)

# Let's have a look first, shall we?
wednesday_df.iloc[55521]

flow_id                        172.16.0.1-192.168.10.51-443-52244-6
source_ip                                                172.16.0.1
source_port                                                     443
destination_ip                                        192.168.10.51
destination_port                                              52244
protocol                                                          6
timestamp                                       2017-07-05T13:43:00
flow_duration                                                    49
total_fwd_packets                                                 2
total_backward_packets                                            0
total_length_of_fwd_packets                                      12
total_length_of_bwd_packets                                       0
fwd_packet_length_max                                             6
fwd_packet_length_min                                             6
fwd_packet_length_mean                          

As one can observe, the timestamp needs fixing.

In [81]:
wednesday_df['timestamp'] = wednesday_df.timestamp.apply(calc_new_timestamp)

This should have fixed the different timestamp as well as converted everything to 24h-format:

In [83]:
print(wednesday_df.iloc[55521][6])

2017-07-05T13:43:00


In [22]:
# Besides the timestamp, the attack labels don't look too good either
wednesday_df['label'].unique()

array(['BENIGN', 'DoS slowloris', 'DoS Slowhttptest', 'DoS Hulk',
       'DoS GoldenEye', 'Heartbleed'], dtype=object)

In [23]:
wednesday_df['label'] = wednesday_df['label'].str.replace('DoS slowloris', 'DoSSlowloris')
wednesday_df['label'] = wednesday_df['label'].str.replace('DoS Slowhttptest', 'DoSSlowhttptest')
wednesday_df['label'] = wednesday_df['label'].str.replace('DoS Hulk', 'DoSHulk')
wednesday_df['label'] = wednesday_df['label'].str.replace('DoS GoldenEye', 'DoSGoldenEye')

In [24]:
wednesday_df['label'].unique()

array(['BENIGN', 'DoSSlowloris', 'DoSSlowhttptest', 'DoSHulk',
       'DoSGoldenEye', 'Heartbleed'], dtype=object)

In [25]:
# If everything went well, save changes to disk
wednesday_df.to_csv('CICIDS2017/Wednesday-workingHours.pcap_ISCX_clean.csv',index=False)

### Thursday

Thursday is split into two files - with the morning dataset having issues that values are empty.  
These empty lines have been trimmed manually.

#### Morning

In [3]:
# open the cleaned version with sane headers. This time, open the full csv
thursday_morn_df = pd.read_csv('CICIDS2017/Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX_clean.csv',dtype=str,encoding='latin1')

In [7]:
thursday_morn_df.tail(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
170363,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.12,60148,192.168.10.50,22,6,2017-07-06T12:59:00,1387547,41,46,2728,6634,456,0,66.53658537,110.1299454,976,0,144.2173913,307.9139788,6747.158835,62.70057879,16134.26744,105060.7081,955521,0,1387547,34688.675,160875.9581,997428,0,431936,9598.577778,31464.52951,199711,1,0,0,0,0,1328,1488,29.54854863,33.15203017,0,976,106.3863636,237.1744802,56251.73406,0,0,0,1,0,0,0,0,1,107.6091954,66.53658537,144.2173913,1328,0,0,0,0,0,0,41,2728,46,6634,29200,243,24,32,0,0,0,0,0,0,0,0,BENIGN
170364,192.168.10.12-192.168.10.50-60146-22-6,192.168.10.12,60146,192.168.10.50,22,6,2017-07-06T12:59:00,207,1,1,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,9661.835749,207.0,0.0,207,207,0,0.0,0.0,0,0,0,0.0,0.0,0,0,0,0,0,0,32,32,4830.917874,4830.917874,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,290,243,0,32,0,0,0,0,0,0,0,0,BENIGN
170365,192.168.10.12-192.168.10.50-60146-22-6,192.168.10.50,22,192.168.10.12,60146,6,2017-07-06T12:59:00,50,1,2,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,60000.0,25.0,33.9411255,49,1,0,0.0,0.0,0,0,1,1.0,0.0,1,1,0,0,0,0,32,64,20000.0,40000.0,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,2,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,2,0,243,290,0,32,0,0,0,0,0,0,0,0,BENIGN


As one can observe, the timestamp needs fixing.

In [None]:
# I'm using pandas datetime here, as the datetime.datetime function throws an exception
#thursday_morn_df['timestamp'] = pd.to_datetime(thursday_morn_df['timestamp'], format='%d/%m/%Y %H:%M')
thursday_morn_df['timestamp'] = thursday_morn_df.timestamp.apply(calc_new_timestamp)

This should have fixed the different timestamp as well as converted everything to 24h-format:

In [110]:
thursday_morn_df.tail(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
170363,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.12,60148,192.168.10.50,22,6,2017-07-06T12:59:00,1387547,41,46,2728,6634,456,0,66.53658537,110.1299454,976,0,144.2173913,307.9139788,6747.158835,62.70057879,16134.26744,105060.7081,955521,0,1387547,34688.675,160875.9581,997428,0,431936,9598.577778,31464.52951,199711,1,0,0,0,0,1328,1488,29.54854863,33.15203017,0,976,106.3863636,237.1744802,56251.73406,0,0,0,1,0,0,0,0,1,107.6091954,66.53658537,144.2173913,1328,0,0,0,0,0,0,41,2728,46,6634,29200,243,24,32,0,0,0,0,0,0,0,0,BENIGN
170364,192.168.10.12-192.168.10.50-60146-22-6,192.168.10.12,60146,192.168.10.50,22,6,2017-07-06T12:59:00,207,1,1,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,9661.835749,207.0,0.0,207,207,0,0.0,0.0,0,0,0,0.0,0.0,0,0,0,0,0,0,32,32,4830.917874,4830.917874,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,290,243,0,32,0,0,0,0,0,0,0,0,BENIGN
170365,192.168.10.12-192.168.10.50-60146-22-6,192.168.10.50,22,192.168.10.12,60146,6,2017-07-06T12:59:00,50,1,2,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,60000.0,25.0,33.9411255,49,1,0,0.0,0.0,0,0,1,1.0,0.0,1,1,0,0,0,0,32,64,20000.0,40000.0,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,2,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,2,0,243,290,0,32,0,0,0,0,0,0,0,0,BENIGN


In [8]:
# Besides the timestamp, the attack labels don't look too good either
thursday_morn_df['label'].unique()

array(['BENIGN', 'Web Attack Â\x96 Brute Force', 'Web Attack Â\x96 XSS',
       'Web Attack Â\x96 Sql Injection'], dtype=object)

In [16]:
thursday_morn_df['label'] = thursday_morn_df['label'].str.replace('Web Attack .* Brute Force', 'BruteForce')
thursday_morn_df['label'] = thursday_morn_df['label'].str.replace('Web Attack .* XSS', 'XSS')
thursday_morn_df['label'] = thursday_morn_df['label'].str.replace('Web Attack .* Sql Injection', 'SQLInjection')

In [17]:
thursday_morn_df['label'].unique()

array(['BENIGN', 'BruteForce', 'XSS', 'SQLInjection'], dtype=object)

In [18]:
# If everything went well, save changes to disk
# As we've used a different datetime func, update the write to reflect the other timestamps
thursday_morn_df.to_csv('CICIDS2017/Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX_clean.csv',index=False,date_format='%Y-%m-%dT%H:%M:%S')

#### Afternoon

In [112]:
# open the cleaned version with sane headers. This time, open the full csv
thursday_aft_df = pd.read_csv('CICIDS2017/Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX_clean.csv',dtype=str)

In [114]:
thursday_aft_df.head(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
0,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.12,60148,192.168.10.50,22,6,6/7/2017 1:00,166,1,1,0,0,0,0,0,0,0,0,0,0,0.0,12048.19277,166.0,0.0,166,166,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,6024.096386,6024.096386,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,32,0,0,0,0,0,0,1,0,1,0,290,243,0,32,0,0,0,0,0,0,0,0,BENIGN
1,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.50,22,192.168.10.12,60148,6,6/7/2017 1:00,83,1,2,0,0,0,0,0,0,0,0,0,0,0.0,36144.57831,41.5,10.60660172,49,34,0,0,0,0,0,49,49,0,49,49,0,0,0,0,32,64,12048.19277,24096.38554,0,0,0,0,0,0,0,0,0,1,1,0,0,2,0,0,0,32,0,0,0,0,0,0,1,0,2,0,243,290,0,32,0,0,0,0,0,0,0,0,BENIGN
2,192.168.10.12-91.189.89.199-123-123-17,192.168.10.12,123,91.189.89.199,123,17,6/7/2017 1:00,99947,1,1,48,48,48,48,48,0,48,48,48,0,960.5090698,20.01060562,99947.0,0.0,99947,99947,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,40,10.00530281,10.00530281,48,48,48,0,0,0,0,0,0,0,0,0,0,1,72,48,48,40,0,0,0,0,0,0,1,48,1,48,-1,-1,0,40,0,0,0,0,0,0,0,0,BENIGN


As one can observe, the timestamp needs fixing.

In [115]:
# convert to 24h-format whilst converting to ISOdate
thursday_aft_df['timestamp'] = thursday_aft_df.timestamp.apply(calc_new_timestamp)

This should have fixed the different timestamp as well as converted everything to 24h-format:

In [117]:
thursday_aft_df.head(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
0,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.12,60148,192.168.10.50,22,6,2017-07-06T13:00:00,166,1,1,0,0,0,0,0,0,0,0,0,0,0.0,12048.19277,166.0,0.0,166,166,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,6024.096386,6024.096386,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,32,0,0,0,0,0,0,1,0,1,0,290,243,0,32,0,0,0,0,0,0,0,0,BENIGN
1,192.168.10.12-192.168.10.50-60148-22-6,192.168.10.50,22,192.168.10.12,60148,6,2017-07-06T13:00:00,83,1,2,0,0,0,0,0,0,0,0,0,0,0.0,36144.57831,41.5,10.60660172,49,34,0,0,0,0,0,49,49,0,49,49,0,0,0,0,32,64,12048.19277,24096.38554,0,0,0,0,0,0,0,0,0,1,1,0,0,2,0,0,0,32,0,0,0,0,0,0,1,0,2,0,243,290,0,32,0,0,0,0,0,0,0,0,BENIGN
2,192.168.10.12-91.189.89.199-123-123-17,192.168.10.12,123,91.189.89.199,123,17,2017-07-06T13:00:00,99947,1,1,48,48,48,48,48,0,48,48,48,0,960.5090698,20.01060562,99947.0,0.0,99947,99947,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,40,10.00530281,10.00530281,48,48,48,0,0,0,0,0,0,0,0,0,0,1,72,48,48,40,0,0,0,0,0,0,1,48,1,48,-1,-1,0,40,0,0,0,0,0,0,0,0,BENIGN


In [118]:
# If everything went well, save changes to disk
# As we've used a different datetime func, update the write to reflect the other timestamps
thursday_aft_df.to_csv('CICIDS2017/Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX_clean.csv',index=False,date_format='%Y-%m-%dT%H:%M:%S')

### Friday

#### Morning

In [119]:
# open the cleaned version with sane headers. This time, open the full csv
friday_morn_df = pd.read_csv('CICIDS2017/Friday-WorkingHours-Morning.pcap_ISCX_clean.csv',dtype=str)

In [120]:
friday_morn_df.head(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
0,192.168.10.3-192.168.10.50-3268-56108-6,192.168.10.50,56108,192.168.10.3,3268,6,7/7/2017 8:59,112740690,32,16,6448,1152,403,0,201.5,204.7242047,72,72,72,0,67.41133126,0.425755776,2398738.085,5798697.94,16400000.0,3,113000000.0,3636796.452,6848760.823,16400000.0,3,113000000.0,7516023.2,8323384.915,16400000.0,3,1,0,0,0,1024,512,0.283837184,0.141918592,0,403,163.3265306,178.9317127,32016.55782,0,1,0,0,1,0,0,0,0,166.7291667,201.5,72,1024,0,0,0,0,0,0,32,6448,16,1152,377,2079,15,32,359.4285714,11.99801571,380.0,343,16100000.0,498804.8203,16400000.0,15400000.0,BENIGN
1,192.168.10.3-192.168.10.50-389-42144-6,192.168.10.50,42144,192.168.10.3,389,6,7/7/2017 8:59,112740560,32,16,6448,5056,403,0,201.5,204.7242047,316,316,316,0,102.0395854,0.425756267,2398735.319,5798709.67,16400000.0,2,113000000.0,3636792.258,6848776.836,16400000.0,2,113000000.0,7516016.133,8323376.147,16400000.0,4,1,0,0,0,1024,512,0.283837512,0.141918756,0,403,243.0,174.7169139,30526.0,0,1,0,0,1,0,0,0,0,248.0625,201.5,316,1024,0,0,0,0,0,0,32,6448,16,5056,955,2079,15,32,320.2857143,15.74499165,330.0,285,16100000.0,498793.6656,16400000.0,15400000.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0,8.0.6.4,0,0,7/7/2017 9:00,113757377,545,0,0,0,0,0,0.0,0.0,0,0,0,0,0.0,4.790898088,209112.8254,1395543.434,20800000.0,0,114000000.0,209112.8254,1395543.434,20800000.0,0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,0,4.790898088,0.0,0,0,0.0,0.0,0.0,0,0,0,0,0,0,0,0,0,0.0,0.0,0,0,0,0,0,0,0,0,545,0,0,0,-1,-1,0,0,9361828.6,7324645.883,18900000.0,19,12200000.0,6935824.002,20800000.0,5504997.0,BENIGN


As one can observe, the timestamp needs fixing.

In [121]:
# convert to 24h-format whilst converting to ISOdate
friday_morn_df['timestamp'] = friday_morn_df.timestamp.apply(calc_new_timestamp)

This should have fixed the different timestamp as well as converted everything to 24h-format:

In [122]:
friday_morn_df.head(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
0,192.168.10.3-192.168.10.50-3268-56108-6,192.168.10.50,56108,192.168.10.3,3268,6,2017-07-07T08:59:00,112740690,32,16,6448,1152,403,0,201.5,204.7242047,72,72,72,0,67.41133126,0.425755776,2398738.085,5798697.94,16400000.0,3,113000000.0,3636796.452,6848760.823,16400000.0,3,113000000.0,7516023.2,8323384.915,16400000.0,3,1,0,0,0,1024,512,0.283837184,0.141918592,0,403,163.3265306,178.9317127,32016.55782,0,1,0,0,1,0,0,0,0,166.7291667,201.5,72,1024,0,0,0,0,0,0,32,6448,16,1152,377,2079,15,32,359.4285714,11.99801571,380.0,343,16100000.0,498804.8203,16400000.0,15400000.0,BENIGN
1,192.168.10.3-192.168.10.50-389-42144-6,192.168.10.50,42144,192.168.10.3,389,6,2017-07-07T08:59:00,112740560,32,16,6448,5056,403,0,201.5,204.7242047,316,316,316,0,102.0395854,0.425756267,2398735.319,5798709.67,16400000.0,2,113000000.0,3636792.258,6848776.836,16400000.0,2,113000000.0,7516016.133,8323376.147,16400000.0,4,1,0,0,0,1024,512,0.283837512,0.141918756,0,403,243.0,174.7169139,30526.0,0,1,0,0,1,0,0,0,0,248.0625,201.5,316,1024,0,0,0,0,0,0,32,6448,16,5056,955,2079,15,32,320.2857143,15.74499165,330.0,285,16100000.0,498793.6656,16400000.0,15400000.0,BENIGN
2,8.0.6.4-8.6.0.1-0-0-0,8.6.0.1,0,8.0.6.4,0,0,2017-07-07T09:00:00,113757377,545,0,0,0,0,0,0.0,0.0,0,0,0,0,0.0,4.790898088,209112.8254,1395543.434,20800000.0,0,114000000.0,209112.8254,1395543.434,20800000.0,0,0.0,0.0,0.0,0.0,0,0,0,0,0,0,0,4.790898088,0.0,0,0,0.0,0.0,0.0,0,0,0,0,0,0,0,0,0,0.0,0.0,0,0,0,0,0,0,0,0,545,0,0,0,-1,-1,0,0,9361828.6,7324645.883,18900000.0,19,12200000.0,6935824.002,20800000.0,5504997.0,BENIGN


In [123]:
# If everything went well, save changes to disk
# As we've used a different datetime func, update the write to reflect the other timestamps
friday_morn_df.to_csv('CICIDS2017/Friday-WorkingHours-Morning.pcap_ISCX_clean.csv',index=False,date_format='%Y-%m-%dT%H:%M:%S')

#### Afternoon Portscan

In [124]:
# open the cleaned version with sane headers. This time, open the full csv
friday_aft_pscan_df = pd.read_csv('CICIDS2017/Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX_clean.csv',dtype=str)

In [125]:
friday_aft_pscan_df.head(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
0,192.168.10.12-192.168.10.50-35396-22-6,192.168.10.12,35396,192.168.10.50,22,6,7/7/2017 1:00,1266342,41,44,2664,6954,456,0,64.97560976,109.864573,976,0,158.0454545,312.6752498,7595.10464,67.12246771,15075.5,104051.3997,948537,0,1266342,31658.55,159355.2595,996324,2,317671,7387.697674,19636.44809,104616,1,0,0,0,0,1328,1424,32.37671972,34.74574799,0,976,111.8372093,239.6868477,57449.78495,0,0,0,1,0,0,0,0,1,113.1529412,64.97560976,158.0454545,1328,0,0,0,0,0,0,41,2664,44,6954,29200,243,24,32,0,0,0,0,0,0,0,0,BENIGN
1,192.168.10.16-192.168.10.50-60058-22-6,192.168.10.16,60058,192.168.10.50,22,6,7/7/2017 1:00,1319353,41,44,2664,6954,456,0,64.97560976,109.864573,976,0,158.0454545,312.6752498,7289.93681,64.42551766,15706.58333,104861.8701,955790,1,1319353,32983.825,159247.9008,996423,1,363429,8451.837209,21337.26261,104815,1,0,0,0,0,1328,1424,31.07583793,33.34967973,0,976,111.8372093,239.6868477,57449.78495,0,0,0,1,0,0,0,0,1,113.1529412,64.97560976,158.0454545,1328,0,0,0,0,0,0,41,2664,44,6954,29200,243,24,32,0,0,0,0,0,0,0,0,BENIGN
2,192.168.10.12-192.168.10.50-35396-22-6,192.168.10.12,35396,192.168.10.50,22,6,7/7/2017 1:00,160,1,1,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,12500.0,160.0,0.0,160,160,0,0.0,0.0,0,0,0,0.0,0.0,0,0,0,0,0,0,32,32,6250.0,6250.0,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,290,243,0,32,0,0,0,0,0,0,0,0,BENIGN


As one can observe, the timestamp needs fixing.

In [126]:
# convert to 24h-format whilst converting to ISOdate
friday_aft_pscan_df['timestamp'] = friday_aft_pscan_df.timestamp.apply(calc_new_timestamp)

This should have fixed the different timestamp as well as converted everything to 24h-format:

In [129]:
friday_aft_pscan_df.head(3)

Unnamed: 0,flow_id,source_ip,source_port,destination_ip,destination_port,protocol,timestamp,flow_duration,total_fwd_packets,total_backward_packets,total_length_of_fwd_packets,total_length_of_bwd_packets,fwd_packet_length_max,fwd_packet_length_min,fwd_packet_length_mean,fwd_packet_length_std,bwd_packet_length_max,bwd_packet_length_min,bwd_packet_length_mean,bwd_packet_length_std,flow_bytes_per_s,flow_packets_per_s,flow_iat_mean,flow_iat_std,flow_iat_max,flow_iat_min,fwd_iat_total,fwd_iat_mean,fwd_iat_std,fwd_iat_max,fwd_iat_min,bwd_iat_total,bwd_iat_mean,bwd_iat_std,bwd_iat_max,bwd_iat_min,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fwd_header_length,bwd_header_length,fwd_packets_per_s,bwd_packets_per_s,min_packet_length,max_packet_length,packet_length_mean,packet_length_std,packet_length_variance,fin_flag_count,syn_flag_count,rst_flag_count,psh_flag_count,ack_flag_count,urg_flag_count,cwe_flag_count,ece_flag_count,down_per_up_ratio,average_packet_size,avg_fwd_segment_size,avg_bwd_segment_size,fwd_header_length.1,fwd_avg_bytes_per_bulk,fwd_avg_packets_per_bulk,fwd_avg_bulk_rate,bwd_avg_bytes_per_bulk,bwd_avg_packets_per_bulk,bwd_avg_bulk_rate,subflow_fwd_packets,subflow_fwd_bytes,subflow_bwd_packets,subflow_bwd_bytes,init_win_bytes_forward,init_win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,active_mean,active_std,active_max,active_min,idle_mean,idle_std,idle_max,idle_min,label
0,192.168.10.12-192.168.10.50-35396-22-6,192.168.10.12,35396,192.168.10.50,22,6,2017-07-07T13:00:00,1266342,41,44,2664,6954,456,0,64.97560976,109.864573,976,0,158.0454545,312.6752498,7595.10464,67.12246771,15075.5,104051.3997,948537,0,1266342,31658.55,159355.2595,996324,2,317671,7387.697674,19636.44809,104616,1,0,0,0,0,1328,1424,32.37671972,34.74574799,0,976,111.8372093,239.6868477,57449.78495,0,0,0,1,0,0,0,0,1,113.1529412,64.97560976,158.0454545,1328,0,0,0,0,0,0,41,2664,44,6954,29200,243,24,32,0,0,0,0,0,0,0,0,BENIGN
1,192.168.10.16-192.168.10.50-60058-22-6,192.168.10.16,60058,192.168.10.50,22,6,2017-07-07T13:00:00,1319353,41,44,2664,6954,456,0,64.97560976,109.864573,976,0,158.0454545,312.6752498,7289.93681,64.42551766,15706.58333,104861.8701,955790,1,1319353,32983.825,159247.9008,996423,1,363429,8451.837209,21337.26261,104815,1,0,0,0,0,1328,1424,31.07583793,33.34967973,0,976,111.8372093,239.6868477,57449.78495,0,0,0,1,0,0,0,0,1,113.1529412,64.97560976,158.0454545,1328,0,0,0,0,0,0,41,2664,44,6954,29200,243,24,32,0,0,0,0,0,0,0,0,BENIGN
2,192.168.10.12-192.168.10.50-35396-22-6,192.168.10.12,35396,192.168.10.50,22,6,2017-07-07T13:00:00,160,1,1,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,12500.0,160.0,0.0,160,160,0,0.0,0.0,0,0,0,0.0,0.0,0,0,0,0,0,0,32,32,6250.0,6250.0,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,290,243,0,32,0,0,0,0,0,0,0,0,BENIGN


In [130]:
# If everything went well, save changes to disk
# As we've used a different datetime func, update the write to reflect the other timestamps
friday_aft_pscan_df.to_csv('CICIDS2017/Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX_clean.csv',index=False,date_format='%Y-%m-%dT%H:%M:%S')

#### Afternoon DDoS

In [4]:
# I don't know why, but pandas keep swallowing the flow_id column if I import the cleaned version. 
# So let's import the original, convert time and *then* fix the column headers
friday_aft_ddos_df = pd.read_csv('CICIDS2017/Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv',dtype=str)

In [5]:
friday_aft_ddos_df.head(3)

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,Bwd Packet Length Max,Bwd Packet Length Min,Bwd Packet Length Mean,Bwd Packet Length Std,Flow Bytes/s,Flow Packets/s,Flow IAT Mean,Flow IAT Std,Flow IAT Max,Flow IAT Min,Fwd IAT Total,Fwd IAT Mean,Fwd IAT Std,Fwd IAT Max,Fwd IAT Min,Bwd IAT Total,Bwd IAT Mean,Bwd IAT Std,Bwd IAT Max,Bwd IAT Min,Fwd PSH Flags,Bwd PSH Flags,Fwd URG Flags,Bwd URG Flags,Fwd Header Length,Bwd Header Length,Fwd Packets/s,Bwd Packets/s,Min Packet Length,Max Packet Length,Packet Length Mean,Packet Length Std,Packet Length Variance,FIN Flag Count,SYN Flag Count,RST Flag Count,PSH Flag Count,ACK Flag Count,URG Flag Count,CWE Flag Count,ECE Flag Count,Down/Up Ratio,Average Packet Size,Avg Fwd Segment Size,Avg Bwd Segment Size,Fwd Header Length.1,Fwd Avg Bytes/Bulk,Fwd Avg Packets/Bulk,Fwd Avg Bulk Rate,Bwd Avg Bytes/Bulk,Bwd Avg Packets/Bulk,Bwd Avg Bulk Rate,Subflow Fwd Packets,Subflow Fwd Bytes,Subflow Bwd Packets,Subflow Bwd Bytes,Init_Win_bytes_forward,Init_Win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label,External IP
0,192.168.10.16-199.244.48.55-41936-443-6,192.168.10.16,41936,199.244.48.55,443,6,7/7/2017 3:30,143347,47,60,1325,108751,570,0,28.19148936,110.2697559,2896,0,1812.516667,822.0897409,767898.8748,746.4404557,1352.330189,5067.810221,23061,1,143347,3116.23913,7502.019684,23823,1,120283,2038.694915,6167.670541,24538,1,0,0,0,0,1200,1928,327.8757142,418.5647415,0,2896,1019.222222,1082.537011,1171886.38,0,0,0,1,0,0,0,0,1,1028.747664,28.19148936,1812.516667,1200,0,0,0,0,0,0,47,1325,60,108751,29200,61,30,20,0,0,0,0,0,0,0,0,BENIGN,
1,192.168.10.16-54.210.195.63-42970-80-6,192.168.10.16,42970,54.210.195.63,80,6,7/7/2017 3:30,50905,1,1,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,39.28887143,50905.0,0.0,50905,50905,0,0.0,0.0,0,0,0,0.0,0.0,0,0,0,0,0,0,32,32,19.64443571,19.64443571,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,251,110,0,32,0,0,0,0,0,0,0,0,BENIGN,
2,192.168.10.16-199.244.48.55-41944-443-6,192.168.10.16,41944,199.244.48.55,443,6,7/7/2017 3:30,143899,46,58,1325,110185,570,0,28.80434783,111.4072847,4344,0,1899.741379,942.9987732,774918.5192,722.7291364,1397.07767,5193.055313,23360,1,143899,3197.755556,7655.879725,23883,2,120525,2114.473684,6287.286944,23836,2,0,0,0,0,1168,1864,319.6686565,403.0604799,0,4344,1062.0,1169.249973,1367145.5,0,0,0,1,0,0,0,0,1,1072.211538,28.80434783,1899.741379,1168,0,0,0,0,0,0,46,1325,58,110185,29200,61,30,20,0,0,0,0,0,0,0,0,BENIGN,


As one can observe, the timestamp needs fixing.

In [12]:
# convert to 24h-format whilst converting to ISOdate
def calc_fri_timestamp(timestamp):
    new_time = datetime.strptime(timestamp, '%d/%m/%Y %H:%M')
    
    # convert any hour between 13 and 17 o'clock into their 24h-pendant
    # as the captures run from 08:00 to 17:00 o'clock
    if new_time.hour in range(1,8): 
        hour24 = new_time.hour + 12
        new_time=new_time.replace(hour=hour24)
    return new_time.isoformat()

friday_aft_ddos_df[' Timestamp'] = friday_aft_ddos_df[' Timestamp'].apply(calc_fri_timestamp)

This should have fixed the different timestamp as well as converted everything to 24h-format:

In [13]:
friday_aft_ddos_df.head(3)

Unnamed: 0,Flow ID,Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,Bwd Packet Length Max,Bwd Packet Length Min,Bwd Packet Length Mean,Bwd Packet Length Std,Flow Bytes/s,Flow Packets/s,Flow IAT Mean,Flow IAT Std,Flow IAT Max,Flow IAT Min,Fwd IAT Total,Fwd IAT Mean,Fwd IAT Std,Fwd IAT Max,Fwd IAT Min,Bwd IAT Total,Bwd IAT Mean,Bwd IAT Std,Bwd IAT Max,Bwd IAT Min,Fwd PSH Flags,Bwd PSH Flags,Fwd URG Flags,Bwd URG Flags,Fwd Header Length,Bwd Header Length,Fwd Packets/s,Bwd Packets/s,Min Packet Length,Max Packet Length,Packet Length Mean,Packet Length Std,Packet Length Variance,FIN Flag Count,SYN Flag Count,RST Flag Count,PSH Flag Count,ACK Flag Count,URG Flag Count,CWE Flag Count,ECE Flag Count,Down/Up Ratio,Average Packet Size,Avg Fwd Segment Size,Avg Bwd Segment Size,Fwd Header Length.1,Fwd Avg Bytes/Bulk,Fwd Avg Packets/Bulk,Fwd Avg Bulk Rate,Bwd Avg Bytes/Bulk,Bwd Avg Packets/Bulk,Bwd Avg Bulk Rate,Subflow Fwd Packets,Subflow Fwd Bytes,Subflow Bwd Packets,Subflow Bwd Bytes,Init_Win_bytes_forward,Init_Win_bytes_backward,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label,External IP
0,192.168.10.16-199.244.48.55-41936-443-6,192.168.10.16,41936,199.244.48.55,443,6,2017-07-07T15:30:00,143347,47,60,1325,108751,570,0,28.19148936,110.2697559,2896,0,1812.516667,822.0897409,767898.8748,746.4404557,1352.330189,5067.810221,23061,1,143347,3116.23913,7502.019684,23823,1,120283,2038.694915,6167.670541,24538,1,0,0,0,0,1200,1928,327.8757142,418.5647415,0,2896,1019.222222,1082.537011,1171886.38,0,0,0,1,0,0,0,0,1,1028.747664,28.19148936,1812.516667,1200,0,0,0,0,0,0,47,1325,60,108751,29200,61,30,20,0,0,0,0,0,0,0,0,BENIGN,
1,192.168.10.16-54.210.195.63-42970-80-6,192.168.10.16,42970,54.210.195.63,80,6,2017-07-07T15:30:00,50905,1,1,0,0,0,0,0.0,0.0,0,0,0.0,0.0,0.0,39.28887143,50905.0,0.0,50905,50905,0,0.0,0.0,0,0,0,0.0,0.0,0,0,0,0,0,0,32,32,19.64443571,19.64443571,0,0,0.0,0.0,0.0,0,0,0,0,1,1,0,0,1,0.0,0.0,0.0,32,0,0,0,0,0,0,1,0,1,0,251,110,0,32,0,0,0,0,0,0,0,0,BENIGN,
2,192.168.10.16-199.244.48.55-41944-443-6,192.168.10.16,41944,199.244.48.55,443,6,2017-07-07T15:30:00,143899,46,58,1325,110185,570,0,28.80434783,111.4072847,4344,0,1899.741379,942.9987732,774918.5192,722.7291364,1397.07767,5193.055313,23360,1,143899,3197.755556,7655.879725,23883,2,120525,2114.473684,6287.286944,23836,2,0,0,0,0,1168,1864,319.6686565,403.0604799,0,4344,1062.0,1169.249973,1367145.5,0,0,0,1,0,0,0,0,1,1072.211538,28.80434783,1899.741379,1168,0,0,0,0,0,0,46,1325,58,110185,29200,61,30,20,0,0,0,0,0,0,0,0,BENIGN,


In [19]:
# If everything went well, save changes to disk
# As the friday afternoon stuff has an additional CSV row, use the ddos_header (which includes the missing field "external_ip")
friday_aft_ddos_df.to_csv('CICIDS2017/Friday-WorkingHours-Afternoon-DDos.pcap_ISCX_clean.csv',index=False,date_format='%Y-%m-%dT%H:%M:%S', header=ddos_header)