# Importing , Exploring and IDE


## Mounting Google Drive

We will save the downloaded dataset to Google Drive.

In [3]:
from google.colab import drive
drive.mount("/content/drive")
%cd /content/drive/MyDrive/colab_notebooks/CICIDS2017

Drive already mounted at /content/drive; to attempt to forcibly remount, call drive.mount("/content/drive", force_remount=True).
/content/drive/MyDrive/colab_notebooks/CICIDS2017


## Downloading MachineLearningCSV from the CICIDS2017 dataset.
We will download the MachineLearningCSV.zip version of this dataset (updated 2024-02-01)

When downloading this dataset, we rename the MachineLearningCSV.zip file to MachineLearningCVE.zip because in the MachineLearningCSV.md5 the target filename is MachineLearningCVE.zip.


In [None]:
!wget -nc -O MachineLearningCVE.zip http://205.174.165.80/CICDataset/CIC-IDS-2017/Dataset/CIC-IDS-2017/CSVs/MachineLearningCSV.zip

## Integrity check



In [None]:
!wget -nc http://205.174.165.80/CICDataset/CIC-IDS-2017/Dataset/CIC-IDS-2017/CSVs/MachineLearningCSV.md5

Checking the file integrity

In [None]:
!md5sum -c MachineLearningCSV.md5

Save the zip file to Google Drive.

In [None]:
!mkdir -p "/content/drive/MyDrive/colab_notebooks/CICIDS2017/CICIDS2017/"
!mv MachineLearningCVE.zip "/content/drive/MyDrive/colab_notebooks/CICIDS2017/CICIDS2017/"

## Unzip the dataset

Unzip the `MachineLearningCVE.zip`.

In [None]:
!unzip -n "/content/drive/MyDrive/colab_notebooks/CICIDS2017/CICIDS2017/MachineLearningCVE.zip"

Archive:  /content/drive/MyDrive/colab_notebooks/CICIDS2017/CICIDS2017/MachineLearningCVE.zip


There are eight files extracted from this zip file.

1. `Monday-WorkingHours.pcap_ISCX.csv`
2. `Tuesday-WorkingHours.pcap_ISCX.csv`
3. `Wednesday-workingHours.pcap_ISCX.csv`
4. `Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv`
5. `Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX.csv`
6. `Friday-WorkingHours-Morning.pcap_ISCX.csv`
7. `Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX.csv`
8. `Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv`

## Combine All Dataset

In [None]:
import os
import pandas as pd

DIR_PATH = "MachineLearningCVE"

FILE_NAMES = ["Monday-WorkingHours.pcap_ISCX.csv",
              "Tuesday-WorkingHours.pcap_ISCX.csv",
              "Wednesday-workingHours.pcap_ISCX.csv",
              "Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv",
              "Thursday-WorkingHours-Afternoon-Infilteration.pcap_ISCX.csv",
              "Friday-WorkingHours-Morning.pcap_ISCX.csv",
              "Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX.csv",
              "Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv"]

In [None]:
df = [pd.read_csv(os.path.join(DIR_PATH, f), skipinitialspace=True) for f in FILE_NAMES]
df = pd.concat(df, ignore_index=True)

In [None]:
df.head()

Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,49188,4,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
1,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
2,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
3,49188,1,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN
4,49486,3,2,0,12,0,6,6,6.0,0.0,...,20,0.0,0.0,0,0,0.0,0.0,0,0,BENIGN


## Change the unrecognized character in the clolumn BENIGN

File `Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv` contained unrecognized character.

Change this unrecognized character to `-`.

In [None]:
print(df.Label.value_counts())
df['Label'].replace(['Web Attack � Brute Force', 'Web Attack � XSS', 'Web Attack � Sql Injection'],
                  ['Web Attack-Brute Force', 'Web Attack-XSS', 'Web Attack-Sql Injection'], inplace=True)
print(df.Label.value_counts())

Label
BENIGN                        2273097
DoS Hulk                       231073
PortScan                       158930
DDoS                           128027
DoS GoldenEye                   10293
FTP-Patator                      7938
SSH-Patator                      5897
DoS slowloris                    5796
DoS Slowhttptest                 5499
Bot                              1966
Web Attack � Brute Force         1507
Web Attack � XSS                  652
Infiltration                       36
Web Attack � Sql Injection         21
Heartbleed                         11
Name: count, dtype: int64
Label
BENIGN                      2273097
DoS Hulk                     231073
PortScan                     158930
DDoS                         128027
DoS GoldenEye                 10293
FTP-Patator                    7938
SSH-Patator                    5897
DoS slowloris                  5796
DoS Slowhttptest               5499
Bot                            1966
Web Attack-Brute Force         1

## Saving the dataset

In [None]:
df.to_csv(os.path.join(DIR_PATH, "MachineLearningCVE.csv"), index=False)

Now the dataset is saved to my Google Drive at `CICIDS2017` folder.

## Explore data types and missing values

In [None]:
import os
import pandas as pd
import numpy as np

DIR_PATH = "MachineLearningCVE"

pd.set_option('display.max_rows', 100)
pd.set_option('display.max_columns', 12)
pd.set_option('display.width', 1000)
pd.options.display.float_format = '{:.2f}'.format

df = pd.read_csv(os.path.join(DIR_PATH, "MachineLearningCVE.csv"))

# Explore data types and missing values
print(df.info())

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 2830743 entries, 0 to 2830742
Data columns (total 79 columns):
 #   Column                       Dtype  
---  ------                       -----  
 0   Destination Port             int64  
 1   Flow Duration                int64  
 2   Total Fwd Packets            int64  
 3   Total Backward Packets       int64  
 4   Total Length of Fwd Packets  int64  
 5   Total Length of Bwd Packets  int64  
 6   Fwd Packet Length Max        int64  
 7   Fwd Packet Length Min        int64  
 8   Fwd Packet Length Mean       float64
 9   Fwd Packet Length Std        float64
 10  Bwd Packet Length Max        int64  
 11  Bwd Packet Length Min        int64  
 12  Bwd Packet Length Mean       float64
 13  Bwd Packet Length Std        float64
 14  Flow Bytes/s                 float64
 15  Flow Packets/s               float64
 16  Flow IAT Mean                float64
 17  Flow IAT Std                 float64
 18  Flow IAT Max                 int64  
 19  

## Check for descriptive statistics of numerical columns


In [None]:
# Check for descriptive statistics of numerical columns
dsc = df.describe()
# transform the dataframe
dsc = dsc.transpose()
# print the dataframe
print(dsc)


                                 count        mean         std             min    25%      50%        75%          max
Destination Port            2830743.00     8071.48    18283.63            0.00  53.00    80.00     443.00     65535.00
Flow Duration               2830743.00 14785663.93 33653744.09          -13.00 155.00 31316.00 3204828.50 119999998.00
Total Fwd Packets           2830743.00        9.36      749.67            1.00   2.00     2.00       5.00    219759.00
Total Backward Packets      2830743.00       10.39      997.39            0.00   1.00     2.00       4.00    291922.00
Total Length of Fwd Packets 2830743.00      549.30     9993.59            0.00  12.00    62.00     187.00  12900000.00
Total Length of Bwd Packets 2830743.00    16162.64  2263088.05            0.00   0.00   123.00     482.00 655453030.00
Fwd Packet Length Max       2830743.00      207.60      717.18            0.00   6.00    37.00      81.00     24820.00
Fwd Packet Length Min       2830743.00       18.

Flow Bytes/s and Flow Packets/s have infinite values

Let's look at those samples:

In [None]:
df1 = df[df['Flow Bytes/s'] == np.inf]
print(f'Number of inf values in "Flow Bytes/s" is {len(df1)}')
print(df1["Label"].value_counts())
print('------------------------------')
df2 = df[df['Flow Packets/s'] == np.inf]
print(f'Number of inf values in "Flow Packets/s" is {len(df2)}')
print(df2["Label"].value_counts())
print(df2['Flow Bytes/s'].value_counts())
print('------------------------------')
# Let's look at those samples where 'Flow Bytes/s' is null:
df3 = df2[df2['Flow Bytes/s'].isnull()]
print(f'Number of NULL values in "Flow Bytes/s" is {len(df3)}')
print(df3["Label"].value_counts())
# We can see that if 'Flow Bytes/s' is null this is a good sign for a DoS Hulk intrusion.

Number of inf values in "Flow Bytes/s" is 1509
Label
BENIGN         1368
PortScan        126
Bot              10
FTP-Patator       3
DDoS              2
Name: count, dtype: int64
------------------------------
Number of inf values in "Flow Packets/s" is 2867
Label
BENIGN         1777
DoS Hulk        949
PortScan        126
Bot              10
FTP-Patator       3
DDoS              2
Name: count, dtype: int64
Flow Bytes/s
inf    1509
Name: count, dtype: int64
------------------------------
Number of NULL values in "Flow Bytes/s" is 1358
Label
DoS Hulk    949
BENIGN      409
Name: count, dtype: int64


## insights:
### 1. If 'Flow Bytes/s' is inf then 'Flow Packets/s' is inf
### 2. If 'Flow Packets/s' is inf then 'Flow Bytes/s' is either inf or null
### 3. if 'Flow Bytes/s' is null this is a good sign for a DoS Hulk intrusion

## Explore the distribution of the target variable ('Label')


In [None]:
# Explore the distribution of the target variable ('Label')
df['Label'].value_counts()

Label
BENIGN                      2273097
DoS Hulk                     231073
PortScan                     158930
DDoS                         128027
DoS GoldenEye                 10293
FTP-Patator                    7938
SSH-Patator                    5897
DoS slowloris                  5796
DoS Slowhttptest               5499
Bot                            1966
Web Attack-Brute Force         1507
Web Attack-XSS                  652
Infiltration                     36
Web Attack-Sql Injection         21
Heartbleed                       11
Name: count, dtype: int64

# Process data and analyze correlations between numerical features


In [None]:
from itertools import combinations
import seaborn as sns
import matplotlib.pyplot as plt

# Delete nan and inf rows
df.replace([np.inf,-np.inf],np.nan,inplace=True)
print(df.isna().any(axis=1).sum(), "rows dropped")
df.dropna(inplace=True)
print("Shape after Removing NaN: ",df.shape)

# Remove columns which have identical values
zero_variance_cols=[]
for col in df.columns:
    if len(df[col].unique()) == 1:
        zero_variance_cols.append(col)
df.drop(columns=zero_variance_cols,axis=1,inplace=True)
print("Zero Variance Columns: ",zero_variance_cols, " are dropped!!")
print("Shape after removing the zero variance columns: ",df.shape)

# check if there are duplicated rows and drop duplications
print("Shape before dropping duplicates: ",df.shape)
df.drop_duplicates(inplace=True)
print("Shape after dropping duplicates: ",df.shape)

# Look for identical pairs of columns and drop column x if there is idenical column y in df
column_pairs = [(i,j) for i,j in combinations(df,2) if df[i].equals(df[j])]
ide_cols=[]
for col_pair in column_pairs:
    ide_cols.append(col_pair[1])
df.drop(columns=ide_cols,axis=1,inplace=True)
print("Columns which have identical values: ",column_pairs," dropped!")
print("Shape after removing identical value columns: ",df.shape)

# Replace negative value with 0 as there is no logical interpretation for
# negative values on all of the features that contains negative values
numerical_features = list(df.columns[df.dtypes != object])
for col in numerical_features:
    df.loc[df[col] < 0, col] = 0

# Analyze correlations between numerical features
correlation_matrix = df[numerical_features].corr()
print(correlation_matrix)  # View the full matrix or use specific methods like corrwith

2867 rows dropped
Shape after Removing NaN:  (2827876, 79)
Zero Variance Columns:  ['Bwd PSH Flags', 'Bwd URG Flags', 'Fwd Avg Bytes/Bulk', 'Fwd Avg Packets/Bulk', 'Fwd Avg Bulk Rate', 'Bwd Avg Bytes/Bulk', 'Bwd Avg Packets/Bulk', 'Bwd Avg Bulk Rate']  are dropped!!
Shape after removing the zero variance columns:  (2827876, 71)
Shape before dropping duplicates:  (2827876, 71)
Shape after dropping duplicates:  (2520798, 71)
Columns which have identical values:  [('Total Fwd Packets', 'Subflow Fwd Packets'), ('Total Backward Packets', 'Subflow Bwd Packets'), ('Fwd PSH Flags', 'SYN Flag Count'), ('Fwd URG Flags', 'CWE Flag Count'), ('Fwd Header Length', 'Fwd Header Length.1')]  dropped!
Shape after removing identical value columns:  (2520798, 66)
                             Destination Port  Flow Duration  Total Fwd Packets  Total Backward Packets  Total Length of Fwd Packets  Total Length of Bwd Packets  ...  Active Max  Active Min  Idle Mean  Idle Std  Idle Max  Idle Min
Destination Po

In [None]:
print(correlation_matrix[correlation_matrix > 0.9].count())

Destination Port               1
Flow Duration                  2
Total Fwd Packets              6
Total Backward Packets         6
Total Length of Fwd Packets    2
Total Length of Bwd Packets    6
Fwd Packet Length Max          2
Fwd Packet Length Min          1
Fwd Packet Length Mean         2
Fwd Packet Length Std          2
Bwd Packet Length Max          6
Bwd Packet Length Min          1
Bwd Packet Length Mean         8
Bwd Packet Length Std          6
Flow Bytes/s                   1
Flow Packets/s                 2
Flow IAT Mean                  2
Flow IAT Std                   6
Flow IAT Max                   7
Flow IAT Min                   1
Fwd IAT Total                  2
Fwd IAT Mean                   2
Fwd IAT Std                    5
Fwd IAT Max                    7
Fwd IAT Min                    1
Bwd IAT Total                  1
Bwd IAT Mean                   2
Bwd IAT Std                    1
Bwd IAT Max                    1
Bwd IAT Min                    2
Fwd PSH Fl

We can see that there are features that have high correlation with other features.

We should consider deleting correlated features from several reasons:
- Reduced Multicollinearity: features that provide redundant information can cause problems for ML models, potentially leading to poorer performance.
- Improved Interpretability: removing correlated features can simplify the model and make it easier to interpret the impact of each remaining feature on the target variable.
- Computational Efficiency: Fewer features can lead to faster training times and lower memory requirements.

# Add a column for Binary Classification tasks

In [None]:
# Create a binary target where BENIGN = 0 and ATTACK = 1
df['Binary_target'] = df['Label'].apply(lambda x: 1 if x == 'BENIGN' else 0)

# Investigate relationships between features and target variable


In [None]:
# Calculate correlation coefficient (Pearson's)
print( "Correlation between feature and Target")
for feature in numerical_features:
    correlation = df[feature].corr(df['Binary_target'])
    print(f"{feature} : {correlation:.2f}")

Correlation between feature and Target
Destination Port : 0.16
Flow Duration : -0.28
Total Fwd Packets : 0.00
Total Backward Packets : 0.00
Total Length of Fwd Packets : 0.02
Total Length of Bwd Packets : 0.00
Fwd Packet Length Max : 0.05
Fwd Packet Length Min : 0.13
Fwd Packet Length Mean : 0.07
Fwd Packet Length Std : 0.03
Bwd Packet Length Max : -0.60
Bwd Packet Length Min : 0.27
Bwd Packet Length Mean : -0.59
Bwd Packet Length Std : -0.61
Flow Bytes/s : 0.02
Flow Packets/s : 0.07
Flow IAT Mean : -0.22
Flow IAT Std : -0.41
Flow IAT Max : -0.47
Flow IAT Min : -0.02
Fwd IAT Total : -0.28
Fwd IAT Mean : -0.19
Fwd IAT Std : -0.51
Fwd IAT Max : -0.47
Fwd IAT Min : 0.02
Bwd IAT Total : -0.01
Bwd IAT Mean : -0.02
Bwd IAT Std : -0.20
Bwd IAT Max : -0.15
Bwd IAT Min : 0.03
Fwd PSH Flags : 0.08
Fwd URG Flags : 0.00
Fwd Header Length : 0.00
Bwd Header Length : 0.00
Fwd Packets/s : 0.08
Bwd Packets/s : -0.02
Min Packet Length : 0.28
Max Packet Length : -0.56
Packet Length Mean : -0.52
Packet Le

Looking at the correlation between the features and the target, we can see that the packet length/size features show ~0.6 correlation with the target and those
correlated features should be important for a model that classifies intrusions.

In [None]:
# Save the processed data to a csv
df.to_csv(os.path.join(DIR_PATH, "processed_data.csv"), index=False)
df.shape

(2520798, 67)