In [1]:
import pandas as pd
import pickle
import numpy  as np
from time import time
#train_test_split
from sklearn.model_selection import train_test_split
#Feature scaling
from sklearn import preprocessing
from collections import Counter
import math

In [2]:
def load_obj(name):
    with open('../DistributionDictionary/' + name + '.pkl', 'rb') as f:
        return pickle.load(f)

distributions = {}
distributions['Benign'] = load_obj("Benign_Distribution_set")
distributions['DoS'] = load_obj("DoS_Distribution_set")
distributions['PortScan'] = load_obj("PortScan_Distribution_set")
distributions['DDoS'] = load_obj("DDoS_Distribution_set")
distributions['SSH'] = load_obj("SSH_Distribution_set")
distributions['FTP'] = load_obj("FTP_Distribution_set")
distributions['Web'] = load_obj("Web_Distribution_set")
distributions['Bot'] = load_obj("Bot_Distribution_set")

attack_types = 7  #总已知攻击种类

#定义difference weight,取值0~1
def calculate_dw(distribution_1, distribution_2, feature_index):
    count1 = calculate_count(distribution_1, feature_index)
    count2 = calculate_count(distribution_2, feature_index)
    h = 20
    dw = 0
    for i in range(h):
        start = i*5
        end = start + 5
        T1 = distribution_1[str(feature_index)][str(start) + '-' + str(end)]/count1
        T2 = distribution_2[str(feature_index)][str(start) + '-' + str(end)]/count2
        dw += abs(T1 - T2)
    return dw/2
#用于计算分布字典里的实例数
def calculate_count(distribution, feature_index):
    h = 20
    count = 0
    for i in range(h):
        start = i*5
        end = start + 5
        count += distribution[str(feature_index)][str(start) + '-' + str(end)]
    return count
#定义hdw，hybird difference weight
def calculate_hdw(feature_index):
    base = 0
    for key in distributions:
        if(key == "Benign"):
            continue
        dw = calculate_dw(distributions['Benign'], distributions[key], feature_index)
        if(dw > base):
            base = dw
    return base


#计算例子在某种标签上的得分，需要提供对应标签的分布统计字典和字典的统计量
def get_score(example, distributeObj):    
    score = 0
    count = calculate_count(distributeObj, 0)  #取哪个特征都一样
    for i in range(feature_numbers):

        start = int(example[i]/0.05//1)*5   #取200个分组里的分组起始位置
        if(start == 100):     #特殊处理当该属性为1.0时溢出的情况
            start = 95      
        end = start + 5
        dataRange = '{0}-{1}'.format(start, end )
        base = distributeObj[str(i)][dataRange]/count
        if(base == 0):
            return -4.0
            #return "attack"
        score += math.log(base) * calculate_hdw(i)  / feature_numbers
    return score

def get_max(array):
    base = 0
    for value in array:
        if(base < value):
            base = value
    return base
def get_min(array):
    base = array[0]
    for value in array:
        if(base > value):
            base = value
    return base
def get_average(array):
    return float(sum(array))/len(array)
def get_medium(array):
    array.sort()
    mid = int(len(array) / 2)
    if len(array) % 2 == 0:
        median = (array[mid - 1] + array[mid]) / 2.0
    else:
        median = array[mid]
    return median
def get_analysis(label_num):
    count = 0.0
    judge_attack_count = 0.0
    Indexs = []
    for index, item in enumerate(test_y3):  
        if(item == label_num):
            Indexs.append(index)
            count+=1
    Scores = []
    for index, item in enumerate(Indexs):
        t = get_score(test_x3[item], distributions['Benign'])
        if(t == "attack"):
            judge_attack_count+=1
            t = -4.0
        Scores.append(t)

    print(get_max(Scores))
    print(get_min(Scores))
    print(get_medium(Scores))
    print(get_average(Scores))  
    print(judge_attack_count / count) 
    return Scores

In [None]:
def read_csv(dataroot):
    df=pd.read_csv(dataroot,header=0,low_memory=False)   
    pd.set_option('mode.use_inf_as_na', True) # convert inf to nan
    df['Flow Bytes/s']=df['Flow Bytes/s'].astype('float64')
    df[' Flow Packets/s']=df[' Flow Packets/s'].astype('float64')
    df['Flow Bytes/s'].fillna(df['Flow Bytes/s'].mean(),inplace=True)
    df[' Flow Packets/s'].fillna(df[' Flow Packets/s'].mean(),inplace=True)
    return df

def split_valid_from_train(train_dataset, valid_size):
    # Method 1
    train_dataset, valid_dataset, _, _ = train_test_split(train_dataset, train_dataset[' Label'], test_size=valid_size, random_state=None)
    # pandas中先重置index再打乱train. 否则只会调整各个行的顺序，而不会改变pandas的index
    # 重置
    train_dataset = train_dataset.reset_index(drop=True)
    # 打乱
    indexMask = np.arange(len(train_dataset))
    for i in range(10):
        np.random.shuffle(indexMask)
    train_dataset = train_dataset.iloc[indexMask]

    return train_dataset, valid_dataset

def shuffle(dataset):  
    # 打乱
    indexMask = np.arange(len(dataset))
    for i in range(10):
        np.random.shuffle(indexMask)
    dataset = dataset.iloc[indexMask]
    dataset = dataset.reset_index(drop=True)

    return dataset 

#独热编码。选取distination port统计大于等于10以上的port作为新增维度
def create_columns_for_destination_port(train_dataset):
    countDictionary = Counter(train_dataset[' Destination Port'])
    columns = []
    columns.append('DestinationPort_Others')
    for key in countDictionary:
        if(countDictionary[key] >= 10):
            columns.append('DestinationPort_' + str(key))
    return columns

def one_hot_process_for_destination_port(dataset, columns):
    #重置索引
    dataset = dataset.reset_index(drop=True)
    #创建空表
    DestinationPort_revert = pd.DataFrame(data=np.zeros(shape=(dataset.shape[0],len(columns))), columns = columns)
    #填充空表
    for i,value in enumerate(dataset[' Destination Port'].values):
        name = "DestinationPort_" + str(value)
        if name in columns:
            DestinationPort_revert.loc[i, name] = 1
        else:
            DestinationPort_revert.loc[i, "DestinationPort_Others"] = 1
    #与原表连接
    dataset = pd.concat([dataset, DestinationPort_revert], axis=1)
    #删除原表的destination port列
    dataset = dataset.drop([' Destination Port'], axis=1)
    return dataset  



def labels_separate(dataset):
    y_ = dataset[' Label']
    temp = dataset
    temp.drop([' Label'], axis=1, inplace=True)
    x_ = temp.values
    return x_, y_

def labels_map(label):
    if(type(label) == int):      #已是数字，无需处理
        return label
    if label == 'BENIGN':
        return 0
    if label == 'DoS':
        return 1
    if label == 'PortScan':
        return 2
    if label == 'DDoS':
        return 3
    if label == 'SSH-Patator':
        return 4
    if label == 'FTP-Patator':
        return 5
    if label == 'Web Attack':
        return 6
    if label == 'Bot':
        return 7
    if label == 'Infiltration':
        return 8
    return -1   #-1表示出错
def filter_labels(dataset):
    dataset[' Label'] = dataset[' Label'].apply(labels_map)
    return dataset
#特征选取
def feature_selection(dataset):
    return dataset[[
        ' Destination Port', 'Bwd Packet Length Max',' Bwd Packet Length Min', ' Bwd Packet Length Std',
        ' Flow IAT Mean', ' Flow IAT Std', ' Flow IAT Min', ' Fwd IAT Min', ' Bwd Packets/s', ' Min Packet Length',
        ' Max Packet Length', ' Init_Win_bytes_backward', ' act_data_pkt_fwd', ' Label'
    ]]
def feature_selection2(dataset):
    return dataset[[' Destination Port', ' Flow Duration', ' Total Fwd Packets', 'Total Length of Fwd Packets', 
                    ' Total Length of Bwd Packets', ' Fwd Packet Length Std', 'Bwd Packet Length Max', 
                    ' Bwd Packet Length Mean', ' Bwd Packet Length Std', 'Flow Bytes/s', ' Flow IAT Mean', 
                    ' Flow IAT Max', ' Flow IAT Min', ' Fwd IAT Mean', ' Fwd IAT Max', ' Fwd IAT Min', 
                    ' Bwd IAT Min', ' Fwd Header Length', ' Bwd Header Length', 'Fwd Packets/s', 
                    ' Bwd Packets/s', ' Max Packet Length', ' Packet Length Variance', ' ACK Flag Count', 
                    ' URG Flag Count', ' Average Packet Size', ' Avg Bwd Segment Size', ' Fwd Header Length.1', 
                    ' Subflow Fwd Bytes', 'Init_Win_bytes_forward', ' Init_Win_bytes_backward', 
                    ' act_data_pkt_fwd', ' Label'
                   ]]


labelList = ["BENIGN", "DoS", "PortScan", "DDoS", "SSH-Patator", "FTP-Patator", "Web Attack", "Bot"]

In [None]:
#DDoS
df_1 = read_csv("../MachineLearningCVE/Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv")
df_1 = df_1.drop(df_1[df_1[' Label'] == 'BENIGN'].index)
df_1 = df_1.sample(n=5000,random_state=1, replace=False)
df_1_train, df_1_test = split_valid_from_train(df_1, 0.2)
#PortScan
df_2 = read_csv("../MachineLearningCVE/Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX.csv")
df_2 = df_2.drop(df_2[df_2[' Label'] == 'BENIGN'].index)
df_2 = df_2.sample(n=5000,random_state=1, replace=False)
df_2_train, df_2_test = split_valid_from_train(df_2, 0.2)
#Bot
df_3 = read_csv("../MachineLearningCVE/Friday-WorkingHours-Morning.pcap_ISCX.csv")
df_3 = df_3.drop(df_3[df_3[' Label'] == 'BENIGN'].index)
df_3 = df_3.sample(n=5000,random_state=1, replace=True)
df_3_train, df_3_test = split_valid_from_train(df_3, 0.2)
#Benign
df_4 = read_csv("../MachineLearningCVE/Monday-WorkingHours.pcap_ISCX.csv")
df_4 = df_4.sample(n=50000,random_state=1, replace=False)
df_4_train, df_4_test = split_valid_from_train(df_4, 0.2)
#Web attack
df_6 = read_csv("../MachineLearningCVE/Thursday-WorkingHours-Morning-WebAttacks.pcap_ISCX.csv")
df_6 = df_6.drop(df_6[df_6[' Label'] == 'BENIGN'].index)
df_6 = df_6.sample(n=5000,random_state=1, replace=True)
df_6[' Label'] = df_6[' Label'].apply(lambda x: 'Web Attack')
df_6_train, df_6_test = split_valid_from_train(df_6, 0.2)
#FTP-Patator and SSH-Patator
df_7 = read_csv("../MachineLearningCVE/Tuesday-WorkingHours.pcap_ISCX.csv")
df_7 = df_7.drop(df_7[df_7[' Label'] == 'BENIGN'].index)
df_7_1 = df_7.drop(df_7[df_7[' Label'] == 'FTP-Patator'].index)
df_7_2 = df_7.drop(df_7[df_7[' Label'] == 'SSH-Patator'].index)
df_7_1 = df_7_1.sample(n=5000,random_state=1, replace=False)
df_7_2 = df_7_2.sample(n=5000,random_state=1, replace=False)
df_7_1_train, df_7_1_test = split_valid_from_train(df_7_1, 0.2)
df_7_2_train, df_7_2_test = split_valid_from_train(df_7_2, 0.2)
#DoS
df_8 = read_csv("../MachineLearningCVE/Wednesday-workingHours.pcap_ISCX.csv")
df_8 = df_8.drop(df_8[df_8[' Label'] == 'BENIGN'].index)
df_8 = df_8.sample(n=5000,random_state=1, replace=False)
df_8[' Label'] = df_8[' Label'].apply(lambda x: 'DoS')
df_8_train, df_8_test = split_valid_from_train(df_8, 0.2)

#整合
df_train = df_1_train.append([df_2_train, df_3_train, df_4_train, df_6_train, df_7_1_train,df_7_2_train,df_8_train])
df_test = df_1_test.append([df_2_test, df_3_test, df_4_test, df_6_test, df_7_1_test,df_7_2_test,df_8_test])

In [None]:
print(df_train.shape)
print(df_train.loc[:,' Label'].value_counts())
print(df_test.shape)
print(df_test.loc[:,' Label'].value_counts())

In [None]:
import pickle
#数理统计方法，按5%区间进行数理统计
def statistics(dataset, feature_index):
    intervals = {'{0}-{1}'.format(5 * x, 5 * (x+1) ): 0 for x in range(20)}
    for _ in dataset[:,feature_index]:
        for interval in intervals:
            start, end = tuple(interval.split('-'))
            if int(start) <= _*100 <= int(end):
                intervals[interval] += 1
    return intervals

def save_obj(obj, name ):
    with open('../DistributionDictionary/'+ name + '.pkl', 'wb') as f:
        pickle.dump(obj, f, pickle.HIGHEST_PROTOCOL)
        

In [None]:
#整合后再乱序一下
df_train = shuffle(df_train)
#标签的字符转化成数字
df_train = filter_labels(df_train)
df_test = filter_labels(df_test)
#特征选择
df_train = feature_selection(df_train)
df_test = feature_selection(df_test)
#对destination port进行独热编码
columns = create_columns_for_destination_port(df_train)
df_train = one_hot_process_for_destination_port(df_train, columns)
df_test = one_hot_process_for_destination_port(df_test, columns)
#分离标签
df_train_X, df_train_y = labels_separate(df_train)
df_test_X, df_test_y = labels_separate(df_test)
#Normalization
scaler = preprocessing.MinMaxScaler()
df_train_X = scaler.fit_transform(df_train_X)
df_test_X = scaler.fit_transform(df_test_X)


In [None]:
df_train_X = create_distribution_score(df_train_X)
df_test_X = create_distribution_score(df_test_X)

In [None]:
print(columns)
print(len(columns))

In [None]:
print(df_train_X.shape)
print(df_train_y.shape)
print(df_test_X.shape)
print(df_test_y.shape)
print(df_train_X[0])
print(df_train_y)

In [None]:
feature_numbers = 12   #选前12个特征
distribution_feature = [    #产生的新特征
    'Benign_Score', 'DoS_Score',
    'PortScan_Score', 'DDoS_Score', 'SSH_Score',
    'FTP_Score', ' Web_Score', 'Bot_Score'
]
def create_distribution_score(dataset):
    #创建空表
    Score_revert = pd.DataFrame(
        data=np.zeros(
            shape=(
                dataset.shape[0],
                len(distribution_feature)
            )
        ),columns = distribution_feature
    )
    #填充空表
    for i,item in enumerate(dataset):
        score = []
        minIndex = 0
        Score_revert.loc[i, 'Benign_Score'] = get_score(item, distributions['Benign'])
        Score_revert.loc[i, 'DoS_Score'] = get_score(item, distributions['DoS'])
        Score_revert.loc[i, 'PortScan_Score'] = get_score(item, distributions['PortScan'])
        Score_revert.loc[i, 'DDoS_Score'] = get_score(item, distributions['DDoS'])
        Score_revert.loc[i, 'SSH_Score'] = get_score(item, distributions['SSH'])
        Score_revert.loc[i, 'FTP_Score'] = get_score(item, distributions['FTP'])
        Score_revert.loc[i, 'Web_Score'] = get_score(item, distributions['Web'])
        Score_revert.loc[i, 'Bot_Score'] = get_score(item, distributions['Bot'])

#     #与原表连接
#     dataset = pd.concat([dataset, DestinationPort_revert], axis=1)
    dataset = np.hstack((dataset,Score_revert.values))
    return dataset  



In [None]:
import tensorflow as tf
from tensorflow import keras
from sklearn.metrics import f1_score, precision_score, recall_score
from sklearn.metrics import classification_report
from tensorflow.keras.layers import BatchNormalization
#超参数设置
learning_rate = 0.001
epochs = 20
batch_size = 64
activation = tf.nn.relu         #非输出层下的激活函数

In [None]:
#用于记录训练中每个batch的loss
class LossHistory(keras.callbacks.Callback):
    def on_train_begin(self, logs={}):
        self.train_losses_per_batch = []
        self.train_losses_per_epoch = []
        self.valid_losses_per_epoch = []
        
    def on_batch_end(self, batch, logs={}):
        self.train_losses_per_batch.append(logs.get('loss'))
        
    def on_epoch_end(self, epoch, logs={}):
        self.train_losses_per_epoch.append(logs.get('loss'))
        self.valid_losses_per_epoch.append(logs.get('val_loss')*4)   #验证集由于只有1/4的训练集大小所以损失要乘以4
#用于记录训练中每个epoch的召回率，精确度以及f1 score
class Metrics(keras.callbacks.Callback):
    def on_train_begin(self, logs={}):
        self.val_f1s = []
        self.val_recalls = []
        self.val_precisions = []
        return

    def on_epoch_end(self, epoch, logs={}):
        predictions = self.model.predict(df_test_X)
        val_predict = np.argmax(predictions, axis=1)     #把独热编码转化成数字
        val_targ = df_test_y
        _val_recall = recall_score(val_targ, val_predict, average='macro')
        _val_precision = precision_score(val_targ, val_predict, average='macro')
        _val_f1 = f1_score(val_targ, val_predict, average='macro')
        self.val_f1s.append(_val_f1)
        self.val_recalls.append(_val_recall)
        self.val_precisions.append(_val_precision)
        return       
#回调：模型跑完epoch后选取最好的epoch模型保存，选取标准为验证集损失最小的那一个
checkpoint = keras.callbacks.ModelCheckpoint(      
    "./Test7_model.h5",
    monitor='val_loss',
    verbose=1,
    save_best_only=True,
    mode='min',
    period=1
)
def simple_model():
    model = keras.Sequential([
        keras.layers.Dense(df_train_X.shape[1], activation=activation, input_shape=(df_train_X.shape[1],)),
        keras.layers.Dense(64, activation=activation),
        BatchNormalization(),
        keras.layers.Dense(8,activation=tf.nn.softmax)
    ])
    model.compile(optimizer =tf.train.AdamOptimizer(learning_rate=learning_rate),
        loss="sparse_categorical_crossentropy",
        metrics=['accuracy']
    )
    model.summary()
    history = LossHistory()
    metrics = Metrics()
    model.fit(
        df_train_X,df_train_y,
        validation_data=[df_test_X, df_test_y],
        batch_size=batch_size,epochs=epochs,
        callbacks=[history, metrics, checkpoint]
    )   
    return model,history,metrics
model,history,metrics = simple_model()

In [None]:
import matplotlib.pyplot as plt
import matplotlib

%matplotlib inline
matplotlib.rcParams['font.sans-serif'] = ['SimHei']

In [None]:
#绘制训练集在batch下的损失变化
plt.title('The Cost with batchs runs',fontsize=30)
plt.xlabel('batchs',fontsize=20)
plt.ylabel('Cost',fontsize=20)
plt.xticks(fontsize=20)
plt.yticks(fontsize=20)
plt.plot(history.train_losses_per_batch)
plt.gcf().set_size_inches(15,4)
plt.show()
#绘制训练集与验证集在epoch下的损失比较
plt.title('The Cost with epoches runs',fontsize=30)
plt.xlabel('epoch',fontsize=20)
plt.ylabel('Cost',fontsize=20)
plt.xticks(fontsize=20)
plt.yticks(fontsize=20)
plt.plot(history.train_losses_per_epoch, '-o', label='train')
plt.plot(history.valid_losses_per_epoch, '-o', label='valid')
plt.legend(fontsize=30,loc='upper right')
plt.gcf().set_size_inches(15,4)
plt.show()

In [None]:
#选取验证集准确率最高的模型
model = keras.models.load_model('./Test7_model.h5') 
model.compile(optimizer =tf.train.AdamOptimizer(learning_rate=learning_rate),
    loss="sparse_categorical_crossentropy",
    metrics=['accuracy']
)
#测试集的正确率
def use_evaluate_test():
    test_loss,test_acc = model.evaluate(df_test_X,df_test_y)
    print('Test accuracy:', test_acc)
    return 
use_evaluate_test()

In [None]:
predictions = model.predict(df_test_X)
print(classification_report(df_test_y, np.argmax(predictions, axis=1) , target_names=labelList))