# Introduction to Python and Useful Data Science Libraries

There a couple of well established data science libraries that you will find useful when exploring security data.

Pandas library stands for Python Data Analysis Library. Pandas is a game changer when it comes to analysising data with Pytn and it is on eof the most preferred and widely used tools in data science.

Pandas takes data (CSV, TSV, SQL database) and creates a python objection with rows and columns called data frame what looks similar to tables in statistical software (Excel, SPSS, R). This makes it easier to work with in comparison to working with lists and/or dictionaries through for loops or list comprehension.

In order to use Pandas in your Jupyter Notebook you need to import the Pandas library first. Importing the library means loading it into the memory and then it's there for you to work with. In order to import Pandas all you have to do is the run the following code:

In [1]:
import pandas as pd

The second part `pd` allows you to access Pandas with `pd.command` instead of needing to write `pandas.command` every time you need to use it. I also imported numpy because it is very useful library for scientific computing with Python. Now Pandas is ready for use! You would need to do this everytime you start a new Jupyter Notebook.

### Loading and Saving Data with Pandas

When you want to use Pandas for data analysis, you'll usually use it in one of three different ways:
* Convert a Python's list, dictionary or Numpy array to a Pandas data frame
* Open a local file using Pandas, usally a CSV file, but could also be delimited text file (like TSV), Excel, etc
* Open a remote file or database like a CSV or a JSON on a website through a URL or read from a SQL table/database

Below we will demonstrate reading a local file (JSON file) into a Pandas data frame.

In [2]:
df = pd.read_json('data/ISP_abuse_email_feed.json')

#### ISP Abuse Email Feed

Feed showing indicators of compromise from various Abuse reports locaed here: http://www.webiron.com/abuse_feed/

In [3]:
print(df)

        attacker_ip                days_unresolved emails_deliverable  \
0           0.0.0.0                            NaN                Yes   
1     178.137.19.79    <font color="red">20</font>                Yes   
2    178.137.80.158    <font color="red">20</font>                Yes   
3   178.137.167.214    <font color="red">20</font>                Yes   
4   178.137.167.214    <font color="red">20</font>                Yes   
5    178.137.80.158    <font color="red">20</font>                Yes   
6    77.154.194.148     <font color="red">5</font>                Yes   
7     45.227.253.98  <font color="green"><3</font>                Yes   
8    46.229.168.142   <font color="red">109</font>                Yes   
9    46.229.168.142   <font color="red">109</font>                Yes   
10    93.144.60.145  <font color="green"><3</font>                Yes   
11   132.148.26.213  <font color="green"><3</font>                Yes   
12   132.148.26.213  <font color="green"><3</font> 

When the Dataframe is large, like above, you can still print it to the screen, or you can simply print the first 5 lines of the DataFrame with the `.head()` function.

In [4]:
df.head()

Unnamed: 0,attacker_ip,days_unresolved,emails_deliverable,entry_type,event_emails,event_msg,event_time,incidents_reported
0,0.0.0.0,,Yes,,[sales@webiron.com],List provided by Webiron.com,0000-00-00 00:00:00.0-07,0
1,178.137.19.79,"<font color=""red"">20</font>",Yes,opened,[hostmaster@kyivstar.net],Host has opened and viewed report,2019-04-15 18:08:16.927385-07,0
2,178.137.80.158,"<font color=""red"">20</font>",Yes,opened,[hostmaster@kyivstar.net],Host has opened and viewed report,2019-04-15 18:08:15.108328-07,0
3,178.137.167.214,"<font color=""red"">20</font>",Yes,opened,[noc@kyivstar.net],Host has opened and viewed report,2019-04-15 18:08:14.009988-07,0
4,178.137.167.214,"<font color=""red"">20</font>",Yes,opened,[hostmaster@kyivstar.net],Host has opened and viewed report,2019-04-15 18:08:13.009396-07,0


To view the last n entries, we can use the `.tail()` function.

In [5]:
df.tail(5)

Unnamed: 0,attacker_ip,days_unresolved,emails_deliverable,entry_type,event_emails,event_msg,event_time,incidents_reported
46,61.228.115.175,"<font color=""green""><3</font>",Yes,report,"[spam@ms1.hinet.net, abuse@hinet.net, network-...",Unidentified Intelligence Crawler,2019-04-15 16:00:52.459012-07,1
47,91.211.142.242,"<font color=""green""><3</font>",Yes,report,[abuse@telplus.ru],Orphan Malware Scanner,2019-04-15 16:00:41.792437-07,1
48,104.148.64.26,"<font color=""red"">5</font>",Yes,report,[abuse@globalfrag.com],"Vulnerability Scan Bot,<br />Orphan Malware Sc...",2019-04-15 16:00:36.313361-07,2
49,125.27.10.69,"<font color=""red"">88</font>",Yes,report,"[root@tot.co.th, postmaster@tot.co.th, abuse@i...","DB GUI Exploit Scanner Bot,<br />Client softwa...",2019-04-15 16:00:34.480716-07,71
50,198.108.66.240,"<font color=""red"">85</font>",Yes,report,"[phil.carolan@lisd.us, abuse@censys.io]",Exploit Scanner,2019-04-15 16:00:31.584055-07,1


By calling the `.info()` function, we can see information regarding the column names, total number of entries, and the types for each column.

In [6]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 51 entries, 0 to 50
Data columns (total 8 columns):
attacker_ip           51 non-null object
days_unresolved       50 non-null object
emails_deliverable    51 non-null object
entry_type            51 non-null object
event_emails          51 non-null object
event_msg             51 non-null object
event_time            51 non-null object
incidents_reported    51 non-null int64
dtypes: int64(1), object(7)
memory usage: 3.3+ KB


From this data, we can see we have 51 entries (rows) in our DataFrame. We can also see that days_unresolved appears to be missing an entry.

    The `.describe()` function can be incredibly useful when analyzing a dataset. By calling this function, Pandas will tell us the count, mean, standard devication, interquartile range, maximu, and minumum values for each column in our dataset which has a numerical type.

In [7]:
df.describe()

Unnamed: 0,incidents_reported
count,51.0
mean,6.862745
std,18.918794
min,0.0
25%,0.0
50%,0.0
75%,2.0
max,71.0


Pandas provides many tools to manipulate, filter, combine and transform your data. To grab the first 10 rows from the event_time column, we can enter the key and indicies in square brackets []. You can access a column by typing its name right after the DataFrame .

In [8]:
# Without indicies, we can grab the entire column
print(df['event_time'][0:10])
print('')
# This is equivalent
print(df.event_time[0:10])

0         0000-00-00 00:00:00.0-07
1    2019-04-15 18:08:16.927385-07
2    2019-04-15 18:08:15.108328-07
3    2019-04-15 18:08:14.009988-07
4    2019-04-15 18:08:13.009396-07
5    2019-04-15 18:08:09.676759-07
6    2019-04-15 18:06:36.826063-07
7     2019-04-15 18:05:16.72206-07
8    2019-04-15 18:05:07.808498-07
9    2019-04-15 18:04:47.982869-07
Name: event_time, dtype: object

0         0000-00-00 00:00:00.0-07
1    2019-04-15 18:08:16.927385-07
2    2019-04-15 18:08:15.108328-07
3    2019-04-15 18:08:14.009988-07
4    2019-04-15 18:08:13.009396-07
5    2019-04-15 18:08:09.676759-07
6    2019-04-15 18:06:36.826063-07
7     2019-04-15 18:05:16.72206-07
8    2019-04-15 18:05:07.808498-07
9    2019-04-15 18:04:47.982869-07
Name: event_time, dtype: object


If we look at the type of each column, we can see that DataFrames are actually mad eup of Pandas Series.

In [9]:
type(df.event_time)

pandas.core.series.Series

By grabbing an individual column as a series, we can calculate the mean, median or a number of statistical values by using methods  of the same name.

In [10]:
print('MEAN: ' + str(df.incidents_reported.mean()))
print('MEDIAN: ' + str(df.incidents_reported.median()))
print('MAX: ' + str(df.incidents_reported.max()))
print('MIN: ' + str(df.incidents_reported.min()))
print('SUM: ' + str(df.incidents_reported.sum()))

MEAN: 6.862745098039215
MEDIAN: 0.0
MAX: 71
MIN: 0
SUM: 350


We can also grab a number of columns at once by passing in a list of columns.

In [11]:
df[['attacker_ip', 'emails_deliverable', 'entry_type']]

Unnamed: 0,attacker_ip,emails_deliverable,entry_type
0,0.0.0.0,Yes,
1,178.137.19.79,Yes,opened
2,178.137.80.158,Yes,opened
3,178.137.167.214,Yes,opened
4,178.137.167.214,Yes,opened
5,178.137.80.158,Yes,opened
6,77.154.194.148,Yes,report
7,45.227.253.98,Yes,report
8,46.229.168.142,Yes,resolved
9,46.229.168.142,Yes,report


## Exercise 1

We have already provided you with a dataset from the National Vulnerability Database. The file is located in `data/nvdcve.json`. You are taksed with the following:
* Create a dataframe
* List the first 10 entries of the dataframe
* Show the CVE_data_version of the first 5 people
* Calculate the mean of the number of CVEs
* Calculate the median of the number of CVEs

Reference: 
* https://towardsdatascience.com/a-quick-introduction-to-the-pandas-python-library-f1b678f34673
* https://www.secrepo.com/
* https://github.com/ADSA-UIUC/intro-to-pandas-and-matplotlib/blob/master/intro-to-pandas-and-matplotlib-completed.ipynb
* https://nvd.nist.gov/vuln/data-feeds