# EDA in Postgres for the full dataset


In [1]:
import pandas as pd

In [2]:
%load_ext sql

In [3]:
%load_ext watermark
%watermark -iv

pandas 0.24.0



In [4]:
%sql postgres://localhost/nb15

'Connected: @nb15'

In [5]:
%sql select count(*) from full_data;

 * postgres://localhost/nb15
1 rows affected.


count
2540044


In [6]:
%sql select * from full_data limit 5

 * postgres://localhost/nb15
5 rows affected.


index,srcip,sport,dstip,dsport,proto,state,dur,sbytes,dbytes,sttl,dttl,sloss,dloss,service,sload,dload,spkts,dpkts,swin,dwin,stcpb,dtcpb,smeansz,dmeansz,trans_depth,res_bdy_len,sjit,djit,stime,ltime,sintpkt,dintpkt,tcprtt,synack,ackdat,is_sm_ips_ports,ct_state_ttl,ct_flw_http_mthd,is_ftp_login,ct_ftp_cmd,ct_srv_src,ct_srv_dst,ct_dst_ltm,ct_src_ltm,ct_src_dport_ltm,ct_dst_sport_ltm,ct_dst_src_ltm,attack_cat,label
2089728,59.166.0.1,54503,149.171.126.7,53,udp,CON,0.001209,146,178,31,29,0,0,dns,483043.8438,588916.4375,2,2,0,0,0,0,73,89,0,0,0.0,0.0,1424249606,1424249606,0.006,0.004,0.0,0.0,0.0,0,0,0,0,0,2,1,2,4,2,1,3,normal,0
2089729,59.166.0.6,56357,149.171.126.9,53,udp,CON,0.001098,146,178,31,29,0,0,dns,531876.125,648451.75,2,2,0,0,0,0,73,89,0,0,0.0,0.0,1424249606,1424249606,0.008,0.007,0.0,0.0,0.0,0,0,0,0,0,2,5,4,6,2,2,2,normal,0
2089730,59.166.0.9,4572,149.171.126.5,25,tcp,FIN,0.49782,37190,3276,31,29,18,8,smtp,586155.625,51343.85938,52,40,255,255,2469890966,321316428,715,82,0,0,881.560196,30.008322,1424249606,1424249606,9.754451,12.750257,0.000682,0.000556,0.000126,0,0,0,0,0,3,1,6,7,1,1,2,normal,0
2089731,59.166.0.1,61282,149.171.126.2,20900,tcp,FIN,0.111575,5174,86068,31,29,7,39,-,366892.2188,6104091.5,90,92,255,255,2289882900,2286017288,57,936,0,0,74.580048,73.447296,1424249606,1424249606,1.249933,1.2323,0.0008,0.00066,0.00014,0,0,0,0,0,6,5,4,4,1,1,1,normal,0
2089732,59.166.0.9,16165,149.171.126.2,80,tcp,FIN,1.137988,1580,10168,31,29,3,5,http,10186.39941,67515.64844,12,18,255,255,4073175194,1928768568,132,565,1,3924,10055.79971,8096.767839,1424249605,1424249606,103.420543,66.911938,0.000599,0.000482,0.000117,0,0,1,0,0,1,1,4,7,1,1,3,normal,0


In [7]:
%sql select attack_cat, count(*) from full_data group by attack_cat;

 * postgres://localhost/nb15
10 rows affected.


attack_cat,count
analysis,2677
backdoors,2329
dos,16353
exploits,44525
fuzzers,24246
generic,215481
normal,2218761
reconnaissance,13987
shellcode,1511
worms,174


So I switched from the training dataset to the full dataset because I noticed 
in the training set that there are a number of protocols that are either entirely
attack or entirely normal (i.e. only need to look at one column to classify 
correctly). Looks like the full dataset has the same problem. 

In [8]:
%%sql 
SELECT proto, label, count(*) 
FROM full_data 
GROUP BY proto, label 
ORDER BY proto, label;

 * postgres://localhost/nb15
138 rows affected.


proto,label,count
3pc,1,137
a/n,1,137
aes-sp3-d,1,137
any,1,411
argus,1,137
aris,1,137
arp,0,10064
ax.25,1,137
bbn-rcc,1,137
bna,1,137


In [9]:
%%sql
WITH only_bad_proto AS (
SELECT proto, COUNT(proto) as proto_cnt
FROM full_data 
WHERE LABEL = 1 
AND proto NOT IN (SELECT DISTINCT(proto) FROM full_data WHERE LABEL = 0)
GROUP BY proto
)
SELECT SUM(proto_cnt)
FROM only_bad_proto
;

 * postgres://localhost/nb15
1 rows affected.


sum
36071


In [10]:
%%sql 
SELECT COUNT(label)
FROM full_data
WHERE LABEL = 1

 * postgres://localhost/nb15
1 rows affected.


count
321283


In [11]:
36071/321283

0.11227173551043784

So about 11 percent of attacks are identifiable as attacks by protocol only

In [12]:
%%sql
WITH only_good_proto AS (
     SELECT 
           proto, COUNT(proto) as proto_cnt
     FROM 
           full_data 
     WHERE 
             LABEL = 0 
         AND proto NOT IN (SELECT DISTINCT(proto) FROM full_data WHERE LABEL = 1)
     GROUP BY 
         proto
)
SELECT SUM(proto_cnt) 
FROM only_good_proto

 * postgres://localhost/nb15
1 rows affected.


sum
10669


In [13]:
%%sql
WITH only_good_proto AS (
      SELECT 
             proto, COUNT(proto) as proto_cnt
      FROM 
             full_data 
      WHERE 
             LABEL = 0 
         AND proto NOT IN 
             (SELECT DISTINCT(proto) FROM full_data WHERE LABEL = 1)
      GROUP BY proto
)
SELECT DISTINCT(proto) 
FROM only_good_proto
ORDER BY proto
;

 * postgres://localhost/nb15
6 rows affected.


proto
arp
esp
icmp
igmp
rtp
udt


Also applies to some normal traffic, but the number of rows is trivial compared
to the 2 million non-attack traffic.

In [14]:
%%sql
WITH
attack_tbl AS (
    SELECT * 
    FROM full_data
    WHERE LABEL = 1
),
only_bad_proto AS (
    SELECT attack_cat, COUNT(attack_cat) AS proto_leak_cnt
    FROM attack_tbl
    WHERE proto NOT IN (SELECT DISTINCT(proto) FROM full_data WHERE LABEL = 0)
    GROUP BY attack_cat
),
attack_sums AS (
    SELECT attack_cat, COUNT(attack_cat) as attack_cnt
    FROM attack_tbl
    GROUP BY attack_cat
)
SELECT attack_sums.attack_cat, attack_cnt, proto_leak_cnt 
FROM only_bad_proto 
INNER JOIN attack_sums 
        ON only_bad_proto.attack_cat = attack_sums.attack_cat


 * postgres://localhost/nb15
7 rows affected.


attack_cat,attack_cnt,proto_leak_cnt
dos,16353,11546
analysis,2677,1980
backdoors,2329,1810
generic,215481,1609
exploits,44525,14704
reconnaissance,13987,1903
fuzzers,24246,2519


OK -- there are attacks of at least some types that cannot be detected by protocol alone. 


In [15]:
%sql select distinct(attack_cat) from full_data;

 * postgres://localhost/nb15
10 rows affected.


attack_cat
shellcode
worms
normal
dos
backdoors
generic
exploits
fuzzers
analysis
reconnaissance


In [18]:
%%sql
WITH attack_proto AS (
    SELECT DISTINCT(proto)
    FROM full_data
    WHERE proto NOT IN (SELECT DISTINCT(proto) FROM full_data WHERE label = 0)
)
SELECT 
     attack_cat, proto, count(label)
FROM  
     full_data 
WHERE  
        proto in (SELECT proto FROM attack_proto)
    AND label = 1
GROUP BY 
     attack_cat, proto
ORDER BY 
    proto, attack_cat
;

 * postgres://localhost/nb15
882 rows affected.


attack_cat,proto,count
analysis,3pc,8
backdoors,3pc,7
dos,3pc,44
exploits,3pc,55
fuzzers,3pc,10
generic,3pc,6
reconnaissance,3pc,7
analysis,a/n,8
backdoors,a/n,7
dos,a/n,44


OK, so the protocol tells the algorithm that it's an attack, but that's not
necessarily enough to figure out the type of attack that was launched. So, there
is still an interesting problem to solve.

The exploit-times-protocol counts are really low given the fact that there are two million rows in the training set. 

Need to think about how to stratify my training set for the most representative
sample.

In [19]:
%%sql 
SELECT service, label, count(*) 
FROM full_data 
GROUP BY service, label;

 * postgres://localhost/nb15
24 rows affected.


service,label,count
-,0,1166518
-,1,79877
dhcp,1,172
dns,0,571037
dns,1,210631
ftp,0,46075
ftp,1,3015
ftp-data,0,123893
ftp-data,1,1890
http,0,187426


No normal dhcp or ssl traffic, but the attacks seem to use the same services as the normal traffic otherwise. 