# clean data 

## importing library

In [2]:
import pandas as pd


In [3]:
# load the csv file 

df = pd.read_csv("cybersecurity_attacks.csv")

## display information 

In [6]:
df.head(5)



In [7]:
df.describe()



In [8]:
df.info()



## information about the table 

- It has 40,000 rows and 25 columns.
- TimeStamps is a data type column 
- Several columns have missing values (e.g., Malware Indicators, Alerts/Warnings, Proxy Information,Firewall logs, IDS/IPS Alerts).
- numerical column ( Packet Length, Anamaly Scores) numerical analyses can be made on it 
- string column (Source IP Address, Destination IP Address, Source Port, Destination Port, Payload Data, User information, Device Information, Geo-location Data )
- Some categorical features (e.g., Protocol, Packet Type, Traffic Type,Attack Type,Attack Signature,Action Taken,  Severity Level, Network Segment, Log Source) will require encoding for ML.
- columns we will transform to categorial (Malware Indicators, Alerts/warnings, Firewall logs, IDS/IPS Alerts) 
- Proxy Information is a string column , but will be removed not relevant for our prediction and has many NaN value more than half of our set  

## missing column values

### Malware Indicator


In [11]:
## ading a value "not ioc detected" to the Malware Indicators column where the value is NaN

df['Malware Indicators'] = df['Malware Indicators'].fillna('No IoC Detected')

### Alerts/Warnings

In [12]:
# adding a value "No Alert triggered" to the Alerts/Warnings column where the value is NaN

df['Alerts/Warnings'] = df['Alerts/Warnings'].fillna('No Alert Triggered')

### Proxy Information 
     This column is not really relevant for our model and has many nan 

In [13]:
# Delete Proxy Information column

df = df.drop('Proxy Information', axis=1)

### FireWall Logs


In [14]:
# adding a value "No Log Data" to the Firewall logs column where the value is NaN

df['Firewall Logs'] = df['Firewall Logs'].fillna('No Log Data')

### IDS/IPS Alerts 

In [15]:
# adding a value "No Alert Data" to the IDS/IPS Alerts column where the value is NaN

df['IDS/IPS Alerts'] = df['IDS/IPS Alerts'].fillna('No Alert Data')

In [16]:
## we verify that the changes have been made

df.info()



## Data conversion 

### timestamps column 


In [17]:
## timestamp column is not in the right format, we will convert it to datetime format, done separately for pandas 

df['Timestamp'] = pd.to_datetime(df['Timestamp'])

In [18]:
df.info()



In [24]:
# Dictionary defining column names and their data types
column_dtypes = {   
    "Source IP Address":'string',
    "Destination IP Address": 'string',
    "Source Port": 'string',
    "Destination Port": 'string',
    "Protocol": "category",
    "Packet Length": int,
    "Packet Type": "category",
    "Traffic Type": "category",
    "Payload Data": 'string',
    "Malware Indicators": "category",
    "Anomaly Scores": float,
    "Alerts/Warnings": "category",
    "Attack Type": "category",
    "Attack Signature": "category",
    "Action Taken": "category",
    "Severity Level": "category",
    "User Information": 'string',
    "Device Information": 'string',
    "Network Segment": "category",
    "Geo-location Data": 'string',  
    "Firewall Logs": "category",
    "IDS/IPS Alerts": "category",
    "Log Source": "category"
}

# Convert all other columns based on dictionary
for col, dtype in column_dtypes.items():
    if dtype == str:
        df[col] = df[col].astype("string")  # Explicitly enforce str type
    else:
        df[col] = df[col].astype(dtype)

In [25]:
df.info()



## storing the cleaned data frame in csv 

In [27]:
## we will now store the cleaned data in a new csv file

df.to_csv("cleaned_cybersecurity_attacks.csv", index=False)

# Outliers 

## graphs to detect some outliers 

# Feature Eng

## import the cleaned csv 

In [46]:
df_cleaned = pd.read_csv("cleaned_cybersecurity_attacks.csv")
df_cleaned.head(5)

Unnamed: 0,Timestamp,Source IP Address,Destination IP Address,Source Port,Destination Port,Protocol,Packet Length,Packet Type,Traffic Type,Payload Data,...,Attack Signature,Action Taken,Severity Level,User Information,Device Information,Network Segment,Geo-location Data,Firewall Logs,IDS/IPS Alerts,Log Source
0,2023-05-30 06:33:58,103.216.15.12,84.9.164.252,31225,17616,ICMP,503,Data,HTTP,Qui natus odio asperiores nam. Optio nobis ius...,...,Known Pattern B,Logged,Low,Reyansh Dugal,Mozilla/5.0 (compatible; MSIE 8.0; Windows NT ...,Segment A,"Jamshedpur, Sikkim",Log Data,No Alert Data,Server
1,2020-08-26 07:08:30,78.199.217.198,66.191.137.154,17245,48166,ICMP,1174,Data,HTTP,Aperiam quos modi officiis veritatis rem. Omni...,...,Known Pattern A,Blocked,Low,Sumer Rana,Mozilla/5.0 (compatible; MSIE 8.0; Windows NT ...,Segment B,"Bilaspur, Nagaland",Log Data,No Alert Data,Firewall
2,2022-11-13 08:23:25,63.79.210.48,198.219.82.17,16811,53600,UDP,306,Control,HTTP,Perferendis sapiente vitae soluta. Hic delectu...,...,Known Pattern B,Ignored,Low,Himmat Karpe,Mozilla/5.0 (compatible; MSIE 9.0; Windows NT ...,Segment C,"Bokaro, Rajasthan",Log Data,Alert Data,Firewall
3,2023-07-02 10:38:46,163.42.196.10,101.228.192.255,20018,32534,UDP,385,Data,HTTP,Totam maxime beatae expedita explicabo porro l...,...,Known Pattern B,Blocked,Medium,Fateh Kibe,Mozilla/5.0 (Macintosh; PPC Mac OS X 10_11_5; ...,Segment B,"Jaunpur, Rajasthan",No Log Data,Alert Data,Firewall
4,2023-07-16 13:11:07,71.166.185.76,189.243.174.238,6131,26646,TCP,1462,Data,DNS,Odit nesciunt dolorem nisi iste iusto. Animi v...,...,Known Pattern B,Blocked,Low,Dhanush Chad,Mozilla/5.0 (compatible; MSIE 5.0; Windows NT ...,Segment C,"Anantapur, Tripura",No Log Data,Alert Data,Firewall


In [21]:
df_cleaned_copy = df_cleaned.copy()
df_cleaned_copy.head(5)

add a column attack_id

In [47]:
df_cleaned_copy['attack_Index'] = df_cleaned_copy.index
df_cleaned_copy.head(5)

Unnamed: 0,Protocol,Packet Length,Packet Type,Traffic Type,Malware Indicators,Anomaly Scores,Alerts/Warnings,Attack Type,Attack Signature,Action Taken,Severity Level,Network Segment,Firewall Logs,IDS/IPS Alerts,Log Source,attack_Index
0,ICMP,503,Data,HTTP,IoC Detected,28.67,No Alert Triggered,Malware,Known Pattern B,Logged,Low,Segment A,Log Data,No Alert Data,Server,0
1,ICMP,1174,Data,HTTP,IoC Detected,51.5,No Alert Triggered,Malware,Known Pattern A,Blocked,Low,Segment B,Log Data,No Alert Data,Firewall,1
2,UDP,306,Control,HTTP,IoC Detected,87.42,Alert Triggered,DDoS,Known Pattern B,Ignored,Low,Segment C,Log Data,Alert Data,Firewall,2
3,UDP,385,Data,HTTP,No IoC Detected,15.79,Alert Triggered,Malware,Known Pattern B,Blocked,Medium,Segment B,No Log Data,Alert Data,Firewall,3
4,TCP,1462,Data,DNS,No IoC Detected,0.52,Alert Triggered,DDoS,Known Pattern B,Blocked,Low,Segment C,No Log Data,Alert Data,Firewall,4


for our FE, to feed in numerical data to our model we will need to drop some non numerical columns like :
- Timestamp
- Source IP Address
- Destination Address
- Source Port 
- Destination Port
- Pay Load 
- User Information
- Device Information
- Geo-location Data


In [23]:
def drop_columns(df):
    columns_to_drop = ["Timestamp", "Source IP Address", "Destination IP Address", "Source Port", "Destination Port", "Payload Data", "User Information", "Device Information", "Geo-location Data"]
    df = df.drop(columns=columns_to_drop)
    return df

df_cleaned_copy = drop_columns(df_cleaned_copy)
df_cleaned_copy.head(5)

In [None]:
df_cleaned_copy = df_cleaned_copy.drop(columns=["Index"])

In [14]:
df_cleaned_copy.to_csv("cybersecurity_attacks_index.csv", index=False)

In [48]:
new_df = pd.read_csv("cybersecurity_attacks_index.csv", index_col="attack_Index")
new_df.head(5)

Unnamed: 0_level_0,Protocol,Packet Length,Packet Type,Traffic Type,Malware Indicators,Anomaly Scores,Alerts/Warnings,Attack Type,Attack Signature,Action Taken,Severity Level,Network Segment,Firewall Logs,IDS/IPS Alerts,Log Source
attack_Index,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1,Unnamed: 9_level_1,Unnamed: 10_level_1,Unnamed: 11_level_1,Unnamed: 12_level_1,Unnamed: 13_level_1,Unnamed: 14_level_1,Unnamed: 15_level_1
0,ICMP,503,Data,HTTP,IoC Detected,28.67,No Alert Triggered,Malware,Known Pattern B,Logged,Low,Segment A,Log Data,No Alert Data,Server
1,ICMP,1174,Data,HTTP,IoC Detected,51.5,No Alert Triggered,Malware,Known Pattern A,Blocked,Low,Segment B,Log Data,No Alert Data,Firewall
2,UDP,306,Control,HTTP,IoC Detected,87.42,Alert Triggered,DDoS,Known Pattern B,Ignored,Low,Segment C,Log Data,Alert Data,Firewall
3,UDP,385,Data,HTTP,No IoC Detected,15.79,Alert Triggered,Malware,Known Pattern B,Blocked,Medium,Segment B,No Log Data,Alert Data,Firewall
4,TCP,1462,Data,DNS,No IoC Detected,0.52,Alert Triggered,DDoS,Known Pattern B,Blocked,Low,Segment C,No Log Data,Alert Data,Firewall



implicite Int data type for Packet Length  , no extreme outliers for this column
implicite Int casting for Anomaly Score


In [49]:
def cast_int_columns(df):
    df['Packet Length'] = df['Packet Length'].astype(int)
    df['Anomaly Scores'] = df['Anomaly Scores'].astype(float)
    return df

# Apply the function to the dataframe
new_df = cast_int_columns(df_cleaned_copy)
new_df.head(5)

Unnamed: 0,Protocol,Packet Length,Packet Type,Traffic Type,Malware Indicators,Anomaly Scores,Alerts/Warnings,Attack Type,Attack Signature,Action Taken,Severity Level,Network Segment,Firewall Logs,IDS/IPS Alerts,Log Source,attack_Index
0,ICMP,503,Data,HTTP,IoC Detected,28.67,No Alert Triggered,Malware,Known Pattern B,Logged,Low,Segment A,Log Data,No Alert Data,Server,0
1,ICMP,1174,Data,HTTP,IoC Detected,51.5,No Alert Triggered,Malware,Known Pattern A,Blocked,Low,Segment B,Log Data,No Alert Data,Firewall,1
2,UDP,306,Control,HTTP,IoC Detected,87.42,Alert Triggered,DDoS,Known Pattern B,Ignored,Low,Segment C,Log Data,Alert Data,Firewall,2
3,UDP,385,Data,HTTP,No IoC Detected,15.79,Alert Triggered,Malware,Known Pattern B,Blocked,Medium,Segment B,No Log Data,Alert Data,Firewall,3
4,TCP,1462,Data,DNS,No IoC Detected,0.52,Alert Triggered,DDoS,Known Pattern B,Blocked,Low,Segment C,No Log Data,Alert Data,Firewall,4


these following columns will be encoded:
- Protocol : vector encoding 
- Packet type : vector encoding 
- Traffic Type : vector encoding
- Malware Indicator : vector encoding
- Alerts/Warnings : vector encoding 
- Attack Type : vector encoding 
- Attack Signature : vector encoding 
- Action Taken : vector encoding 
- Severity Level : ordinal 
- Network Segment : vector encoding
- Firewall Logs : vector encoding
- IDS/IPS Alerts : vector encoding 
- Log Source : vector encoding



In [50]:
column_dtypes_for_new = {   
    "Protocol": "category",
    "Packet Length": int,
    "Packet Type": "category",
    "Traffic Type": "category",
    "Malware Indicators": "category",
    "Anomaly Scores": float,
    "Alerts/Warnings": "category",
    "Attack Type": "category",
    "Attack Signature": "category",
    "Action Taken": "category",
    "Severity Level": "category",
    "Network Segment": "category",
    "Firewall Logs": "category",
    "IDS/IPS Alerts": "category",
    "Log Source": "category",
    "attack_Index": int
    }

# Convert all other columns based on dictionary
for col, dtype in column_dtypes_for_new.items():
    if dtype == str:
        new_df[col] = new_df[col].astype("string")  # Explicitly enforce str type
    else:
        new_df[col] = new_df[col].astype(dtype)

In [51]:
new_df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 40000 entries, 0 to 39999
Data columns (total 16 columns):
 #   Column              Non-Null Count  Dtype   
---  ------              --------------  -----   
 0   Protocol            40000 non-null  category
 1   Packet Length       40000 non-null  int64   
 2   Packet Type         40000 non-null  category
 3   Traffic Type        40000 non-null  category
 4   Malware Indicators  40000 non-null  category
 5   Anomaly Scores      40000 non-null  float64 
 7   Attack Type         40000 non-null  category
 8   Attack Signature    40000 non-null  category
 9   Action Taken        40000 non-null  category
 10  Severity Level      40000 non-null  category
 11  Network Segment     40000 non-null  category
 12  Firewall Logs       40000 non-null  category
 13  IDS/IPS Alerts      40000 non-null  category
 14  Log Source          40000 non-null  category
 15  attack_Index        40000 non-null  int64   
dtypes: category(13), float64(1), int64(2

In [52]:
# Encoding categorical columns using get_dummies
categorical_columns = ['Protocol', 'Packet Type', 'Traffic Type', 'Malware Indicators', 'Alerts/Warnings', 'Attack Type', 'Attack Signature', 'Action Taken', 'Network Segment', 'Firewall Logs', 'IDS/IPS Alerts', 'Log Source']

#df_encoded = new_df.copy()

for col in categorical_columns:
    dummies = pd.get_dummies(new_df[col], prefix=col)
    new_df = pd.concat([new_df, dummies], axis=1)
    #df_encoded = df_encoded.drop(columns=[col])



In [31]:
new_df.head(5)


Unnamed: 0,Protocol,Packet Length,Packet Type,Traffic Type,Malware Indicators,Anomaly Scores,Alerts/Warnings,Attack Type,Attack Signature,Action Taken,...,Action Taken_Logged,Network Segment_Segment A,Network Segment_Segment B,Network Segment_Segment C,Firewall Logs_Log Data,Firewall Logs_No Log Data,IDS/IPS Alerts_Alert Data,IDS/IPS Alerts_No Alert Data,Log Source_Firewall,Log Source_Server
0,ICMP,503,Data,HTTP,IoC Detected,28.67,No Alert Triggered,Malware,Known Pattern B,Logged,...,True,True,False,False,True,False,False,True,False,True
1,ICMP,1174,Data,HTTP,IoC Detected,51.5,No Alert Triggered,Malware,Known Pattern A,Blocked,...,False,False,True,False,True,False,False,True,True,False
2,UDP,306,Control,HTTP,IoC Detected,87.42,Alert Triggered,DDoS,Known Pattern B,Ignored,...,False,False,False,True,True,False,True,False,True,False
3,UDP,385,Data,HTTP,No IoC Detected,15.79,Alert Triggered,Malware,Known Pattern B,Blocked,...,False,False,True,False,False,True,True,False,True,False
4,TCP,1462,Data,DNS,No IoC Detected,0.52,Alert Triggered,DDoS,Known Pattern B,Blocked,...,False,False,False,True,False,True,True,False,True,False


### ordinal encoding

In [None]:
def ordinal_encode(df, col, ordered_categories):
    from pandas.api.types import CategoricalDtype
    cat_type = CategoricalDtype(categories=ordered_categories, ordered=True)
    df[col] = df[col].astype(cat_type)
    df[col] = df[col].cat.codes
    return df

In [53]:
from sklearn.preprocessing import LabelEncoder

# Initialize the LabelEncoder
label_encoder = LabelEncoder()

# Fit and transform the "Severity Level" column
new_df['Severity Level'] = label_encoder.fit_transform(new_df['Severity Level'])



In [54]:
# Display the first few rows to verify the encoding
new_df.head(20)

Unnamed: 0,Protocol,Packet Length,Packet Type,Traffic Type,Malware Indicators,Anomaly Scores,Alerts/Warnings,Attack Type,Attack Signature,Action Taken,...,Action Taken_Logged,Network Segment_Segment A,Network Segment_Segment B,Network Segment_Segment C,Firewall Logs_Log Data,Firewall Logs_No Log Data,IDS/IPS Alerts_Alert Data,IDS/IPS Alerts_No Alert Data,Log Source_Firewall,Log Source_Server
0,ICMP,503,Data,HTTP,IoC Detected,28.67,No Alert Triggered,Malware,Known Pattern B,Logged,...,True,True,False,False,True,False,False,True,False,True
1,ICMP,1174,Data,HTTP,IoC Detected,51.5,No Alert Triggered,Malware,Known Pattern A,Blocked,...,False,False,True,False,True,False,False,True,True,False
2,UDP,306,Control,HTTP,IoC Detected,87.42,Alert Triggered,DDoS,Known Pattern B,Ignored,...,False,False,False,True,True,False,True,False,True,False
3,UDP,385,Data,HTTP,No IoC Detected,15.79,Alert Triggered,Malware,Known Pattern B,Blocked,...,False,False,True,False,False,True,True,False,True,False
4,TCP,1462,Data,DNS,No IoC Detected,0.52,Alert Triggered,DDoS,Known Pattern B,Blocked,...,False,False,False,True,False,True,True,False,True,False
5,UDP,1423,Data,HTTP,No IoC Detected,5.76,No Alert Triggered,Malware,Known Pattern A,Logged,...,True,False,False,True,False,True,False,True,False,True
6,TCP,379,Data,DNS,No IoC Detected,31.55,No Alert Triggered,DDoS,Known Pattern B,Ignored,...,False,True,False,False,True,False,False,True,False,True
7,ICMP,1022,Data,DNS,IoC Detected,54.05,Alert Triggered,Intrusion,Known Pattern A,Logged,...,True,True,False,False,True,False,True,False,True,False
8,TCP,1281,Control,FTP,IoC Detected,56.34,Alert Triggered,Intrusion,Known Pattern A,Blocked,...,False,False,True,False,True,False,True,False,False,True
9,UDP,224,Data,HTTP,No IoC Detected,16.51,Alert Triggered,Malware,Known Pattern B,Blocked,...,False,True,False,False,False,True,False,True,False,True


In [55]:
columns_to_drop = ['Protocol', 'Packet Type', 'Traffic Type', 'Malware Indicators', 'Alerts/Warnings', 'Attack Type', 'Attack Signature', 'Action Taken', 'Network Segment', 'Firewall Logs', 'IDS/IPS Alerts', 'Log Source']
new_df = new_df.drop(columns=columns_to_drop)
new_df.head(5)

Unnamed: 0,Packet Length,Anomaly Scores,Severity Level,attack_Index,Protocol_ICMP,Protocol_TCP,Protocol_UDP,Packet Type_Control,Packet Type_Data,Traffic Type_DNS,...,Action Taken_Logged,Network Segment_Segment A,Network Segment_Segment B,Network Segment_Segment C,Firewall Logs_Log Data,Firewall Logs_No Log Data,IDS/IPS Alerts_Alert Data,IDS/IPS Alerts_No Alert Data,Log Source_Firewall,Log Source_Server
0,503,28.67,1,0,True,False,False,False,True,False,...,True,True,False,False,True,False,False,True,False,True
1,1174,51.5,1,1,True,False,False,False,True,False,...,False,False,True,False,True,False,False,True,True,False
2,306,87.42,1,2,False,False,True,True,False,False,...,False,False,False,True,True,False,True,False,True,False
3,385,15.79,2,3,False,False,True,False,True,False,...,False,False,True,False,False,True,True,False,True,False
4,1462,0.52,1,4,False,True,False,False,True,True,...,False,False,False,True,False,True,True,False,True,False


In [56]:
new_df = new_df.drop(columns=['attack_Index'])
new_df.head(5)

Unnamed: 0,Packet Length,Anomaly Scores,Severity Level,Protocol_ICMP,Protocol_TCP,Protocol_UDP,Packet Type_Control,Packet Type_Data,Traffic Type_DNS,Traffic Type_FTP,...,Action Taken_Logged,Network Segment_Segment A,Network Segment_Segment B,Network Segment_Segment C,Firewall Logs_Log Data,Firewall Logs_No Log Data,IDS/IPS Alerts_Alert Data,IDS/IPS Alerts_No Alert Data,Log Source_Firewall,Log Source_Server
0,503,28.67,1,True,False,False,False,True,False,False,...,True,True,False,False,True,False,False,True,False,True
1,1174,51.5,1,True,False,False,False,True,False,False,...,False,False,True,False,True,False,False,True,True,False
2,306,87.42,1,False,False,True,True,False,False,False,...,False,False,False,True,True,False,True,False,True,False
3,385,15.79,2,False,False,True,False,True,False,False,...,False,False,True,False,False,True,True,False,True,False
4,1462,0.52,1,False,True,False,False,True,True,False,...,False,False,False,True,False,True,True,False,True,False


In [57]:
new_df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 40000 entries, 0 to 39999
Data columns (total 32 columns):
 #   Column                              Non-Null Count  Dtype  
---  ------                              --------------  -----  
 0   Packet Length                       40000 non-null  int64  
 1   Anomaly Scores                      40000 non-null  float64
 2   Severity Level                      40000 non-null  int64  
 3   Protocol_ICMP                       40000 non-null  bool   
 4   Protocol_TCP                        40000 non-null  bool   
 5   Protocol_UDP                        40000 non-null  bool   
 6   Packet Type_Control                 40000 non-null  bool   
 7   Packet Type_Data                    40000 non-null  bool   
 8   Traffic Type_DNS                    40000 non-null  bool   
 9   Traffic Type_FTP                    40000 non-null  bool   
 10  Traffic Type_HTTP                   40000 non-null  bool   
 11  Malware Indicators_IoC Detected     40000

## dataset splitting 
