# BoT-IoT Dataset

In our work we use the BoT-IoT dataset as basis for the analysis of ensemble learning over data streams.
As seen below, this dataset was created by UNSW Canberra and presents realistic IoT traffic containing normal and attack instances.

> The BoT-IoT dataset was created by designing a realistic network environment in the Cyber Range Lab of UNSW Canberra. The network environment incorporated a combination of normal and botnet traffic. The dataset’s source files are provided in different formats, including the original pcap files, the generated argus files and csv files.

* Koroniotis, Nickolaos, Nour Moustafa, Elena Sitnikova, and Benjamin Turnbull. "Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-iot dataset." Future Generation Computer Systems 100 (2019): 779-796. [Public Access Here](https://arxiv.org/abs/1811.00701).

* Koroniotis, Nickolaos, Nour Moustafa, Elena Sitnikova, and Jill Slay. [Towards developing network forensic mechanism for botnet activities in the iot based on machine learning techniques"](https://link.springer.com/chapter/10.1007/978-3-319-90775-8_3). In International Conference on Mobile Networks and Management, pp. 30-44. Springer, Cham, 2017.

* Koroniotis, Nickolaos, Nour Moustafa, and Elena Sitnikova. ["A new network forensic framework based on deep learning for Internet of Things networks: A particle deep framework"](https://www.sciencedirect.com/science/article/abs/pii/S0167739X19325105). Future Generation Computer Systems 110 (2020): 91-106.
    
* Koroniotis, Nickolaos, and Nour Moustafa. ["Enhancing network forensics with particle swarm and deep learning: The particle deep framework"](https://arxiv.org/abs/2005.00722). arXiv preprint arXiv:2005.00722 (2020).

* Koroniotis, Nickolaos, Nour Moustafa, Francesco Schiliro, Praveen Gauravaram, and Helge Janicke. ["A Holistic Review of Cybersecurity and Reliability Perspectives in Smart Airports"](https://ieeexplore.ieee.org/abstract/document/9252856). IEEE Access (2020). 

* Koroniotis, Nickolaos. ["Designing an effective network forensic framework for the investigation of botnets in the Internet of Things"](https://unsworks.unsw.edu.au/fapi/datastream/unsworks:69386/SOURCE02?view=true). PhD diss., The University of New South Wales Australia, 2020. 


https://research.unsw.edu.au/projects/bot-iot-dataset

The BoT-IoT dataset contains more than 70 million instances and a total of 35 features as presented in the following table:

| Feature | Description |
|---|---|
| pkSeqID | Row Identifier |
| stime | Record start time |
| flgs | Flow state flags seen in transactions |
| proto | Textual representation of transaction protocols present in network flow |
| saddr | Source IP address |
| sport | Source port number |
| daddr | Destination IP address |
| dport | Destination port number |
| pkts | Total count of packets in transaction |
| bytes | Total number of bytes in transaction |
| state | Transaction state |
| ltime | Record last time |
| seq | Argus sequence number |
| dur | Record total duration |
| mean | Average duration of aggregated records |
| stddev | Standard deviation of aggregated records |
| smac | - |
| dmac | - |
| sum | Total duration of aggregated records |
| min | Minimum duration of aggregated records |
| max | Maximum duration of aggregated records |
| soui | - |
| doui | - |
| sco | - |
| dco | - |
| spkts | Source-to-destination packet count |
| dpkts | Destination-to-source packet count |
| sbytes | Source-to-destination byte count |
| dbytes | Destination-to-source byte count |
| rate | Total packets per second in transaction |
| srate | Source-to-destination packets per second |
| drate | Destination-to-source packets per second |
| attack | Class label: 0 for Normal traffic, 1 for Attack Traffic |
| category | Traffic category |
| subcategory | Traffic subcategory |

In our work, we are interested only on the normal instances and the DDoS instances, minus the HTTP ones.

Following, we present our Exploratory Data Analysis (EDA) of BoT-IoT dataset.

Since the volume of data is huge, we have divided the dataset in 4 subsets of data and called each subset a different "scenario". All scenarios contain all the normal traffic in BoT-IoT dataset and 25% of the attack instances.

Our goal with this EDA is to analyse the data and perform feature selection so we can preprocess and aquire a more appropriate dataset for our experiments.

To do so, we use well-know python libraries and functions that help us to better understand and deal with all information that BoT-IoT dataset contains.

## BoT-IoT Exploratory Data Analysis

In [1]:
import numpy as np # linear algebra
import pandas as pd # data processing
import seaborn as sns # statist graph package
import matplotlib.pyplot as plt # plot package
import pandasql as ps # sql package
from skmultiflow.trees import HoeffdingTreeClassifier

In [2]:
pd.set_option("display.max_columns", 50)
pd.set_option("display.max_rows", 1000)

In [5]:
csv_file = "../processed-data/botiot-sc1.csv"
df = pd.read_csv(csv_file)

In [7]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 9637721 entries, 0 to 9637720
Data columns (total 35 columns):
 #   Column        Dtype  
---  ------        -----  
 0   pkSeqID       int64  
 1   stime         float64
 2   flgs          object 
 3   proto         object 
 4   saddr         object 
 5   sport         object 
 6   daddr         object 
 7   dport         object 
 8   pkts          int64  
 9   bytes         int64  
 10  state         object 
 11  ltime         float64
 12  seq           int64  
 13  dur           float64
 14  mean          float64
 15  stddev        float64
 16  smac          float64
 17  dmac          float64
 18  sum           float64
 19  min           float64
 20  max           float64
 21  soui          float64
 22  doui          float64
 23  sco           float64
 24  dco           float64
 25  spkts         int64  
 26  dpkts         int64  
 27  sbytes        int64  
 28  dbytes        int64  
 29  rate          float64
 30  srate         floa

In [9]:
df.shape

(9637721, 35)

In [23]:
# Checking for missing values
df.isnull().sum()

pkSeqID    0
stime      0
flgs       0
proto      0
saddr      0
sport      0
daddr      0
dport      0
pkts       0
bytes      0
state      0
ltime      0
seq        0
dur        0
mean       0
stddev     0
sum        0
min        0
max        0
spkts      0
dpkts      0
sbytes     0
dbytes     0
rate       0
srate      0
drate      0
attack     0
dtype: int64

Since **smac**, **dmac**, **soui**, **doui**, **sco**, **dco** are null for all instances, we can drop those features.

In [12]:
df = df.drop(["smac", "dmac", "soui", "doui", "sco", "dco"], axis=1)

We can also drop the rows where sport and dport are null.

In [13]:
df = df.dropna(axis=0)

In [16]:
df.isnull().sum()

pkSeqID         0
stime           0
flgs            0
proto           0
saddr           0
sport           0
daddr           0
dport           0
pkts            0
bytes           0
state           0
ltime           0
seq             0
dur             0
mean            0
stddev          0
sum             0
min             0
max             0
spkts           0
dpkts           0
sbytes          0
dbytes          0
rate            0
srate           0
drate           0
attack          0
category        0
subcategory     0
dtype: int64

Besides that, as we are interested only on classify an instance as attack or normal, we can also drop the features **category** and **subcategory**.

In [18]:
df = df.drop(["category", "subcategory "], axis=1)

In [29]:
df.info()

<class 'pandas.core.frame.DataFrame'>
Int64Index: 9637032 entries, 1 to 9637720
Data columns (total 27 columns):
 #   Column   Dtype  
---  ------   -----  
 0   pkSeqID  int64  
 1   stime    float64
 2   flgs     object 
 3   proto    object 
 4   saddr    object 
 5   sport    float64
 6   daddr    object 
 7   dport    float64
 8   pkts     int64  
 9   bytes    int64  
 10  state    object 
 11  ltime    float64
 12  seq      int64  
 13  dur      float64
 14  mean     float64
 15  stddev   float64
 16  sum      float64
 17  min      float64
 18  max      float64
 19  spkts    int64  
 20  dpkts    int64  
 21  sbytes   int64  
 22  dbytes   int64  
 23  rate     float64
 24  srate    float64
 25  drate    float64
 26  attack   int64  
dtypes: float64(13), int64(9), object(5)
memory usage: 2.0+ GB


In [21]:
df.shape

(9637032, 27)

In [28]:
# Adjusts data type of features sport and dport
df["sport"] = pd.to_numeric(df["sport"], errors="coerce")
df["dport"] = pd.to_numeric(df["dport"], errors="coerce")

In [30]:
df.nunique()

pkSeqID    9637032
stime      9636922
flgs             9
proto            4
saddr           25
sport        65536
daddr          290
dport         8616
pkts          1669
bytes         2720
state            8
ltime      9632483
seq         478292
dur        3605515
mean       2237477
stddev     1475462
sum        3664549
min        1159582
max        1862205
spkts         1409
dpkts          501
sbytes        2586
dbytes         924
rate        448642
srate       385857
drate        43248
attack           2
dtype: int64

Since features **flgs**, **proto**, **saddr** and **state**, which are of type "object", have few unique values, we can convert those into dummies.

In [32]:
df = pd.concat([df, pd.get_dummies(df["flgs"])], axis=1)
df = pd.concat([df, pd.get_dummies(df["proto"])], axis=1)
df = pd.concat([df, pd.get_dummies(df["saddr"])], axis=1)
df = pd.concat([df, pd.get_dummies(df["state"])], axis=1)

In [33]:
# Drops flgs, proto, saddr and state after the conversion
df = df.drop(["flgs", "proto", "saddr", "state"], axis=1)

In [34]:
df.info()

<class 'pandas.core.frame.DataFrame'>
Int64Index: 9637032 entries, 1 to 9637720
Data columns (total 69 columns):
 #   Column                     Dtype  
---  ------                     -----  
 0   pkSeqID                    int64  
 1   stime                      float64
 2   sport                      float64
 3   daddr                      object 
 4   dport                      float64
 5   pkts                       int64  
 6   bytes                      int64  
 7   ltime                      float64
 8   seq                        int64  
 9   dur                        float64
 10  mean                       float64
 11  stddev                     float64
 12  sum                        float64
 13  min                        float64
 14  max                        float64
 15  spkts                      int64  
 16  dpkts                      int64  
 17  sbytes                     int64  
 18  dbytes                     int64  
 19  rate                       float64
 20  sr

In [37]:
df.daddr.unique()

array(['192.168.100.4', '27.124.125.250', '192.168.100.1',
       '192.168.217.2', '192.168.100.255', '8.8.8.8', 'ff02::1',
       '255.255.255.255', '192.168.100.5', '192.168.100.3',
       '13.55.154.73', '192.168.100.55', '184.85.248.65',
       '205.251.194.167', '192.5.5.241', '192.35.51.30', '205.251.195.97',
       '205.251.196.236', '199.7.91.13', '192.12.94.30', '52.35.35.13',
       '216.239.38.10', '199.7.83.42', '192.42.93.30', '172.217.25.170',
       'ff02::fb', '224.0.0.251', 'ff02::2', '129.250.35.250',
       '91.189.91.157', '216.239.34.10', '192.52.178.30', '224.0.0.252',
       '96.7.49.66', '205.251.193.2', '192.33.4.12', '192.41.162.30',
       '192.36.148.17', '35.165.2.252', '52.11.124.117', '52.201.147.106',
       '216.239.36.10', '192.112.36.4', '192.31.80.30', '91.189.92.40',
       '128.63.2.53', '202.12.27.33', '192.203.230.10', '192.55.83.30',
       '205.251.198.119', '192.33.14.30', '192.58.128.30',
       '205.251.196.160', '205.251.199.148', '192.54.1

In [None]:
query = """ SELECT * FROM df WHERE daddr IN ("ff02::1") """
ps.sqldf(query, locals())

In [24]:
df.attack.value_counts()

1    9627960
0       9072
Name: attack, dtype: int64

In [8]:
df.head(n=10)

Unnamed: 0,sport,dport,pkts,bytes,ltime,mean,sum,min,max,spkts,dpkts,sbytes,dbytes,rate,srate,drate,icmp,ipv6icmp,tcp,udp,ACC,CON,FIN,INT,NRS,REQ,RST,URP,attack
0,139.0,36390.0,10,680,1526346000.0,2.8e-05,0.000138,2.2e-05,4.2e-05,5,5,350,330,0.00619,0.002751,0.002751,0,0,1,0,0,1,0,0,0,0,0,0,0
1,51838.0,123.0,2,180,1526344000.0,0.048565,0.048565,0.048565,0.048565,1,1,90,90,20.59096,0.0,0.0,0,0,0,1,0,1,0,0,0,0,0,0,0
2,58999.0,53.0,4,630,1526345000.0,0.098505,0.197011,0.018356,0.178655,2,2,174,456,0.005264,0.001755,0.001755,0,0,0,1,0,1,0,0,0,0,0,0,0
3,58360.0,53.0,2,172,1526344000.0,0.0,0.0,0.0,0.0,2,0,172,0,0.399984,0.399984,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0
4,37214.0,53.0,2,172,1526344000.0,0.0,0.0,0.0,0.0,2,0,172,0,0.399824,0.399824,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0
5,138.0,138.0,4,1086,1526345000.0,7.7e-05,0.000154,6.1e-05,9.3e-05,4,0,1086,0,0.004119,0.004119,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0
6,57950.0,53.0,2,172,1526344000.0,0.007523,0.007523,0.007523,0.007523,1,1,86,86,132.925705,0.0,0.0,0,0,0,1,0,1,0,0,0,0,0,0,0
7,36138.0,53.0,2,172,1526344000.0,0.0,0.0,0.0,0.0,2,0,172,0,0.399805,0.399805,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0
8,34295.0,53.0,2,172,1526344000.0,0.007698,0.007698,0.007698,0.007698,1,1,86,86,129.90387,0.0,0.0,0,0,0,1,0,1,0,0,0,0,0,0,0
9,43735.0,53.0,2,172,1526344000.0,0.0,0.0,0.0,0.0,2,0,172,0,0.399839,0.399839,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0


In [9]:
df.tail(n=10)

Unnamed: 0,sport,dport,pkts,bytes,ltime,mean,sum,min,max,spkts,dpkts,sbytes,dbytes,rate,srate,drate,icmp,ipv6icmp,tcp,udp,ACC,CON,FIN,INT,NRS,REQ,RST,URP,attack
9639387,138.0,138.0,2,543,1528102000.0,0.000209,0.000209,0.000209,0.000209,2,0,543,0,4784.688965,4784.688965,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0
9639388,50458.0,123.0,2,180,1528102000.0,0.007083,0.007083,0.007083,0.007083,1,1,90,90,141.183105,0.0,0.0,0,0,0,1,0,1,0,0,0,0,0,0,0
9639389,80.0,80.0,9904,9267118,1528102000.0,4.940684,123.517105,3.766563,4.998064,9904,0,9267118,0,79.974998,79.974998,0.0,0,0,1,0,0,1,0,0,0,0,0,0,0
9639390,3456.0,80.0,19806,19267852,1528102000.0,4.940639,123.515961,3.754065,4.997637,9903,9903,9410581,9857271,159.957977,79.974945,79.974945,0,0,0,1,0,1,0,0,0,0,0,0,0
9639391,8080.0,80.0,19806,19301382,1528102000.0,4.940453,123.51133,3.778993,4.991025,9903,9903,9961841,9339541,159.957977,79.974953,79.974953,0,0,1,0,0,1,0,0,0,0,0,0,0
9639392,80.0,80.0,9903,9501175,1528102000.0,4.93996,123.499001,3.701398,4.998852,9903,0,9501175,0,79.977333,79.977333,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0
9639393,0.0,0.0,5942,4223674,1528102000.0,4.929386,123.23465,3.691942,4.999439,5942,0,4223674,0,47.984787,47.984787,0.0,0,0,1,0,0,1,0,0,0,0,0,0,0
9639394,365.0,565.0,5323,319380,1528102000.0,4.928208,123.2052,3.641112,4.999921,5323,0,319380,0,42.989494,42.989494,0.0,0,0,0,1,0,0,0,1,0,0,0,0,0
9639395,80.0,80.0,3342,989232,1528102000.0,4.915251,122.881271,3.555233,4.999967,3342,0,989232,0,26.992807,26.992807,0.0,0,0,1,0,0,1,0,0,0,0,0,0,0
9639396,41307.0,8883.0,96,40916,1528102000.0,2.712452,65.098846,0.006126,4.999908,48,48,37748,3168,0.821691,0.4085,0.406521,0,0,1,0,0,1,0,0,0,0,0,0,0


In [10]:
df.describe()

Unnamed: 0,sport,dport,pkts,bytes,ltime,mean,sum,min,max,spkts,dpkts,sbytes,dbytes,rate,srate,drate,icmp,ipv6icmp,tcp,udp,ACC,CON,FIN,INT,NRS,REQ,RST,URP,attack
count,9639315.0,9639315.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0,9639397.0
mean,32731.54,111.5997,8.018178,2342.449,1528098000.0,2.010042,5.951869,1.059225,2.953331,7.290935,0.7272436,1780.371,562.0782,0.4836517,1.098909,0.00877463,8.506756e-06,9.129202e-06,0.5073191,0.4926633,0.0004304211,0.0005007575,1.400503e-05,0.4923285,9.129202e-06,0.3941934,0.1125152,8.506756e-06,0.9990589
std,18929.36,1166.514,390.4737,367161.8,33405.55,1.584799,11.05643,1.637311,1.952601,279.2644,157.5743,250278.3,155008.1,120.3655,629.2718,1.168055,0.002916622,0.003021443,0.4999465,0.4999462,0.02074213,0.02237201,0.003742303,0.4999412,0.003021443,0.4886768,0.3159993,0.002916622,0.03066353
min,0.0,0.0,1.0,60.0,1526344000.0,0.0,0.0,0.0,0.0,1.0,0.0,60.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
25%,16352.0,80.0,3.0,308.0,1528097000.0,0.019337,0.056746,0.0,0.047647,3.0,0.0,308.0,0.0,0.156481,0.150158,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0
50%,32713.0,80.0,5.0,582.0,1528098000.0,2.207738,4.853511,0.0,3.933735,5.0,0.0,540.0,0.0,0.230108,0.217676,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0
75%,49128.0,80.0,8.0,676.0,1528100000.0,3.350504,10.21427,2.539142,4.493843,8.0,0.0,660.0,0.0,0.399317,0.380848,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,1.0
max,65535.0,65489.0,322677.0,314459600.0,1529382000.0,4.999999,3502.99,4.999999,5.027652,234761.0,161338.0,225239200.0,152179500.0,333333.3,1000000.0,2178.649,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0


In [11]:
df.sample(frac=0.0001, random_state=1)

Unnamed: 0,sport,dport,pkts,bytes,ltime,mean,sum,min,max,spkts,dpkts,sbytes,dbytes,rate,srate,drate,icmp,ipv6icmp,tcp,udp,ACC,CON,FIN,INT,NRS,REQ,RST,URP,attack
51821,43569.0,80.0,1,154,1528096000.0,0.0,0.0,0.0,0.0,1,0,154,0,0.0,0.0,0.0,0,0,1,0,0,0,0,0,0,1,0,0,1
1743582,20587.0,80.0,5,676,1528096000.0,1.445994,4.337983,0.0,4.337983,4,1,616,60,0.249839,0.187379,0.0,0,0,1,0,0,0,0,0,0,0,1,0,1
1694159,59314.0,80.0,4,616,1528096000.0,3.424843,6.849686,3.143486,3.7062,4,0,616,0,0.291946,0.291946,0.0,0,0,1,0,0,0,0,0,0,1,0,0,1
8635718,20894.0,80.0,7,420,1528101000.0,0.0,0.0,0.0,0.0,7,0,420,0,0.062562,0.062562,0.0,0,0,0,1,0,0,0,1,0,0,0,0,1
634590,36686.0,80.0,5,770,1528096000.0,0.0,0.0,0.0,0.0,5,0,770,0,0.172951,0.172951,0.0,0,0,1,0,0,0,0,0,0,1,0,0,1
2076120,7536.0,80.0,5,770,1528097000.0,2.108761,6.326283,0.0,3.660232,5,0,770,0,0.194594,0.194594,0.0,0,0,1,0,0,0,0,0,0,1,0,0,1
7905984,43176.0,80.0,1,60,1528100000.0,0.0,0.0,0.0,0.0,1,0,60,0,0.0,0.0,0.0,0,0,0,1,0,0,0,1,0,0,0,0,1
1085514,38802.0,80.0,9,1010,1528096000.0,1.196215,4.784859,0.0,4.24764,7,2,890,120,0.331895,0.248921,0.041487,0,0,1,0,0,0,0,0,0,0,1,0,1
7057293,31035.0,80.0,7,420,1528100000.0,3.718233,11.154697,2.680125,4.7594,7,0,420,0,0.361038,0.361038,0.0,0,0,0,1,0,0,0,1,0,0,0,0,1
1465897,37858.0,80.0,8,1044,1528096000.0,3.986108,11.958323,3.774672,4.10726,7,1,984,60,0.351303,0.301117,0.0,0,0,1,0,0,0,0,0,0,0,1,0,1


In [12]:
df.isnull().sum()

sport       82
dport       82
pkts         0
bytes        0
ltime        0
mean         0
sum          0
min          0
max          0
spkts        0
dpkts        0
sbytes       0
dbytes       0
rate         0
srate        0
drate        0
icmp         0
ipv6icmp     0
tcp          0
udp          0
ACC          0
CON          0
FIN          0
INT          0
NRS          0
REQ          0
RST          0
URP          0
attack       0
dtype: int64

In [13]:
df.nunique()

sport         65536
dport          8690
pkts           1668
bytes          2720
ltime       8990451
mean        2070759
sum         3396149
min         1066449
max         1766138
spkts          1408
dpkts           501
sbytes         2587
dbytes          923
rate         438020
srate        378255
drate         41238
icmp              2
ipv6icmp          2
tcp               2
udp               2
ACC               2
CON               2
FIN               2
INT               2
NRS               2
REQ               2
RST               2
URP               2
attack            2
dtype: int64

In [14]:
df.icmp.value_counts()

0    9639315
1         82
Name: icmp, dtype: int64

In [15]:
df.ipv6icmp.value_counts()

0    9639309
1         88
Name: ipv6icmp, dtype: int64

In [16]:
df.tcp.value_counts()

1    4890250
0    4749147
Name: tcp, dtype: int64

In [17]:
df.udp.value_counts()

0    4890420
1    4748977
Name: udp, dtype: int64

In [18]:
df.ACC.value_counts()

0    9635248
1       4149
Name: ACC, dtype: int64

In [19]:
df.CON.value_counts()

0    9634570
1       4827
Name: CON, dtype: int64

In [20]:
df.FIN.value_counts()

0    9639262
1        135
Name: FIN, dtype: int64

In [21]:
df.INT.value_counts()

0    4893647
1    4745750
Name: INT, dtype: int64

In [22]:
df.NRS.value_counts()

0    9639309
1         88
Name: NRS, dtype: int64

In [23]:
df.REQ.value_counts()

0    5839610
1    3799787
Name: REQ, dtype: int64

In [24]:
df.RST.value_counts()

0    8554818
1    1084579
Name: RST, dtype: int64

In [25]:
df.URP.value_counts()

0    9639315
1         82
Name: URP, dtype: int64

In [35]:
df.corr()

Unnamed: 0,pkSeqID,stime,sport,dport,pkts,bytes,ltime,seq,dur,mean,stddev,sum,min,max,spkts,dpkts,sbytes,dbytes,rate,srate,drate,attack,e,e F,e &,...,192.168.100.4,192.168.100.46,192.168.100.5,192.168.100.55,192.168.100.6,192.168.100.7,35.162.156.78,52.35.21.241,52.64.239.193,fe80::250:56ff:febe:254,fe80::250:56ff:febe:26db,fe80::250:56ff:febe:89ee,fe80::250:56ff:febe:bf1a,fe80::250:56ff:febe:c038,fe80::250:56ff:febe:e9d9,fe80::2c6a:ff9b:7e14:166a,fe80::c0c0:aa20:45b9:bdd9,ACC,CON,FIN,INT,NRS,REQ,RST,URP
pkSeqID,1.0,0.169236,0.000551,-0.038007,-0.017009,-0.018211,0.169363,0.026498,0.174275,0.274229,0.024182,0.136007,0.199152,0.221993,-0.015803,-0.01414372,-0.01864534,-0.01303136,-0.002588046,-0.005992502,-0.013466,0.118935,0.760426,-0.004756903,-0.009182965,...,-0.01215651,-0.018623,-0.012831,-0.007597,-0.01416,-0.073132,-0.0002909243,-0.0009172233,-1.984028e-05,-0.006995245,-0.006307566,-0.006262056,-0.006365751,-0.006127564,-0.006307528,-0.006118276,-0.007877071,-0.03024,-0.079456,-0.01694,0.858268,-0.01250947,-0.616377,-0.396932,0.0003691232
stime,0.169236,1.0,-0.010089,-0.010294,-0.082636,-0.077118,1.0,0.032025,-0.074463,0.043459,0.024652,-0.136422,0.024698,0.046598,-0.0846,-0.05484156,-0.0789929,-0.05512288,-0.005861538,-0.05233024,-0.033751,0.789522,0.024148,-0.02266725,-0.06662392,...,-0.07997817,-0.048175,-0.034005,-0.007838,-0.022939,-0.554161,-9.979414e-06,-0.0001141844,6.523701e-05,-0.05324909,-0.05212647,-0.04378585,-0.04499199,-0.04919976,-0.05212523,-0.04831245,-0.05077892,-0.001047,-0.469539,-0.093933,0.049287,-0.09042869,-0.018799,-0.013525,-0.01116785
sport,0.000551,-0.010089,1.0,-0.045825,-0.008842,-0.007995,-0.010099,0.064917,-0.014085,0.00372,-0.002797,-0.007834,0.004987,0.001317,-0.009247,-0.005521534,-0.008285699,-0.005559531,0.0002405204,0.0009448533,-0.004396,0.001028,0.009941,0.0002154191,-0.003703876,...,-0.0002336186,-0.01609,-0.012685,-0.006195,-0.013149,0.006141,-0.0005495442,-0.0005495442,-0.0005740717,-0.002771864,-0.001921353,-0.002660822,-0.002718051,-0.0023539,-0.001921353,-0.001863986,-0.002636076,-0.004459,-0.004758,0.002956,8.8e-05,-0.005204689,0.004375,-0.006264,
dport,-0.038007,-0.010294,-0.045825,1.0,0.006566,0.006619,-0.01029,-0.035614,0.006773,-0.010171,0.002575,0.004244,-0.008867,-0.004694,0.004528,0.008246156,0.004771431,0.007973843,0.0002351736,-3.770567e-05,0.006434,-0.017241,-0.025208,-5.127085e-05,0.009148772,...,0.005281812,-0.00026,0.066504,-0.000129,0.05281,0.012981,0.009729441,0.01413143,0.01619767,0.001682155,0.006008714,-0.0001484247,-0.000151617,-0.0001313041,0.006008714,0.005829308,0.008243893,-0.0004,0.015151,0.004262,-0.026261,-0.0002903254,-0.020902,0.072821,
pkts,-0.017009,-0.082636,-0.008842,0.006566,1.0,0.978447,-0.082409,-0.010285,0.340718,0.012941,-0.000192,0.6392,0.005351,0.009532,0.942858,0.8070447,0.9357845,0.80668,0.002979723,0.0003546963,0.110821,-0.175626,0.005143,-1.309022e-05,0.2763777,...,-2.082996e-05,0.268349,0.09591,0.13246,0.027857,0.022703,-3.314608e-06,-3.314608e-06,0.0002519554,-2.944689e-05,-2.386972e-05,-2.776431e-05,-2.836146e-05,-2.456174e-05,-2.386972e-05,-2.315703e-05,-3.274901e-05,-0.000133,0.191346,0.000309,0.001204,-5.430825e-05,-0.00881,-0.00185,0.002985529
bytes,-0.018211,-0.077118,-0.007995,0.006619,0.978447,1.0,-0.076913,-0.007994,0.307402,0.009009,-0.002702,0.572562,0.004364,0.00535,0.891188,0.8452071,0.9435986,0.8451146,0.002948263,0.000344223,0.115512,-0.160593,0.001183,-1.806542e-06,0.2931289,...,1.177016e-05,0.275219,0.088793,0.138189,0.008547,0.001365,-1.796518e-06,-1.796518e-06,0.0001029441,-1.030253e-05,-8.087224e-06,-9.562401e-06,-9.768068e-06,-8.459393e-06,-8.087224e-06,-7.5089e-06,-1.071798e-05,-9.2e-05,0.186821,0.000197,-0.003565,-1.870449e-05,-0.003894,-0.001564,0.0002096374
ltime,0.169363,1.0,-0.010099,-0.01029,-0.082409,-0.076913,1.0,0.031964,-0.073787,0.043273,0.024672,-0.136154,0.024508,0.046476,-0.084363,-0.05469963,-0.07877997,-0.05498136,-0.005862648,-0.05233367,-0.033741,0.789499,0.024149,-0.02266904,-0.06654958,...,-0.07998385,-0.048108,-0.033971,-0.007823,-0.022899,-0.554169,-1.018363e-05,-0.0001143939,6.822638e-05,-0.05325283,-0.05212994,-0.04378904,-0.04499526,-0.04920311,-0.0521287,-0.0483157,-0.05078264,-0.001048,-0.469505,-0.093933,0.049363,-0.09043517,-0.018904,-0.013486,-0.01116848
seq,0.026498,0.032025,0.064917,-0.035614,-0.010285,-0.007994,0.031964,1.0,-0.092864,-0.115357,-0.071833,-0.076432,-0.071655,-0.136617,-0.011092,-0.005829387,-0.008225465,-0.005653316,0.0008293409,-0.0005121745,-0.007593,0.038299,0.094994,-0.0008903938,-0.003767195,...,-0.003011842,-0.015168,-0.011064,-0.007478,-0.01057,-0.022137,0.0001626545,-7.385796e-05,-0.0007216033,-0.001490391,-0.0009529921,-0.00182442,-0.001341798,-0.00197857,-0.0009480583,-0.001882291,-0.00201283,-0.00219,-0.028289,-0.003804,-0.002209,-0.00314958,0.028258,-0.038001,-0.0007673629
dur,0.174275,-0.074463,-0.014085,0.006773,0.340718,0.307402,-0.073787,-0.092864,1.0,-0.276841,0.026969,0.404538,-0.281046,-0.183665,0.356195,0.2130406,0.3193743,0.2124644,-0.001201319,-0.001182733,0.017053,-0.091475,-0.000516,-0.0009508354,0.1144035,...,-0.002439709,0.10188,0.051796,0.022594,0.060438,0.028256,-0.0002999813,-0.0002999783,0.004396608,-0.001570173,-0.001246006,-0.001449305,-0.001480476,-0.00128213,-0.001246006,-0.001208803,-0.001709507,-0.00019,0.084601,0.007028,0.108949,-0.002834905,-0.153642,0.059244,-9.134915e-05
mean,0.274229,0.043459,0.00372,-0.010171,0.012941,0.009009,0.043273,-0.115357,-0.276841,1.0,0.172316,0.34046,0.784097,0.831588,0.014821,0.005799842,0.009234851,0.006427926,-0.0004824029,-0.001186553,0.004841,0.014235,0.287239,-0.00122348,0.004257524,...,-0.003315906,0.016358,0.007214,0.007979,-0.000284,-0.015342,-0.0003768885,-0.0003768454,0.000712225,-0.002121915,-0.001684966,-0.001959886,-0.002002039,-0.001733816,-0.001684966,-0.001634657,-0.002311756,-0.009603,-0.003549,-0.003818,0.417713,-0.003833626,-0.289802,-0.211856,0.00174664
