In [1]:
%matplotlib inline

import pandas as pd
import matplotlib.pyplot as plt
import numpy as np

# Make the graphs a bit prettier, and bigger
pd.set_option('display.mpl_style', 'default')
plt.rcParams['figure.figsize'] = (15, 5)
plt.rcParams['font.family'] = 'sans-serif'

# This is necessary to show lots of columns in pandas 0.12. 
# Not necessary in pandas 0.13.
pd.set_option('display.width', 5000) 
pd.set_option('display.max_columns', 60)

In [2]:
df=pd.read_csv('sample2v.csv', header=None)

In [3]:
df

Unnamed: 0,0,1,2,3,4,5,6,7,8
0,964,C2374$@DOM1,C2374$@DOM1,C2375,C586,?,?,TGS,Success
1,2011,C1652$@DOM1,C1652$@DOM1,C1652,C612,Kerberos,Network,LogOn,Success
2,3081,C538$@DOM1,C538$@DOM1,C539,C523,Kerberos,Network,LogOn,Success
3,4104,C1008$@DOM1,C1008$@DOM1,C1008,C625,Kerberos,Network,LogOn,Success
4,5118,U292@DOM1,U292@DOM1,C1737,C1737,?,?,TGT,Success
5,6134,C287$@DOM1,C287$@DOM1,C529,C529,?,Network,LogOff,Success
6,7198,C2491$@DOM1,C2491$@DOM1,C457,C457,?,Network,LogOff,Success
7,8145,C1367$@DOM1,C1367$@DOM1,C612,C612,?,Network,LogOff,Success
8,9170,C1656$@DOM1,C1656$@DOM1,C1656,C1656,?,?,TGS,Success
9,10208,U22@DOM1,U22@DOM1,C506,C586,Kerberos,Network,LogOn,Success


In [5]:
df[8].value_counts()

Success    10400
Fail         114
Name: 8, dtype: int64

In [6]:
114./10400

0.010961538461538462

# Conclusion

In this dataset, Fails take roughly 1%. 
If it is a representative sample of the real data, then running machine learning on the whole set will just not make sense. Any classifier that just predict "Success" for every line will attain 99% accuracy. 

This means that I need to collect data for "Fail" cases and randomly sample data for "Success" in roughly equal amounts and then look at machine learning (classifier) for such sets to see the true accuracy of the algorithm.

# Next Steps

I want to examine this dataset to see if there are any obvious correlations and to understand the data I have in my columns.

# authentication type

In [9]:
df[5].unique()

array(['?', 'Kerberos', 'NTLM', 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0',
       'Negotiate'], dtype=object)

# logon type

In [10]:
df[6].unique()

array(['?', 'Network', 'Service', 'Unlock', 'Interactive', 'Batch',
       'NewCredentials', 'RemoteInteractive', 'NetworkCleartext',
       'CachedInteractive'], dtype=object)

# authentication orientation

In [11]:
df[7].unique()

array(['TGS', 'LogOn', 'TGT', 'LogOff', 'AuthMap', 'ScreenLock'], dtype=object)

In [14]:
df.groupby([5,8]).count()

Unnamed: 0_level_0,Unnamed: 1_level_0,0,1,2,3,4,6,7
5,8,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
?,Fail,77,77,77,77,77,77,77
?,Success,5704,5704,5704,5704,5704,5704,5704
Kerberos,Fail,9,9,9,9,9,9,9
Kerberos,Success,3708,3708,3708,3708,3708,3708,3708
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0,Fail,8,8,8,8,8,8,8
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0,Success,1,1,1,1,1,1,1
NTLM,Fail,15,15,15,15,15,15,15
NTLM,Success,439,439,439,439,439,439,439
Negotiate,Fail,5,5,5,5,5,5,5
Negotiate,Success,548,548,548,548,548,548,548


In [15]:
df.groupby([6,8]).count()

Unnamed: 0_level_0,Unnamed: 1_level_0,0,1,2,3,4,5,7
6,8,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
?,Fail,77,77,77,77,77,77,77
?,Success,1361,1361,1361,1361,1361,1361,1361
Batch,Fail,1,1,1,1,1,1,1
Batch,Success,12,12,12,12,12,12,12
CachedInteractive,Success,1,1,1,1,1,1,1
Interactive,Fail,3,3,3,3,3,3,3
Interactive,Success,19,19,19,19,19,19,19
Network,Fail,32,32,32,32,32,32,32
Network,Success,8463,8463,8463,8463,8463,8463,8463
NetworkCleartext,Success,1,1,1,1,1,1,1


In [13]:
df.groupby([7,8]).count()

Unnamed: 0_level_0,Unnamed: 1_level_0,0,1,2,3,4,5,6
7,8,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
AuthMap,Success,103,103,103,103,103,103,103
LogOff,Success,4343,4343,4343,4343,4343,4343,4343
LogOn,Fail,37,37,37,37,37,37,37
LogOn,Success,4696,4696,4696,4696,4696,4696,4696
ScreenLock,Success,2,2,2,2,2,2,2
TGS,Fail,4,4,4,4,4,4,4
TGS,Success,973,973,973,973,973,973,973
TGT,Fail,73,73,73,73,73,73,73
TGT,Success,283,283,283,283,283,283,283


In [16]:
df.groupby([6,7]).count()

Unnamed: 0_level_0,Unnamed: 1_level_0,0,1,2,3,4,5,8
6,7,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
?,AuthMap,103,103,103,103,103,103,103
?,ScreenLock,2,2,2,2,2,2,2
?,TGS,977,977,977,977,977,977,977
?,TGT,356,356,356,356,356,356,356
Batch,LogOff,7,7,7,7,7,7,7
Batch,LogOn,6,6,6,6,6,6,6
CachedInteractive,LogOn,1,1,1,1,1,1,1
Interactive,LogOff,8,8,8,8,8,8,8
Interactive,LogOn,14,14,14,14,14,14,14
Network,LogOff,4310,4310,4310,4310,4310,4310,4310


This is a simple way to see if there are any labels in columns 5-7 that predict the outcome. (answer: not really as the count for most events that can be interpreted this way is too low). Also I am try to see if there are any interesting correlations between labels.

In [18]:
print len(df[3].unique()), len(df[4].unique())

 3904 1385


Potentially too many variables to be used in analysis

In [19]:
df["source_user"], df["source_domain"] = zip(*df[1].str.split('@').tolist())

In [20]:
df["source_user"]=df["source_user"].str.rstrip('$')

In [21]:
df["destination_user"], df["destination_domain"] = zip(*df[2].str.split('@').tolist())
df["destination_user"]=df["destination_user"].str.rstrip('$')

In [22]:
df['same_user']=(df['destination_user']==df['source_user'])
df['same_domain']=(df['destination_domain']==df['source_domain'])

In [23]:
df['same_user'].value_counts()

True     10348
False      166
Name: same_user, dtype: int64

In [24]:
df['same_domain'].value_counts()

True     10432
False       82
Name: same_domain, dtype: int64

In [25]:
df['source_domain'].unique()

array(['DOM1', 'C586', 'C457', '?', 'C15108', 'C46', 'C3758', 'C13281',
       'C4576', 'C13406', 'C467', 'C3653', 'C612', 'C4379', 'C1065',
       'C793', 'C625', 'C1672', 'C1731', 'C4227', 'C529', 'C3432', 'C2769',
       'C15089', 'DOM9', 'C21690', 'C17851', 'C2743', 'C832', 'C4695',
       'C2117', 'C13204', 'DOM3', 'DOM5', 'C1871', 'C12802', 'C5306',
       'C13183', 'C5894', 'C13052', 'C2606', 'C2106', 'C17222', 'C4883',
       'C5371', 'C5404', 'C15244', 'C4438', 'C11499', 'C16598', 'C1747',
       'C1909', 'C14332', 'C423', 'C20557', 'C21598', 'C8260', 'C8814',
       'C19497', 'C2925', 'C2866', 'C22616', 'C528', 'C9610', 'C4835',
       'C4803', 'C2121', 'C8683', 'C2459', 'C11145', 'C1786', 'C9873',
       'C10865', 'C2464', 'DOM55', 'C5334', 'C7533', 'C10747', 'C3967',
       'C20567', 'C22918', 'C17437', 'C13578', 'C15888', 'C4223', 'C12502',
       'C2198', 'C12203', 'C19485', 'C5347', 'C3025', 'C8113', 'C3898',
       'C17448', 'C25360', 'C23220', 'C14660', 'C4511', 'C2148

In [26]:
df['destination_domain'].unique()

array(['DOM1', 'C586', 'C457', '?', 'C15108', 'C46', 'C3758', 'C13281',
       'C4576', 'C13406', 'C12913', 'C467', 'C3653', 'C612', 'C4379',
       'C1065', 'C15378', 'C625', 'C1672', 'C1731', 'C19776', 'C13352',
       'C4227', 'C529', 'C3432', 'C2769', 'DOM5', 'C10819', 'C15089',
       'DOM9', 'C21690', 'C17851', 'C2743', 'C4695', 'C2625', 'C2117',
       'C13204', 'DOM3', 'C832', 'C1871', 'C12802', 'C5306', 'C3495',
       'C13183', 'C5894', 'C13052', 'C2606', 'C2106', 'C17222', 'C4883',
       'C5371', 'C5404', 'C15314', 'C22758', 'C446', 'C15244', 'C4438',
       'C11499', 'C19004', 'C16598', 'C1747', 'C1909', 'C14332', 'C698',
       'C423', 'C5580', 'C7061', 'C9125', 'C20557', 'C21598', 'C8260',
       'C8814', 'C19497', 'C2925', 'C12652', 'C2866', 'C22616', 'C528',
       'C802', 'C9610', 'C4835', 'C4803', 'C2121', 'C561', 'C8683',
       'C2459', 'C11145', 'C1786', 'C9873', 'C10865', 'C2464', 'C21873',
       'C6558', 'C24871', 'C5334', 'C7533', 'C10747', 'C3967', 'C20567',


In [27]:
df['source_user'].unique()

array(['C2374', 'C1652', 'C538', ..., 'U3145', 'C18896', 'C25126'], dtype=object)

In [28]:
df['destination_user'].unique()

array(['C2374', 'C1652', 'C538', ..., 'U3145', 'C18896', 'C25126'], dtype=object)

Potentially too many variable. I now want to explore what users I have in addition to C-numbers and U-numbers. (C=computer and U=user?)

In [29]:
good=df[~df.source_user.str.startswith("U")] 
good=good.source_user[~good.source_user.str.startswith('C')]
good.unique()

array(['ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM'], dtype=object)

In [30]:
good=df[~np.logical_or(df.destination_user.str.startswith("U"), df.destination_user.str.startswith("C"))] 
#good=good.destination_user[~good.destination_user.str.contains('C')]
good.destination_user.unique()

array(['ANONYMOUS LOGON', 'LOCAL SERVICE', 'SYSTEM', 'NETWORK SERVICE'], dtype=object)

Idea: one can expand this column into into 6 categories: C-users, U-users, 'ANONYMOUS LOGON', 'LOCAL_SERVICE', 'SYSTEM', 'NETWORK SERVICE'

In [31]:
dd=df['destination_domain'].str.startswith('C')
print min(df['destination_domain'][dd].str.slice(1).astype(int)), max(df['destination_domain'][dd].str.slice(1).astype(int))
dd=df[~df.destination_domain.str.startswith('C')]
print dd.destination_domain.unique()

13 27033
['DOM1' '?' 'DOM5' 'DOM9' 'DOM3']


In [33]:
sd=df['source_domain'].str.startswith('C')
print min(df['source_domain'][sd].str.slice(1).astype(int)), max(df['source_domain'][sd].str.slice(1).astype(int))
sd=df[~df.source_domain.str.startswith('C')]
print sd.source_domain.unique()

46 27033
['DOM1' '?' 'DOM9' 'DOM3' 'DOM5' 'DOM55']


# Conclusion

This dataset contains columns of categorical data (aside from time). To work with this data, each label should be converted to its own column with values 1 (True) if the label applies and 0 (False) otherwise. Some columns (5-7) contain ~10 labels, where as other columns contain ten thousands of labels. I will ignore the 2nd class of labels on the first pass. Instead I will consider when these labels coincide. This way I will prevent my set of features from exploding. Also the 2nd class of labels most likely comes from some ordering of computers and users in the lab. Considering if one wants to authenticate to the same computer or to a different computer should matter more for authentication success than specific computer label. 

In [34]:
df['source_user_comp_same']=(df[3]==df['source_user'])
df['destination_user_comp_same']=(df['destination_user']==df[4])
df['same_comp']=(df[3]==df[4])
df['source_domain_comp_same']=(df[3]==df['source_domain'])
df['destination_domain_comp_same']=(df['destination_domain']==df[4])

In [35]:
df['source_user_comp_same'].value_counts()

False    7481
True     3033
Name: source_user_comp_same, dtype: int64

In [36]:
df['destination_user_comp_same'].value_counts()

False    9677
True      837
Name: destination_user_comp_same, dtype: int64

In [37]:
df['same_comp'].value_counts()

True     5955
False    4559
Name: same_comp, dtype: int64

In [38]:
df['source_domain_comp_same'].value_counts()

False    9936
True      578
Name: source_domain_comp_same, dtype: int64

In [39]:
df['destination_domain_comp_same'].value_counts()

False    9665
True      849
Name: destination_domain_comp_same, dtype: int64