In [1]:
"""
Pre-processing program to extract window-related data from Netflow files

Parameters
----------
window_width  : window width in seconds
window_stride : window stride in seconds
data          : pandas DataFrame of the Netflow file

Return
----------
Create 3 output files:
- data_window_botnetx.h5         : DataFrame with the extracted data: Sport, DstAddr, Dport,
                                   Dur (sum, mean, std, max, median), TotBytes (sum, mean, std, max, median),
                                   SrcBytes (sum, mean, std, max, median)
- data_window_botnetx_id.npy     : Numpy array containing SrcAddr
- data_window_botnetx_labels.npy : Numpy array containing Label
"""

'\nPre-processing program to extract window-related data from Netflow files\n\nParameters\n----------\nwindow_width  : window width in seconds\nwindow_stride : window stride in seconds\ndata          : pandas DataFrame of the Netflow file\n\nReturn\n----------\nCreate 3 output files:\n- data_window_botnetx.h5         : DataFrame with the extracted data: Sport, DstAddr, Dport,\n                                   Dur (sum, mean, std, max, median), TotBytes (sum, mean, std, max, median),\n                                   SrcBytes (sum, mean, std, max, median)\n- data_window_botnetx_id.npy     : Numpy array containing SrcAddr\n- data_window_botnetx_labels.npy : Numpy array containing Label\n'

In [2]:
! python3 -m pip install pandas
! python3 -m pip install --upgrade numpy
! python3 -m pip install --upgrade h5py
! python3 -m pip install --upgrade scipy


Defaulting to user installation because normal site-packages is not writeable
Collecting pandas
  Downloading pandas-1.1.5-cp36-cp36m-manylinux1_x86_64.whl (9.5 MB)
     |################################| 9.5 MB 6.3 MB/s            
Installing collected packages: pandas
Successfully installed pandas-1.1.5
Defaulting to user installation because normal site-packages is not writeable
Defaulting to user installation because normal site-packages is not writeable
Collecting h5py
  Downloading h5py-3.1.0-cp36-cp36m-manylinux1_x86_64.whl (4.0 MB)
     |################################| 4.0 MB 236 kB/s            
[?25hCollecting cached-property
  Downloading cached_property-1.5.2-py2.py3-none-any.whl (7.6 kB)
Installing collected packages: cached-property, h5py
Successfully installed cached-property-1.5.2 h5py-3.1.0
Defaulting to user installation because normal site-packages is not writeable
Collecting scipy
  Downloading scipy-1.5.4-cp36-cp36m-manylinux1_x86_64.whl (25.9 MB)
     |########

In [3]:
! python3 -m pip install --upgrade tables

Defaulting to user installation because normal site-packages is not writeable


In [4]:
import pandas as pd
import numpy as np
import datetime
import h5py

In [5]:
from scipy.stats import mode

In [6]:
window_width = 120 # seconds
window_stride = 60 # seconds

In [7]:
print("Import data")
data = pd.read_csv("CTU-13-Dataset/1/capture20110810.binetflow")
#with pd.option_context('display.max_rows', None, 'display.max_columns', 15):
#    print(data.shape)
#    print(data.head())
#    print(data.dtypes)

Import data


In [8]:
print(pd.DataFrame(data))

                          StartTime       Dur Proto        SrcAddr  Sport  \
0        2011/08/10 09:46:59.607825  1.026539   tcp  94.44.127.113   1577   
1        2011/08/10 09:47:00.634364  1.009595   tcp  94.44.127.113   1577   
2        2011/08/10 09:47:48.185538  3.056586   tcp   147.32.86.89   4768   
3        2011/08/10 09:47:48.230897  3.111769   tcp   147.32.86.89   4788   
4        2011/08/10 09:47:48.963351  3.083411   tcp   147.32.86.89   4850   
...                             ...       ...   ...            ...    ...   
2824631  2011/08/10 15:54:07.352393  0.000393   udp   147.32.86.92  36363   
2824632  2011/08/10 15:54:07.353854  0.000935   udp   58.165.41.84  60122   
2824633  2011/08/10 15:54:07.357302  0.000000   tcp  147.32.84.171  47077   
2824634  2011/08/10 15:54:07.366830  0.002618   udp    93.79.39.15  10520   
2824635  2011/08/10 15:54:07.368340  0.001122   udp  78.56.231.126  29419   

           Dir        DstAddr  Dport State  sTos  dTos  TotPkts  TotBytes  

In [9]:
print("Preprocessing")
def normalize_column(dt, column):
    mean = dt[column].mean()
    std = dt[column].std()
    print(mean, std)

    dt[column] = (dt[column]-mean) / std

Preprocessing


In [10]:
data['StartTime'] = pd.to_datetime(data['StartTime']).astype(np.int64)*1e-9
datetime_start = data['StartTime'].min()

In [11]:
data['Window_lower'] = (data['StartTime']-datetime_start-window_width)/window_stride+1
data['Window_lower'].clip(lower=0, inplace=True)
data['Window_upper_excl'] = (data['StartTime']-datetime_start)/window_stride+1
data = data.astype({"Window_lower": int, "Window_upper_excl": int})
data.drop('StartTime', axis=1, inplace=True)

In [12]:
data['Label'], labels = pd.factorize(data['Label'].str.slice(0, 15))
#print(data.dtypes)

In [13]:
X = pd.DataFrame()
nb_windows = data['Window_upper_excl'].max()
print(nb_windows)

368


In [14]:
for i in range(0, nb_windows):
    gb = data.loc[(data['Window_lower'] <= i) & (data['Window_upper_excl'] > i)].groupby('SrcAddr')
    X = X.append(gb.size().to_frame(name='counts').join(gb.agg({'Sport':'nunique', 
                                                       'DstAddr':'nunique', 
                                                       'Dport':'nunique', 
                                                       'Dur':['sum', 'mean', 'std', 'max', 'median'],
                                                       'TotBytes':['sum', 'mean', 'std', 'max', 'median'],
                                                       'SrcBytes':['sum', 'mean', 'std', 'max', 'median'],
                                                       'Label':lambda x: list(mode(x)[0])})).reset_index().assign(window_id=i))
    print(X.shape)



(9787, 22)




(18611, 22)




(27165, 22)




(35618, 22)




(44085, 22)




(52590, 22)




(60893, 22)




(69155, 22)




(77348, 22)




(85099, 22)




(92554, 22)




(100050, 22)




(107669, 22)




(115314, 22)




(122838, 22)




(130249, 22)




(137568, 22)




(145031, 22)




(152558, 22)




(159813, 22)




(166800, 22)




(173642, 22)




(180612, 22)




(187548, 22)




(194282, 22)




(201025, 22)




(207690, 22)




(214395, 22)




(221232, 22)




(227866, 22)




(234204, 22)




(240528, 22)




(246838, 22)




(253249, 22)




(259729, 22)




(265888, 22)




(272041, 22)




(278226, 22)




(284193, 22)




(290107, 22)




(295903, 22)




(301515, 22)




(306980, 22)




(312316, 22)




(317715, 22)




(323153, 22)




(328527, 22)




(333850, 22)




(339170, 22)




(344346, 22)




(349213, 22)




(354009, 22)




(358784, 22)




(363468, 22)




(368133, 22)




(372748, 22)




(377513, 22)




(382344, 22)




(387061, 22)




(392084, 22)




(397408, 22)




(402838, 22)




(408440, 22)




(414104, 22)




(419600, 22)




(425073, 22)




(430617, 22)




(436259, 22)




(442075, 22)




(447944, 22)




(453791, 22)




(459609, 22)




(465532, 22)




(471410, 22)




(477195, 22)




(482926, 22)




(488755, 22)




(494764, 22)




(500735, 22)




(506756, 22)




(512858, 22)




(518825, 22)




(524757, 22)




(530697, 22)




(536634, 22)




(542561, 22)




(548458, 22)




(554441, 22)




(560495, 22)




(566513, 22)




(572605, 22)




(578727, 22)




(584814, 22)




(591012, 22)




(597272, 22)




(603494, 22)




(609604, 22)




(615604, 22)




(621635, 22)




(627807, 22)




(633914, 22)




(639898, 22)




(645907, 22)




(651983, 22)




(658094, 22)




(664253, 22)




(670462, 22)




(676562, 22)




(682563, 22)




(688607, 22)




(694605, 22)




(700572, 22)




(706556, 22)




(712598, 22)




(718646, 22)




(724725, 22)




(730909, 22)




(736939, 22)




(742928, 22)




(749090, 22)




(755413, 22)




(761613, 22)




(767511, 22)




(773578, 22)




(779811, 22)




(785980, 22)




(792220, 22)




(798494, 22)




(804711, 22)




(810980, 22)




(817166, 22)




(823237, 22)




(829557, 22)




(836097, 22)




(842505, 22)




(848644, 22)




(854666, 22)




(860752, 22)




(866880, 22)




(873017, 22)




(879196, 22)




(885252, 22)




(891224, 22)




(897231, 22)




(903196, 22)




(909150, 22)




(915200, 22)




(921248, 22)




(927276, 22)




(933346, 22)




(939412, 22)




(945437, 22)




(951275, 22)




(957219, 22)




(963466, 22)




(969537, 22)




(975456, 22)




(981451, 22)




(987429, 22)




(993368, 22)




(999293, 22)




(1005165, 22)




(1011089, 22)




(1017030, 22)




(1022864, 22)




(1028639, 22)




(1034397, 22)




(1040218, 22)




(1046064, 22)




(1051719, 22)




(1057273, 22)




(1063031, 22)




(1068873, 22)




(1074712, 22)




(1080609, 22)




(1086422, 22)




(1092194, 22)




(1098025, 22)




(1103847, 22)




(1109646, 22)




(1115514, 22)




(1121442, 22)




(1127423, 22)




(1133351, 22)




(1139217, 22)




(1145045, 22)




(1150800, 22)




(1156692, 22)




(1162580, 22)




(1168399, 22)




(1174252, 22)




(1180132, 22)




(1186099, 22)




(1192250, 22)




(1198488, 22)




(1204581, 22)




(1210423, 22)




(1216261, 22)




(1222125, 22)




(1227846, 22)




(1233659, 22)




(1239584, 22)




(1245567, 22)




(1251581, 22)




(1257556, 22)




(1263450, 22)




(1269254, 22)




(1275049, 22)




(1280734, 22)




(1286405, 22)




(1292073, 22)




(1297678, 22)




(1303291, 22)




(1308911, 22)




(1314481, 22)




(1320140, 22)




(1325812, 22)




(1331380, 22)




(1337117, 22)




(1342872, 22)




(1348547, 22)




(1354342, 22)




(1360087, 22)




(1365661, 22)




(1371312, 22)




(1377006, 22)




(1382740, 22)




(1388514, 22)




(1394326, 22)




(1400211, 22)




(1405943, 22)




(1411530, 22)




(1417068, 22)




(1422728, 22)




(1428438, 22)




(1434076, 22)




(1439613, 22)




(1445205, 22)




(1450853, 22)




(1456494, 22)




(1462280, 22)




(1468069, 22)




(1473784, 22)




(1479567, 22)




(1485259, 22)




(1490961, 22)




(1496664, 22)




(1502316, 22)




(1508122, 22)




(1513956, 22)




(1519775, 22)




(1525505, 22)




(1531118, 22)




(1536896, 22)




(1542801, 22)




(1548689, 22)




(1554572, 22)




(1560553, 22)




(1566421, 22)




(1572248, 22)




(1578198, 22)




(1584065, 22)




(1589836, 22)




(1595674, 22)




(1601530, 22)




(1607385, 22)




(1613224, 22)




(1618973, 22)




(1624698, 22)




(1630492, 22)




(1636267, 22)




(1642020, 22)




(1647827, 22)




(1653567, 22)




(1659330, 22)




(1665221, 22)




(1671179, 22)




(1677026, 22)




(1682809, 22)




(1688581, 22)




(1694403, 22)




(1700357, 22)




(1706338, 22)




(1712294, 22)




(1718159, 22)




(1723990, 22)




(1729728, 22)




(1735532, 22)




(1741459, 22)




(1747380, 22)




(1753244, 22)




(1758983, 22)




(1764863, 22)




(1770819, 22)




(1776649, 22)




(1782475, 22)




(1788289, 22)




(1794133, 22)




(1800053, 22)




(1805917, 22)




(1811872, 22)




(1817979, 22)




(1824057, 22)




(1830151, 22)




(1836237, 22)




(1842257, 22)




(1848110, 22)




(1854032, 22)




(1860149, 22)




(1866175, 22)




(1872298, 22)




(1878510, 22)




(1884645, 22)




(1890740, 22)




(1896771, 22)




(1902765, 22)




(1908869, 22)




(1915122, 22)




(1921326, 22)




(1927575, 22)




(1933853, 22)




(1940149, 22)




(1946587, 22)




(1953201, 22)




(1959845, 22)




(1966339, 22)




(1972724, 22)




(1979072, 22)




(1985375, 22)




(1991646, 22)




(1997912, 22)




(2004208, 22)




(2010619, 22)




(2017101, 22)




(2023545, 22)




(2029944, 22)




(2036359, 22)




(2042841, 22)




(2049306, 22)




(2055682, 22)




(2062015, 22)




(2068404, 22)




(2074836, 22)




(2081206, 22)




(2087593, 22)




(2094123, 22)




(2100654, 22)




(2107090, 22)




(2113499, 22)




(2119924, 22)




(2126354, 22)




(2132809, 22)




(2139169, 22)




(2145347, 22)




(2151550, 22)




(2157980, 22)




(2164515, 22)




(2170958, 22)




(2177308, 22)




(2183692, 22)




(2190187, 22)




(2196724, 22)




(2203266, 22)




(2209540, 22)




(2215732, 22)




(2222010, 22)




(2225928, 22)




(2226720, 22)


In [15]:
del(data)

In [16]:
X.columns = ["_".join(x) if isinstance(x, tuple) else x for x in X.columns.ravel()]
#print(X.columns.values)

In [17]:
# std can be Nan if only one element
X.fillna(-1, inplace=True)

In [18]:
#print(X.columns.values)
columns_to_normalize = list(X.columns.values)
columns_to_normalize.remove('SrcAddr')
columns_to_normalize.remove('Label_<lambda>')
columns_to_normalize.remove('window_id')

In [19]:
normalize_column(X, columns_to_normalize)

counts                 2.532192
Sport_nunique          2.172287
DstAddr_nunique        1.312422
Dport_nunique          1.287559
Dur_sum             1090.604709
Dur_mean             791.165306
Dur_std               11.024080
Dur_max              806.506942
Dur_median           789.858249
TotBytes_sum       48577.964323
TotBytes_mean       7749.940752
TotBytes_std        7523.617775
TotBytes_max       37139.062650
TotBytes_median     6488.193718
SrcBytes_sum       10215.123229
SrcBytes_mean       3353.451307
SrcBytes_std        3037.116941
SrcBytes_max        8784.021176
SrcBytes_median     2910.874682
dtype: float64 counts             7.770941e+01
Sport_nunique      4.260579e+01
DstAddr_nunique    1.241158e+01
Dport_nunique      6.163165e+01
Dur_sum            1.923882e+04
Dur_mean           1.234872e+03
Dur_std            1.329874e+02
Dur_max            1.247477e+03
Dur_median         1.236083e+03
TotBytes_sum       5.815655e+06
TotBytes_mean      1.585917e+06
TotBytes_std       2.2455

In [20]:
with pd.option_context('display.max_rows', 10, 'display.max_columns', 22):
    print(X.shape)
    print(X)
    print(X.dtypes)

(2226720, 22)
               SrcAddr    counts  Sport_nunique  DstAddr_nunique  \
0              0.0.0.0 -0.019717      -0.027515        -0.025172   
1    00:15:17:2c:e5:2d -0.019717      -0.050986        -0.025172   
2        1.144.156.226 -0.019717      -0.027515        -0.025172   
3           1.144.5.55 -0.019717      -0.027515        -0.025172   
4        1.155.150.224 -0.019717      -0.027515        -0.025172   
..                 ...       ...            ...              ...   
787     99.192.158.141 -0.019717      -0.027515        -0.025172   
788       99.242.24.14 -0.019717      -0.027515        -0.025172   
789     99.245.126.143 -0.019717      -0.027515        -0.025172   
790     99.245.140.246 -0.019717      -0.027515        -0.025172   
791     99.254.184.154 -0.019717      -0.027515        -0.025172   

     Dport_nunique   Dur_sum  Dur_mean   Dur_std   Dur_max  Dur_median  \
0        -0.004666  0.130027  2.268262 -0.090415  2.233044    2.267097   
1        -0.020891  0

with pd.option_context('display.max_rows', 10, 'display.max_columns', 20):
   print(X.loc[X['Label'] != 0])

In [22]:
X.drop('SrcAddr', axis=1).to_hdf('data_window_botnet3.h5', key="data", mode="w")
np.save("data_window_botnet3_id.npy", X['SrcAddr'])
np.save("data_window_botnet3_labels.npy", labels)

your performance may suffer as PyTables will pickle object types that it cannot
map directly to c-types [inferred_type->mixed,key->block1_values] [items->Index(['Label_<lambda>'], dtype='object')]

  encoding=encoding,
