Author: Nik Alleyne
Author Blog: https://www.securitynik.com
Author GitHub: github.com/securitynik

Author Books: [

            "https://www.amazon.ca/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458/",  
            
            "https://www.amazon.ca/Learning-Practicing-Mastering-Network-Forensics/dp/1775383024/"  

            "https://bit.ly/41WonEI"   
        ] 



### 04 - Beginning Polars   

This post is on beginning Polars. I've done previous work with Pandas and thought it was time I put a blog post on using Polars. Like Pandas, Polars is also a DataFrame solution.   .

In [1]:
# import date time
import datetime as dt

# First import the polars library
import polars as pl

In [2]:
# Get the polars version
pl.__version__

'1.35.2'

In [4]:
# A quick test to show how we work with Series data
series_data = pl.Series(name='my_series_data', values=[2,3,4,5,6,7,2,3],  dtype=pl.Int32)
series_data

my_series_data
i32
2
3
4
5
6
7
2
3


In [5]:
# get a slightly different view
print(series_data)

shape: (8,)
Series: 'my_series_data' [i32]
[
	2
	3
	4
	5
	6
	7
	2
	3
]


In [5]:
# Let us confirm the type of my_series
type(series_data)

polars.series.series.Series

In [None]:
# Accessing a value at offset 6
# Offset 0 has 2, offset 1 has 3.
# Continuing with that pattern, offset 6 has 2
series_data[0]

2

In [7]:
# Returns an array of the unique values in the series
series_data.unique()

my_series_data
i32
2
3
4
5
6
7


In [8]:
# The above could also be confirmed by running a set on the series data
set(series_data)

{2, 3, 4, 5, 6, 7}

In [6]:
# Find the minimum value in the series
series_data
series_data.min()

2

In [10]:
# This could be confirmed by also using python's "min"
min(series_data)


2

In [11]:
# Find the max value in the series
series_data.max()

7

In [12]:
# This could be confirmed by also using python's "max" function
max(series_data)

7

In [13]:
# Get the number of bytes in the series
series_data.estimated_size()

32

In [14]:
# Above you might be wondering why the value returned is 32
# If we look at the data type of the series data, we see it's int32
# This means, every value is 4 bytes or 32 bits.
series_data.dtype

Int32

In [15]:
# We can confirm this
# First get the shape of the vector
# We see 8 below
# We also know that the data type as reported above is int32
# int32 means each number is 4 bytes
# each byte is 8 bits.
# Hence 8 bytes * 4 bytes = 32 bytes -> This is the total number of bytes in the series
series_data.shape, '-> Confirming data type: ', series_data.dtype

((8,), '-> Confirming data type: ', Int32)

In [16]:
# With our simplistic view of the series data, let's use the pl.DataFrame .
# It is more than likely you will spend your time working with dataframes 
# than you would with series data

In [17]:
# We can setup a dataframe similar to the series by doing the following
# Notice above, we used pl.Series for the series data
# In this instance, we are using pl.Dataframe to setup the dataframe
# Let's also set the datatype as float while we are at it
df = pl.DataFrame(data=[2,3,4,5,6,7,2,3], schema={'my_df' : pl.Float32})
df


my_df
f32
2.0
3.0
4.0
5.0
6.0
7.0
2.0
3.0


In [18]:
# You might not have noticed, for the dataframe, 
# I literally copied almost everything that was in the series information
# So why would I want to use a dataframe?
# Well for starters, I can use much more columns
# Let's look at it from the different perspective
# Mix the columns with int's strings and float


df = pl.DataFrame(
    {
        'col_int' : [2, 3, 4, 5, 6, 7, 2, 3],
        'col_float' : [1.1, 0.5, 1.2, 0.1, 1.0, 0.0, 1.0, 0.0],
        'col_str' : [ 'securitynik.com', 'sec595', 'sec504', 'sec503', 'github.com/securitynik', 'Mastering TShark Network Forensics', 'Hack and Detect', 'A Little Book On Adversarial AI' ],
        'date_field' : [
            dt.date(2025, 11, 9),
            dt.date(2025, 11, 9),
            dt.date(2025, 11, 9),
            dt.date(2025, 11, 9),
            dt.date(2025, 11, 9),
            dt.date(2025, 11, 9),
            dt.date(2025, 11, 9),
            dt.date(2025, 11, 9),
        ]
    },

    # This is being done to make these values 32-bit rather than 64 bits
    schema={ 'col_int' : pl.Int32, 'col_float' : pl.Float32, 'col_str' : str, 'date_field' : dt.date }
)

# Let us see what our dataframe looks like
print(df)

shape: (8, 4)
┌─────────┬───────────┬─────────────────────────────────┬────────────┐
│ col_int ┆ col_float ┆ col_str                         ┆ date_field │
│ ---     ┆ ---       ┆ ---                             ┆ ---        │
│ i32     ┆ f32       ┆ str                             ┆ date       │
╞═════════╪═══════════╪═════════════════════════════════╪════════════╡
│ 2       ┆ 1.1       ┆ securitynik.com                 ┆ 2025-11-09 │
│ 3       ┆ 0.5       ┆ sec595                          ┆ 2025-11-09 │
│ 4       ┆ 1.2       ┆ sec504                          ┆ 2025-11-09 │
│ 5       ┆ 0.1       ┆ sec503                          ┆ 2025-11-09 │
│ 6       ┆ 1.0       ┆ github.com/securitynik          ┆ 2025-11-09 │
│ 7       ┆ 0.0       ┆ Mastering TShark Network Foren… ┆ 2025-11-09 │
│ 2       ┆ 1.0       ┆ Hack and Detect                 ┆ 2025-11-09 │
│ 3       ┆ 0.0       ┆ A Little Book On Adversarial A… ┆ 2025-11-09 │
└─────────┴───────────┴─────────────────────────────────┴──────

In [19]:
# Get the columns dtype
df.dtypes

[Int32, Float32, String, Date]

In [20]:
# Let's cast the float to int and the int to float
df = df.cast({
    'col_int' : pl.Float32,
    'col_float' : pl.Int32,
})

df

col_int,col_float,col_str,date_field
f32,i32,str,date
2.0,1,"""securitynik.com""",2025-11-09
3.0,0,"""sec595""",2025-11-09
4.0,1,"""sec504""",2025-11-09
5.0,0,"""sec503""",2025-11-09
6.0,1,"""github.com/securitynik""",2025-11-09
7.0,0,"""Mastering TShark Network Foren…",2025-11-09
2.0,1,"""Hack and Detect""",2025-11-09
3.0,0,"""A Little Book On Adversarial A…",2025-11-09


In [21]:
# confirm the data types after casting
df.dtypes

[Float32, Int32, String, Date]

In [22]:
# Slice into the dataset
# Start at row 2 and collect 3 rows
df.slice(2, 3)

col_int,col_float,col_str,date_field
f32,i32,str,date
4.0,1,"""sec504""",2025-11-09
5.0,0,"""sec503""",2025-11-09
6.0,1,"""github.com/securitynik""",2025-11-09


In [23]:
# Sort on the col_flor
df.sort('col_float', nulls_last=True)

col_int,col_float,col_str,date_field
f32,i32,str,date
3.0,0,"""sec595""",2025-11-09
5.0,0,"""sec503""",2025-11-09
7.0,0,"""Mastering TShark Network Foren…",2025-11-09
3.0,0,"""A Little Book On Adversarial A…",2025-11-09
2.0,1,"""securitynik.com""",2025-11-09
4.0,1,"""sec504""",2025-11-09
6.0,1,"""github.com/securitynik""",2025-11-09
2.0,1,"""Hack and Detect""",2025-11-09


With a glimpse into what we can do with the dataframes, let's go ahead and work with some real data

Before we do ...   
Do note, most of my data will be read via Comma Separated Values (CSV) or Tabbed Separated Values (TSV) files.
You could read from Javascript Object Notation (JSON) files, Excel, HTML, contents in memory, etc.

In [24]:
# Here is an example of reading data from a URL
# Specifically, I am reading the first 5 records from the Iris dataset
pl.read_csv(source='https://raw.githubusercontent.com/SecurityNik/Data-Science-and-ML/refs/heads/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/zeek_http.log', has_header=False, separator='\t').head(5)

column_1,column_2,column_3,column_4,column_5,column_6,column_7,column_8,column_9,column_10,column_11,column_12,column_13
str,str,i64,i64,str,str,str,str,i64,i64,str,str,str
"""10.0.0.10""","""172.16.1.83""",1234,91,"""GET""","""f01.hd4.co:9999""","""/237f654d3c994416d63634c6f5bae…","""Securitynik-agent""",0,455,"""200""","""-""","""text/plain"""
"""10.0.0.10""","""172.16.1.83""",1234,92,"""GET""","""f01.hd4.co:9999""","""/237f654d3c994416d63634c6f5bae…","""Securitynik-agent""",0,926464,"""200""","""-""","""video/mp2t"""
"""10.0.0.10""","""172.16.1.83""",1234,93,"""GET""","""f01.hd4.co:9999""","""/237f654d3c994416d63634c6f5bae…","""Securitynik-agent""",0,455,"""200""","""-""","""text/plain"""
"""10.0.0.10""","""172.16.1.83""",1234,94,"""GET""","""f01.hd4.co:9999""","""/237f654d3c994416d63634c6f5bae…","""Securitynik-agent""",0,908416,"""200""","""-""","""video/mp2t"""
"""10.0.0.10""","""104.26.5.178""",80,67,"""GET""","""testing1.sn""","""/securitynik_up/server/load.ph…","""Mozilla/5.0 (QtEmbedded; U; Li…",0,164,"""200""","""-""","""text/json"""


In [25]:
# Here is an example of reading data from memory
# First store an entry int memory
my_in_mem_string = "11., 2., 9., 8."
my_in_mem_string

'11., 2., 9., 8.'

In [26]:
# import the StringIO function to read content from memory
from io import StringIO

In [27]:
# Read the variable my_in_mem_string from memory
tmp = pl.read_csv(source=StringIO(my_in_mem_string), has_header=False)
tmp

column_1,column_2,column_3,column_4
f64,str,str,str
11.0,""" 2.""",""" 9.""",""" 8."""


In [28]:
# Rename a column
tmp.rename(mapping={
    'column_1' : 'col_1',
    'column_2' : 'col_2',
    'column_3' : 'col_3',
    'column_4' : 'col_4',


})

col_1,col_2,col_3,col_4
f64,str,str,str
11.0,""" 2.""",""" 9.""",""" 8."""


Finally, working with real data Set the columns for the dataset Note, we could have also read the columns in from the file. Most of the times, this is what will be done in the real world. However, if you don't have the columns, what would you do?! You have to create your own.

Maybe you wanted to change or even set column names where they did not exist Hence the reason for using the names option here. You should notice, the names column looks similar to what was done in the Numpy notebook - 01 - Beginning Numpy

Read in tabular data from the Zeek conn.log file

This file represents Zeek (formerly Bro) connection log - conn.log`.
Zeek is a framework used for Network Security Monitoring.
This entire series is based on using Zeek's data.
The majority of the notebooks use the conn.log
You can learn more about Zeek here:

https://zeek.org/
Alternatively, come hang out with us in the: SANS SEC595: Applied Data Science and Machine Learning for Cybersecurity Professionals

    https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/ OR
SEC503 SEC503: Network Monitoring and Threat Detection In-Depth

    https://www.sans.org/cyber-security-courses/network-monitoring-threat-detection/
Here are also some blog posts on using Zeek for security monitoring Installing Zeek:

    https://www.securitynik.com/2020/06/installing-zeek-314-on-ubuntu-2004.html
Detecting PowerShell Empire Usage:

    https://www.securitynik.com/2022/02/powershell-empire-detection-with-zeek.html
Detecting Log4J Vulnerability Exploitation:

    https://www.securitynik.com/2021/12/continuing-log4shell-zeek-detection.html

In [None]:
# Read a CSV
df_conn = pl.read_csv(
    source='conn-log.csv', 
    has_header=True,
    schema={
        'Duration' : pl.Float32,
        'orig_bytes' : pl.Int32,
        'resp_bytes' : pl.Int32,
        'orig_pkts' : pl.Int32,
        'orig_ip_bytes' : pl.Int32,
        'resp_pkts' : pl.Int32,
        'resp_ip_bytes' : pl.Int32
    }, 
    # Read in batches of 32 lines at a time
    batch_size=32,
    ignore_errors=True,
    low_memory=True,
    skip_rows=0,                      )

# Grab the first 5 records
df_conn.head(5)

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
3.1e-05,0,0,1,52,1,40
4e-05,0,0,1,52,1,40
3.7e-05,0,0,1,52,1,40
2.8e-05,0,0,1,52,1,40
3.6e-05,0,0,1,52,1,40


In [30]:
# What is the size of the dataframe
df_conn.estimated_size(unit='mb')

0.23996257781982422

In [31]:
# Get the schema of the dataframe
df_conn.schema

Schema([('Duration', Float32),
        ('orig_bytes', Int32),
        ('resp_bytes', Int32),
        ('orig_pkts', Int32),
        ('orig_ip_bytes', Int32),
        ('resp_pkts', Int32),
        ('resp_ip_bytes', Int32)])

In [None]:
# We could in fact get a real glimpse
# pun intended
df_conn.glimpse()

Rows: 8865
Columns: 7
$ Duration      <f32> 3.099999958067201e-05, 4.0099999750964344e-05, 3.7000001611886546e-05, 2.809999932651408e-05, 3.600000127335079e-05, 4.0099999750964344e-05, 0.13329195976257324, 3.5000000934815034e-05, 3.099999958067201e-05, 2.789999962260481e-05
$ orig_bytes    <i32> 0, 0, 0, 0, 0, 0, 602, 0, 0, 0
$ resp_bytes    <i32> 0, 0, 0, 0, 0, 0, 4086, 0, 0, 0
$ orig_pkts     <i32> 1, 1, 1, 1, 1, 1, 6, 1, 1, 1
$ orig_ip_bytes <i32> 52, 52, 52, 52, 52, 52, 854, 52, 52, 52
$ resp_pkts     <i32> 1, 1, 1, 1, 1, 1, 8, 1, 1, 1
$ resp_ip_bytes <i32> 40, 40, 40, 40, 40, 40, 4418, 40, 40, 40



In [33]:
# Get the overall shape of the data
df_conn.shape

(8865, 7)

In [34]:
# Do we have null values?
df_conn.filter(df_conn.is_empty())

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32


In [35]:
# Getting the rows with null value in one or more columns
# https://docs.pola.rs/user-guide/expressions/missing-data/#null-and-nan-values
df_conn.filter(pl.any_horizontal(pl.all().is_null()))

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
,,,1,89,0,0
,,,1,89,0,0
,,,0,0,0,0
,,,1,63,0,0
,,,1,63,0,0
…,…,…,…,…,…,…
,,,1,74,0,0
,,,1,74,0,0
,,,1,52,0,0
,,,1,94,0,0


In [36]:
# Get a count of the nulls
df_conn.null_count()

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
u32,u32,u32,u32,u32,u32,u32
1335,1335,1335,1,1,1,1


In [37]:
# Let us hardcode some config setting
pl.Config.set_fmt_float('full')

# Set the number of columns shown by polars
pl.Config.set_tbl_cols(10)

# Increase the maximum column widty
pl.Config.set_fmt_str_lengths(40)

polars.config.Config

In [None]:
# How many records do we have here?
# This coincides with what we saw above
df_conn.filter(pl.any_horizontal(pl.all().is_null())).shape

(1335, 7)

In [39]:
# Do we have any NaNs
df_conn.filter(pl.any_horizontal(pl.all().is_nan()))

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32


In [40]:
# We could use the mean to fill the nulls
df_conn.fill_null(strategy='mean').tail(10)

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
2.78949737548e-05,0,0,1,52,1,40
0.0003261566162109,44,44,1,72,1,72
0.4159469604492187,88,0,2,184,0,0
0.4158749580383301,88,0,2,144,0,0
43.09535217285156,27623,111541,1,94,0,0
3.91006469726e-05,0,0,1,52,1,40
1.71661376953e-05,0,0,1,52,1,40
0.0113511085510253,30,123,1,58,1,151
0.0187020301818847,30,123,1,58,1,151
43.09535217285156,27623,111541,173,30259,213,103058


In [41]:
# We could specify a value of our own
df_conn.fill_null(value=-9999).tail(10)

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
2.78949737548e-05,0,0,1,52,1,40
0.0003261566162109,44,44,1,72,1,72
0.4159469604492187,88,0,2,184,0,0
0.4158749580383301,88,0,2,144,0,0
-9999.0,-9999,-9999,1,94,0,0
3.91006469726e-05,0,0,1,52,1,40
1.71661376953e-05,0,0,1,52,1,40
0.0113511085510253,30,123,1,58,1,151
0.0187020301818847,30,123,1,58,1,151
-9999.0,-9999,-9999,-9999,-9999,-9999,-9999


In [42]:
# use zeros to fill the nulls
df_conn.fill_null(strategy='zero').tail(10)

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
2.78949737548e-05,0,0,1,52,1,40
0.0003261566162109,44,44,1,72,1,72
0.4159469604492187,88,0,2,184,0,0
0.4158749580383301,88,0,2,144,0,0
0.0,0,0,1,94,0,0
3.91006469726e-05,0,0,1,52,1,40
1.71661376953e-05,0,0,1,52,1,40
0.0113511085510253,30,123,1,58,1,151
0.0187020301818847,30,123,1,58,1,151
0.0,0,0,0,0,0,0


In [43]:
# As can be seen there are different strategies which can be used.
# We can also look at using any of the following:
# {'forward', 'backward', 'min', 'max', 'mean', 'zero', 'one'}

# We could even drop any fields that have null values
# Let us do that in this case and update the variable
df_conn = df_conn.drop_nulls()
df_conn.head()

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
3.09999995806e-05,0,0,1,52,1,40
4.00999997509e-05,0,0,1,52,1,40
3.70000016118e-05,0,0,1,52,1,40
2.80999993265e-05,0,0,1,52,1,40
3.60000012733e-05,0,0,1,52,1,40


In [45]:
# We could also drop NaNs
# NaNs and nulls are not the same. Only float fields can contain Nan
df_conn.drop_nans()

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
0.00003099999958067201,0,0,1,52,1,40
0.000040099999750964344,0,0,1,52,1,40
0.000037000001611886546,0,0,1,52,1,40
0.00002809999932651408,0,0,1,52,1,40
0.00003600000127335079,0,0,1,52,1,40
…,…,…,…,…,…,…
0.4158749580383301,88,0,2,144,0,0
0.00003910064697265625,0,0,1,52,1,40
0.0000171661376953125,0,0,1,52,1,40
0.01135110855102539,30,123,1,58,1,151


In [46]:
# Getting the null value fields
# Looks like we do not have any null values at this time
# Now that we have closed things up
# https://docs.pola.rs/user-guide/expressions/missing-data/#null-and-nan-values
df_conn.null_count()

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
u32,u32,u32,u32,u32,u32,u32
0,0,0,0,0,0,0


In [47]:
# What is the shape of our dataset now
df_conn.shape

(7530, 7)

In [48]:
# We started out with 8865 records
# We had 1335 nulls.
# When we subtract the two we get the 7530 rows.
8865 - 1335

7530

In [49]:
# Let us select one column 
pl.col('orig_bytes')

In [50]:
# Ooops! What happened there
# Let us fix that.
df_conn.select(pl.col('orig_bytes')).head(5)

orig_bytes
i32
0
0
0
0
0


In [51]:
# Let us find values that are greater than 3_000_000 bytes
df_conn.filter(pl.col('orig_bytes') > 3_000_000)

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
1384.2095947265625,138606145,37438123,203144,144294177,69156,39374491
1384.2283935546875,4282060,11141667,11867,4614336,66715,13009687
13945.212890625,9418651,79034558,241361,19073413,380065,94238286
13945.3154296875,13230766,239072001,444766,31023138,529118,260239570
13947.5400390625,3229759,7991366,47469,5141887,72976,10963815


In [52]:
# Let us run this query again and negate it
# This return all results that do not match the criteria
df_conn.filter(~(pl.col('orig_bytes') > 3_000_000)).head(5)

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
3.09999995806e-05,0,0,1,52,1,40
4.00999997509e-05,0,0,1,52,1,40
3.70000016118e-05,0,0,1,52,1,40
2.80999993265e-05,0,0,1,52,1,40
3.60000012733e-05,0,0,1,52,1,40


In [53]:
# Let's extract the columns with id.orig_h, id.resp_h
# These fields represent the source and destination IPs, respectively
# We can attempt to cluster these values later
df_conn.select(pl.col(name=['orig_bytes', 'orig_pkts']))

orig_bytes,orig_pkts
i32,i32
0,1
0,1
0,1
0,1
0,1
…,…
88,2
0,1
0,1
30,1


In [54]:
# Let us describe the database
df_conn.describe()

statistic,Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
str,f64,f64,f64,f64,f64,f64,f64
"""count""",7530.0,7530.0,7530.0,7530.0,7530.0,7530.0,7530.0
"""null_count""",0.0,0.0,0.0,0.0,0.0,0.0,0.0
"""mean""",43.09535217285156,27623.620717131475,111541.98698539176,204.32722443559095,35607.66839309429,251.8005312084993,121315.68273572378
"""std""",476.0733947753906,1610304.7512949791,3032176.249451574,6815.298626999298,1721215.967383925,8087.578228024832,3335444.224436413
"""min""",5.0067901611e-06,0.0,0.0,0.0,0.0,0.0,0.0
"""25%""",0.0110061168670654,33.0,0.0,1.0,63.0,1.0,40.0
"""50%""",0.0338890552520751,78.0,110.0,2.0,153.0,1.0,142.0
"""75%""",3.699851036071777,1371.0,5179.0,12.0,2387.0,13.0,6064.0
"""max""",13947.5400390625,138606145.0,239072001.0,444766.0,144294177.0,529118.0,260239570.0


In [55]:
# Transpose the output
# Let us describe the database
df_conn.describe().transpose()

column_0,column_1,column_2,column_3,column_4,column_5,column_6,column_7,column_8
str,str,str,str,str,str,str,str,str
"""count""","""null_count""","""mean""","""std""","""min""","""25%""","""50%""","""75%""","""max"""
"""7530.0""","""0.0""","""43.09535217285156""","""476.0733947753906""","""5.0067901611328125e-6""","""0.01100611686706543""","""0.033889055252075195""","""3.6998510360717773""","""13947.5400390625"""
"""7530.0""","""0.0""","""27623.620717131475""","""1610304.7512949791""","""0.0""","""33.0""","""78.0""","""1371.0""","""138606145.0"""
"""7530.0""","""0.0""","""111541.98698539176""","""3032176.249451574""","""0.0""","""0.0""","""110.0""","""5179.0""","""239072001.0"""
"""7530.0""","""0.0""","""204.32722443559098""","""6815.298626999298""","""0.0""","""1.0""","""2.0""","""12.0""","""444766.0"""
"""7530.0""","""0.0""","""35607.66839309429""","""1721215.967383925""","""0.0""","""63.0""","""153.0""","""2387.0""","""144294177.0"""
"""7530.0""","""0.0""","""251.80053120849934""","""8087.578228024832""","""0.0""","""1.0""","""1.0""","""13.0""","""529118.0"""
"""7530.0""","""0.0""","""121315.68273572378""","""3335444.2244364126""","""0.0""","""40.0""","""142.0""","""6064.0""","""260239570.0"""


In [56]:
# We could also describe a single column if we wish
df_conn.select(pl.col(name='orig_bytes')).describe()

statistic,orig_bytes
str,f64
"""count""",7530.0
"""null_count""",0.0
"""mean""",27623.620717131475
"""std""",1610304.7512949791
"""min""",0.0
"""25%""",33.0
"""50%""",78.0
"""75%""",1371.0
"""max""",138606145.0


In [57]:
# Find all columns where the originator bytes is greater than the mean of the column
df_conn.filter(pl.col(name='orig_bytes') > pl.col('orig_bytes').mean())

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
0.8387191295623779,44986,7174,45,46798,29,8346
60.080169677734375,56303,3621,49,58275,2,3000
60.110069274902344,51980,3621,45,53792,3,3740
58.00806427001953,28812,0,23,29456,0,0
5518.32080078125,796066,0,595,812726,0,0
…,…,…,…,…,…,…
0.6049680709838867,41026,4907,37,42518,21,5759
242.23480224609375,59100,5690,85,63528,107,11262
560.6666259765625,114941,13088,130,120315,72,22391
0.38753414154052734,73103,5364,61,75555,32,6656


In [58]:
# Let us get the correlation matrix
df_conn.corr()

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f64,f64,f64,f64,f64,f64,f64
1.0,0.10554604157677,0.5583478211988838,0.6872519878258077,0.2071401315045429,0.7017875695750421,0.5756254586434482
0.10554604157677,1.0,0.250503673943982,0.4436132809193636,0.989615727849863,0.2123860708455457,0.2454093036866814
0.5583478211988838,0.250503673943982,1.0,0.9309153059509564,0.3794983627153522,0.9371981542452136,0.9993010430238126
0.6872519878258077,0.4436132809193636,0.9309153059509564,1.0,0.5678115823117414,0.956109133015006,0.93788757680314
0.2071401315045429,0.989615727849863,0.3794983627153522,0.5678115823117414,1.0,0.3484681324359164,0.3759348201577353
0.701787569575042,0.2123860708455457,0.9371981542452136,0.956109133015006,0.3484681324359164,1.0,0.948476172194018
0.5756254586434482,0.2454093036866814,0.9993010430238126,0.93788757680314,0.3759348201577352,0.948476172194018,1.0


In [None]:
# Get the covariance between two features
df_conn.select(pl.cov(a='orig_bytes', b='orig_pkts'))

orig_bytes
f64
4868526116.7892885


In [60]:
# Let us disable the scientific notation
pl.Config.set_fmt_float(fmt='full')
df_conn.select(pl.cov(a='orig_bytes', b='orig_pkts'))

orig_bytes
f64
4868526116.7892885


In [61]:
# We could convert this polars dataframe to a pandas dataframe
df_conn.head(10).to_pandas()

Unnamed: 0,Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
0,3.1e-05,0,0,1,52,1,40
1,4e-05,0,0,1,52,1,40
2,3.7e-05,0,0,1,52,1,40
3,2.8e-05,0,0,1,52,1,40
4,3.6e-05,0,0,1,52,1,40
5,4e-05,0,0,1,52,1,40
6,0.133292,602,4086,6,854,8,4418
7,3.5e-05,0,0,1,52,1,40
8,3.1e-05,0,0,1,52,1,40
9,2.8e-05,0,0,1,52,1,40


In [62]:
# Indexing into a dataframe
# Get the first 10 records of the first column
df_conn[:, 0].head(10)

Duration
f32
3.09999995806e-05
4.00999997509e-05
3.70000016118e-05
2.80999993265e-05
3.60000012733e-05
4.00999997509e-05
0.1332919597625732
3.50000009348e-05
3.09999995806e-05
2.78999996226e-05


In [63]:
# Indexing into a dataframe
# Get the last 10 records of the last`` column
df_conn[:, -1].tail(10)

resp_ip_bytes
i32
40
40
40
72
0
0
40
40
151
151


In [64]:
# We could also capture column by names
df_conn[:10, ['Duration', 'orig_bytes', 'resp_bytes']]

Duration,orig_bytes,resp_bytes
f32,i32,i32
3.09999995806e-05,0,0
4.00999997509e-05,0,0
3.70000016118e-05,0,0
2.80999993265e-05,0,0
3.60000012733e-05,0,0
4.00999997509e-05,0,0
0.1332919597625732,602,4086
3.50000009348e-05,0,0
3.09999995806e-05,0,0
2.78999996226e-05,0,0


In [None]:
# Get a random sample of 5 items
# Every time we run this cell the values change
sample_1 = df_conn.sample(5)
sample_1

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
2.121181011199951,1338,167132,20,2150,123,172064
0.0178830623626709,27,91,1,55,1,119
0.5206449031829834,678,3172,12,1170,14,3744
60.172000885009766,1616,664,15,2229,18,1408
0.0202717781066894,35,81,1,63,1,109


In [66]:
# Let us take another sample
sample_2 = df_conn.sample(5)
sample_2

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
0.0300080776214599,517,4128,5,729,7,4420
4.000345230102539,5000,0,4,5112,0,0
100.10694885253906,846,6547,11,1298,9,6919
7.60555267333e-05,0,0,1,52,1,40
3.0140938758850098,700,0,4,812,0,0


In [None]:
# Let us now concatenate these two dataframes to make a bigger dataset
combined_df = pl.concat(items=[sample_1, sample_2], how='vertical')
combined_df

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
2.121181011199951,1338,167132,20,2150,123,172064
0.0178830623626709,27,91,1,55,1,119
0.5206449031829834,678,3172,12,1170,14,3744
60.172000885009766,1616,664,15,2229,18,1408
0.0202717781066894,35,81,1,63,1,109
0.0300080776214599,517,4128,5,729,7,4420
4.000345230102539,5000,0,4,5112,0,0
100.10694885253906,846,6547,11,1298,9,6919
7.60555267333e-05,0,0,1,52,1,40
3.0140938758850098,700,0,4,812,0,0


In [68]:
# Find all columns where the originator bytes is greater than the mean of the column + 4 standard deviation
# From a security perspective, we could investigate these further as they are points greater than the mean + 4 standard deviation
df_conn.filter(pl.col(name='orig_bytes') > pl.col('orig_bytes').mean() + (4 * pl.col('orig_bytes').std()))

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
1384.2095947265625,138606145,37438123,203144,144294177,69156,39374491
13945.212890625,9418651,79034558,241361,19073413,380065,94238286
13945.3154296875,13230766,239072001,444766,31023138,529118,260239570


In [69]:
# Getting the packets with originator bytes greater than responder bytes
df_conn.filter(pl.col(name='orig_bytes') > pl.col('resp_bytes'))

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f32,i32,i32,i32,i32,i32,i32
119.93647003173828,3449,470,8,3781,9,842
59.66194534301758,24444,0,19,24976,0,0
0.256817102432251,158,0,2,238,0,0
59.54629898071289,24480,0,19,25012,0,0
0.8387191295623779,44986,7174,45,46798,29,8346
…,…,…,…,…,…,…
102.86412811279297,8892,7664,22,14188,17,9810
0.4154508113861084,78,0,2,174,0,0
0.4154071807861328,78,0,2,134,0,0
0.41594696044921875,88,0,2,184,0,0


In [None]:
# Create a new column with all 1s.
df_conn = df_conn.with_columns(pl.lit(value=1).alias('label'))
df_conn

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,label
f32,i32,i32,i32,i32,i32,i32,i32
0.00003099999958067201,0,0,1,52,1,40,1
0.000040099999750964344,0,0,1,52,1,40,1
0.000037000001611886546,0,0,1,52,1,40,1
0.00002809999932651408,0,0,1,52,1,40,1
0.00003600000127335079,0,0,1,52,1,40,1
…,…,…,…,…,…,…,…
0.4158749580383301,88,0,2,144,0,0,1
0.00003910064697265625,0,0,1,52,1,40,1
0.0000171661376953125,0,0,1,52,1,40,1
0.01135110855102539,30,123,1,58,1,151,1


In [71]:
# Let us use the filter we defined before to setup some labels
# We will also update the existing labels column
# Getting the packets with originator bytes greater than responder bytes
# df_conn.filter(pl.col(name='orig_bytes') > pl.col('resp_bytes'))

df_conn = df_conn.with_columns(
    pl.when(pl.col(name='orig_bytes') > pl.col('resp_bytes'))
    .then(1)
    .otherwise(0)
    .alias('label')
)

df_conn.head(n=10)

Duration,orig_bytes,resp_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,label
f32,i32,i32,i32,i32,i32,i32,i32
3.09999995806e-05,0,0,1,52,1,40,0
4.00999997509e-05,0,0,1,52,1,40,0
3.70000016118e-05,0,0,1,52,1,40,0
2.80999993265e-05,0,0,1,52,1,40,0
3.60000012733e-05,0,0,1,52,1,40,0
4.00999997509e-05,0,0,1,52,1,40,0
0.1332919597625732,602,4086,6,854,8,4418,0
3.50000009348e-05,0,0,1,52,1,40,0
3.09999995806e-05,0,0,1,52,1,40,0
2.78999996226e-05,0,0,1,52,1,40,0


In [72]:
# Now that we have gotten the labels, let us get the unique ones
# While above, we showed the first 10 records
# Time to confirm the unique values
# This returns only 0 and 1. Just what we wanted to see
df_conn.select(pl.col('label')).unique()

label
i32
0
1


In [73]:
# Confirming we have two unique values from a different perspective
df_conn.select(pl.col('label').n_unique())

label
u32
2


In [74]:
# Getting the count of the unique values
df_conn.select(pl.col('label').value_counts())

label
struct[2]
"{1,1346}"
"{0,6184}"


In [75]:
# Let us normalize these values to get a better look at the proportion from a percentage perspective
df_conn.select(pl.col('label').value_counts(normalize=True))

label
struct[2]
"{0,0.8212483399734396}"
"{1,0.17875166002656043}"


In [76]:
# If we wanted to visualize these values, we have to convert to pandas and plot
df_conn.select(pl.col('label').value_counts(normalize=True))

label
struct[2]
"{1,0.17875166002656043}"
"{0,0.8212483399734396}"


In [77]:
# Save the file with labels
df_conn.write_csv(file='/tmp/df_conn_saved.csv')

# Confirm the file was created
!ls /tmp/df_conn_saved.csv

/tmp/df_conn_saved.csv


In [78]:
# Read a JSON file now
df = pl.read_json(source='conn-today.json')
df.head(10)

ts,uid,id.orig_h,id.orig_p,id.resp_h,…,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f64,str,str,i64,str,…,str,i64,i64,i64,i64
1696017594.59247,"""ChefyE3DEW1aClvrpg""","""127.0.0.1""",6789,"""127.0.0.1""",…,"""Ccc""",0,0,0,0
1696017594.796073,"""CNVult2fJM0kSCwz44""","""192.168.0.4""",9200,"""192.168.0.4""",…,"""CccC""",0,0,0,0
1696017594.806907,"""CyrAyq3MxIBtwI3l14""","""192.168.0.4""",9200,"""192.168.0.4""",…,"""CccC""",0,0,0,0
1696017599.419025,"""CTFYJf1YlOlgiuIRq3""","""192.168.0.29""",54167,"""192.168.0.4""",…,"""Sr""",1,52,1,40
1696017599.419293,"""CFvCzJ3IqyN9ZPo6Yf""","""192.168.0.29""",54169,"""192.168.0.4""",…,"""Sr""",1,52,1,40
1696017599.424701,"""C3DwpC23QXuD21IrTd""","""192.168.0.29""",54170,"""192.168.0.4""",…,"""Sr""",1,52,1,40
1696017599.419025,"""CJZTFA4weMt0rOi6n8""","""192.168.0.29""",54168,"""192.168.0.4""",…,"""Sr""",1,52,1,40
1696017599.667551,"""CJ7CB33OMrEJAVp2Ok""","""192.168.0.29""",54173,"""192.168.0.4""",…,"""Sr""",1,52,1,40
1696017599.667551,"""CD6nHS2nP0XlCzVCMl""","""192.168.0.29""",54171,"""192.168.0.4""",…,"""Sr""",1,52,1,40
1696017599.667551,"""CDFYX72za0XMGX6uC6""","""192.168.0.29""",54172,"""192.168.0.4""",…,"""Sr""",1,52,1,40


In [79]:
# Get the shape of the dataset
df.shape

(24048, 20)

In [None]:
# Drop some columns
df = df.drop(['uid','conn_state','local_orig','local_resp','history'])
df.head(10)

ts,id.orig_h,id.orig_p,id.resp_h,id.resp_p,…,missed_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f64,str,i64,str,i64,…,i64,i64,i64,i64,i64
1696017594.59247,"""127.0.0.1""",6789,"""127.0.0.1""",59106,…,0,0,0,0,0
1696017594.796073,"""192.168.0.4""",9200,"""192.168.0.4""",59876,…,0,0,0,0,0
1696017594.806907,"""192.168.0.4""",9200,"""192.168.0.4""",59896,…,0,0,0,0,0
1696017599.419025,"""192.168.0.29""",54167,"""192.168.0.4""",80,…,0,1,52,1,40
1696017599.419293,"""192.168.0.29""",54169,"""192.168.0.4""",80,…,0,1,52,1,40
1696017599.424701,"""192.168.0.29""",54170,"""192.168.0.4""",80,…,0,1,52,1,40
1696017599.419025,"""192.168.0.29""",54168,"""192.168.0.4""",80,…,0,1,52,1,40
1696017599.667551,"""192.168.0.29""",54173,"""192.168.0.4""",80,…,0,1,52,1,40
1696017599.667551,"""192.168.0.29""",54171,"""192.168.0.4""",80,…,0,1,52,1,40
1696017599.667551,"""192.168.0.29""",54172,"""192.168.0.4""",80,…,0,1,52,1,40


In [81]:
# Let's find all duplicate rows
df.filter(df.is_duplicated())

ts,id.orig_h,id.orig_p,id.resp_h,id.resp_p,…,missed_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f64,str,i64,str,i64,…,i64,i64,i64,i64,i64
1696017721.856373,"""127.0.0.1""",6379,"""127.0.0.1""",40226,…,0,0,0,0,0
1696017721.862059,"""127.0.0.1""",6379,"""127.0.0.1""",40240,…,0,0,0,0,0
1696017721.867597,"""127.0.0.1""",6379,"""127.0.0.1""",40250,…,0,0,0,0,0
1696017721.856373,"""127.0.0.1""",6379,"""127.0.0.1""",40226,…,0,0,0,0,0
1696017721.862059,"""127.0.0.1""",6379,"""127.0.0.1""",40240,…,0,0,0,0,0
…,…,…,…,…,…,…,…,…,…,…
1696020902.161719,"""127.0.0.1""",6379,"""127.0.0.1""",50664,…,0,0,0,0,0
1696021021.523053,"""127.0.0.1""",6379,"""127.0.0.1""",49488,…,0,0,0,0,0
1696021021.523053,"""127.0.0.1""",6379,"""127.0.0.1""",49488,…,0,0,0,0,0
1696021141.99463,"""127.0.0.1""",6379,"""127.0.0.1""",38842,…,0,0,0,0,0


In [82]:
# Let us drop these rows
df = df.unique(keep='last')
df

ts,id.orig_h,id.orig_p,id.resp_h,id.resp_p,…,missed_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes
f64,str,i64,str,i64,…,i64,i64,i64,i64,i64
1696018450.53234,"""192.168.0.4""",47466,"""192.168.0.4""",27761,…,0,0,0,0,0
1696019359.74456,"""192.168.0.4""",35250,"""192.168.0.4""",9200,…,0,0,0,0,0
1696020548.832557,"""127.0.0.1""",6789,"""127.0.0.1""",55408,…,0,0,0,0,0
1696019728.038332,"""192.168.0.78""",56242,"""8.8.4.4""",53,…,0,12,800,0,0
1696020484.8208,"""192.168.0.4""",48200,"""192.168.0.4""",9200,…,0,0,0,0,0
…,…,…,…,…,…,…,…,…,…,…
1696019552.617887,"""192.168.0.31""",55892,"""52.255.102.248""",443,…,0,10,3154,10,8563
1696020300.256542,"""127.0.0.1""",55448,"""127.0.0.1""",6789,…,0,0,0,0,0
1696018451.053194,"""192.168.0.8""",34960,"""192.168.0.255""",7788,…,0,1,88,0,0
1696018538.873978,"""192.168.0.9""",34571,"""192.168.0.2""",53,…,0,1,72,1,231


In [83]:
# Get all the source IPs by groups
# How many unique source IPs are there
df.group_by(['id.orig_h']).agg()

id.orig_h
str
"""::"""
"""fe80::1013:6558:acb:e566"""
"""192.168.0.10"""
"""192.168.0.24"""
"""192.168.0.8"""
…
"""fe80::31aa:20ea:ef13:1934"""
"""fe80::a8ae:7ff:fecc:23f0"""
"""192.168.0.78"""
"""192.168.0.35"""


In [84]:
# Get a count of the source IPs occurrence
df.group_by(['id.orig_h']).agg(pl.len())

id.orig_h,len
str,u32
"""192.168.0.28""",646
"""192.168.0.2""",70
"""192.168.0.21""",367
"""::""",2
"""fe80::31aa:20ea:ef13:1934""",12
…,…
"""192.168.0.29""",662
"""192.168.0.24""",465
"""fe80::1013:6558:acb:e566""",5
"""255.255.255.255""",1


In [85]:
# Group again by the source and destination IPs
# This is done to see the frequency of the communication
# We also get the frequency of the combinations
df.group_by(['id.orig_h', 'id.resp_h']).agg(pl.len()).sort(by='len', descending=True)

id.orig_h,id.resp_h,len
str,str,u32
"""127.0.0.1""","""127.0.0.1""",9827
"""192.168.0.4""","""192.168.0.4""",4279
"""192.168.0.9""","""192.168.0.2""",1793
"""192.168.0.31""","""192.168.0.2""",907
"""127.0.0.1""","""127.0.0.53""",381
…,…,…
"""192.168.0.28""","""52.96.230.226""",1
"""192.168.0.35""","""52.22.210.206""",1
"""192.168.0.28""","""142.251.41.67""",1
"""192.168.0.31""","""20.189.173.8""",1


### Looking at the Lazy mode rather than the previous eager mode

In [86]:
# Read the file again, this time via scan_csv
df_conn_scan = pl.scan_csv(source='conn-log.csv' )
df_conn_scan

In [87]:
# Get the column names
df_conn_scan.collect_schema().names()

['Duration',
 'orig_bytes',
 'resp_bytes',
 'orig_pkts',
 'orig_ip_bytes',
 'resp_pkts',
 'resp_ip_bytes']

In [88]:
# Let's aggregate the orig_bytes 
df_conn_scan.group_by('orig_bytes').agg([pl.len()]).collect()

orig_bytes,len
str,u32
"""335660""",1
"""3448""",1
"""1853""",1
"""56""",7
"""5569""",1
…,…
"""5265""",1
"""13146""",1
"""2206""",1
"""1342""",9


In [89]:
# Let's aggregate the orig_bytes 
df_conn_scan.group_by('orig_bytes').agg([pl.len()]).sort(by='len', descending=True).head(n=10).collect()

orig_bytes,len
str,u32
"""0""",1348
"""null""",1334
"""35""",320
"""524""",202
"""88""",186
"""44""",161
"""46""",156
"""32""",126
"""675""",123
"""31""",111


In [90]:
# Confirm that we have 1348 0s
df_conn_scan.select(pl.col('orig_bytes') == '0').sum().collect()

orig_bytes
u32
1348


**Reerences**  
- https://python.plainenglish.io/polars-101-getting-started-with-pythons-next-gen-dataframe-library-7581a351f164     
- https://docs.pola.rs/user-guide/migration/pandas/  
- https://python.plainenglish.io/polars-101-getting-started-with-pythons-next-gen-dataframe-library-7581a351f164
- https://medium.com/data-science/practical-introduction-to-polars-8d9cdca350f1
- https://github.com/ddotta/awesome-polars?tab=readme-ov-file  
- https://noroinsight.com/polars-for-data-science-complete-guide/
- https://polars-ds-extension.readthedocs.io/en/latest/index.html
- https://arrow.apache.org/docs/format/Columnar.html
- 
- #