# Hunting With Data Science


### Parte 1 - Filtrado y preprocesamiento

In [2]:
import pandas as pd
from pandas import json_normalize

**1. Cargue las librerías y archivos a utilizar en la misma ubicación** <br>
**2. Cargue la información del archivo large_even.json en una lista, muestre la cantidad de registros total.**

In [3]:
df = pd.read_json("large_eve.json", lines=True)
print(df.info)

<bound method DataFrame.info of                               timestamp       flow_id  pcap_cnt event_type  \
0       2017-07-22T17:33:15.784100-0500  2.835707e+14   18519.0      alert   
1       2017-07-22T17:33:16.571273-0500  1.519048e+15   21531.0        ssh   
2       2017-07-22T17:33:16.661646-0500  1.327836e+15   22269.0        dns   
3       2017-07-22T17:33:17.561063-0500  9.632021e+14   28731.0       http   
4       2017-07-22T17:33:17.595416-0500  9.632021e+14   28994.0   fileinfo   
...                                 ...           ...       ...        ...   
746904  2017-07-22T19:47:49.301548-0500  1.970284e+15       NaN       flow   
746905  2017-07-22T19:47:49.301548-0500  2.251792e+15       NaN       flow   
746906  2017-07-22T19:47:49.301548-0500  8.444188e+14       NaN       flow   
746907  2017-07-22T19:47:49.301548-0500  2.814688e+14       NaN       flow   
746908  2017-07-19T17:39:33.004305-0400           NaN       NaN      stats   

         vlan                  

**3. Debido a que estamos buscando dominios web, del total de registros, solamente estamos interesados en los registros DNS. Cargue únicamente aquellos registros que sean DNS** <br>
**4. Muestre la nueva cantidad de registros filtrados**

In [4]:
df_dns = df[df['event_type'] == 'dns']
df_dns.info

**5. Muestre la información de 2 registros cualesquiera**

In [5]:
df_dns.head(2)

Unnamed: 0,timestamp,flow_id,pcap_cnt,event_type,vlan,src_ip,src_port,dest_ip,dest_port,proto,...,vars,flow,icmp_type,icmp_code,tcp,smtp,email,app_proto_tc,app_proto_ts,stats
2,2017-07-22T17:33:16.661646-0500,1327836000000000.0,22269.0,dns,110.0,2001:0dbb:0c18:0011:0260:6eff:fe30:0863,59680.0,2001:0500:0001:0000:0000:0000:803f:0235,53.0,UDP,...,,,,,,,,,,
38,2017-07-22T17:33:24.990320-0500,2022925000000000.0,54352.0,dns,110.0,2001:0dbb:0c18:0011:0260:6eff:fe30:0863,38051.0,2001:0500:0003:0000:0000:0000:0000:0042,53.0,UDP,...,,,,,,,,,,


**6. Debido a que la data consiste en json anidados, utilice la característica json_normalize para normalizar la información y asignarla en un dataframe.**

In [6]:
df['dns'] = df['dns'].apply(lambda x: [x] if isinstance(x, dict) else x)
df_normalized = pd.json_normalize(df.to_dict('records'), 'dns', ['timestamp', 'flow_id', 'pcap_cnt', 'event_type', 'vlan', 'src_ip', 'src_port', 'dest_ip', 'dest_port', 'proto'])
df_normalized.head()

Unnamed: 0,type,id,rrname,rrtype,tx_id,rcode,ttl,rdata,timestamp,flow_id,pcap_cnt,event_type,vlan,src_ip,src_port,dest_ip,dest_port,proto
0,query,15529,api.wunderground.com,A,0.0,,,,2017-07-22T17:33:16.661646-0500,1327836194150542.0,22269.0,dns,110.0,2001:0dbb:0c18:0011:0260:6eff:fe30:0863,59680.0,2001:0500:0001:0000:0000:0000:803f:0235,53.0,UDP
1,query,58278,stork79.dropbox.com,A,0.0,,,,2017-07-22T17:33:24.990320-0500,2022925111925872.0,54352.0,dns,110.0,2001:0dbb:0c18:0011:0260:6eff:fe30:0863,38051.0,2001:0500:0003:0000:0000:0000:0000:0042,53.0,UDP
2,query,54724,hpca-tier2.office.aol.com.ad.aol.aoltw.net,A,0.0,,,,2017-07-22T17:33:27.379891-0500,578544790391795.0,54519.0,dns,150.0,192.168.205.170,31393.0,192.168.207.4,53.0,UDP
3,answer,54724,hpca-tier2.office.aol.com.ad.aol.aoltw.net,,,NXDOMAIN,,,2017-07-22T17:33:27.380146-0500,578544790391795.0,54520.0,dns,150.0,192.168.207.4,53.0,192.168.205.170,31393.0,UDP
4,answer,54724,<root>,SOA,,NXDOMAIN,20864.0,,2017-07-22T17:33:27.380146-0500,578544790391795.0,54520.0,dns,150.0,192.168.207.4,53.0,192.168.205.170,31393.0,UDP


**7. Como estamos buscando dominios DGA, debemos filtrar los registros DNS para aquellos registros tipo A (son aquellos que mantienen una dirección IP asociada a un dominio).**

In [7]:
df_dns_a = df_normalized[df_normalized['rrtype'] == 'A']
print(df_dns_a.shape)
df_dns_a.head()

(2849, 18)


Unnamed: 0,type,id,rrname,rrtype,tx_id,rcode,ttl,rdata,timestamp,flow_id,pcap_cnt,event_type,vlan,src_ip,src_port,dest_ip,dest_port,proto
0,query,15529,api.wunderground.com,A,0.0,,,,2017-07-22T17:33:16.661646-0500,1327836194150542.0,22269.0,dns,110.0,2001:0dbb:0c18:0011:0260:6eff:fe30:0863,59680.0,2001:0500:0001:0000:0000:0000:803f:0235,53.0,UDP
1,query,58278,stork79.dropbox.com,A,0.0,,,,2017-07-22T17:33:24.990320-0500,2022925111925872.0,54352.0,dns,110.0,2001:0dbb:0c18:0011:0260:6eff:fe30:0863,38051.0,2001:0500:0003:0000:0000:0000:0000:0042,53.0,UDP
2,query,54724,hpca-tier2.office.aol.com.ad.aol.aoltw.net,A,0.0,,,,2017-07-22T17:33:27.379891-0500,578544790391795.0,54519.0,dns,150.0,192.168.205.170,31393.0,192.168.207.4,53.0,UDP
5,query,45082,api.wunderground.com,A,0.0,,,,2017-07-22T17:33:36.672785-0500,237919524635665.0,55496.0,dns,110.0,2001:0dbb:0c18:0011:0260:6eff:fe30:0863,41663.0,2001:07fd:0000:0000:0000:0000:0000:0001,53.0,UDP
6,query,7425,safebrowsing.clients.google.com.home,A,0.0,,,,2017-07-22T17:33:38.537426-0500,2167545251640146.0,55687.0,dns,180.0,192.168.198.62,35092.0,192.168.207.4,53.0,UDP


**8. Filtre los dominios únicos.**

In [8]:
dominios_unicos = df_dns_a['rrname'].unique()
print("Hay " + str(len(dominios_unicos)) + " registros unicos registrados:\n")
print(dominios_unicos)

Hay 177 registros unicos registrados:

['api.wunderground.com' 'stork79.dropbox.com'
 'hpca-tier2.office.aol.com.ad.aol.aoltw.net'
 'safebrowsing.clients.google.com.home' 'fxfeeds.mozilla.com'
 'www.metasploit.com' 'aolmtcmxm03.office.aol.com'
 'aolmtcmxm02.office.aol.com.ad.aol.aoltw.net'
 'aolmtcmxm02.office.aol.com' 'hpca-tier2.office.aol.com'
 'aolmtcmxm03.office.aol.com.ad.aol.aoltw.net'
 'aolmtcmxm04.office.aol.com' 'safebrowsing.clients.google.com'
 'wpad.home' 'safebrowsing.clients.google.com.stayonline.net'
 'aolmtcmxm04.office.aol.com.ad.aol.aoltw.net'
 'AOLDTCMA04.ad.aol.aoltw.net.office.aol.com' 'AOLDTCMA04.office.aol.com'
 '192.168.22.110phpmyadmin' 'secure.informaction.com'
 'secure.informaction.com.localdomain'
 'safebrowsing.clients.google.com.localdomain' 'ueip.vmware.com'
 'en-us.fxfeeds.mozilla.com' '192.168.22.110phpmyadmin.localdomain'
 'time.windows.com' 'softwareupdate.vmware.com' 'proxim.ntkrnlpa.info'
 'portswigger.net' 'www.offensive-security.com'
 'www.offens

**9. Escriba una función que obtenga el TLD para un dominio. Por ejemplo, para api.wunderground.com el TLD es wunderground.com, para safebrowsing.clients.google.com.home, el TLD es home. Utilice ChatGPT para esta función, verifique que obtiene correctamente el TLD, incluya el prompt utilizado en su notebook.**

Sure, here's the function to extract the Top-Level Domain (TLD) from a given domain:

In [9]:
def get_tld(domain):
    """
    Function to extract the Top-Level Domain (TLD) from a given domain.

    Args:
    - domain (str): The domain from which the TLD is to be extracted.

    Returns:
    - tld (str): The TLD of the domain.
    """
    parts = domain.split('.')
    if len(parts) > 1:
        return '.'.join(parts[-2:])
    else:
        return domain

# Usage examples
domain_1 = "api.wunderground.com"
domain_2 = "safebrowsing.clients.google.com.home"

tld_1 = get_tld(domain_1)
tld_2 = get_tld(domain_2)

print("TLD of", domain_1, ":", tld_1)
print("TLD of", domain_2, ":", tld_2)

TLD of api.wunderground.com : wunderground.com
TLD of safebrowsing.clients.google.com.home : com.home


This function takes a domain as input and returns its TLD. It splits the domain into parts separated by dots (.), then joins the last two parts to get the TLD. If the domain has only one part (as in the second example "home"), it simply returns that value since there's no defined TLD in this case.

**10. Del dataframe de dominios únicos de tipo A, obtenga el TLD (top level domain) utilizando la función anterior para crear una columna nueva llamada domain_tld, y elimine todas las demás columnas.**

In [10]:
# Crear la nueva columna 'domain_tld' con los TLD de cada dominio
df_dns_a['domain_tld'] = df_dns_a['rrname'].apply(get_tld)

# Eliminar todas las demás columnas excepto 'domain_tld'
df_dns_a = df_dns_a[['domain_tld']]
df_dns_a.head()

A value is trying to be set on a copy of a slice from a DataFrame.
Try using .loc[row_indexer,col_indexer] = value instead

See the caveats in the documentation: https://pandas.pydata.org/pandas-docs/stable/user_guide/indexing.html#returning-a-view-versus-a-copy
  df_dns_a['domain_tld'] = df_dns_a['rrname'].apply(get_tld)


Unnamed: 0,domain_tld
0,wunderground.com
1,dropbox.com
2,aoltw.net
5,wunderground.com
6,com.home


### Parte 2 - Data Science

**11. Utilice el clasificador proporcionado, debe pasarle como parámetro el dataframe con la columna domain_tld, y asignar el resultado a un nuevo dataframe**

In [11]:
from clasificador import clasificacion

resultado = clasificacion(df_dns_a[['domain_tld']])
resultado

https://scikit-learn.org/stable/model_persistence.html#security-maintainability-limitations


Unnamed: 0,domain_tld,isDGA
0,wunderground.com,0
1,dropbox.com,1
2,aoltw.net,1
5,wunderground.com,0
6,com.home,0
...,...,...
15713,comcast.net,0
15716,stayonline.net,0
15725,aoltw.net,1
15737,real.com,1


**12. Filtre aquellos considerados como DGA (valor 1 ) y muéstrelos. Recuerde que los modelos de ML ofrecen una predicción, pero los resultados pueden incluir falsos positivos y falsos negativos, por lo que no podemos fiarnos por completo de esta clasificación y debemos seguir indagando. Por último, elimine duplicados.**

In [12]:
resultado_filtrado = resultado[resultado['isDGA'] == 1]
resultado_filtrado_sin_duplicados = resultado_filtrado['domain_tld'].unique()
print("Hay " + str(len(resultado_filtrado_sin_duplicados)) + " registros unicos registrados:\n")
print(resultado_filtrado_sin_duplicados)

Hay 36 registros unicos registrados:

['dropbox.com' 'aoltw.net' 'metasploit.com' '22.110phpmyadmin'
 '110phpmyadmin.localdomain' 'windows.com' 'ntkrnlpa.info'
 'sql-ledger.org' 'backtrack-linux.org' 'hackerlabs.vpn' 'phpmyadmin.net'
 'microsoft.com' 'postgresql.org' 'freepbx.org' 'bigflickrfeed.com'
 'flickr.com' 'malwarecity.com' 'facebook.com' 'xmarks.com' 'cakephp.org'
 'adams.net' 'clarkson.edu' 'ecvps.com' 'wisc.edu' 'easynews.com'
 'bluehost.com' 'kernel.org' 'liquidweb.com' 'team-cymru.org'
 'xmission.com' 'apple.com' 'msftncsi.com' 'vtlfccmfxlkgifuf.com'
 'macromates.com' 'ejfodfmfxlkgifuf.xyz' 'real.com']


### Parte 3 - Dominio experto

**13. Ahora ya tenemos un listado de dominios reducido y considerado como sospechoso, por lo que debemos aplicar dominio experto para encontrar los verdaderos registros maliciosos. Escriba una función que utilice la lista de un millón de TLD proporcionada en Canvas, y devuelva 0 si el TLD se encuentra en la lista y 1 si no está.**

Got it. You can create a DataFrame with two columns: "domain_tld" and "isOnList", where "domain_tld" contains the unique TLDs and "isOnList" indicates whether each TLD is present in the top-1m.csv file. Here's how:

In [13]:
import csv

def domain_expert(tld):
    """
    Function to check if a given TLD is present in the list of one million TLDs.

    Args:
    - tld (str): The TLD to be checked.

    Returns:
    - int: 0 if the TLD is present in the list, 1 if it's not.
    """
    with open('top-1m.csv', 'r') as file:
        reader = csv.reader(file)
        for row in reader:
            if row[1] == tld:
                return 0
    return 1

# Create a list of dictionaries with the results
results_list = []
for tld in resultado_filtrado_sin_duplicados:
    results_list.append({'domain_tld': tld, 'isOnList': domain_expert(tld)})

# Create a DataFrame from the list of dictionaries
df_domain_experts = pd.DataFrame(results_list)

# Display the resulting DataFrame
df_domain_experts

Unnamed: 0,domain_tld,isOnList
0,dropbox.com,0
1,aoltw.net,1
2,metasploit.com,0
3,22.110phpmyadmin,1
4,110phpmyadmin.localdomain,1
5,windows.com,0
6,ntkrnlpa.info,1
7,sql-ledger.org,1
8,backtrack-linux.org,1
9,hackerlabs.vpn,1


This code will create a DataFrame named df_domain_experts with two columns: "domain_tld", which contains the unique TLDs, and "isOnList", which indicates whether each TLD is present in the top-1m.csv file. You can use this DataFrame for any further analysis or processing you need to perform.

**14. Utilice la función para determinar si los TLD se encuentran en dicha lista. Filtre aquellos que si se encuentran.**

In [14]:
df_dominios_expertos_filtrado = df_domain_experts[df_domain_experts['isOnList'] == 0]
print(df_dominios_expertos_filtrado.shape)
df_dominios_expertos_filtrado

(22, 2)


Unnamed: 0,domain_tld,isOnList
0,dropbox.com,0
2,metasploit.com,0
5,windows.com,0
10,phpmyadmin.net,0
11,microsoft.com,0
12,postgresql.org,0
13,freepbx.org,0
15,flickr.com,0
17,facebook.com,0
18,xmarks.com,0


**15. Finalmente, para confirmar los dominios maliciosos podemos buscar la fecha de creación del TLD. Cree una función qué en base al TLD, devuelva la fecha de creación de este.**

To create a function that returns the creation date of a TLD, you'll need to utilize a data source that provides this information. Unfortunately, there isn't a single centralized and comprehensive data source that provides the creation date of all TLDs.

However, there are some options you could consider:

1. WHOIS: You can use WHOIS services to query information about a specific domain, including the creation date. There are some Python libraries that allow you to make WHOIS queries, such as whois or python-whois. For example:

In [16]:
import whois

def get_creation_date(tld):
    try:
        w = whois.whois(tld)
        return w.creation_date
    except Exception as e:
        print(f"Failed to retrieve WHOIS information for {tld}: {str(e)}")
        return None

# Aplica la función fecha_creacion_tld a la columna 'domain_tld' y guarda los resultados en una nueva columna 'fecha_creacion'
df_dominios_expertos_filtrado['fecha_creacion'] = df_dominios_expertos_filtrado['domain_tld'].apply(get_creation_date)

# Muestra el DataFrame con la nueva columna 'fecha_creacion'
df_dominios_expertos_filtrado

A value is trying to be set on a copy of a slice from a DataFrame.
Try using .loc[row_indexer,col_indexer] = value instead

See the caveats in the documentation: https://pandas.pydata.org/pandas-docs/stable/user_guide/indexing.html#returning-a-view-versus-a-copy
  df_dominios_expertos_filtrado['fecha_creacion'] = df_dominios_expertos_filtrado['domain_tld'].apply(fecha_creacion_tld)


Unnamed: 0,domain_tld,isOnList,fecha_creacion
0,dropbox.com,0,1995-06-28 04:00:00
2,metasploit.com,0,2003-06-10 06:53:17
5,windows.com,0,1995-09-11 04:00:00
10,phpmyadmin.net,0,"[2002-04-02 19:34:53, 2002-04-02 12:34:53]"
11,microsoft.com,0,1991-05-02 04:00:00
12,postgresql.org,0,1996-10-22 04:00:00
13,freepbx.org,0,2005-10-11 15:55:49
15,flickr.com,0,2003-11-22 07:49:51
17,facebook.com,0,1997-03-29 05:00:00
18,xmarks.com,0,2003-12-29 19:12:14


2. Third-party APIs: Some services offer APIs that allow you to access WHOIS data programmatically. You can search for such services and consult their documentation for more information on how to use them.

3. Domain databases: Some companies or institutions maintain databases of domains that may include information such as the creation date. You could search for public or commercial databases that provide this information and explore the available options.

It's important to note that the availability and accuracy of the creation date information may vary depending on the data source used. Additionally, consider the usage policies and potential restrictions when accessing this information.

**16. Muestre la fecha de creación para cada uno de los 13 dominios finales ¿Cuáles son los dominios que podemos confirmar como sospechosos?**

In [17]:
df_dominios_expertos_filtrado = df_domain_experts[df_domain_experts['isOnList'] == 1]
df_dominios_expertos_filtrado['fecha_creacion'] = df_dominios_expertos_filtrado['domain_tld'].apply(get_creation_date)
df_dominios_expertos_filtrado

No se pudo obtener la información de WHOIS para bigflickrfeed.com: No match for "BIGFLICKRFEED.COM".
>>> Last update of whois database: 2024-04-09T22:09:07Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist p

A value is trying to be set on a copy of a slice from a DataFrame.
Try using .loc[row_indexer,col_indexer] = value instead

See the caveats in the documentation: https://pandas.pydata.org/pandas-docs/stable/user_guide/indexing.html#returning-a-view-versus-a-copy
  df_dominios_expertos_filtrado['fecha_creacion'] = df_dominios_expertos_filtrado['domain_tld'].apply(fecha_creacion_tld)


Unnamed: 0,domain_tld,isOnList,fecha_creacion
1,aoltw.net,1,2000-01-10 04:09:19
3,22.110phpmyadmin,1,
4,110phpmyadmin.localdomain,1,
6,ntkrnlpa.info,1,2023-06-27 08:18:55
7,sql-ledger.org,1,2000-09-08 16:25:09
8,backtrack-linux.org,1,2009-04-29 00:26:42
9,hackerlabs.vpn,1,
14,bigflickrfeed.com,1,
16,malwarecity.com,1,"[2008-02-06 15:42:35, 2008-02-06 00:00:00]"
19,cakephp.org,1,2005-06-13 23:07:32


Según investigué, la falta de fecha de creación en un TLD puede deberse a la privacidad del dominio, problemas de red o dominios recientemente registrados. Aunque la falta de información de WHOIS puede ser una señal de alerta, no es necesariamente indicativa de actividad maliciosa por sí sola. Sin embargo, en un contexto de análisis de seguridad como lo estamos haciendo en este ejercicio, los dominios sin fecha de creación (los que aparecen como "None") podríamos considerarlos más sospechosos y puede ser indicativo de que estos son los verdaderos sitios maliciosos que pudimos encontrar. Aquellos que fueron sospechosos pero sí muestran una fecha podríamos descartarlos ya que llevan bastante tiempo publicados.