<a href="https://colab.research.google.com/github/neal-logan/dsba6211-summer2024/blob/main/nophishing/01_exploratory_analysis.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# 01 Exploratory Analysis


### Setup

#### Required Packages
Developed with Python version 3.10.12 in Colab version 1.0.0

In [33]:
##https://github.com/facebookresearch/hiplot
!pip install hiplot==0.1.33

Collecting hiplot==0.1.33
  Downloading hiplot-0.1.33-py3-none-any.whl.metadata (4.9 kB)
Collecting flask-compress (from hiplot==0.1.33)
  Downloading Flask_Compress-1.15-py3-none-any.whl.metadata (8.4 kB)
Collecting jedi>=0.16 (from ipython>=7.0.1->hiplot==0.1.33)
  Using cached jedi-0.19.1-py2.py3-none-any.whl.metadata (22 kB)
Collecting brotli (from flask-compress->hiplot==0.1.33)
  Downloading Brotli-1.1.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl.metadata (5.5 kB)
Collecting zstandard (from flask-compress->hiplot==0.1.33)
  Downloading zstandard-0.23.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.0 kB)
Downloading hiplot-0.1.33-py3-none-any.whl (863 kB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m863.2/863.2 kB[0m [31m2.2 MB/s[0m eta [36m0:00:00[0m
[?25hDownloading Flask_Compress-1.15-py3-none-any.whl (8.6 kB)
Using cached jedi-0.19.1-py2.py3-none-any.whl (1.6 MB)
Downloading 

In [None]:

#https://github.com/SelfExplainML/PiML-Toolbox
!pip install PiML==0.6.0

#### Random Seed

In [9]:
random_seed = 42

#### Load and Prepare Data

In [71]:
# Load and prepare training data
import pandas as pd

train_url = 'https://raw.githubusercontent.com/neal-logan/dsba6211-summer2024/main/nophishing/data/phishing-url-pirochet-train.csv'
df = pd.read_csv(train_url)

#Create numeric target variable column
df['y'] = df['status'].replace('legitimate', 0).replace('phishing', 1)

#Drop unnecessary columns
df = df.drop(columns=['status','url'])

#X/y split
X = df.drop(columns=['y'])
y = df['y']


In [72]:
#Split training set into training and validation set (test set not yet loaded)

from sklearn.model_selection import train_test_split
X_train, X_validation, y_train, y_validation = train_test_split(
    X,
    y,
    test_size = 0.2,
    random_state = random_seed)

In [78]:
# Establish a list of columns being dropped from exploration and modeling
column_drop_list = ['url','status']

### Overview of the Data

Most of the columns are a mix of binary, small discrete numbers, or ratios in decimal format.  Some columns have significantly larger values.  Some columns contain negative values that are apparently invalid.

While the column names follow some degree of convention, there's no simple way to delineate how each of them should be handled.  I will need to analyze each feature individually and organize a preprocessing pipeline that takes into account what each feature needs.

Some of the fields are obtained from third-party providers.  Because these might not always be available, I will develop a set of models that use this data as well as a second set of models that do not.

#### Categorize Features by Source

In [73]:
# Split features into categories based on origin: from URL, from site content,
# or from third parties

url_columns = ['length_url', 'length_hostname', 'ip', 'nb_dots',
  'nb_hyphens', 'nb_at', 'nb_qm', 'nb_and', 'nb_or', 'nb_eq',
  'nb_underscore', 'nb_tilde', 'nb_percent', 'nb_slash', 'nb_star',
  'nb_colon', 'nb_comma', 'nb_semicolumn', 'nb_dollar', 'nb_space',
  'nb_www', 'nb_com', 'nb_dslash', 'http_in_path', 'https_token',
  'ratio_digits_url', 'ratio_digits_host', 'punycode', 'port',
  'tld_in_path', 'tld_in_subdomain', 'abnormal_subdomain',
  'nb_subdomains', 'prefix_suffix', 'random_domain', 'shortening_service',
  'path_extension', 'nb_redirection', 'nb_external_redirection',
  'length_words_raw', 'char_repeat', 'shortest_words_raw',
  'shortest_word_host', 'shortest_word_path', 'longest_words_raw',
  'longest_word_host', 'longest_word_path', 'avg_words_raw',
  'avg_word_host', 'avg_word_path', 'phish_hints', 'domain_in_brand',
  'brand_in_subdomain', 'brand_in_path', 'suspecious_tld',
  'statistical_report' ]

site_content_columns = ['nb_hyperlinks', 'ratio_intHyperlinks',
  'ratio_extHyperlinks', 'ratio_nullHyperlinks', 'nb_extCSS',
  'ratio_intRedirection', 'ratio_extRedirection', 'ratio_intErrors',
  'ratio_extErrors', 'login_form', 'external_favicon', 'links_in_tags',
  'submit_email', 'ratio_intMedia', 'ratio_extMedia', 'sfh', 'iframe',
  'popup_window', 'safe_anchor', 'onmouseover', 'right_clic',
  'empty_title', 'domain_in_title', 'domain_with_copyright']

third_party_columns = ['whois_registered_domain', 'domain_registration_length', 'domain_age',
       'web_traffic', 'dns_record', 'google_index', 'page_rank']


X_url_train = X_train[url_columns]
X_site_content_train = X_train[site_content_columns]
X_third_party_train = X_train[third_party_columns]

#### Feature-Target Correlation

Third-party features google_index and page_rank dominate the correlations.  However, url features nb_www and ratio_digits_url also look promising, and they're closely followed by site content variables domain_in_title and nb_hyperlinks.

On the other hand, most features show very little correlation, including several under 0.01.  And 5 features show no variation at all after removing the validation set from the training set.

While the uncorrelated features could still plausibly be useful to decision tree models, features that do not vary can't be of any use and will be dropped.

On closer inspection,


In [None]:
# Recombine X,y training data sets for exploration
Xy_train = X_train.copy()
Xy_train['y'] = y_train

In [None]:
# Calculate correlation matrix
corr_matrix = Xy_train.corr().abs()

# Get top features correlated with the target variable
# top_correlated_columns = corr_matrix['y'].sort_values(ascending=False).head(10)
print(corr_matrix['y'].sort_values(ascending=False).head(45))
print(corr_matrix['y'].sort_values(ascending=False).tail(45))



In [None]:
# Identify non-varying features
non_varying_columns = []
for col in X_train.columns:
  if len(pd.unique(X_train[col])) < 2:
    non_varying_columns.append(col)

print(non_varying_columns)

In [None]:
# Add non-varying features to the drop list & drop from X_train
column_drop_list.extend(non_varying_columns)

X_train.drop(columns=non_varying_columns, inplace=True)
X_validation.drop(columns=non_varying_columns, inplace=True)
Xy_train.drop(columns=non_varying_columns, inplace=True)

# print(column_drop_list)


##### Source-specific lists

In [74]:
# Create source-specific lists

# Xy_url_train = X_url_train.copy()
# Xy_url_train['y'] = y_train

# Xy_site_content_train = X_site_content_train.copy()
# Xy_site_content_train['y'] = y_train

# Xy_third_party_train = X_third_party_train.copy()
# Xy_third_party_train['y'] = y_train

In [14]:
# Calculate correlation matrix
# corr_matrix_url = Xy_url_train.corr().abs()

# # Get top 10 url features correlated with the target variable
# top_correlated_url_columns = corr_matrix_url['y'].sort_values(ascending=False).head(10)
# print(top_correlated_url_columns)

y                    1.000000
nb_www               0.434337
ratio_digits_url     0.357516
phish_hints          0.326646
ip                   0.316615
nb_qm                0.301241
nb_slash             0.246719
length_hostname      0.243607
length_url           0.231634
ratio_digits_host    0.227973
Name: y, dtype: float64


In [15]:
# corr_matrix_site_content = Xy_site_content_train.corr().abs()

# # Get top 10 url features correlated with the target variable
# top_correlated_site_content_columns = corr_matrix_site_content['y'].sort_values(ascending=False).head(10)
# print(top_correlated_site_content_columns)

y                        1.000000
domain_in_title          0.338552
nb_hyperlinks            0.334818
ratio_intHyperlinks      0.255428
empty_title              0.221384
ratio_intMedia           0.202347
links_in_tags            0.191689
safe_anchor              0.190779
domain_with_copyright    0.180982
ratio_extRedirection     0.163749
Name: y, dtype: float64


In [16]:
# corr_matrix_third_party = Xy_third_party_train.corr().abs()

# # Get top 10 url features correlated with the target variable
# top_correlated_third_party_columns = corr_matrix_third_party['y'].sort_values(ascending=False).head(10)
# print(top_correlated_third_party_columns)

y                             1.000000
google_index                  0.738908
page_rank                     0.503734
domain_age                    0.325361
domain_registration_length    0.170025
dns_record                    0.111166
whois_registered_domain       0.074040
web_traffic                   0.064179
Name: y, dtype: float64


#### Boxplots - TODO - fix or eliminate

A quick (if bulky) look at the distributions the features.  There appear to be some invalid values, mostly -1s in features where these values don't make sense.

In [None]:
#Boxplots
import pandas as pd
import matplotlib.pyplot as plt

# Define the number of columns per plot
columns_per_plot = 12

# Split the numeric columns into chunks
chunks = [Xy_train[i:i + columns_per_plot] for i in range(0, len(Xy_train), columns_per_plot)]

# Create boxplots for each chunk
for i, chunk in enumerate(chunks):
    plt.figure()
    Xy_train[chunk].boxplot()
    plt.title(f'Boxplots for Columns {i * columns_per_plot + 1} to {(i + 1) * columns_per_plot}')
    plt.xticks(rotation=90)  # Rotate x-axis labels for better readability
    plt.show()


#### Parallel coordinate plots (correlated feature groups)

I generated several groups of correlated features and plotted those groups (with the target variable) in parallel coordinate plots.

##### **Narrowly-applicable Red Flags and Weak Indicators**

This exposed interesting relationships that couldn't be seen in the correlation matrix.  For example, tld_in_subdomain = 1 in only about 5% of observations, but the vast majority of these are phishing.  In a similar vein, ip = 1 accounts for about 15% of observations, of which about 5/6 are phishing.  Each of these could potentially serve as a red flag for phishing, even if they don't provide much information about most of the dataset.   

We can also see somewhat less narrowly-applicable features.  For example, setting a threshold of ratio_digits_url >= 0.05 gives us a little over 30% of observations, and of these almost 3/4 are phishing.  At nb_dots >= 4, we select about 13% of observations, nearly all phishing, but at nb_dots >= 3, this increases to about 33% of observations, which which almost 2/3 are phishing.

This pattern continues across numerous features: they may serve as red flags at higher thresholds, or may provide useful correlation at lower thresholds, or in some cases they may do both.

##### **Strong, Broadly-Applicable Indicators**

As the correlation matrix indicated, google_index is a strong foundation for a phishing model by itself. page_rank and domain_age are also very strong, common indicators.






##### Group correlated features

In [92]:

import pandas as pd

#Create empty dataframes
dfs_eda = []
for i in range(0,13):
  df = pd.DataFrame()
  dfs_eda.append(df)

form_group_threshold = 0.3
join_group_threshold = 0.15


# Add the target variable to the first data frame to ensure
# highly-correlated variables will be explored
dfs_eda[0]['y'] = y_train

# Iterate through columns prioritizing those most correlated with the target
# grouping them based on correlation with columns already assigned to groups,
# correlation with the most-correlated other column, the presence of empty
# groups, and correlation thresholds.
for col in Xy_train:

  #Get the next most-correlated column other than col itself

  most_correlated = corr_matrix[col].sort_values(ascending=False).index[1]
  correlation = corr_matrix.loc[col, most_correlated]

  # Check if there are any remaining empty groups
  empty_remaining = False
  for df in dfs_eda:
    if df.empty:
      empty_remaining = True

  # If there are empty remaining groups and correlation for the current column
  # exceeds the threshold for group formation, add both to the first empty df
  if empty_remaining and correlation > form_group_threshold:
    for df in dfs_eda:
      if df.empty:
        df[col] = Xy_train[col]
        df[most_correlated] = Xy_train[most_correlated]
        break
  # Otherwise, if the correlation exceeds the minimum threshold for joining a
  # group
  elif corr_matrix['y'][col] > 0.3:
    dfs_eda[0][col] = Xy_train[col]
  elif correlation > join_group_threshold:
    for df in dfs_eda:
      if most_correlated in df.columns:
        df[col] = Xy_train[col]
        break
  elif corr_matrix['y'][col] > 0.15:
    dfs_eda[0][col] = Xy_train[col]


# Add the target variable to each group
for df in dfs_eda:
  if not 'y' in df.columns:
    df['y'] = y_train



In [None]:
for df in dfs_eda:
  if not df.empty:
    print(df.columns)

##### Generate parallel coordinate plots

In [None]:
import hiplot as hip

# add y to df1
df['y'] = y_train

# convert dfs_eda to list of dicts because hiplot requires
dicts_eda = [df.to_dict('records') for df in dfs_eda]

for d in dicts_eda:
  hip.Experiment.from_iterable(d).display()

#### Baseline Models

##### Logistic Regression

In [None]:
#Set up pipeline

import numpy as np
from sklearn.preprocessing import StandardScaler
from sklearn.linear_model import LogisticRegression
from sklearn.pipeline import make_pipeline

pipe_lr = make_pipeline(
      StandardScaler(),
      LogisticRegression(random_state=42)
)

pipe_lr.fit(X_train, y_train)


In [None]:
print_model_evaluation("Logistic Regression\nPerformance on Training Set",
                       pipe_lr, X_train, y_train)

print_model_evaluation("Logistic Regression\nPerformance on Validation Set",
                       pipe_lr, X_validation, y_validation)

In [None]:
from sklearn.metrics import accuracy_score
from sklearn.metrics import roc_auc_score
from sklearn.metrics import precision_score
from sklearn.metrics import recall_score
from sklearn.metrics import f1_score
from sklearn.metrics import confusion_matrix
from sklearn.pipeline import Pipeline
import pandas as pd

# Define model evaluation function

def print_model_evaluation(
    title: str,
    pipe : Pipeline,
    X : pd.DataFrame,
    y : pd.DataFrame):

    print("\n" + title)
    pred_y = pipe.predict(X)
    print(confusion_matrix(pred_y, y))
    print("\nROC-AUC: " + str(roc_auc_score(pred_y, y)))
    print("Precision: " + str(precision_score(pred_y, y)))
    print("Recall: " + str(recall_score(pred_y, y)))

##### Random Forest

In [None]:
#Set up & run pipeline - random forest

from sklearn.preprocessing import StandardScaler
from sklearn.ensemble import RandomForestClassifier
from sklearn.pipeline import make_pipeline

pipe_rf = make_pipeline(
      StandardScaler(),
      RandomForestClassifier(random_state=42)
)

pipe_rf.fit(X_train, y_train)


In [None]:
print_model_evaluation("Random Forest\nPerformance on Training Set",
                       pipe_rf, X_train, y_train)

print_model_evaluation("Random Forest\nPerformance on Validation Set",
                       pipe_rf, X_validation, y_validation)


#### Feature Importance

##### Gradient-boosted Trees

In [None]:
# Set up and run pipeline - gradient boosted trees

from sklearn.preprocessing import StandardScaler
from sklearn.ensemble import HistGradientBoostingClassifier
from sklearn.pipeline import make_pipeline

pipe_gbt = make_pipeline(
      StandardScaler(),
      HistGradientBoostingClassifier(random_state=42)
)

pipe_gbt.fit(X_train, y_train)

In [None]:
print_model_evaluation("Gradient-boosted Trees\nPerformance on Training Set",
                       pipe_gbt, X_train, y_train)

print_model_evaluation("Gradient-boosted Trees\nPerformance on Validation Set",
                       pipe_gbt, X_validation, y_validation)

#####

#### Small Multiples -
heatmaps for something?

### Feature Engineering and Selection

### Preprocessing Development