In [1]:
import boto3
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
from io import BytesIO
from mlxtend.preprocessing import TransactionEncoder
import random
#from mlxtend.frequent_patterns import apriori
from apyori import apriori 
from itertools import combinations, groupby
from collections import Counter

In [2]:
#load data
# based off https://www.datatheque.com/posts/association-analysis/

client = boto3.client('s3')
obj = client.get_object(Bucket='manifolddata', Key='week1.csv')
df = pd.read_csv(BytesIO(obj['Body'].read()))


  interactivity=interactivity, compiler=compiler, result=result)


In [3]:
df=df.iloc[:,[0,1,3,4,5,6,7,8]]
df.columns=['Date', 'Duration', 'Src_IP', 'Src_pt', 'Dst_IP', 'Dst_pt','Packets', 'Bytes']
#add an date column that is rounded to nearest hour, so we can use this as a timestep to see how frequently IP pairs occur in each timestep
df['Date']=pd.to_datetime(df['Date'], format="%Y-%m-%d %H:%M:%S.%f", errors = 'coerce')
df['date_hr']=pd.Series(df['Date']).dt.round("H")

In [4]:
#create a pair column, which is a touple of the src and dst IP, sorted. 
#It does not matter which call came first, we simply want to know which pair occurs most frequently.

df['pairs']=list(zip(df.Src_IP, df.Dst_IP))
df['pairs']=df['pairs'].apply(sorted)
df['pairs2']=tuple(df['pairs'])

In [5]:
data=df[['Date', 'Src_IP', 'Dst_IP']]
#melt 
data2=data
data2=pd.melt(data2, id_vars=['Date'])

In [21]:
df.head()

Unnamed: 0,Date,Duration,Src_IP,Src_pt,Dst_IP,Dst_pt,Packets,Bytes,date_hr,pairs,pairs2
0,2017-08-02 00:00:00.419,0.003,192.168.210.55,44870,192.168.100.11,445.0,2,174,2017-08-02,"[192.168.100.11, 192.168.210.55]","(192.168.100.11, 192.168.210.55)"
1,2017-08-02 00:00:00.421,0.0,192.168.100.11,445,192.168.210.55,44870.0,1,108,2017-08-02,"[192.168.100.11, 192.168.210.55]","(192.168.100.11, 192.168.210.55)"
2,2017-08-02 00:00:02.593,0.004,192.168.220.47,55101,192.168.100.11,445.0,2,174,2017-08-02,"[192.168.100.11, 192.168.220.47]","(192.168.100.11, 192.168.220.47)"
3,2017-08-02 00:00:02.859,0.0,10000_34,443,192.168.210.54,59628.0,1,100,2017-08-02,"[10000_34, 192.168.210.54]","(10000_34, 192.168.210.54)"
4,2017-08-02 00:00:02.594,0.0,192.168.100.11,445,192.168.220.47,55101.0,1,108,2017-08-02,"[192.168.100.11, 192.168.220.47]","(192.168.100.11, 192.168.220.47)"


In [6]:
# Convert from DataFrame to a Series, with order_id as index and item_id as value
# Convert from DataFrame to a Series, with order_id as index and item_id as value
#necessary for assocation mining
data2=data2[['Date', 'value']]
data2.columns=['Date', 'IP']
data_series = data2.set_index('Date')['IP'].rename('IP')

type(data_series)

pandas.core.series.Series

In [7]:
data_series.loc['2017-08-02 00:00:00.419']# yes we get two results, 1 for source and 1 for destination

Date
2017-08-02 00:00:00.419    192.168.210.55
2017-08-02 00:00:00.419    192.168.100.11
Name: IP, dtype: object

In [8]:
#Returns frequency counts for items and item pairs
def freq(iterable):
    if type(iterable) == pd.core.series.Series:
        return iterable.value_counts().rename("freq")
    else: 
        return pd.Series(Counter(iterable)).rename("freq")

    
# Returns number of unique orders
def order_count(order_item):
    return len(set(order_item.index))


# Returns generator that yields item pairs, one at a time
def get_item_pairs(order_item):
    order_item = order_item.reset_index().as_matrix()
    for order_id, order_object in groupby(order_item, lambda x: x[0]):
        item_list = [item[1] for item in order_object]
              
        for item_pair in combinations(item_list, 2):
            yield item_pair
            

# Returns frequency and support associated with item
def merge_item_stats(item_pairs, item_stats):
    return (item_pairs
                .merge(item_stats.rename(columns={'freq': 'freqA', 'support': 'supportA'}), left_on='item_A', right_index=True)
                .merge(item_stats.rename(columns={'freq': 'freqB', 'support': 'supportB'}), left_on='item_B', right_index=True))


# Returns name associated with item
def merge_item_name(rules, item_name):
    columns = ['itemA','itemB','freqAB','supportAB','freqA','supportA','freqB','supportB', 
               'confidenceAtoB','confidenceBtoA','lift']
    rules = (rules
                .merge(item_name.rename(columns={'item_name': 'itemA'}), left_on='item_A', right_on='item_id')
                .merge(item_name.rename(columns={'item_name': 'itemB'}), left_on='item_B', right_on='item_id'))
    return rules[columns]   

In [9]:
def association_rules(order_item, min_support):

    print("Starting order_item: {:22d}".format(len(order_item)))


    # Calculate item frequency and support
    item_stats             = freq(order_item).to_frame("freq")
    item_stats['support']  = item_stats['freq'] / order_count(order_item) * 100


    # Filter from order_item items below min support 
    qualifying_items       = item_stats[item_stats['support'] >= min_support].index
    order_item             = order_item[order_item.isin(qualifying_items)]

    print("Items with support >= {}: {:15d}".format(min_support, len(qualifying_items)))
    print("Remaining order_item: {:21d}".format(len(order_item)))


    # Filter from order_item orders with less than 2 items
    order_size             = freq(order_item.index)
    qualifying_orders      = order_size[order_size >= 2].index
    order_item             = order_item[order_item.index.isin(qualifying_orders)]

    print("Remaining orders with 2+ items: {:11d}".format(len(qualifying_orders)))
    print("Remaining order_item: {:21d}".format(len(order_item)))


    # Recalculate item frequency and support
    item_stats             = freq(order_item).to_frame("freq")
    item_stats['support']  = item_stats['freq'] / order_count(order_item) * 100


    # Get item pairs generator
    item_pair_gen          = get_item_pairs(order_item)


    # Calculate item pair frequency and support
    item_pairs              = freq(item_pair_gen).to_frame("freqAB")
    item_pairs['supportAB'] = item_pairs['freqAB'] / len(qualifying_orders) * 100

    print("Item pairs: {:31d}".format(len(item_pairs)))


    # Filter from item_pairs those below min support
    item_pairs              = item_pairs[item_pairs['supportAB'] >= min_support]

    print("Item pairs with support >= {}: {:10d}\n".format(min_support, len(item_pairs)))


    # Create table of association rules and compute relevant metrics
    item_pairs = item_pairs.reset_index().rename(columns={'level_0': 'item_A', 'level_1': 'item_B'})
    item_pairs = merge_item_stats(item_pairs, item_stats)
    
    item_pairs['confidenceAtoB'] = item_pairs['supportAB'] / item_pairs['supportA']
    item_pairs['confidenceBtoA'] = item_pairs['supportAB'] / item_pairs['supportB']
    item_pairs['lift']           = item_pairs['supportAB'] / (item_pairs['supportA'] * item_pairs['supportB'])
    
    
    # Return association rules sorted by lift in descending order
    return item_pairs.sort_values('lift', ascending=False)

Set minimum threshold to the same value used in the FP-Growth Model, for comparisoin. The FP-Growth wants the support in whole numbers, like it occurs '50' times in the dataset. Here, the Apriori wants the support in percent, like the pair makes up 1% of the dataset.

In [11]:
#group the dataset by unique pairs, then count how frequently each pair occurs, and also get the average normalized latency time for that pair. The latency times vary because the servers they are assigned are random.
pairs_count=(df.groupby('pairs2').agg({'Date':'count', 'Duration': 'sum', 'Packets':'sum'}).reset_index())

pairs_count.columns=['pairs','frequency', 'total_duration', 'total_packets']
pairs_count['norm_latency']=(pairs_count['total_duration']/pairs_count['total_packets'].sum())*100 #sum of all duration time divided by sum of all packets transfered for that pair

In [12]:
per_80=np.percentile(pairs_count['frequency'], [80])

min_support=per_80/len(df)

In [16]:
min_support=min_support[0]
min_support

1.5392147952257956e-05

In [None]:
#run the model

rules = association_rules(data_series, min_support)  #0.001 is minimum support or that the IP address must appear in the requests 1% of time

In [11]:
#add back in the pairs column so we can match it up with our dataframe

rules['pairs']=list(zip(rules.item_A, rules.item_B))
rules['pairs']=rules['pairs'].apply(sorted)

How many rules did we create?

In [12]:
len(rules)

582

582 rules is not a lot, considering we have 44,000 unique pairs of IP addresses

In [13]:
rules.head()

Unnamed: 0,item_A,item_B,freqAB,supportAB,freqA,supportA,freqB,supportB,confidenceAtoB,confidenceBtoA,lift,pairs
429,12166_169,12166_169,82,0.001236,303,0.004568,303,0.004568,0.270627,0.270627,59.245712,"[12166_169, 12166_169]"
546,11424_123,11424_123,70,0.001055,305,0.004598,305,0.004598,0.229508,0.229508,49.914496,"[11424_123, 11424_123]"
456,10127_72,10127_72,177,0.002668,576,0.008683,576,0.008683,0.307292,0.307292,35.38805,"[10127_72, 10127_72]"
348,10513_90,10513_90,122,0.001839,488,0.007357,488,0.007357,0.25,0.25,33.981967,"[10513_90, 10513_90]"
404,11935_173,11935_173,83,0.001251,407,0.006136,407,0.006136,0.203931,0.203931,33.236678,"[11935_173, 11935_173]"


## Create Scheduler

Assume we have enough servers to host each app (IP address), and each server can hold 20 apps. How many servers do we need?

In [14]:
apps_server=20
num_server=int(df['Dst_IP'].nunique()/apps_server)

In [15]:
int(num_server)

467

We know we can only fit 20 apps on each server, so in terms of the rules dataframe this is 10 rows (because each row contains 2 apps).
Create a sequence that fills in the server number on the rules dataframe, then merge these servers into the entire dataset.

In [16]:
#how many servers will we use for our rules
import math
pairs_server=apps_server/2

#how many servers do we need for our rules, which are in pairs?
servers_rule=math.ceil(len(rules)/pairs_server)

In [17]:
servers_rule_list=list(range(0,servers_rule+1))
servers_rule_list=np.repeat(servers_rule_list,pairs_server)

#remove the extra items
servers_rule_list=servers_rule_list[0:len(rules)]

In [18]:
rules['server']=servers_rule_list

In [19]:
rules.tail(10)

Unnamed: 0,item_A,item_B,freqAB,supportAB,freqA,supportA,freqB,supportB,confidenceAtoB,confidenceBtoA,lift,pairs,server
247,192.168.210.55,192.168.220.47,80,0.001206,500703,7.548347,1087696,16.397559,0.00016,7.4e-05,1e-05,"[192.168.210.55, 192.168.220.47]",57
90,192.168.220.47,192.168.220.42,69,0.00104,1087696,16.397559,483956,7.295878,6.3e-05,0.000143,9e-06,"[192.168.220.42, 192.168.220.47]",57
374,192.168.220.51,192.168.220.47,250,0.003769,1774490,26.751321,1087696,16.397559,0.000141,0.00023,9e-06,"[192.168.220.47, 192.168.220.51]",57
418,192.168.220.42,192.168.220.51,109,0.001643,483956,7.295878,1774490,26.751321,0.000225,6.1e-05,8e-06,"[192.168.220.42, 192.168.220.51]",57
139,192.168.220.47,192.168.220.51,237,0.003573,1087696,16.397559,1774490,26.751321,0.000218,0.000134,8e-06,"[192.168.220.47, 192.168.220.51]",57
432,192.168.220.51,192.168.210.54,73,0.001101,1774490,26.751321,335533,5.058327,4.1e-05,0.000218,8e-06,"[192.168.210.54, 192.168.220.51]",57
442,192.168.220.50,192.168.220.51,75,0.001131,366341,5.522773,1774490,26.751321,0.000205,4.2e-05,8e-06,"[192.168.220.50, 192.168.220.51]",57
113,192.168.220.51,192.168.220.42,89,0.001342,1774490,26.751321,483956,7.295878,5e-05,0.000184,7e-06,"[192.168.220.42, 192.168.220.51]",57
350,DNS,192.168.220.51,100,0.001508,995938,15.014261,1774490,26.751321,0.0001,5.6e-05,4e-06,"[192.168.220.51, DNS]",58
382,192.168.220.51,DNS,95,0.001432,1774490,26.751321,995938,15.014261,5.4e-05,9.5e-05,4e-06,"[192.168.220.51, DNS]",58


In [22]:
rules_A=rules[['item_A', 'server']]
rules_B=rules[['item_B', 'server']]
rules_A.columns=['item', 'server']
rules_B.columns=['item', 'server']

In [23]:
rules_AB=pd.concat([rules_A, rules_B])

In [24]:
rules_AB.head()

Unnamed: 0,item,server
429,12166_169,0
546,11424_123,0
456,10127_72,0
348,10513_90,0
404,11935_173,0


### merge in the servers from the rules to the  main dataframe

In [26]:
df2=df


In [27]:
df2=df2.merge(rules_AB, left_on='Src_IP', right_on='item', how='left') #creates a column that shows the server used for Src_IP


In [28]:
df2=df2.rename(columns = {'server':'server_Src'})

MemoryError: 

In [25]:
df2=df2.merge(rules_AB, left_on='Dst_IP', right_on='item', how='left') #creates a column that shows the server used for Src_IP
 #creates a column that shows the server used for Dst_IP, or 'itemB' in the rules

In [26]:
df2=df2.rename(columns = {'server':'server_Dst'})


Unnamed: 0,Date,Duration,Src_IP,Src_pt,Dst_IP,Dst_pt,Packets,Bytes,date_hr,pairs,pairs2,item_x,server_Src,item_y,server_Dst
0,2017-08-02 00:00:00.419,0.003,192.168.210.55,44870,192.168.100.11,445.0,2,174,2017-08-02,"[192.168.100.11, 192.168.210.55]","(192.168.100.11, 192.168.210.55)",192.168.210.55,7.0,,
1,2017-08-02 00:00:00.419,0.003,192.168.210.55,44870,192.168.100.11,445.0,2,174,2017-08-02,"[192.168.100.11, 192.168.210.55]","(192.168.100.11, 192.168.210.55)",192.168.210.55,7.0,,
2,2017-08-02 00:00:00.421,0.0,192.168.100.11,445,192.168.210.55,44870.0,1,108,2017-08-02,"[192.168.100.11, 192.168.210.55]","(192.168.100.11, 192.168.210.55)",,,192.168.210.55,7.0
3,2017-08-02 00:00:00.421,0.0,192.168.100.11,445,192.168.210.55,44870.0,1,108,2017-08-02,"[192.168.100.11, 192.168.210.55]","(192.168.100.11, 192.168.210.55)",,,192.168.210.55,7.0
4,2017-08-02 00:00:02.593,0.004,192.168.220.47,55101,192.168.100.11,445.0,2,174,2017-08-02,"[192.168.100.11, 192.168.220.47]","(192.168.100.11, 192.168.220.47)",192.168.220.47,7.0,,


In [32]:
df2=df2.drop(['item_y', 'item_x'], axis=1)

create new column with the predicted durationo. if servers are the same for the pair, set duration=0

In [71]:
df2['duration_pred']=df2['Duration']
df2['duration_pred'][df2['server_Src']==df2['server_Dst']]=0

A value is trying to be set on a copy of a slice from a DataFrame

See the caveats in the documentation: http://pandas.pydata.org/pandas-docs/stable/indexing.html#indexing-view-versus-copy
  from ipykernel import kernelapp as app


In [72]:
#want to check that we do indeed have matching servers for the rules we created
df2[df2['server_Src']==df2['server_Dst']]

Unnamed: 0,Date,Duration,Src_IP,Src_pt,Dst_IP,Dst_pt,Packets,Bytes,date_hr,pairs,pairs2,server_Src,server_Dst,duration_pred
30485,2017-08-02 04:00:44.530,0.000,192.168.210.2,67,192.168.210.55,68.0,1,375,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
30486,2017-08-02 04:00:44.530,0.000,192.168.210.2,67,192.168.210.55,68.0,1,375,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
30487,2017-08-02 04:00:44.530,0.000,192.168.210.2,67,192.168.210.55,68.0,1,375,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
30488,2017-08-02 04:00:44.530,0.000,192.168.210.2,67,192.168.210.55,68.0,1,375,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
30489,2017-08-02 04:00:44.525,0.000,192.168.210.55,68,192.168.210.2,67.0,1,342,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
30490,2017-08-02 04:00:44.525,0.000,192.168.210.55,68,192.168.210.2,67.0,1,342,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
30491,2017-08-02 04:00:44.525,0.000,192.168.210.55,68,192.168.210.2,67.0,1,342,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
30492,2017-08-02 04:00:44.525,0.000,192.168.210.55,68,192.168.210.2,67.0,1,342,2017-08-02 04:00:00,"[192.168.210.2, 192.168.210.55]","(192.168.210.2, 192.168.210.55)",7.0,7.0,0.0
45864,2017-08-02 06:03:19.583,0.143,10042_29,80,192.168.220.46,42768.0,3,1002,2017-08-02 06:00:00,"[10042_29, 192.168.220.46]","(10042_29, 192.168.220.46)",6.0,6.0,0.0
45865,2017-08-02 06:03:19.583,0.143,10042_29,80,192.168.220.46,42768.0,3,1002,2017-08-02 06:00:00,"[10042_29, 192.168.220.46]","(10042_29, 192.168.220.46)",6.0,6.0,0.0


Sum up the originial duration times for latency, and compare that with our predicted latency times

In [73]:
df2['Duration'].sum()

7001653.546000004

In [74]:
df2['duration_pred'].sum()

6887416.561999986

% Difference:

In [76]:
(df2['Duration'].sum()- df2['duration_pred'].sum())/ df2['Duration'].sum()

0.016315715030670242

a 1% improvement

Now, fill in the rest of the servers based on random chance.