## Import libraries

In [1]:
import numpy as np
import pandas as pd
from os import path
import time
import tensorflow as tf
from tensorflow import keras
from tensorflow.keras import layers
from tensorflow.keras.layers.experimental import preprocessing
from tensorflow.keras.callbacks import EarlyStopping
from collections import Counter
import sklearn
from sklearn import preprocessing, metrics
from sklearn.metrics import (roc_curve, auc, accuracy_score, precision_score, 
                             recall_score, f1_score, balanced_accuracy_score, 
                             matthews_corrcoef)
from sklearn.preprocessing import StandardScaler, LabelEncoder, OneHotEncoder, LabelBinarizer
import shap
from imblearn.over_sampling import RandomOverSampler
import innvestigate

# Make numpy printouts easier to read.
np.set_printoptions(precision=3, suppress=True)
np.random.seed(0)

tf.compat.v1.disable_eager_execution()

2024-06-08 21:41:16.367928: I tensorflow/stream_executor/platform/default/dso_loader.cc:53] Successfully opened dynamic library libcudart.so.11.0
  from .autonotebook import tqdm as notebook_tqdm


In [2]:

output_file_name = "Example.txt"
with open(output_file_name, "w") as f: print('---------------------------------------------------------------------------------', file = f)
with open(output_file_name, "a") as f: print('---- Example NSLKDD', file = f)
start_program = time.time()


#### Function definition

In [3]:

def confusion_metrics (name_model,predictions,true_labels,time_taken):

    name = name_model
    pred_label = predictions
    y_test_01 = true_labels 

    with open(output_file_name, "a") as f: print('--------------------------------------------------------------------------', file = f)

    with open(output_file_name, "a") as f: print(name, file = f)


    print('---------------------------------------------------------------------------------')
    print('CONFUSION MATRIX')
    print('---------------------------------------------------------------------------------')


    # pred_label = label[ypred]

    confusion_matrix = pd.crosstab(y_test_01, pred_label,rownames=['Actual ALERT'],colnames = ['Predicted ALERT'], dropna=False).sort_index(axis=0).sort_index(axis=1)
    all_unique_values = sorted(set(pred_label) | set(y_test_01))
    z = np.zeros((len(all_unique_values), len(all_unique_values)))
    rows, cols = confusion_matrix.shape
    z[:rows, :cols] = confusion_matrix
    confusion_matrix  = pd.DataFrame(z, columns=all_unique_values, index=all_unique_values)
    # confusion_matrix.to_csv('Ensemble_conf_matrix.csv')
    # with open(output_file_name, "a") as f:print(confusion_matrix,file=f)
    print(confusion_matrix)
    with open(output_file_name, "a") as f: print('Confusion Matrix', file = f)

    with open(output_file_name, "a") as f: print(confusion_matrix, file = f)


    FP = confusion_matrix.sum(axis=0) - np.diag(confusion_matrix)
    FN = confusion_matrix.sum(axis=1) - np.diag(confusion_matrix)
    TP = np.diag(confusion_matrix)
    TN = confusion_matrix.values.sum() - (FP + FN + TP)
    TP_total = sum(TP)
    TN_total = sum(TN)
    FP_total = sum(FP)
    FN_total = sum(FN)

    TP_total = np.array(TP_total,dtype=np.float64)
    TN_total = np.array(TN_total,dtype=np.float64)
    FP_total = np.array(FP_total,dtype=np.float64)
    FN_total = np.array(FN_total,dtype=np.float64)
    FPR = FP / (FP + TN)
    FPR = 100*(sum(FPR)/len(FPR))

    #----------------------------------------------------------------#----------------------------------------------------------------

    print('---------------------------------------------------------------------------------')
    print('METRICS')
    print('---------------------------------------------------------------------------------')


    Acc = accuracy_score(y_test_01, pred_label)
    Precision = precision_score(y_test_01, pred_label, average='macro')
    Recall = recall_score(y_test_01, pred_label, average='macro')
    F1 =  f1_score(y_test_01, pred_label, average='macro')
    BACC = balanced_accuracy_score(y_test_01, pred_label)
    MCC = matthews_corrcoef(y_test_01, pred_label)

    print('Accuracy total: ', Acc)
    print('Precision total: ', Precision )
    print('Recall total: ', Recall )
    print('F1 total: ', F1 )
    print('BACC total: ', BACC)
    print('MCC total: ', MCC)

    with open(output_file_name, "a") as f: print('Accuracy total: ', Acc, file = f)
    with open(output_file_name, "a") as f: print('Precision total: ', Precision, file = f)
    with open(output_file_name, "a") as f: print('Recall total: ', Recall , file = f)
    with open(output_file_name, "a") as f: print('F1 total: ', F1, file = f)
    with open(output_file_name, "a") as f: print('BACC total: ', BACC , file = f)
    with open(output_file_name, "a") as f: print('MCC total: ', MCC, file = f)
    with open(output_file_name, "a") as f: print('Time Taken: ', time_taken, file = f)
    with open(output_file_name, "a") as f: print('FPR: ', FPR, '%' ,file = f)

    return Acc, Precision, Recall, F1, BACC, MCC, FPR



## LOAD NSL KDD DATASET

In [4]:
# attach the column names to the dataset
feature=["duration","protocol_type","service","flag","src_bytes","dst_bytes","land","wrong_fragment","urgent","hot",
          "num_failed_logins","logged_in","num_compromised","root_shell","su_attempted","num_root","num_file_creations","num_shells",
          "num_access_files","num_outbound_cmds","is_host_login","is_guest_login","count","srv_count","serror_rate","srv_serror_rate",
          "rerror_rate","srv_rerror_rate","same_srv_rate","diff_srv_rate","srv_diff_host_rate","dst_host_count","dst_host_srv_count", 
          "dst_host_same_srv_rate","dst_host_diff_srv_rate","dst_host_same_src_port_rate","dst_host_srv_diff_host_rate","dst_host_serror_rate",
          "dst_host_srv_serror_rate","dst_host_rerror_rate","dst_host_srv_rerror_rate","label","difficulty"]
# KDDTrain+_2.csv & KDDTest+_2.csv are the datafiles without the last column about the difficulty score
# these have already been removed.

train='KDDTrain+.txt'
test='KDDTest+.txt'

df=pd.read_csv(train,names=feature)
df_test=pd.read_csv(test,names=feature)



# shape, this gives the dimensions of the dataset
print('Dimensions of the Training set:',df.shape)
print('Dimensions of the Test set:',df_test.shape)


df.drop(['difficulty'],axis=1,inplace=True)
df_test.drop(['difficulty'],axis=1,inplace=True)



print('Label distribution Training set:')
print(df['label'].value_counts())
print()
print('Label distribution Test set:')
print(df_test['label'].value_counts())



# colums that are categorical and not binary yet: protocol_type (column 2), service (column 3), flag (column 4).
# explore categorical features
print('Training set:')
for col_name in df.columns:
    if df[col_name].dtypes == 'object' :
        unique_cat = len(df[col_name].unique())
        print("Feature '{col_name}' has {unique_cat} categories".format(col_name=col_name, unique_cat=unique_cat))

#see how distributed the feature service is, it is evenly distributed and therefore we need to make dummies for all.
print()
print('Distribution of categories in service:')
print(df['service'].value_counts().sort_values(ascending=False).head())



# Test set
print('Test set:')
for col_name in df_test.columns:
    if df_test[col_name].dtypes == 'object' :
        unique_cat = len(df_test[col_name].unique())
        print("Feature '{col_name}' has {unique_cat} categories".format(col_name=col_name, unique_cat=unique_cat))



categorical_columns=['protocol_type', 'service', 'flag']
# insert code to get a list of categorical columns into a variable, categorical_columns
categorical_columns=['protocol_type', 'service', 'flag'] 
 # Get the categorical values into a 2D numpy array
df_categorical_values = df[categorical_columns]
testdf_categorical_values = df_test[categorical_columns]
df_categorical_values.head()


# protocol type
unique_protocol=sorted(df.protocol_type.unique())
string1 = 'Protocol_type_'
unique_protocol2=[string1 + x for x in unique_protocol]
# service
unique_service=sorted(df.service.unique())
string2 = 'service_'
unique_service2=[string2 + x for x in unique_service]
# flag
unique_flag=sorted(df.flag.unique())
string3 = 'flag_'
unique_flag2=[string3 + x for x in unique_flag]
# put together
dumcols=unique_protocol2 + unique_service2 + unique_flag2
print(dumcols)

#do same for test set
unique_service_test=sorted(df_test.service.unique())
unique_service2_test=[string2 + x for x in unique_service_test]
testdumcols=unique_protocol2 + unique_service2_test + unique_flag2




df_categorical_values_enc=df_categorical_values.apply(LabelEncoder().fit_transform)
print(df_categorical_values_enc.head())
# test set
testdf_categorical_values_enc=testdf_categorical_values.apply(LabelEncoder().fit_transform)



enc = OneHotEncoder()
df_categorical_values_encenc = enc.fit_transform(df_categorical_values_enc)
df_cat_data = pd.DataFrame(df_categorical_values_encenc.toarray(),columns=dumcols)
# test set
testdf_categorical_values_encenc = enc.fit_transform(testdf_categorical_values_enc)
testdf_cat_data = pd.DataFrame(testdf_categorical_values_encenc.toarray(),columns=testdumcols)

df_cat_data.head()


trainservice=df['service'].tolist()
testservice= df_test['service'].tolist()
difference=list(set(trainservice) - set(testservice))
string = 'service_'
difference=[string + x for x in difference]
difference

for col in difference:
    testdf_cat_data[col] = 0

testdf_cat_data.shape

newdf=df.join(df_cat_data)
newdf.drop('flag', axis=1, inplace=True)
newdf.drop('protocol_type', axis=1, inplace=True)
newdf.drop('service', axis=1, inplace=True)
# test data
newdf_test=df_test.join(testdf_cat_data)
newdf_test.drop('flag', axis=1, inplace=True)
newdf_test.drop('protocol_type', axis=1, inplace=True)
newdf_test.drop('service', axis=1, inplace=True)
print(newdf.shape)
print(newdf_test.shape)


# take label column
labeldf=newdf['label']
labeldf_test=newdf_test['label']
# change the label column
newlabeldf=labeldf.replace({ 'normal' : 0, 'neptune' : 1 ,'back': 1, 'land': 1, 'pod': 1, 'smurf': 1, 'teardrop': 1,'mailbomb': 1, 'apache2': 1, 'processtable': 1, 'udpstorm': 1, 'worm': 1,
                           'ipsweep' : 2,'nmap' : 2,'portsweep' : 2,'satan' : 2,'mscan' : 2,'saint' : 2
                           ,'ftp_write': 3,'guess_passwd': 3,'imap': 3,'multihop': 3,'phf': 3,'spy': 3,'warezclient': 3,'warezmaster': 3,'sendmail': 3,'named': 3,'snmpgetattack': 3,'snmpguess': 3,'xlock': 3,'xsnoop': 3,'httptunnel': 3,
                           'buffer_overflow': 4,'loadmodule': 4,'perl': 4,'rootkit': 4,'ps': 4,'sqlattack': 4,'xterm': 4})
newlabeldf_test=labeldf_test.replace({ 'normal' : 0, 'neptune' : 1 ,'back': 1, 'land': 1, 'pod': 1, 'smurf': 1, 'teardrop': 1,'mailbomb': 1, 'apache2': 1, 'processtable': 1, 'udpstorm': 1, 'worm': 1,
                           'ipsweep' : 2,'nmap' : 2,'portsweep' : 2,'satan' : 2,'mscan' : 2,'saint' : 2
                           ,'ftp_write': 3,'guess_passwd': 3,'imap': 3,'multihop': 3,'phf': 3,'spy': 3,'warezclient': 3,'warezmaster': 3,'sendmail': 3,'named': 3,'snmpgetattack': 3,'snmpguess': 3,'xlock': 3,'xsnoop': 3,'httptunnel': 3,
                           'buffer_overflow': 4,'loadmodule': 4,'perl': 4,'rootkit': 4,'ps': 4,'sqlattack': 4,'xterm': 4})
# put the new label column back
newdf['label'] = newlabeldf
newdf_test['label'] = newlabeldf_test
print(newdf['label'].head())


# Specify your selected features. Note that you'll need to modify this list according to your final processed dataframe
#Uncomment the below lines to use these top 20 features from shap analysis
#selected_features = ["root_shell","service_telnet","num_shells","service_uucp","dst_host_same_src_port_rate"
#                     ,"dst_host_rerror_rate","dst_host_srv_serror_rate","dst_host_srv_count","service_private","logged_in",
#                    "dst_host_serror_rate","serror_rate","srv_serror_rate","flag_S0","diff_srv_rate","dst_host_srv_diff_host_rate","num_file_creations","flag_RSTR"#,"dst_host_same_srv_rate","service_Idap","label"]
                     

# Select those features from your dataframe
#newdf = newdf[selected_features]
#newdf_test = newdf_test[selected_features]

# Now your dataframe only contains your selected features.

# creating a dataframe with multi-class labels (Dos,Probe,R2L,U2R,normal)
multi_data = newdf.copy()
multi_label = pd.DataFrame(multi_data.label)

multi_data_test=newdf_test.copy()
multi_label_test = pd.DataFrame(multi_data_test.label)


# using standard scaler for normalizing
std_scaler = StandardScaler()
def standardization(df,col):
    for i in col:
        arr = df[i]
        arr = np.array(arr)
        df[i] = std_scaler.fit_transform(arr.reshape(len(arr),1))
    return df

numeric_col = multi_data.select_dtypes(include='number').columns
data = standardization(multi_data,numeric_col)
numeric_col_test = multi_data_test.select_dtypes(include='number').columns
data_test = standardization(multi_data_test,numeric_col_test)

# label encoding (0,1,2,3,4) multi-class labels (Dos,normal,Probe,R2L,U2R)
le2 = preprocessing.LabelEncoder()
le2_test = preprocessing.LabelEncoder()
enc_label = multi_label.apply(le2.fit_transform)
enc_label_test = multi_label_test.apply(le2_test.fit_transform)
multi_data = multi_data.copy()
multi_data_test = multi_data_test.copy()

multi_data['intrusion'] = enc_label
multi_data_test['intrusion'] = enc_label_test


multi_data.drop(labels= [ 'label'], axis=1, inplace=True)
multi_data_test.drop(labels= [ 'label'], axis=1, inplace=True)

y_train_multi= multi_data[['intrusion']]
X_train_multi= multi_data.drop(labels=['intrusion'], axis=1)

print('X_train has shape:',X_train_multi.shape,'\ny_train has shape:',y_train_multi.shape)

y_test_multi= multi_data_test[['intrusion']]
X_test_multi= multi_data_test.drop(labels=['intrusion'], axis=1)

print('X_test has shape:',X_test_multi.shape,'\ny_test has shape:',y_test_multi.shape)

label_counts = Counter(y_train_multi['intrusion'])
print(label_counts)

y_train_multi = LabelBinarizer().fit_transform(y_train_multi)

y_test_multi = LabelBinarizer().fit_transform(y_test_multi)


Y_train=y_train_multi.copy()
X_train=X_train_multi.copy()

Y_test=y_test_multi.copy()
X_test=X_test_multi.copy()

# Assuming you have features X and labels Y
# X, Y = make_classification()

ros = RandomOverSampler(sampling_strategy='minority', random_state=100)

X_train, Y_train = ros.fit_resample(X_train, Y_train)

single_class_train = np.argmax(y_train_multi, axis=1)
single_class_test = np.argmax(y_test_multi, axis=1)


df1 = X_train_multi.assign(Label = single_class_train)
df2 =  X_test_multi.assign(Label = single_class_test)

frames = [df1,  df2]

df = pd.concat(frames,ignore_index=True)


Dimensions of the Training set: (125973, 43)
Dimensions of the Test set: (22544, 43)
Label distribution Training set:
normal             67343
neptune            41214
satan               3633
ipsweep             3599
portsweep           2931
smurf               2646
nmap                1493
back                 956
teardrop             892
warezclient          890
pod                  201
guess_passwd          53
buffer_overflow       30
warezmaster           20
land                  18
imap                  11
rootkit               10
loadmodule             9
ftp_write              8
multihop               7
phf                    4
perl                   3
spy                    2
Name: label, dtype: int64

Label distribution Test set:
normal             9711
neptune            4657
guess_passwd       1231
mscan               996
warezmaster         944
apache2             737
satan               735
processtable        685
smurf               665
back                359
snmpguess  

## Description Accuracy Feature elimination

##### These features are obtained by running the program once, then you need to manually copy and paste them below, and remove them to performe the Descriptive Accuracy Experiment. We first remove the 5, 10, and 20 features... There is a list for each one of the XAI methods, IG, LRP and DeepLift. 

In [5]:

# IG popping the features

# df.pop('same_srv_rate')
# df.pop('service_http')
# df.pop('flag_SF')
# df.pop('dst_host_count')
# df.pop('service_private')

# df.pop('logged_in')
# df.pop('count')
# df.pop('dst_host_serror_rate')
# df.pop('flag_S0')
# df.pop('Protocol_type_tcp')

# df.pop('dst_host_srv_serror_rate')
# df.pop('srv_diff_host_rate')
# df.pop('dst_host_same_srv_rate')
# df.pop('srv_serror_rate')
# df.pop('dst_host_srv_count')
# df.pop('serror_rate')
# df.pop('dst_host_same_src_port_rate')
# df.pop('Protocol_type_udp')
# df.pop('service_ecr_i')
# df.pop('srv_count')
# df.pop('srv_rerror_rate')

# df.pop('dst_host_srv_rerror_rate')
# df.pop('rerror_rate')
# df.pop('dst_host_srv_diff_host_rate')
# df.pop('diff_srv_rate')
# df.pop('service_other')
# df.pop('service_ftp_data')
# df.pop('service_smtp')
# df.pop('dst_host_rerror_rate')
# df.pop('dst_host_diff_srv_rate')
# df.pop('Protocol_type_icmp')
# df.pop('flag_REJ')
# df.pop('service_telnet')
# df.pop('hot')
# df.pop('service_eco_i')
# df.pop('flag_RSTR')
# df.pop('service_domain_u')
# df.pop('service_ftp')
# df.pop('flag_RSTO')
# df.pop('is_guest_login')
# df.pop('service_Z39_50')
# df.pop('duration')

# df.pop('service_iso_tsap')
# df.pop('service_pop_3')
# df.pop('service_ldap')
# df.pop('service_efs')
# df.pop('service_http_443')
# df.pop('service_daytime')
# df.pop('service_finger')
# df.pop('service_sunrpc')
# df.pop('service_systat')
# df.pop('service_echo')
# df.pop('service_discard')
# df.pop('service_uucp')
# df.pop('service_uucp_path')
# df.pop('service_mtp')
# df.pop('service_urp_i')
# df.pop('service_vmnet')
# df.pop('service_netbios_dgm')
# df.pop('service_courier')
# df.pop('service_name')
# df.pop('service_whois')
# df.pop('service_imap4')
# df.pop('service_csnet_ns')
# df.pop('service_login')
# df.pop('service_netstat')
# df.pop('service_kshell')
# df.pop('service_klogin')
# df.pop('service_netbios_ns')
# df.pop('service_bgp')
# df.pop('service_exec')
# df.pop('service_nnsp')
# df.pop('service_hostnames')
# df.pop('service_ctf')
# df.pop('service_link')
# df.pop('service_ssh')
# df.pop('wrong_fragment')
# df.pop('service_gopher')
# df.pop('service_sql_net')


# df.pop('service_netbios_ssn')
# df.pop('service_time')
# df.pop('flag_S1')
# df.pop('service_supdup')
# df.pop('flag_SH')
# df.pop('num_failed_logins')
# df.pop('service_domain')
# df.pop('root_shell')
# df.pop('dst_bytes')
# df.pop('num_access_files')
# df.pop('service_remote_job')
# df.pop('flag_RSTOS0')
# df.pop('service_auth')
# df.pop('service_shell')
# df.pop('service_pop_2')
# df.pop('service_IRC')
# df.pop('service_ntp_u')
# df.pop('flag_S3')
# df.pop('service_nntp')
# df.pop('flag_S2')
# df.pop('service_rje')
# df.pop('num_shells')
# df.pop('su_attempted')
# df.pop('service_printer')
# df.pop('num_file_creations')
# df.pop('service_X11')
# df.pop('src_bytes')
# df.pop('land')
# df.pop('flag_OTH')
# df.pop('num_root')
# df.pop('num_compromised')
# df.pop('service_tim_i')
# df.pop('service_pm_dump')
# df.pop('service_red_i')
# df.pop('urgent')
# df.pop('service_http_2784')
# df.pop('service_tftp_u')
# df.pop('is_host_login')
# df.pop('service_urh_i')
# df.pop('service_http_8001')
# df.pop('service_harvest')
# df.pop('service_aol')
# df.pop('num_outbound_cmds')



# LRP popping the features

# df.pop('flag_S0')
# df.pop('flag_SF')
# df.pop('srv_serror_rate')
# df.pop('dst_host_count')
# df.pop('dst_host_srv_count')

# df.pop('dst_host_srv_serror_rate') 
# df.pop('serror_rate')
# df.pop('service_http')
# df.pop('count')
# df.pop('dst_host_rerror_rate')

# df.pop('dst_host_same_srv_rate')
# df.pop('same_srv_rate')
# df.pop('logged_in')
# df.pop('Protocol_type_udp')
# df.pop('dst_host_serror_rate')
# df.pop('service_private')
# df.pop('service_ftp_data')
# df.pop('flag_REJ')
# df.pop('service_telnet')
# df.pop('dst_host_srv_diff_host_rate')
# df.pop('dst_host_srv_rerror_rate')

# df.pop('srv_count')
# df.pop('srv_rerror_rate')
# df.pop('service_eco_i')
# df.pop('dst_host_same_src_port_rate')
# df.pop('rerror_rate')
# df.pop('Protocol_type_icmp')
# df.pop('is_guest_login')
# df.pop('service_ftp')
# df.pop('service_iso_tsap')
# df.pop('service_domain_u')
# df.pop('service_uucp_path')
# df.pop('service_Z39_50')
# df.pop('dst_host_diff_srv_rate')
# df.pop('service_smtp')
# df.pop('diff_srv_rate')
# df.pop('service_vmnet')
# df.pop('service_courier')
# df.pop('Protocol_type_tcp')
# df.pop('service_bgp')
# df.pop('flag_RSTO')
# df.pop('srv_diff_host_rate')

# df.pop('service_other')
# df.pop('wrong_fragment')
# df.pop('duration')
# df.pop('service_ldap')
# df.pop('service_ecr_i')
# df.pop('service_login')
# df.pop('service_nntp')
# df.pop('flag_RSTR')
# df.pop('service_nnsp')
# df.pop('hot')
# df.pop('service_finger')
# df.pop('service_urp_i')
# df.pop('service_netbios_dgm')
# df.pop('service_efs')
# df.pop('service_pop_3')
# df.pop('service_uucp')
# df.pop('service_http_443')
# df.pop('service_auth')
# df.pop('flag_SH')
# df.pop('service_imap4')
# df.pop('service_gopher')
# df.pop('service_csnet_ns')
# df.pop('service_sunrpc')
# df.pop('service_klogin')
# df.pop('flag_S1')
# df.pop('service_IRC')
# df.pop('service_ctf')
# df.pop('service_domain')
# df.pop('service_time')
# df.pop('service_whois')
# df.pop('service_supdup')
# df.pop('service_hostnames')
# df.pop('num_failed_logins')
# df.pop('service_ntp_u')
# df.pop('flag_RSTOS0')
# df.pop('service_X11')
# df.pop('service_link')
# df.pop('service_mtp')
# df.pop('service_netstat')
# df.pop('service_discard')
# df.pop('service_pop_2')

# df.pop('service_echo')
# df.pop('service_exec')
# df.pop('service_kshell')
# df.pop('service_systat')
# df.pop('service_netbios_ns')
# df.pop('flag_S2')
# df.pop('service_netbios_ssn')
# df.pop('su_attempted')
# df.pop('num_access_files')
# df.pop('num_file_creations')
# df.pop('service_name')
# df.pop('service_remote_job')
# df.pop('flag_S3')
# df.pop('service_daytime')
# df.pop('service_rje')
# df.pop('num_shells')
# df.pop('root_shell')
# df.pop('service_shell')
# df.pop('service_ssh')
# df.pop('service_printer')
# df.pop('service_urh_i')
# df.pop('service_red_i')
# df.pop('land')
# df.pop('urgent')
# df.pop('service_sql_net')
# df.pop('num_root')
# df.pop('service_http_2784')
# df.pop('service_http_8001')
# df.pop('dst_bytes')
# df.pop('num_compromised')
# df.pop('src_bytes')
# df.pop('flag_OTH')
# df.pop('service_pm_dump')
# df.pop('service_tim_i')
# df.pop('service_tftp_u')
# df.pop('is_host_login')
# df.pop('service_harvest')
# df.pop('service_aol')
# df.pop('num_outbound_cmds')



# DeepLift popping

# df.pop('serror_rate')
# df.pop('flag_S0')
# df.pop('dst_host_srv_serror_rate')
# df.pop('flag_SF')
# df.pop('srv_serror_rate')

# df.pop('dst_host_serror_rate')
# df.pop('dst_host_srv_count')
# df.pop('dst_host_same_srv_rate')
# df.pop('service_http')
# df.pop('dst_host_count')

# df.pop('same_srv_rate')
# df.pop('Protocol_type_udp')
# df.pop('dst_host_rerror_rate')
# df.pop('count')
# df.pop('service_ftp_data')
# df.pop('logged_in')
# df.pop('service_private')
# df.pop('dst_host_same_src_port_rate')
# df.pop('service_eco_i')
# df.pop('is_guest_login')

# df.pop('service_telnet')
# df.pop('dst_host_srv_diff_host_rate')
# df.pop('service_Z39_50')
# df.pop('service_iso_tsap')
# df.pop('service_ftp')
# df.pop('flag_REJ')
# df.pop('dst_host_diff_srv_rate')
# df.pop('srv_count')
# df.pop('dst_host_srv_rerror_rate')
# df.pop('diff_srv_rate')
# df.pop('service_pop_3')
# df.pop('service_domain_u')
# df.pop('Protocol_type_icmp')
# df.pop('service_other')
# df.pop('service_bgp')
# df.pop('service_nntp')
# df.pop('service_uucp_path')
# df.pop('service_courier')
# df.pop('rerror_rate')
# df.pop('Protocol_type_tcp')
# df.pop('flag_RSTR')

# df.pop('srv_diff_host_rate')
# df.pop('duration')
# df.pop('srv_rerror_rate')
# df.pop('service_ecr_i')
# df.pop('flag_RSTO')
# df.pop('service_vmnet')
# df.pop('service_smtp')
# df.pop('service_ldap')
# df.pop('service_urh_i')
# df.pop('service_login')
# df.pop('wrong_fragment')
# df.pop('hot')
# df.pop('service_finger')
# df.pop('service_netbios_dgm')
# df.pop('service_IRC')
# df.pop('flag_SH')
# df.pop('service_auth')
# df.pop('service_nnsp')
# df.pop('service_imap4')
# df.pop('service_klogin')
# df.pop('service_discard')
# df.pop('service_time')
# df.pop('service_urp_i')
# df.pop('service_sunrpc')
# df.pop('service_uucp')
# df.pop('service_echo')
# df.pop('land')
# df.pop('service_daytime')
# df.pop('service_mtp')
# df.pop('service_ctf')
# df.pop('service_sql_net')
# df.pop('service_gopher')
# df.pop('service_ntp_u')
# df.pop('service_supdup')
# df.pop('service_csnet_ns')
# df.pop('flag_S1')
# df.pop('flag_RSTOS0')
# df.pop('service_pop_2')
# df.pop('service_netbios_ns')
# df.pop('service_link')
# df.pop('service_http_443')
# df.pop('su_attempted')
# df.pop('flag_S2')

# df.pop('service_X11')
# df.pop('service_netstat')
# df.pop('num_failed_logins')
# df.pop('service_whois')
# df.pop('service_efs')
# df.pop('service_hostnames')
# df.pop('service_domain')
# df.pop('service_kshell')
# df.pop('service_red_i')
# df.pop('num_access_files')
# df.pop('flag_OTH')
# df.pop('service_shell')
# df.pop('root_shell')
# df.pop('service_printer')
# df.pop('service_systat')
# df.pop('service_ssh')
# df.pop('service_exec')
# df.pop('service_netbios_ssn')
# df.pop('service_tftp_u')
# df.pop('flag_S3')
# df.pop('service_rje')
# df.pop('service_name')
# df.pop('num_file_creations')
# df.pop('num_shells')
# df.pop('service_remote_job')
# df.pop('num_root')
# df.pop('num_compromised')
# df.pop('service_tim_i')
# df.pop('dst_bytes')
# df.pop('urgent')
# df.pop('src_bytes')
# df.pop('is_host_login')
# df.pop('service_pm_dump')
# df.pop('service_harvest')
# df.pop('service_http_8001')
# df.pop('service_aol')
# df.pop('service_http_2784')
# df.pop('num_outbound_cmds')





#### Replace One hot encoded to Label encoding

In [6]:

df_fs = df

y = df.pop('Label')
X = df
df = X.assign(Label = y)


# y = df.pop('Label')
# X = df

y1, y2 = pd.factorize(y)

y_0 = pd.DataFrame(y1)
y_1 = pd.DataFrame(y1)
y_2 = pd.DataFrame(y1)
y_3 = pd.DataFrame(y1)
y_4 = pd.DataFrame(y1)


# y_0 = y_0.replace(0, 0)
# y_0 = y_0.replace(1, 1)
y_0 = y_0.replace(2, 1)
y_0 = y_0.replace(3, 1)
y_0 = y_0.replace(4, 1)


y_1 = y_1.replace(1, 999)
y_1 = y_1.replace(0, 1)
# y_1 = y_1.replace(1, 0)
y_1 = y_1.replace(2, 1)
y_1 = y_1.replace(3, 1)
y_1 = y_1.replace(4, 1)
y_1 = y_1.replace(999, 1)


y_2 = y_2.replace(0, 1)
y_2 = y_2.replace(1, 1)
y_2 = y_2.replace(2, 0)
y_2 = y_2.replace(3, 1)
y_2 = y_2.replace(4, 1)


y_3 = y_3.replace(0, 1)
# y_3 = y_3.replace(1, 1)
y_3 = y_3.replace(2, 1)
y_3 = y_3.replace(3, 0)
y_3 = y_3.replace(4, 1)


y_4 = y_4.replace(0, 1)
# y_4 = y_4.replace(1, 1)
y_4 = y_4.replace(2, 1)
y_4 = y_4.replace(3, 1)
y_4 = y_4.replace(4, 0)



df = df.assign(Label = y)

#### NSL KDD dataset display

In [7]:
X

Unnamed: 0,duration,src_bytes,dst_bytes,land,wrong_fragment,urgent,hot,num_failed_logins,logged_in,num_compromised,...,flag_REJ,flag_RSTO,flag_RSTOS0,flag_RSTR,flag_S0,flag_S1,flag_S2,flag_S3,flag_SF,flag_SH
0,-0.110249,-0.007679,-0.004919,-0.014089,-0.089486,-0.007736,-0.095076,-0.027023,-0.809262,-0.011664,...,-0.312889,-0.11205,-0.028606,-0.139982,-0.618438,-0.053906,-0.031767,-0.019726,0.825150,-0.046432
1,-0.110249,-0.007737,-0.004919,-0.014089,-0.089486,-0.007736,-0.095076,-0.027023,-0.809262,-0.011664,...,-0.312889,-0.11205,-0.028606,-0.139982,-0.618438,-0.053906,-0.031767,-0.019726,0.825150,-0.046432
2,-0.110249,-0.007762,-0.004919,-0.014089,-0.089486,-0.007736,-0.095076,-0.027023,-0.809262,-0.011664,...,-0.312889,-0.11205,-0.028606,-0.139982,1.616978,-0.053906,-0.031767,-0.019726,-1.211901,-0.046432
3,-0.110249,-0.007723,-0.002891,-0.014089,-0.089486,-0.007736,-0.095076,-0.027023,1.235694,-0.011664,...,-0.312889,-0.11205,-0.028606,-0.139982,-0.618438,-0.053906,-0.031767,-0.019726,0.825150,-0.046432
4,-0.110249,-0.007728,-0.004814,-0.014089,-0.089486,-0.007736,-0.095076,-0.027023,1.235694,-0.011664,...,-0.312889,-0.11205,-0.028606,-0.139982,-0.618438,-0.053906,-0.031767,-0.019726,0.825150,-0.046432
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
148512,-0.155534,-0.020309,-0.081202,-0.017624,-0.059104,-0.019459,-0.113521,-0.143999,1.123125,-0.016494,...,-0.453815,-0.18843,-0.009419,-0.174880,-0.313124,-0.030535,-0.025803,-0.105681,0.718027,-0.056997
148513,-0.155534,-0.021318,-0.052690,-0.017624,-0.059104,-0.019459,-0.113521,-0.143999,1.123125,-0.016494,...,-0.453815,-0.18843,-0.009419,-0.174880,-0.313124,-0.030535,-0.025803,-0.105681,0.718027,-0.056997
148514,-0.155534,0.093373,0.294926,-0.017624,-0.059104,-0.019459,2.040705,-0.143999,1.123125,0.121069,...,-0.453815,-0.18843,-0.009419,-0.174880,-0.313124,-0.030535,-0.025803,-0.105681,0.718027,-0.056997
148515,-0.155534,-0.021899,-0.094917,-0.017624,-0.059104,-0.019459,-0.113521,-0.143999,-0.890373,-0.016494,...,-0.453815,-0.18843,-0.009419,-0.174880,-0.313124,-0.030535,-0.025803,-0.105681,0.718027,-0.056997


In [8]:
y

0         0
1         0
2         1
3         0
4         0
         ..
148512    0
148513    0
148514    1
148515    0
148516    2
Name: Label, Length: 148517, dtype: int64

#### Separate Training and Testing db


In [9]:

X_train,X_test, y_train, y_test = sklearn.model_selection.train_test_split(X, y, train_size=0.7,random_state=42)
df = X.assign( Label = y)


#### Training model

In [10]:

nodes = 5
model = tf.keras.Sequential()
model.add(tf.keras.Input(shape=(len(X_train.columns,))))

model.add(tf.keras.layers.Dense(nodes, activation='relu'))
# model.add(tf.keras.layers.Dense(nodes, activation='relu'))

model.add(tf.keras.layers.Dense(5))

optimizer = tf.keras.optimizers.Adam(learning_rate=0.1)
model.compile(optimizer=optimizer, loss='sparse_categorical_crossentropy', metrics=['accuracy'])

model.summary()

start = time.time()

# Define EarlyStopping callback
early_stopping = EarlyStopping(monitor='accuracy', patience=10, restore_best_weights=True)

# Modify model.fit to include the EarlyStopping callback
model.fit(X_train, y_train, epochs=1000, batch_size=len(X_train), callbacks=[early_stopping])

end = time.time()
print('---------------------------------------------------------------------------------')
print('ELAPSE TIME TRAINING MODEL: ',(end - start)/60, 'min')
print('---------------------------------------------------------------------------------')
print('')


Model: "sequential"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
dense (Dense)                (None, 5)                 615       
_________________________________________________________________
dense_1 (Dense)              (None, 5)                 30        
Total params: 645
Trainable params: 645
Non-trainable params: 0
_________________________________________________________________
Train on 103961 samples
Epoch 1/1000


2024-06-08 21:41:20.201245: I tensorflow/stream_executor/platform/default/dso_loader.cc:53] Successfully opened dynamic library libcuda.so.1
2024-06-08 21:41:20.226905: I tensorflow/core/common_runtime/gpu/gpu_device.cc:1733] Found device 0 with properties: 
pciBusID: 0000:67:00.0 name: NVIDIA RTX A6000 computeCapability: 8.6
coreClock: 1.8GHz coreCount: 84 deviceMemorySize: 47.54GiB deviceMemoryBandwidth: 715.34GiB/s
2024-06-08 21:41:20.227080: I tensorflow/core/common_runtime/gpu/gpu_device.cc:1733] Found device 1 with properties: 
pciBusID: 0000:68:00.0 name: NVIDIA RTX A6000 computeCapability: 8.6
coreClock: 1.8GHz coreCount: 84 deviceMemorySize: 47.53GiB deviceMemoryBandwidth: 715.34GiB/s
2024-06-08 21:41:20.227109: I tensorflow/stream_executor/platform/default/dso_loader.cc:53] Successfully opened dynamic library libcudart.so.11.0
2024-06-08 21:41:20.243315: I tensorflow/stream_executor/platform/default/dso_loader.cc:53] Successfully opened dynamic library libcublas.so.11
2024-06

Epoch 2/1000
Epoch 3/1000
Epoch 4/1000
Epoch 5/1000
Epoch 6/1000
Epoch 7/1000
Epoch 8/1000
Epoch 9/1000
Epoch 10/1000
Epoch 11/1000
Epoch 12/1000
Epoch 13/1000
Epoch 14/1000
Epoch 15/1000
---------------------------------------------------------------------------------
ELAPSE TIME TRAINING MODEL:  0.03019265333811442 min
---------------------------------------------------------------------------------



In [11]:

print('---------------------------------------------------------------------------------')
print('Model Prediction')
print('---------------------------------------------------------------------------------')
print('')
print('---------------------------------------------------------------------------------')
start = time.time()
y_pred = model.predict(X_test)
end = time.time()
print('ELAPSE TIME MODEL PREDICTION: ',(end - start)/60, 'min')
print('---------------------------------------------------------------------------------')
print('')

ynew = np.argmax(y_pred,axis = 1)
score = model.evaluate(X_test, y_test,verbose=1)
label = y2

label_counts = Counter(y_test)
print(label_counts)

label_counts = Counter(ynew)
print(label_counts)

accuracy =accuracy_score(y_test, ynew)*100
print('accuracy (%)', accuracy)

---------------------------------------------------------------------------------
Model Prediction
---------------------------------------------------------------------------------

---------------------------------------------------------------------------------


`Model.state_updates` will be removed in a future version. This property should not be used in TensorFlow 2.0, as `updates` are applied automatically.


ELAPSE TIME MODEL PREDICTION:  0.00721973180770874 min
---------------------------------------------------------------------------------

Counter({0: 23102, 1: 16081, 2: 4144, 3: 1197, 4: 32})
Counter({0: 42076, 1: 2480})
accuracy (%) 52.92889846485321


#### Take note of the accuracy for the descriptive accuracy experiment.

#### Note that for the Running time experiment you may want to run the code multiple times with different sample number, and take note of the Running time, since we are using a python notebook we are using %%time


#### Note2 for the stability experiment, rerun de the codes a few times and copy and paste the top features list for each run in to the Stability experiment. For Local Stability use a single sample when generating the list for IG, LRP, and DeepLift. 

In [12]:
# Single Sample 
single_sample_df = X_test.iloc[[0]]

## Integrated Gradients

In [13]:
%%time

# Create an analyzer for the model
analyzer = innvestigate.create_analyzer("integrated_gradients", model)
analysis = analyzer.analyze(X_test)

#uncomment for single sample

# analysis = analyzer.analyze(single_sample_df)
# Print or use the analysis results as needed

# Perform IG analysis on a certain number of samples
# analysis = analyzer.analyze(X_test.sample(2500))

names = X_test.columns
scores = pd.DataFrame(analysis)
scores_abs = scores.abs()

# Calculate the sum of each column
sum_of_columns = scores_abs.sum(axis=0)
names = list(names)
sum_of_columns = list(sum_of_columns)

# Zip the two lists together
combined = list(zip(names, sum_of_columns))

# Sort the combined list in descending order based on the values from sum_of_columns
sorted_combined = sorted(combined, key=lambda x: x[1], reverse=True)

# Unzip the sorted_combined list to separate names and sum_of_columns
sorted_names, sorted_sum_of_columns = zip(*sorted_combined)
print('---------------------------------------------------------------------------------')
print('INSTRUCTIONS')
print('Print the sorted names with the score values.')
print('Copy the names and paste them after loading the dataset to pop the features.')
print('Copy the values and paste into the sparsity program')

print('---------------------------------------------------------------------------------')
print(sorted_names)
print('---------------------------------------------------------------------------------')
print(sorted_sum_of_columns)
print('---------------------------------------------------------------------------------')
print('Dont forget to take note of the runtime')

`Model.state_updates` will be removed in a future version. This property should not be used in TensorFlow 2.0, as `updates` are applied automatically.


---------------------------------------------------------------------------------
INSTRUCTIONS
Print the sorted names with the score values.
Copy the names and paste them after loading the dataset to pop the features.
Copy the values and paste into the sparsity program
---------------------------------------------------------------------------------
('srv_serror_rate', 'dst_host_rerror_rate', 'flag_S0', 'logged_in', 'dst_host_srv_count', 'service_private', 'count', 'srv_rerror_rate', 'same_srv_rate', 'flag_SF', 'service_telnet', 'flag_REJ', 'rerror_rate', 'dst_host_count', 'dst_host_srv_serror_rate', 'Protocol_type_tcp', 'dst_host_srv_rerror_rate', 'serror_rate', 'srv_count', 'dst_host_same_srv_rate', 'service_http', 'dst_host_diff_srv_rate', 'Protocol_type_udp', 'Protocol_type_icmp', 'dst_host_serror_rate', 'service_eco_i', 'dst_host_srv_diff_host_rate', 'srv_diff_host_rate', 'service_whois', 'dst_host_same_src_port_rate', 'service_ecr_i', 'flag_RSTR', 'service_smtp', 'service_ftp_dat

## LRP

In [14]:
%%time

# Create an analyzer for the model
analyzer = innvestigate.create_analyzer("lrp.z", model)
analysis = analyzer.analyze(X_test)

#uncomment for single sample

# analysis = analyzer.analyze(single_sample_df)
# Print or use the analysis results as needed

# Perform LRP analysis on a certain number of samples
# analysis = analyzer.analyze(X_test.sample(2500))

names = X_test.columns
scores = pd.DataFrame(analysis)
scores_abs = scores.abs()

# Calculate the sum of each column
sum_of_columns = scores_abs.sum(axis=0)
names = list(names)
sum_of_columns = list(sum_of_columns)

# Zip the two lists together
combined = list(zip(names, sum_of_columns))

# Sort the combined list in descending order based on the values from sum_of_columns
sorted_combined = sorted(combined, key=lambda x: x[1], reverse=True)

# Unzip the sorted_combined list to separate names and sum_of_columns
sorted_names, sorted_sum_of_columns = zip(*sorted_combined)
print('---------------------------------------------------------------------------------')
print('INSTRUCTIONS')
print('Print the sorted names with the score values.')
print('Copy the names and paste them after loading the dataset to pop the features.')
print('Copy the values and paste into the sparsity program')
print('---------------------------------------------------------------------------------')
print(sorted_names)
print('---------------------------------------------------------------------------------')
print(sorted_sum_of_columns)
print('---------------------------------------------------------------------------------')
print('Dont forget to take note of the runtime')

---------------------------------------------------------------------------------
INSTRUCTIONS
Print the sorted names with the score values.
Copy the names and paste them after loading the dataset to pop the features.
Copy the values and paste into the sparsity program
---------------------------------------------------------------------------------
('srv_serror_rate', 'dst_host_rerror_rate', 'logged_in', 'flag_S0', 'same_srv_rate', 'flag_SF', 'service_private', 'dst_host_srv_count', 'srv_rerror_rate', 'count', 'flag_REJ', 'service_telnet', 'dst_host_srv_serror_rate', 'rerror_rate', 'dst_host_count', 'Protocol_type_tcp', 'dst_host_srv_rerror_rate', 'serror_rate', 'srv_count', 'dst_host_same_srv_rate', 'dst_host_diff_srv_rate', 'dst_host_serror_rate', 'Protocol_type_icmp', 'service_http', 'Protocol_type_udp', 'dst_host_same_src_port_rate', 'srv_diff_host_rate', 'service_ftp_data', 'dst_host_srv_diff_host_rate', 'flag_RSTR', 'service_ecr_i', 'service_whois', 'service_other', 'service_eco

## DEEPLIFT 

In [15]:
%%time
print('---------------------------------------------------------------------------------')
print('Generating Explainer')
print('---------------------------------------------------------------------------------')

samples = 2500
# uncomment for single sample
# samples = 1

test = X_test
train = X_train

start_index = 0
end_index = samples

explainer = shap.DeepExplainer(model,train[start_index:end_index].values.astype('float'))
shap_values = explainer.shap_values(test[start_index:end_index].values.astype('float'))


vals= np.abs(shap_values).mean(1)
feature_importance = pd.DataFrame(list(zip(train.columns, sum(vals))), columns=['col_name','feature_importance_vals'])
feature_importance.sort_values(by=['feature_importance_vals'], ascending=False,inplace=True)
feature_importance.head()
print(feature_importance.to_string())



print('---------------------------------------------------------------------------------')
feature_val = feature_importance['feature_importance_vals'].tolist()

feature_name = feature_importance['col_name'].tolist()

# Use zip to combine the two lists, sort based on list1, and then unzip them
zipped_lists = list(zip(feature_name, feature_val))
zipped_lists.sort(key=lambda x: x[1],reverse=True)

# Convert the sorted result back into separate lists
sorted_list1, sorted_list2 = [list(x) for x in zip(*zipped_lists)]

for k in sorted_list1:
  with open(output_file_name, "a") as f:print("df.pop('",k,"')", sep='',file = f)
with open(output_file_name, "a") as f:print("Trial_ =[", file = f)
for k in sorted_list1:
  with open(output_file_name, "a") as f:print("'",k,"',", sep='', file = f)
  print("'",k,"',", sep='')
with open(output_file_name, "a") as f:print("]", file = f)
print('---------------------------------------------------------------------------------')
print('INSTRUCTIONS')
print('Print the sorted names with the score values.')
print('Copy the names and paste them after loading the dataset to pop the features.')
print('Copy the values and paste into the sparsity program')
print('---------------------------------------------------------------------------------')
print('Dont forget to take note of the runtime')



---------------------------------------------------------------------------------
Generating Explainer
---------------------------------------------------------------------------------


Your TensorFlow version is newer than 2.4.0 and so graph support has been removed in eager mode and some static graphs may not be supported. See PR #1483 for discussion.



                        col_name  feature_importance_vals
22               srv_serror_rate                 1.365581
8                      logged_in                 1.258927
36          dst_host_rerror_rate                 1.232268
29            dst_host_srv_count                 1.174452
116                      flag_S0                 1.105175
25                 same_srv_rate                 1.096178
24               srv_rerror_rate                 1.072300
112                     flag_REJ                 1.017502
120                      flag_SF                 0.999743
19                         count                 0.954317
90               service_private                 0.857332
23                   rerror_rate                 0.824341
101               service_telnet                 0.820237
20                     srv_count                 0.795080
35      dst_host_srv_serror_rate                 0.720662
37      dst_host_srv_rerror_rate                 0.694081
30        dst