# <center>**Malware Detection**</center>
# <center>**MLWR**</center>

<center>Rodrigo Cofré, Santiago Cuervo, Maciej Grabias</center>


# What is a malware? 

Malware (a blend of words for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network. It is one of the biggest threats on the internet and they are present in a variety of forms. The independent IT security institure, The AV-test Institute, registers over 350,000 new malwares everyday. 


<p class="aligncenter">
    <img src="newmalwares.png" alt="centered image" />
</p>
Some of the types of malwares that exists are: 



*   Adware
*   Riskware Tool
*   Trojan
*   Hacktool
*   Crack Tool
*   Backdoor
*   Hijacker
*   Spyware
*   Rogue
*   Worm
     .
     .
     .

Furthermore, the IT company COMTACT has provided us with the following list of warning signs, that in case of noticing any of them, may suggest that your device has been afected by malware:

 *  A slow, crashing or freezing computer
 *  Blue screen of death (BSOD)
 *  Programmes opening and closing automatically or altering themselves
 *  Lack of storage space
 *  Increased pop-ups, toolbars and other unwanted programs
 *  Emails and messages being sent without you prompting them

Now that you have started thinking about that time your computer was unusually slow or that program you do not remember installing, it is clear that being a victim of malware is not a question of "if" but "when". Therefore, it makes the ability to predict the likelihood of a device being infected by a malware very valuable.

# Data exploration

The data was taken from the _[Kaggle competition](https://www.kaggle.com/c/microsoft-malware-prediction/data)_. Training set contains almost 9 million records, testing set is only 'slightly smaller' with almost 8 million observations. The problem at hand is a binary classification task, where the goal is to predict whether a machine has been infected by malicious software (1) or not (0).

The data is defined through the following 83 features (definitions were taken from the Kaggle competition description):

*Unavailable or self-documenting column names are marked with an "NA"*

- MachineIdentifier - Individual machine ID
- ProductName - Defender state information e.g. win8defender
- EngineVersion - Defender state information e.g. 1.1.12603.0
- AppVersion - Defender state information e.g. 4.9.10586.0
- AvSigVersion - Defender state information e.g. 1.217.1014.0
- IsBeta - Defender state information e.g. false
- RtpStateBitfield - NA
- IsSxsPassiveMode - NA
- DefaultBrowsersIdentifier - ID for the machine's default browser
- AVProductStatesIdentifier - ID for the specific configuration of a user's antivirus software
- AVProductsInstalled - NA
- AVProductsEnabled - NA
- HasTpm - True if machine has tpm
- CountryIdentifier - ID for the country the machine is located in
- CityIdentifier - ID for the city the machine is located in
- OrganizationIdentifier - ID for the organization the machine belongs in, organization ID is mapped to both specific companies and broad industries
- GeoNameIdentifier - ID for the geographic region a machine is located in
- LocaleEnglishNameIdentifier - English name of Locale ID of the current user
- Platform - Calculates platform name (of OS related properties and processor property)
- Processor - This is the process architecture of the installed operating system
- OsVer - Version of the current operating system
- OsBuild - Build of the current operating system
- OsSuite - Product suite mask for the current operating system.
- OsPlatformSubRelease - Returns the OS Platform sub-release (Windows Vista, Windows 7, Windows 8, TH1, TH2)
- OsBuildLab - Build lab that generated the current OS. Example: 9600.17630.amd64fre.winblue_r7.150109-2022
- SkuEdition - The goal of this feature is to use the Product Type defined in the MSDN to map to a 'SKU-Edition' name that is useful in population reporting. The valid Product Type are defined in %sdxroot%\data\windowseditions.xml. This API has been used since Vista and Server 2008, so there are many Product Types that do not apply to Windows 10. The 'SKU-Edition' is a string value that is in one of three classes of results. The design must hand each class.
- IsProtected - This is a calculated field derived from the Spynet Report's AV Products field. Returns: a. TRUE if there is at least one active and up-to-date antivirus product running on this machine. b. FALSE if there is no active AV product on this machine, or if the AV is active, but is not receiving the latest updates. c. null if there are no Anti Virus Products in the report. Returns: Whether a machine is protected.
- AutoSampleOptIn - This is the SubmitSamplesConsent value passed in from the service, available on CAMP 9+
- PuaMode - Pua Enabled mode from the service
- SMode - This field is set to true when the device is known to be in 'S Mode', as in, Windows 10 S mode, where only Microsoft Store apps can be installed
- IeVerIdentifier - NA
- SmartScreen - This is the SmartScreen enabled string value from registry. This is obtained by checking in order, HKLM\SOFTWARE\Policies\Microsoft\Windows\System\SmartScreenEnabled and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled. If the value exists but is blank, the value "ExistsNotSet" is sent in telemetry.
- Firewall - This attribute is true (1) for Windows 8.1 and above if windows firewall is enabled, as reported by the service.
- UacLuaenable - This attribute reports whether or not the "administrator in Admin Approval Mode" user type is disabled or enabled in UAC. The value reported is obtained by reading the regkey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA.
- Census_MDC2FormFactor - A grouping based on a combination of Device Census level hardware characteristics. The logic used to define Form Factor is rooted in business and industry standards and aligns with how people think about their device. (Examples: Smartphone, Small Tablet, All in One, Convertible...)
- Census_DeviceFamily - AKA DeviceClass. Indicates the type of device that an edition of the OS is intended for. Example values: Windows.Desktop, Windows.Mobile, and iOS.Phone
- Census_OEMNameIdentifier - NA
- Census_OEMModelIdentifier - NA
- Census_ProcessorCoreCount - Number of logical cores in the processor
- Census_ProcessorManufacturerIdentifier - NA
- Census_ProcessorModelIdentifier - NA
- Census_ProcessorClass - A classification of processors into high/medium/low. Initially used for Pricing Level SKU. No longer maintained and updated
- Census_PrimaryDiskTotalCapacity - Amount of disk space on primary disk of the machine in MB
- Census_PrimaryDiskTypeName - Friendly name of Primary Disk Type - HDD or SSD
- Census_SystemVolumeTotalCapacity - The size of the partition that the System volume is installed on in MB
- Census_HasOpticalDiskDrive - True indicates that the machine has an optical disk drive (CD/DVD)
- Census_TotalPhysicalRAM - Retrieves the physical RAM in MB
- Census_ChassisTypeName - Retrieves a numeric representation of what type of chassis the machine has. A value of 0 means xx
- Census_InternalPrimaryDiagonalDisplaySizeInInches - Retrieves the physical diagonal length in inches of the primary display
- Census_InternalPrimaryDisplayResolutionHorizontal - Retrieves the number of pixels in the horizontal direction of the internal display.
- Census_InternalPrimaryDisplayResolutionVertical - Retrieves the number of pixels in the vertical direction of the internal display
- Census_PowerPlatformRoleName - Indicates the OEM preferred power management profile. This value helps identify the basic form factor of the device
- Census_InternalBatteryType - NA
- Census_InternalBatteryNumberOfCharges - NA
- Census_OSVersion - Numeric OS version Example - 10.0.10130.0
- Census_OSArchitecture - Architecture on which the OS is based. Derived from OSVersionFull. Example - amd64
- Census_OSBranch - Branch of the OS extracted from the OsVersionFull. Example - OsBranch = fbl_partner_eeap where OsVersion = 6.4.9813.0.amd64fre.fbl_partner_eeap.140810-0005
- Census_OSBuildNumber - OS Build number extracted from the OsVersionFull. Example - OsBuildNumber = 10512 or 10240
- Census_OSBuildRevision - OS Build revision extracted from the OsVersionFull. Example - OsBuildRevision = 1000 or 16458
- Census_OSEdition - Edition of the current OS. Sourced from HKLM\Software\Microsoft\Windows NT\CurrentVersion@EditionID in registry. Example: Enterprise
- Census_OSSkuName - OS edition friendly name (currently Windows only)
- Census_OSInstallTypeName - Friendly description of what install was used on the machine i.e. clean
- Census_OSInstallLanguageIdentifier - NA
- Census_OSUILocaleIdentifier - NA
- Census_OSWUAutoUpdateOptionsName - Friendly name of the WindowsUpdate auto-update settings on the machine.
- Census_IsPortableOperatingSystem - Indicates whether OS is booted up and running via Windows-To-Go on a USB stick.
- Census_GenuineStateName - Friendly name of OSGenuineStateID. 0 = Genuine
- Census_ActivationChannel - Retail license key or Volume license key for a machine.
- Census_IsFlightingInternal - NA
- Census_IsFlightsDisabled - Indicates if the machine is participating in flighting.
- Census_FlightRing - The ring that the device user would like to receive flights for. This might be different from the ring of the OS which is currently installed if the user changes the ring after getting a flight from a different ring.
- Census_ThresholdOptIn - NA
- Census_FirmwareManufacturerIdentifier - NA
- Census_FirmwareVersionIdentifier - NA
- Census_IsSecureBootEnabled - Indicates if Secure Boot mode is enabled.
- Census_IsWIMBootEnabled - NA
- Census_IsVirtualDevice - Identifies a Virtual Machine (machine learning model)
- Census_IsTouchEnabled - Is this a touch device ?
- Census_IsPenCapable - Is the device capable of pen input ?
- Census_IsAlwaysOnAlwaysConnectedCapable - Retreives information about whether the battery enables the device to be AlwaysOnAlwaysConnected .
- Wdft_IsGamer - Indicates whether the device is a gamer device or not based on its hardware combination.
- Wdft_RegionIdentifier - NA

With the huge amount of data to consider it was necessary to get familiar with it a bit before any attempts at modelling. While the full Explanatory Data Analysis notebook has been included in the supporting materials, here we cover only the essential parts.

**General remarks about the dataset**

- Duplicated features (at least one)
- Features missing most of (>99%) or parts of data
- Features with big variety of categories (cardinality)
- Some features with significantly dominant one type of class
- Some categorical features have significantly different values in the train and test sets
- Target distribution seems well balanced
- Test set is pretty 'bad' and Kaggle users have managed to absolutely exploit this (one could win the whole competiton with 8 lines of code without even considering the training set - see next sections)

### Relevant plots obtained from raw data

**Types of features in the dataset**:
<p class="aligncenter">
    <img src="feat_types.png" alt="centered image" width="700" />
</p>


**Missing data (% of all)**:
<p class="aligncenter">
    <img src="nans_percentage.png" alt="centered image" width="500" height="600"/>
</p>

**Cardinalities**:
<p class="aligncenter">
    <img src="cardinalities.png" alt="centered image" width="500" height="600"/>
</p>

**Class dominance (% of all)**:
<p class="aligncenter">
    <img src="class_dominance.png" alt="centered image" width="500" height="600"/>
</p>

**Target distribution**:
<p class="aligncenter">
    <img src="target_distribution.png" alt="centered image" width="500" height="600"/>
</p>


## Initial pre-processing

Our first attempt at pre-processing consisted of:

* Format categorical variables as such when its cardinality was lower than 100, otherwise format them as discrete numerical variables.
* Format discrete numerical variables as the smallest possible integer type that can represent them without loss of information.
* For categorical variables deal with missing values as another category.
* For numerical discrete variables use the mode to fill in missing values.
* For numerical continuous variables use the mean to fill in missing values.

Below we show a sample code used for encoding categorical variables into integers for e.g. LGBM training purposes:

In [0]:
### TEXTBOOK CORRECT INTEGER ENCODING OF CATEGORICAL VARIABLES ###

def custom_factorize(train, test, col):
    
    print(f"Currently encoding {col}")
    
    # changing category to object ensures sorted uniques from factorize
    # and makes encoding of the test set easier
    if hasattr(train[col], 'cat'):
        train[col] = train[col].astype('object')
        test[col] = test[col].astype('object')
        
    encoded_train, uniques = train[col].factorize(sort=True)
    max_encoded_val = encoded_train.max()
    # factorize turns NaNs into -1s
    encoded_train = np.where(encoded_train == -1, max_encoded_val + 1, encoded_train)
    train[col] = encoded_train
    encoding_dict = {}
    for encoded_val, previous_val in enumerate(uniques):
        encoding_dict[previous_val] = encoded_val
        
    # possibly non-exhaustvie mapping: 
    # https://stackoverflow.com/questions/42529454/using-map-for-columns-in-a-pandas-dataframe
    test[col].fillna(-1, inplace = True)
    test[col] = test[col].apply(lambda x: max_encoded_val + 2 if x not in uniques and x != -1 else x)
    test[col] = test[col].map(encoding_dict).fillna(test[col])
    
    # now handling the values which were not in the train set
    # just make them any integer not used already, e.g. max + 2, LGBM doesn't care and nor should we
    test[col] = np.where(test[col] == -1, max_encoded_val + 1, test[col])
    
    # giving RAM a break
    test[col] = test[col].astype('uint32')

# Feature importance

## Forward selection with conditional mutual information

A first approach taken to establish what features are important was the usage of conditional mutual information to assess the relevance of the variables as the algorithm selects and adds them to the set of selected variables. The selection and ranking of features was done only considering categorical variables to not deal with continuos or mixed calculation of mutual information values. The forward selection algorithm works as follows 

Initialize set of selected variables $S={\emptyset}$ and $X$ the set of all variables being considered for analysis.

**Step 1.** *Selection of the first feature*

   Find feature $X^* \in X$ that maximizes $I(C,X_i)$;
   
   set $X = X\setminus \{X^*\}, S=\{X^*\}.$ Where $C$ is the target variable $C$.
   
**Step 2.** *greedy feature selection*

Find feature $X^+ \in X$ according to:

$$X^+ = \text{argmax}_{X_i\in X\setminus S}\left\{I(C,X_i) - \max_{X_s\in S}{CU_{X_i,X_s}I(C,X_s)}\right\}$$

Where $CU_{X_i,X_s}= \cfrac{I(X_i,X_s)}{H(X_s)}$

and finally, set $X = X\setminus \{X^+\}, S=S\cup\{X^+\}.$

**Step 3.** Go to step 2.

The next lines of code present how the algorithm is run.

In [0]:
# utiliy functions. We load the respective dictionaries that contain the precomputed values of Mutual information and entropies
def get_MI(X_i,X_s):
    val = 0
    try:
        val =  MI[f"{X_i},{X_s}"]
    except:
        val =  MI[f"{X_s},{X_i}"]
    
    return val
def CU(X_i,X_s):
    '''
    X_i,X_s: labels of columns representing the variables, respectively.
    
    '''
    mi = get_MI(X_i,X_s)
    H  = entropy[X_s]
    
    return mi/H


## Forward selection algorithm



def get_inner_max(X_i,Selected):
    max_val=-1e10
    for X_s in Selected:
        value = CU(X_i,X_s)*MI_target[X_s]
        if value >max_val:
            max_val = value
            
    return max_val

def get_next_var(Selected):
    best_var = None
    max_val  = -1e10
    for X_i in features:
        if X_i in Selected:
            continue
        value = MI_target[X_i] - get_inner_max(X_i,Selected)
        if value >max_val:
            max_val  = value
            best_var = X_i
    
    return best_var

def select_n_features(n):
    if len(features)==n:
        return features
    # Initialization
    Selected_features = []
    # Step 1
    Selected_features.append(max(MI_target.items(), key=operator.itemgetter(1))[0])
    criteria = True
    n_vars_selected =1
    while n_vars_selected <n:
        # Step 2
        next_var = get_next_var(Selected_features)
        Selected_features.append(next_var)
        n_vars_selected+=1
    print("Features selected: ", n_vars_selected)
    return Selected_features

In [0]:
## Output for selected variables by the algorithm. They are sorted in the order the algorithm selected them.
['Census_SystemVolumeTotalCapacity',
 'Census_PowerPlatformRoleName',
 'Census_ChassisTypeName',
 'Census_InternalBatteryType',
 'SmartScreen',
 'AVProductsInstalled',
 'Processor',
 'RtpStateBitfield',
 'OsBuildLab',
 'AVProductsEnabled',
 'Census_MDC2FormFactor',
 'Census_OSArchitecture',
 'PuaMode',
 'Census_ProcessorClass',
 'UacLuaenable',
 'Census_DeviceFamily',
 'ProductName',
 'Platform',
 'Census_FlightRing',
 'Census_GenuineStateName',
 'Census_ProcessorManufacturerIdentifier',
 'Census_OSWUAutoUpdateOptionsName',
 'OsPlatformSubRelease',
 'Census_OSSkuName',
 'Census_OSEdition',
 'SkuEdition',
 'Census_ActivationChannel',
 'Census_OSBranch',
 'Census_PrimaryDiskTypeName']

# Initial modeling

## Logistic regression classifier:

Our first approach to modeling was to built a logistic regression classifier to be used as a baseline against which to compare more complex models. We used the Scikit-learn _SGDClassifier_ implementation with its default parameters. Considering the large size of the data set, we performed the updates using mini-batches of 1024 samples.

For this first model we applied a simple cross-validation strategy splitting the Kaggle training data in a train set consisting of 99% of the samples and a validation set of 1%. This proportions were chosen considering the large size of the data set, as a 1% was equal to over 80 000 samples.

Below we show the obtained ROC curve on the validation set and a snippet of the code for the model. The AUC score obtained on the test set was ***0.63644 for the public test set*** and ***0.57975 for the private test set***.

<img src="AUCLogReg1.png" alt="arch" width="400"/>

In [0]:
model = SGDClassifier(loss='log', verbose=False)

# For number of epochs
for n in range(numEpochs):
    # Iterate through the train set on mini-batches
    for batch in iterateMiniBatches(xTrain, yTrain, batchSize, shuffle=True):
        batchCounter += 1
        xBatch, yBatch = batch
        # Encode each minibatch
        xBatchNumerical = xBatch[numericalColumns].values
        xBatchCategorical = xBatch[categoricalColumns]
        xBatchCategorical = categoricalEncoder.transform(xBatchCategorical)
        xBatch = np.concatenate([xBatchNumerical, scipy.sparse.csr_matrix.toarray(xBatchCategorical)], axis=1)
        # Fit the model
        model.partial_fit(xBatch, yBatch, classes=classes)

## Neural network classifier:

A neural net classifier was applied with hyperparameters obtained by performing a random search with the possible values described in the table below:

|             Parameter            	|                                 Possible values 	|
|:--------------------------------:	|:------------------------------------------------:	|
|      Number of hidden layers     	|                                \{1, 2, 3, 4\} 	|
| Number of hidden units per layer 	|                     \{64, 128, 256, 512, 1024\}  	|
|           Learning rate          	| \{0.00001, 0.0001, ..., 0.01, 0.1\} 	|
|     L2 regularization weight     	|    \{0.000001, 0.00001, ..., 0.1, 1.0\} 	|

The _Adam_ optimizer and _ReLU_ activation function were fixed hyperparameters. For the random search we considered 50 models on 10 possible splits each of 1% of the data for training and 0.1% for validation. The resulting found best hyperparameters were:

* 2 hidden layers of 64 units each.
* Learning rate of $10^{-5}$.
* No regularization.

Below a snippet of the code for the random search:

In [0]:
# Neural net size layers
maxNumLayers = 4
neuralNetArch = [(layerSize,) * numLayers for numLayers in range(1, maxNumLayers + 1) for layerSize in [64, 128, 256, 512, 1024]]
# Learning rate
learningRates = np.logspace(start=-5, stop=-1, num=8, base=10)
# L2 Regularization coefficient
alphas = [0.0, 0.000001, 0.00001, 0.0001, 0.001, 0.01, 0.1, 1.0]
neuralNetGrid = {
    'hiddenLayerSizes': neuralNetArch,
    'learningRate': learningRates,
    'l2RegCoefficient': alphas
}
# Create the model to be tuned (custom scikit classifier with the desired params)
neuralNetBase = CustomMLPClassifier()
# Create the random search Neural Net
neuralNetRandom = RandomizedSearchCV(estimator = neuralNetBase, param_distributions = neuralNetGrid, 
                               n_iter = 10, cv = ShuffleSplit(n_splits=10, test_size=0.001, train_size=0.01), verbose = 2, random_state = 11, 
                               n_jobs = 1, refit=False)
# Fit the random search model
neuralNetRandom.fit(X, y)
# View the best parameters from the random search
print(neuralNetRandom.best_params_)

We then applied the neural network classifier with the best found parameters to the whole data set. As with logistic regression we applied cross-validation splitting the data in a train set of 99% of the samples and a validation set of 1%. Below we show the obtained ROC curve on the validation set and a snippet of the code for training the model. The AUC score obtained on the test set was ***0.63801 for the public test set*** and ***0.61156 for the private test set***.

<img src="AUCNN1.png" alt="arch" width="400"/>

Below we show a snippet of the code to train the model.

In [0]:
model = MLPClassifier(hidden_layer_sizes=(64, 64), activation='relu', solver='adam', batch_size=batchSize, max_iter=1, learning_rate_init=0.00001)

# For number of epochs
for n in range(numEpochs):
    # Iterate through the train set on mini-batches
    for batch in iterateMiniBatches(xTrain, yTrain, batchSize, shuffle=True):
        batchCounter += 1
        xBatch, yBatch = batch
        # Encode each minibatch
        xBatchNumerical = xBatch[numericalColumns].values
        xBatchCategorical = xBatch[categoricalColumns]
        xBatchCategorical = categoricalEncoder.transform(xBatchCategorical)
        xBatch = np.concatenate([xBatchNumerical, scipy.sparse.csr_matrix.toarray(xBatchCategorical)], axis=1)
        # Fit the model
        model.partial_fit(xBatch, yBatch, classes=classes)

##### NOTE: futher pre-processing for logistic regression and neural network models: 
_For logistic regression and neural networks aside of the previously described pre-processing we applied one-hot encoding to categorical variables and normalized the numerical variables to have mean zero and standard deviation of one._

## Light Gradient Boosting Machine

Different variations of the LGBM model have been developed by training on data matrices of varying number of columns (features used). Categorical features have been encoded as integers (given that this format is acceptable by the _[LGBM Classifier](https://lightgbm.readthedocs.io/en/latest/pythonapi/lightgbm.LGBMClassifier.html)_). Missing data in a particular column has been encoded as an additional category shared between the train and test sets.

Hyperparameters for all the following non-baseline models have been determined by means of a Randomized Grid Search on the following hyperparameter space:

|             Parameter            	|                                 Possible values 	|
|:--------------------------------:	|:------------------------------------------------:	|
|      Number of leaves     	|                                \{10, 30, ..., 150\} 	|
|           Subsample       	|                     \{0.3, 0.4, ..., 1.0\}  	|
|           Learning rate          	| \{0.00001, 0.0001, ..., 0.01, 0.1\} 	|
|     Number of estimators (trees)     	|    \{20, 40, 100, 200\} 	|
|     Minimum child samples     	|    \{100, 300, ..., 2000\} 	|
|     Column sample by tree     	|    \{0.3, 0.4, ..., 1.0\} 	|
|     Boosting type     	|    \{gbdt, goss\} 	|
|     L1 regularization weight     	|    \{0, 0.01, 0.1, 1, 5, 10, 100\} 	|

100 iterations of RGS have been performed, in each the cross-validation has been performed with a 10-split ShuffleSplit into train and test sets of sizes equal to 10% and 1% of the original dataset respectively. New model has then been instantiated with the best parameters obtained from RGS and trained using the whole training dataset (with 85%-15% of the data for training and validation purposes respectively). Below we present a snippet of code showing a general procedure of RGS and model fitting:

In [0]:
### CODE SAMPLE OF THE LGBM RANDOMIZED GRID SEARCH AND MODEL FIT ###

# instantiate the model for RGS
RGS_lgb = lgb.LGBMClassifier(
              device = "cpu",
              objective = 'binary',
              n_jobs = -1,
              silent = True,
              max_depth = -1
              )

# define hyperparameter space
gridParams = {
    'boosting_type': ['gbdt', 'goss'],
    'n_estimators': [20, 40, 100, 200],
    'min_child_samples': list(range(100, 2000, 200)),
    'num_leaves': list(range(10, 150, 20)),
    'subsample': [0.3, 0.4, 0.5, 0.6,  0.7, 0.8, 0.9, 1.0],
    'colsample_bytree': [0.3, 0.4, 0.5, 0.6,  0.7, 0.8, 0.9, 1.0],
    'learning_rate': np.logspace(start=-5, stop=-1, num=5, base=10),
    'reg_alpha': [0, 1e-2, 1e-1, 1, 5, 10, 100]
    }

N_ITERATIONS = 100

radom = RandomizedSearchCV(
                    estimator = RGS_lgb,
                    param_distributions = gridParams,
                    n_iter = N_ITERATIONS,
                    verbose = 0,
                    cv = ShuffleSplit(n_splits=10,
                                      test_size=0.01,
                                      train_size=0.1),
                    n_jobs = -1,
                    scoring = 'roc_auc',
                    refit = True,
                    )

# Run the grid
radom.fit(df_train, targets, **{'categorical_feature' : cat_cols})

# get the best hyperparameters
best_params = radom.best_params_

# instantiate new model to be fit on the whole train set with best hyperparams from the RGS
lgbm = lgb.LGBMClassifier()
lgbm.set_params(**best_params)

# enable reproduction of results
x_train, x_val, y_train, y_val = train_test_split(df_train, targets,
                                                  test_size=0.15, stratify=targets,
                                                  random_state = 42)

cmi_lgbm.fit(x_train, y_train,
                early_stopping_rounds = 100,
                eval_set=[(x_val, y_val)],
                feature_name = x_train.columns.to_list(),
                categorical_feature = cat_cols,
                eval_metric = 'auc',
                verbose = 0)

The hyperparameters obtained with the RGS method are as follows (the meaning of the two right outermost columns will become clearer in the next section):

|             Parameter            	|   CMI Ranking   	|    Kaggle FE  	|   Kaggle FE unseen test  	|
|:--------------------------------:	|:-----------:	|:--------------------------:	|:-----------:	|
|      Number of leaves     	|      130 	|      90 	| 110 |
|           Subsample       	|    0.9  	|   0.6 	| 0.9 |
|           Learning rate          	| 0.1 	| 0.1 	|  0.1 |
|     Number of estimators (trees)     	|   200 	| 100 	|  200 |
|     Minimum child samples     	|    500 	 |  100 	|  1500 |
|     Column sample by tree     	|    0.6 	| 0.4 	|  0.6 |
|     Boosting type     	|    gbdt 	| gbdt |  gbdt |
|     L1 regularization weight     	|    5 	| 100 	|  10 |

**Baseline Model**

For the baseline model, no preprocessing apart from integer-encoding the categorical features has been performed. Encoding has been done based on the train set, values from a particular feature that appeared in the test set but not in the train set have been encoded as a single category ('other'). The LGBM model has been fitted using default parameters of the library (apart from `objective = 'binary'` and `scoring = 'auc'`).

- Achieved AUC score of ***0.67157 for the public test set*** and ***0.61237 for the private test set*** (winning submission scored 0.6758 on Private)

- Feature importances from the model:
<p class="aligncenter">
    <img src="fi_baseline.png" alt="centered image" width="800" />
</p>

- ROC AUC curve from the model:
<p class="aligncenter">
    <img src="roc_baseline.png" alt="centered image" width="400"/>
</p>

**CMI Ranking Model**

For this model, the top 28 features from the CMI ranking have been used for model training and predictions on the test set. Integer encoding of categorical data has been performed as described above for the baseline model.

- Achieved AUC score of ***0.32604 for the public test set*** and ***0.38615 for the private test set***

- Feature importances from the model:
<p class="aligncenter">
    <img src="fi_cmi.png" alt="centered image" width="800"/>
</p>

- ROC AUC curve from the model:
<p class="aligncenter">
    <img src="roc_cmi.png" alt="centered image" width="400"/>
</p>

# Second iteration of data pre-processing and feature engineering

After having aproached the problem with our own solution, we surveyed some of the _[highest scoring solutions published in the Kaggle competition]()_ and decided to implement some of the ideas there proposed. Specifically, we set up a new data set in which:

* We obtained the time stamps of the features _AvSigVersion_ and _Census_OSVersion_ and used them to define a new feature, _Lag1_, as the difference between these two time stamps. This feature tells us wether the version of Defender is behind the current OS update.
* We defined a new feature _driveA_ as the ratio between the size of the OS partition (_Census_SystemVolumeTotalCapacity_) and total hard drive space (_Census_PrimaryDiskTotalCapacity_). This feature encodes the idea that tech oriented users tend to have more than OS, and therefore a smaller ratio, and, as savy users, they probably have less malware infections.
* We defined a new feature _driveB_ as the difference between the total hard drive space (_Census_PrimaryDiskTotalCapacity_) and the amount used in the OS partition (_Census_SystemVolumeTotalCapacity_). This feature encodes the idea that tech oriented users tend to manage better their space and have more free disk non used on OS. As before, intuitively tech oriented users probably have less malware infections.
* We applied frequency encoding to the _CountryIdentifier_ feature. More popular countries are more frequently attacked, therefore there is likely a correlation between infection rate and frequency of appereance of a country code.
* We applied frequency encoding to the _Census_InternalBatteryNumberOfCharges_ feature. This feature tells us wether a machine is a laptop or desktop PC. According to several Kaggle users the frequency of this feature was correlated with the infection rate, indicating that either laptops or desktops are more frequently attacked.
* We removed features which took on more than 98% of the samples a unique value.
* We removed features which were highly correlated to another feature. 
* All variables except the ones to which we apply frequency encoding and the two new added variables were formated as categorical.

# Second iteration of modeling

## Deep Neural Network with categorical embeddings

With the new data pre-processing most variables were considered categorical and the one-hot encoding applied in the previous models would result in a very large number of input features, which was not feasible due to memory constraints. Following the approach described in _[Entity Embeddings of Categorical Variables](https://arxiv.org/abs/1604.06737)_ we implemented a new neural network architecture which used _entity embeddings_. 

### A brief description of entity embeddings:

The basic idea of entity embeddings is to map every possible value of a categorical variable to a vector in $\mathbb{R}^{d}$, where $d$ is the dimension of the embedding and is tipically lower than the number of possible values the variable can take, being therefore more efficient memory-wise than one-hot encoding. This mapping to $\mathbb{R}^d$ (termed _embedding layer_ in the context of neural nets) is learned implicitly during the learning process of the model itself by back-propagation, and it often reveals useful intrinsic properties of the categorical variables.

### The architecture used:

Below we illustrate the architecture of the new neural network model. The numbers to the right of the ReLU layers indicate the dimensions of the matrix defining the linear transformation of the layer. Additionally, we use _dropout regularization_ and _batch normalization_, which are techniques typical of _deep learning models_ that help to avoid overfitting and speed up the training process. The number to the left of the dropout layers indicate the probability of dropping a given input (making it zero). It should be noted that batch normalization is applied before the ReLU activation.

<img src="MLWR_DNN.png" alt="arch" width="500"/>

Below a snippet of the code corresponding to the definition of the model:

In [0]:
class MalwareModel(nn.Module):
    def __init__(self, embbedingSizes, nCont):
        super().__init__()
        self.embeddings = nn.ModuleList([nn.Embedding(categories, size) for categories,size in embbedingSizes])
        nEmb = sum(e.embedding_dim for e in self.embeddings) #length of all embeddings combined
        self.nEmb, self.nCont = nEmb, nCont
        self.lin1 = nn.Linear(self.nEmb + self.nCont, 200)
        self.lin2 = nn.Linear(200, 70)
        self.lin3 = nn.Linear(70, 1)
        self.bn1 = nn.BatchNorm1d(self.nCont)
        self.bn2 = nn.BatchNorm1d(200)
        self.bn3 = nn.BatchNorm1d(70)
        self.embDrop = nn.Dropout(0.6)
        self.drops = nn.Dropout(0.3)
        

    def forward(self, xCat, xCont):
        x = [e(xCat[:,i]) for i,e in enumerate(self.embeddings)]
        x = torch.cat(x, 1)
        x = self.embDrop(x)
        x2 = self.bn1(xCont)
        x = torch.cat([x, x2], 1)
        x = torch.relu(self.bn2(self.lin1(x)))
        x = self.drops(x)
        x = torch.relu(self.bn3(self.lin2(x)))
        x = self.drops(x)
        x = torch.sigmoid(self.lin3(x))
        return x

We used the _Adam_ optimizer with a learning rate of $10^{-4}$ and an L2 regularization coefficient of $10^{-6}$. As with the previous neural network we applied cross-validation splitting the data in a train set of 99% of the samples and a validation set of 1%. With this model the AUC score obtained on the test set was ***0.67653 for the public test set*** and ***0.62734 for the private test set***, making it the **best model on the private test set of the ones considered on the project**.

For this model we calculated the feature importance as the increase in classification error on the validation set when randomly permuting the values of the feature. Below we show the 30 most important variables according to this model and the code to compute the importance:

<p class="aligncenter">
    <img src="FeatureRankingDNN.png" alt="centered image" width="850"/>
</p>

In [0]:
importances = {}
# For all the features
for column in xVal:
    perturbedXVal = xVal.copy()
    # Define a new dataset with the values of the feature shuffled
    perturbedXVal[column] = np.random.permutation(perturbedXVal[column].values)
    valDF = MalwareDataset(perturbedXVal, yVal, embeddedColNames)
    valDL = DataLoader(valDF, batch_size=1024)
    valDL = DeviceDataLoader(valDL, device)
    # Input the data to the model
    correct = 0
    with torch.no_grad():
        for x1, x2, y in valDL:
            prob = model(x1, x2).view(-1) 
            pred = torch.round(prob)
            correct += (pred == y).float().sum().item()
    # Compute the importance as the decrease in accuracy
    importances[column] = initPerformance - correct/xVal.shape[0]

## Light Gradient Boosting Machine

Search for the optimal training hyperparameters has been performed analogously to the method described before and the results are available in the table from the previous section.


**Kaggle Feature-Engineering & Data Preprocessing**

For this model, additional feature engineering and removal have been performed as described above. Additionally, the encoding of categorical features has been done on unions of values from both train and test sets. In the end, the model fitting has been done on the remaining ~70 features.

- Achieved AUC score of ***0.68297 for the public test set*** and ***0.62568 for the private test set***

- Feature importances from the model:

<p class="aligncenter">
    <img src="fi_kagg.png" alt="centered image" width="800" />
</p>

- ROC AUC curve from the model:
<p class="aligncenter">
    <img src="roc_kaggle.png" alt="centered image" width="400"/>
</p>


**Kaggle FE & 'Textbook-correct' Data Preprocessing**

For this model, feature engineering and removal has been done analogously as above, but this time **no information** from the test set have been 'leaked' into the training process: the encoding of categorical variables has been done as described for the baseline model above.

- Achieved AUC score of ***0.68408 for the public test set*** and ***0.61584 for the private test set***

- Feature importances from the model:
<p class="aligncenter">
    <img src="fi_kagg_unseen_test.png" alt="centered image" width="800"/>
</p>

- ROC AUC curve from the model:
<p class="aligncenter">
    <img src="roc_kaggle_unseen.png" alt="centered image" width="400"/>
</p>

# Results and Discussion

## Usage of forward selection using CMI

As mentioned in the feature importance section, a forward selection algorithm based on conditional mutual information was implemented and thus, it was possible to rank the categorical features by this criteria. The following plot shows the predictions distribution for two models, one considers all the features available and drops a set of 15 less important according to the CMI selection algorithm.

<img src="full_vs_cmi_2.png" alt="centered image" />

From the plots is possible to see how eliminating variables of the model affects it predictions distribution. Not only that, the model including all the variables achieved 0.61237 and 0.67157 on the competition's private and public score, respectively. On the other hand, the model that just drops variables according to CMI forward selection algorithm achieves 0.3861 and 0.32604 on the competition's Private and Public Score, respectively. This could mean that there is actually an order of importance among the categorical variables, but that each of them contributes with valuable information for the model to perform well or at least be able to generalize to the test set considered. An important flaw of the method is that the algorithm was used only on categorical variables and thus, it is not considering how the interaction of these categorical variables with continuos ones affects their importance.



## Comparison of models 



<img src="preds_dist_definitive.png" alt="centered image" />


In the plot are shown 4 different models. The initial logistic regression made in the first iteration, the last DNN presented and two LGBM model with different preprocessing, one without categorical information from the test set and one including this information on the variables encoding.

In them we see the confidence of the DNN to make decisions about each sample. Most of the predictions are concentrated at 0 or 1, meanwhile, the rest of the models have more soft Normal-like distributions. Another interesting insight may be that,  it seems that when leaked information from the test set is considered, the confidence of the LGBM model is reduced, this is reflected on the reduced support of the predictions distribution on the last LGBM model compared to the one that does not make use of test set information.


### All that's wrong with the test set

Kaggle user Chris Deotte did some interesting  _[time series analysis](https://www.kaggle.com/cdeotte/time-series-eda-malware-0-64)_ on the data which highlighted several dificulties, and possible mistakes, with the competition:

* The train and test data were not sampled from the same distribution. The train data corresponded to samples taken from August and September 2018, while the test data was mostly sampled from October and November 2018. That is, the competition required to built a time independent model.

* The train data and test data used to compute the public leaderboard score were not random samples, because days with high number of infections were up-sampled in order to have a balanced data set in terms of the target, and therefore there was a correlation between density of the data in time and the target variable. This data leakage was used to achieve high scoring solutions without even using the train data (Chris Deotte presented his _[7-line long code](https://www.kaggle.com/c/microsoft-malware-prediction/discussion/84096)_ which achieves almost 0.7 AUC score).

* Unlike the train and public test data, the private test data was a random sample, and therefore the target followed a different distribution not correlated with the time signature of the samples. For the models that took advantage of the leakage, this resulted in overfitting to the public test set.

In [0]:
### This 7-liner could 'win' the whole competition ###

submit = pd.read_csv('test.csv', usecols=['MachineIdentifier','AvSigVersion'])
submit['HasDetections'] = 0.5
submit['ASV2'] = submit['AvSigVersion'].map(lambda x: np.int(x.split('.')[1]) )
submit['ASV3'] = submit['AvSigVersion'].map(lambda x: np.int(x.split('.')[2]) )
submit.loc[ (submit['ASV2']==281) &amp; (submit['ASV3'] >= 451),'HasDetections'] = 0.0
submit[['MachineIdentifier','HasDetections']].to_csv('WinningSolution.csv', index=False) 

# Conclussions

- Based on our results, the most important features in general are closely related to the version of the software used to protect a given device and its geographical location. There are some difference in the feature ranking outputed by the DNN and LGBM models. The DNN ranking seems to point towards vulnerabilities against social engineered attacks, because of the importance given to the variable "SmartScreen", which is related to the anti-phishing and anti-malware component included in some Microsoft products. On the other hand, LGBM ranking puts software and hardware related features first.

- The successful feature engineering seems to require an in-depth domain knowledge, but if done properly can considerably improve the quality of the models.

- The embedding approach is somehow contrary to feature engineering, as it allows the model to learn its own representation of the features without any strong assumption. In this case it resulted in one of the strongest models, and it clearly showed the need of proper encoding when applying neural networks to categorical variables. 

- For our LGBM analysis, tuning the hyperparameters did not bring that much of a difference into play (AUC score increase of ~0.002), baseline model with default parameters obtained a similar (but lower) score on the model with FE and hyperparameter tuning.

- Winning Kaggle competitions is not easy. It was specially surprising for us to see how competitors tried to engineer hacks to exploit the flaws on the competition rather than truly work to solve the presented problem.

- Building machine learning models is an iterative process. Going back and forth between data analysis and modeling, one process informing the other, showed to be the best approach.

## Further work:

- The DNN could probably achieve better results. At the end of the 30 epochs of training the validation loss was still improving, but we stopped due to computational constraints (Colab stopped lending us GPU). Trying to tune its hyperparameters could also result in a better model.

- Visualizing features on the embedded feature space of the DNN could give us more insight about the variables.

- Making an ensemble of the top models presented may help to improve the predictions.
