## Phase - 2: Predicting Anomalies in Network Traffic (A Binary Classification problem)

Before working on this phase, please practice "Activities 4, 5, and 6" in the 'Neural networks using Tensorflow' crash course (see nn-tf tab). 

The main goal in this phase is to experiment and find what network size is needed to 'overfit' the entire dataset at your hand.

In other words, we want to determine how big architecture we need to overfit the data. 

     The place to start is to use 'logistic regression' model and train for as many epochs as needed to obtain as high accuracy as possible. After training hundreds of epochs if you observe that the accuracy is not increasing then it implies that the number of neurons in your model (only one) may not be sufficient for overfitting. 
      The next step is to grow your model into a multi-layer model and add a few neurons (say only 2) in the input layer. This way your model will have '2 + 1 = 3' neurons in total. 
       
       If your accuracy still does not each a 100% or close to 100% you can continue to increase the number of layers and number of neurons. Once you have obtained 100% accuracy (or around 100%) your experiments for this phase are complete. The results of this experiment also inform us that our final model (in subsequent phases) should be smaller than this model. Small here refers to number of layers and number of neurons in each layer.

[BONUS] You will be eligible to receive up to 2 bonus points if you complete this phase without using the Keras/Tenforflow library, i.e., if you implement your own Python code to build neural network (or logistic regression model) and code a function that serves as an optimizer (for example, gradient descent algorithm) to train your model.

'protocol_type', 'service', 'flag', 'land', 'logged_in', 'is_host_login', 'is_guest_login'

In [59]:
catg_cols = ['protocol_type', 'service', 'flag', 'land', 'logged_in', 'is_host_login', 'is_guest_login']

#### 2.2 Continuous Columns

In [60]:
cont_cols = [ 'duration', 'src_bytes', 'dst_bytes', 'wrong_fragment', 'urgent', 'hot', 'num_failed_logins', 'num_compromised', 'root_shell', 'su_attempted', 'num_root', 'num_file_creations', 'num_shells', 'num_access_files', 'num_outbound_cmds', 'count', 'srv_count', 'serror_rate', 'srv_serror_rate', 'rerror_rate', 'srv_rerror_rate', 'same_srv_rate', 'diff_srv_rate', 'srv_diff_host_rate', 'dst_host_count', 'dst_host_srv_count', 'dst_host_same_srv_rate', 'dst_host_diff_srv_rate', 'dst_host_same_src_port_rate', 'dst_host_srv_diff_host_rate', 'dst_host_serror_rate', 'dst_host_srv_serror_rate', 'dst_host_rerror_rate', 'dst_host_srv_rerror_rate']

#### 2.3 Target Variable

The target variable "label" contains all different types of malware attacks and also the value "normal" (i.e., not an attack) as shown below.

'normal', 'buffer_overflow', 'loadmodule', 'perl', 'neptune', 'smurf', 'guess_passwd', 'pod', 'teardrop', 'portsweep', 'ipsweep', 'land', 'ftp_write', 'back', 'imap', 'satan', 'phf', 'nmap', 'multihop', 'warezmaster', 'warezclient', 'spy', 'rootkit'

All malware attacks are grouped (transformed) to the value "abnormal" to make this problem a binary classification problem instead of a multi-class classification.


In [61]:
target_variable = 'label'

#### 2.4 Data Load

In [62]:
import pandas as pd
df = pd.read_csv("../datasets/kddcup99_csv.csv")

#### 2.5 Dataset size

In [63]:
df.shape

(494020, 42)

494020 records with 41 features and 1 target variable ("label") for prediction

In [64]:
df.head()

Unnamed: 0,duration,protocol_type,service,flag,src_bytes,dst_bytes,land,wrong_fragment,urgent,hot,...,dst_host_srv_count,dst_host_same_srv_rate,dst_host_diff_srv_rate,dst_host_same_src_port_rate,dst_host_srv_diff_host_rate,dst_host_serror_rate,dst_host_srv_serror_rate,dst_host_rerror_rate,dst_host_srv_rerror_rate,label
0,0,tcp,http,SF,181,5450,0,0,0,0,...,9,1.0,0.0,0.11,0.0,0.0,0.0,0.0,0.0,normal
1,0,tcp,http,SF,239,486,0,0,0,0,...,19,1.0,0.0,0.05,0.0,0.0,0.0,0.0,0.0,normal
2,0,tcp,http,SF,235,1337,0,0,0,0,...,29,1.0,0.0,0.03,0.0,0.0,0.0,0.0,0.0,normal
3,0,tcp,http,SF,219,1337,0,0,0,0,...,39,1.0,0.0,0.03,0.0,0.0,0.0,0.0,0.0,normal
4,0,tcp,http,SF,217,2032,0,0,0,0,...,49,1.0,0.0,0.02,0.0,0.0,0.0,0.0,0.0,normal


As seen above, there are various type of malware attacks which can be grouped as "abnormal" to make this problem as binary classification problem

##### 2.6.1 Group all malware attacks as "abnormal"

In [66]:
attack_types = list(df['label'].unique())
attack_types.remove('normal') # remove normal from attack types as we only want malware attacks to convert as abnormal

In [67]:
df['label'] = df['label'].replace(attack_types, 'abnormal')
df.shape

(494020, 42)

In [68]:
df['label'].value_counts()

abnormal    396743
normal       97277
Name: label, dtype: int64

In [71]:
df[catg_cols].dtypes

protocol_type     object
service           object
flag              object
land               int64
logged_in          int64
is_host_login      int64
is_guest_login     int64
dtype: object

As seen from the above datatypes of the categorical columns,the column values are not strings. We need to convert them to string before performing any analysis

##### 2.7.1 Fixing the data types of categorical columns

In [72]:
df['protocol_type'] = df['protocol_type'].astype(str)
df['service'] = df['service'].astype(str)
df['flag'] = df['flag'].astype(str)
df['land'] = df['land'].astype(str)
df['logged_in'] = df['logged_in'].astype(str)
df['is_host_login'] = df['is_host_login'].astype(str)
df['is_guest_login'] = df['is_guest_login'].astype(str)
df[catg_cols].dtypes

protocol_type     object
service           object
flag              object
land              object
logged_in         object
is_host_login     object
is_guest_login    object
dtype: object

In [84]:
df.drop(columns=['is_host_login'], inplace=True)
df.drop(columns=['num_outbound_cmds'], inplace=True)

### 3. Transform Target Binary label to 0 and 1

In [85]:
df['label'] = df['label'].map({'normal': 1, 'abnormal': 0})
df['label'].value_counts()

0    396743
1     97277
Name: label, dtype: int64

### 3. One hot encode categorical columns

In [86]:
def convert_categorical_to_one_hot_encoding(dataset, column_name):
    dummy_values = pd.get_dummies(dataset[column_name])
    
    for category in dummy_values.columns:
        dummy_value_name = f"{column_name}-{category}"
        dataset[dummy_value_name] = dummy_values[category]
    dataset.drop(column_name, axis=1, inplace=True)



In [87]:
for cat_col in catg_cols:
    if cat_col != "is_host_login":
        convert_categorical_to_one_hot_encoding(df, cat_col)
df.shape

(494020, 120)

In [88]:
df.head()

Unnamed: 0,duration,src_bytes,dst_bytes,wrong_fragment,urgent,hot,num_failed_logins,num_compromised,root_shell,su_attempted,...,flag-S2,flag-S3,flag-SF,flag-SH,land-0,land-1,logged_in-0,logged_in-1,is_guest_login-0,is_guest_login-1
0,0,181,5450,0,0,0,0,0,0,0,...,0,0,1,0,1,0,0,1,1,0
1,0,239,486,0,0,0,0,0,0,0,...,0,0,1,0,1,0,0,1,1,0
2,0,235,1337,0,0,0,0,0,0,0,...,0,0,1,0,1,0,0,1,1,0
3,0,219,1337,0,0,0,0,0,0,0,...,0,0,1,0,1,0,0,1,1,0
4,0,217,2032,0,0,0,0,0,0,0,...,0,0,1,0,1,0,0,1,1,0


###### a. Shuffle DataFrame

In [91]:
df = df.sample(frac=1).reset_index(drop=True)

### 3. Data Normalization (scaling numerical features to unit norm)

As seen from the above continous variables distribution in the section 2.6 the scale of some of the features (columns) values are not in same range as others.
Hence the features need to be normalized so that the optimization during model training will happen in a better way and the model will not be sensitive to the features.

In [96]:
cont_cols_new = [each for each in cont_cols if each!='num_outbound_cmds']

In [113]:
df_CONTCOLS_MIN = df[cont_cols_new].min(axis=0)
df_CONTCOLS_MAX = df[cont_cols_new].max(axis=0)

In [114]:
df[cont_cols_new] = (df[cont_cols_new] - df_CONTCOLS_MIN) / (df_CONTCOLS_MAX - df_CONTCOLS_MIN)

In [115]:
df[cont_cols_new].head()

Unnamed: 0,duration,src_bytes,dst_bytes,wrong_fragment,urgent,hot,num_failed_logins,num_compromised,root_shell,su_attempted,...,dst_host_count,dst_host_srv_count,dst_host_same_srv_rate,dst_host_diff_srv_rate,dst_host_same_src_port_rate,dst_host_srv_diff_host_rate,dst_host_serror_rate,dst_host_srv_serror_rate,dst_host_rerror_rate,dst_host_srv_rerror_rate
0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,0.078431,0.08,0.07,0.0,0.0,0.0,0.0,1.0,1.0
1,0.0,1.488371e-06,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,1.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0
2,0.0,2.855595e-07,0.000125,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,0.121569,1.0,1.0,0.0,0.03,0.07,0.0,0.0,0.0,0.0
3,0.296593,2.105641e-07,2e-05,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,0.003922,0.0,0.67,0.98,0.0,0.0,0.0,0.0,0.0
4,0.0,1.488371e-06,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,...,1.0,1.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0


In [116]:
df.isna().values.any()

False

In [103]:
x_train_numpy = XTRAIN.to_numpy()
y_train_numpy = YTRAIN.to_numpy()

In [117]:
X_numpy = df.drop(columns=['label']).to_numpy()
Y_numpy = df['label'].to_numpy()

In [119]:
X_numpy.shape

(494020, 119)

In [121]:
Y_numpy.shape

(494020,)

In [122]:
from tensorflow.keras.models import Sequential
from tensorflow.keras.layers import Dense

model = Sequential()
model.add(Dense(1, input_dim = len(X_numpy[0, :]), activation='sigmoid'))

In [123]:
model.compile(loss='binary_crossentropy', optimizer = 'rmsprop', metrics=['accuracy'])
model.fit(x_train_numpy, y_train_numpy, epochs = 256, verbose = 1)

Epoch 1/256
Epoch 2/256
Epoch 3/256
Epoch 4/256
Epoch 5/256
Epoch 6/256
Epoch 7/256
Epoch 8/256
Epoch 9/256
Epoch 10/256
Epoch 11/256
Epoch 12/256
Epoch 13/256
Epoch 14/256
Epoch 15/256
Epoch 16/256
Epoch 17/256
Epoch 18/256
Epoch 19/256
Epoch 20/256
Epoch 21/256
Epoch 22/256
Epoch 23/256
Epoch 24/256
Epoch 25/256
Epoch 26/256
Epoch 27/256
Epoch 28/256
Epoch 29/256
Epoch 30/256
Epoch 31/256
Epoch 32/256
Epoch 33/256
Epoch 34/256
Epoch 35/256
Epoch 36/256
Epoch 37/256
Epoch 38/256
Epoch 39/256
Epoch 40/256
Epoch 41/256
Epoch 42/256
Epoch 43/256
Epoch 44/256
Epoch 45/256
Epoch 46/256
Epoch 47/256
Epoch 48/256
Epoch 49/256
Epoch 50/256
Epoch 51/256
Epoch 52/256
Epoch 53/256
Epoch 54/256
Epoch 55/256
Epoch 56/256
Epoch 57/256
Epoch 58/256
Epoch 59/256
Epoch 60/256
Epoch 61/256
Epoch 62/256
Epoch 63/256
Epoch 64/256
Epoch 65/256
Epoch 66/256
Epoch 67/256
Epoch 68/256
Epoch 69/256
Epoch 70/256
Epoch 71/256
Epoch 72/256
Epoch 73/256
Epoch 74/256
Epoch 75/256
Epoch 76/256
Epoch 77/256


Epoch 78/256
Epoch 79/256
Epoch 80/256
Epoch 81/256
Epoch 82/256
Epoch 83/256
Epoch 84/256
Epoch 85/256
Epoch 86/256
Epoch 87/256
Epoch 88/256
Epoch 89/256
Epoch 90/256
Epoch 91/256
Epoch 92/256
Epoch 93/256
Epoch 94/256
Epoch 95/256
Epoch 96/256
Epoch 97/256
Epoch 98/256
Epoch 99/256
Epoch 100/256
Epoch 101/256
Epoch 102/256
Epoch 103/256
Epoch 104/256
Epoch 105/256
Epoch 106/256
Epoch 107/256
Epoch 108/256
Epoch 109/256
Epoch 110/256
Epoch 111/256
Epoch 112/256
Epoch 113/256
Epoch 114/256
Epoch 115/256
Epoch 116/256
Epoch 117/256
Epoch 118/256
Epoch 119/256
Epoch 120/256
Epoch 121/256
Epoch 122/256
Epoch 123/256
Epoch 124/256
Epoch 125/256
Epoch 126/256
Epoch 127/256
Epoch 128/256
Epoch 129/256
Epoch 130/256
Epoch 131/256
Epoch 132/256
Epoch 133/256
Epoch 134/256
Epoch 135/256
Epoch 136/256
Epoch 137/256
Epoch 138/256
Epoch 139/256
Epoch 140/256
Epoch 141/256
Epoch 142/256
Epoch 143/256
Epoch 144/256
Epoch 145/256
Epoch 146/256
Epoch 147/256
Epoch 148/256
Epoch 149/256
Epoch 150/256


Epoch 154/256
Epoch 155/256
Epoch 156/256
Epoch 157/256
Epoch 158/256
Epoch 159/256
Epoch 160/256
Epoch 161/256
Epoch 162/256
Epoch 163/256
Epoch 164/256
Epoch 165/256
Epoch 166/256
Epoch 167/256
Epoch 168/256
Epoch 169/256
Epoch 170/256
Epoch 171/256
Epoch 172/256
Epoch 173/256
Epoch 174/256
Epoch 175/256
Epoch 176/256
Epoch 177/256
Epoch 178/256
Epoch 179/256
Epoch 180/256
Epoch 181/256
Epoch 182/256
Epoch 183/256
Epoch 184/256
Epoch 185/256
Epoch 186/256
Epoch 187/256
Epoch 188/256
Epoch 189/256
Epoch 190/256
Epoch 191/256
Epoch 192/256
Epoch 193/256
Epoch 194/256
Epoch 195/256
Epoch 196/256
Epoch 197/256
Epoch 198/256
Epoch 199/256
Epoch 200/256
Epoch 201/256
Epoch 202/256
Epoch 203/256
Epoch 204/256
Epoch 205/256
Epoch 206/256
Epoch 207/256
Epoch 208/256
Epoch 209/256
Epoch 210/256
Epoch 211/256
Epoch 212/256
Epoch 213/256
Epoch 214/256
Epoch 215/256
Epoch 216/256
Epoch 217/256
Epoch 218/256
Epoch 219/256
Epoch 220/256
Epoch 221/256
Epoch 222/256
Epoch 223/256
Epoch 224/256
Epoch 

Epoch 229/256
Epoch 230/256
Epoch 231/256
Epoch 232/256
Epoch 233/256
Epoch 234/256
Epoch 235/256
Epoch 236/256
Epoch 237/256
Epoch 238/256
Epoch 239/256
Epoch 240/256
Epoch 241/256
Epoch 242/256
Epoch 243/256
Epoch 244/256
Epoch 245/256
Epoch 246/256
Epoch 247/256
Epoch 248/256
Epoch 249/256
Epoch 250/256
Epoch 251/256
Epoch 252/256
Epoch 253/256
Epoch 254/256
Epoch 255/256
Epoch 256/256


<keras.callbacks.History at 0x24d9cb28100>

In [124]:
model.summary()

Model: "sequential_2"
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
dense_2 (Dense)              (None, 1)                 120       
Total params: 120
Trainable params: 120
Non-trainable params: 0
_________________________________________________________________


### Model : 2. With more layers and neurons so that dataset can overfit

In [126]:
model_2 = Sequential()
model_2.add(Dense(8, input_dim = len(X_numpy[0, :]), activation='relu'))
model_2.add(Dense(4, activation='relu'))
model_2.add(Dense(1, activation='sigmoid'))

In [None]:
model_2.compile(loss='binary_crossentropy', optimizer = 'rmsprop', metrics=['accuracy'])
model_2.fit(x_train_numpy, y_train_numpy, epochs = 32, verbose = 1)

Epoch 1/32
Epoch 2/32
Epoch 3/32
Epoch 4/32
Epoch 5/32
Epoch 6/32
Epoch 7/32
Epoch 8/32
Epoch 9/32
Epoch 10/32
Epoch 11/32
Epoch 12/32
Epoch 13/32
Epoch 14/32
Epoch 15/32
Epoch 16/32
Epoch 17/32
Epoch 18/32
Epoch 19/32
Epoch 20/32
  494/10807 [>.............................] - ETA: 6s - loss: 0.0192 - accuracy: 0.9977

In [110]:
print ('True Validation Data:')
print(y_train_numpy[:10])
prediction = model.predict(x_train_numpy)
print ('Prediction:')
print(prediction[0:10].T)

True Validation Data:
[0 0 0 1 0 1 1 0 0 0]
Prediction:
[[7.0481242e-06 2.2987747e-08 6.7529127e-06 9.7435486e-01 6.7563465e-06
  9.8804760e-01 9.9964744e-01 6.7529127e-06 6.7529127e-06 6.8989330e-06]]
