# Model K-prototypes

This Jupyter notebook is used to:

1. Run K-prototypes.
2. Visualize results.

## 0. Load the data

In [1]:
import pandas as pd
import os

# Format scientific notation from Pandas
pd.set_option('display.float_format', lambda x: '%.5f' % x)

PREFIX_PATH = '/home/sramkova/diploma_thesis_data/cicids2017/attacks'
PREFIX_PATH = PREFIX_PATH + '/' + '/'.join(os.getcwd().split('/')[-2:]) + '/'
INPUT_CSV = PREFIX_PATH + 'final.csv'
print(INPUT_CSV)

data = pd.read_csv(INPUT_CSV, low_memory=False)
selected_df = data.copy()
selected_df.head(5)

/home/sramkova/diploma_thesis_data/cicids2017/attacks/0_tuesday/ftp_patator/final.csv


Unnamed: 0,originated_ip_num,responded_ip_num,connection.time,connection.duration,connection.orig_p,connection.orig_bytes,connection.orig_ip_bytes,connection.orig_pkts,connection.resp_p,connection.resp_bytes,...,r_ip_bytes,connection.resp_pkts.1,protocol,service,conn_state,orig_p_cat,resp_p_cat,attacker_label,victim_label,timestamp
0,0.53453,0.77061,0.00561,0.0,0.75719,0.0,0.0001,0.00022,0.00742,0.0,...,0,0,tcp,none,SH,orig_reg_or_dyn,resp_443,No,No,2017-07-04T13:05:10.09719Z
1,0.53453,0.10058,0.37616,5e-05,0.76752,0.0008,0.00133,0.00239,0.00742,0.00012,...,1915,6,tcp,ssl,SF,orig_reg_or_dyn,resp_443,No,No,2017-07-04T13:16:16.943791Z
2,0.53453,0.23016,0.23842,0.02231,0.76718,0.00198,0.00791,0.02106,0.00742,0.02119,...,290589,160,tcp,ssl,SF,orig_reg_or_dyn,resp_443,No,No,2017-07-04T13:12:09.069054Z
3,0.53453,0.85944,0.10949,0.0,0.00204,0.00078,0.0012,0.00282,0.00218,0.0,...,0,0,udp,dns,S0,orig_well_known,resp_well_known,No,No,2017-07-04T13:08:17.049633Z
4,0.53453,0.23016,0.61636,0.02235,0.76848,0.00198,0.00766,0.02019,0.00742,0.01943,...,266707,152,tcp,ssl,SF,orig_reg_or_dyn,resp_443,No,No,2017-07-04T13:23:29.209443Z


In [2]:
# shuffle 
selected_df = selected_df.sample(frac=1).reset_index(drop=True)
selected_df.head(5)

Unnamed: 0,originated_ip_num,responded_ip_num,connection.time,connection.duration,connection.orig_p,connection.orig_bytes,connection.orig_ip_bytes,connection.orig_pkts,connection.resp_p,connection.resp_bytes,...,r_ip_bytes,connection.resp_pkts.1,protocol,service,conn_state,orig_p_cat,resp_p_cat,attacker_label,victim_label,timestamp
0,0.53453,0.85944,0.99208,0.0,0.73778,0.00387,0.00386,0.00043,0.00134,5e-05,...,686,2,udp,krb,SF,orig_reg_or_dyn,resp_well_known,No,Yes,2017-07-04T13:34:45.35888Z
1,0.53453,0.85944,0.19842,3e-05,0.93073,7e-05,0.00013,0.00043,0.00074,1e-05,...,214,2,udp,dns,SF,orig_reg_or_dyn,resp_53,No,No,2017-07-04T13:10:57.080574Z
2,0.53453,0.77061,0.59712,0.0033,0.05111,0.0,0.0002,0.00087,0.0012,0.0,...,92,2,tcp,none,SF,orig_reg_or_dyn,resp_80,No,No,2017-07-04T13:22:54.589056Z
3,0.53453,0.46095,0.87472,0.0032,0.8218,0.00057,0.00095,0.00174,0.00742,0.00023,...,3271,6,tcp,ssl,RSTR,orig_reg_or_dyn,resp_443,No,No,2017-07-04T13:31:14.15159Z
4,0.0,0.85944,0.35963,0.00466,0.9087,0.00016,0.00084,0.00239,0.00019,1e-05,...,1056,17,tcp,ftp,SF,orig_reg_or_dyn,resp_21,Yes,Yes,2017-07-04T13:15:47.190892Z


In [3]:
for col in selected_df.columns:
    print(col)

originated_ip_num
responded_ip_num
connection.time
connection.duration
connection.orig_p
connection.orig_bytes
connection.orig_ip_bytes
connection.orig_pkts
connection.resp_p
connection.resp_bytes
connection.resp_ip_bytes
connection.resp_pkts
dns_count
ssh_count
http_count
ssl_count
files_count
orig_orig_total
orig_orig_connection.time_mean
orig_orig_connection.duration_mean
orig_orig_connection.orig_pkts_mean
orig_orig_connection.orig_bytes_mean
orig_orig_connection.resp_bytes_mean
orig_orig_connection.resp_pkts_mean
orig_orig_orig_p_well_known_count
orig_orig_orig_p_reg_or_dyn_count
orig_orig_resp_p_21_count
orig_orig_resp_p_22_count
orig_orig_resp_p_53_count
orig_orig_resp_p_80_count
orig_orig_resp_p_123_count
orig_orig_resp_p_443_count
orig_orig_resp_p_3389_count
orig_orig_resp_p_well_known_count
orig_orig_resp_p_reg_count
orig_orig_resp_p_dyn_count
orig_orig_dns_count_mean
orig_orig_ssh_count_mean
orig_orig_http_count_mean
orig_orig_ssl_count_mean
orig_orig_files_count_mean
orig_o

## 1. K-prototypes

(https://towardsdatascience.com/the-k-prototype-as-clustering-algorithm-for-mixed-data-type-categorical-and-numerical-fe7c50538ebb
)

(https://github.com/nicodv/kmodes/blob/master/kmodes/kprototypes.py)

### Parameters of kmodes.kprototypes.KPrototypes: 

```
num_dissim: 
        Dissimilarity function used by the algorithm for numerical variables. 
        (default is euclidian_dissim)
        
cat_dissim: 
        For categorical variables. 
        (default is matching_dissim)
        
init: 
        Initial centroids.
        
gamma: 
        Weighing factor determining relative importance of numerical vs. categorical attributes. 
        (default is None, calculated from data)
        
n_jobs: 
        Number of jobs to use for the computation - each n_init runs in parallel. If -1 all CPUs are used. 
        (default is 1)
```

### Attributes: 

```
cluster_centroids_

labels_:
        Labels of each point (cluster l affiliation)
        
cost_: 
        Sum distance of all points to their respective cluster centroids.

n_iter_:
        The number of iterations the algorithm ran for.

epoch_costs_:
        Cost at each epoch.

gamma:
        The (potentially calculated) weighing factor.
```

In [4]:
import numpy as np
from kmodes.kprototypes import KPrototypes

In [5]:
print('Dimension data: {} rows and {} columns'.format(len(selected_df), len(selected_df.columns)))

Dimension data: 21568 rows and 300 columns


In [6]:
# selected_df.info()

In [7]:
# Inspect the categorical variables
selected_df.select_dtypes('object').nunique()

orig_orig_connection.protocol_mode          3
orig_orig_connection.service_mode           7
orig_orig_connection.conn_state_mode        4
orig_resp_connection.protocol_mode          4
orig_resp_connection.service_mode           6
orig_resp_connection.conn_state_mode        4
resp_orig_connection.protocol_mode          3
resp_orig_connection.service_mode           3
resp_orig_connection.conn_state_mode        3
resp_resp_connection.protocol_mode          3
resp_resp_connection.service_mode           7
resp_resp_connection.conn_state_mode       11
uid                                     21568
originated_ip                              16
responded_ip                             1457
protocol                                    3
service                                    14
conn_state                                 12
orig_p_cat                                  2
resp_p_cat                                  9
attacker_label                              2
victim_label                      

In [8]:
# Numerical
pd.set_option('display.max_columns', None)
selected_df.describe()

Unnamed: 0,originated_ip_num,responded_ip_num,connection.time,connection.duration,connection.orig_p,connection.orig_bytes,connection.orig_ip_bytes,connection.orig_pkts,connection.resp_p,connection.resp_bytes,connection.resp_ip_bytes,connection.resp_pkts,dns_count,ssh_count,http_count,ssl_count,files_count,orig_orig_total,orig_orig_connection.time_mean,orig_orig_connection.duration_mean,orig_orig_connection.orig_pkts_mean,orig_orig_connection.orig_bytes_mean,orig_orig_connection.resp_bytes_mean,orig_orig_connection.resp_pkts_mean,orig_orig_orig_p_well_known_count,orig_orig_orig_p_reg_or_dyn_count,orig_orig_resp_p_21_count,orig_orig_resp_p_22_count,orig_orig_resp_p_53_count,orig_orig_resp_p_80_count,orig_orig_resp_p_123_count,orig_orig_resp_p_443_count,orig_orig_resp_p_3389_count,orig_orig_resp_p_well_known_count,orig_orig_resp_p_reg_count,orig_orig_resp_p_dyn_count,orig_orig_dns_count_mean,orig_orig_ssh_count_mean,orig_orig_http_count_mean,orig_orig_ssl_count_mean,orig_orig_files_count_mean,orig_orig_similar_conns_count,orig_orig_similar_dns_qtype_count,orig_orig_similar_dns_rcode_count,orig_orig_similar_ssh_auth_attempts_count,orig_orig_similar_ssh_host_key_count,orig_orig_similar_http_method_count,orig_orig_similar_http_status_code_count,orig_orig_similar_http_user_agent_count,orig_orig_similar_ssl_version_count,orig_orig_similar_ssl_cipher_count,orig_orig_similar_ssl_curve_count,orig_orig_similar_ssl_validation_status_count,orig_orig_similar_files_source_count,orig_orig_similar_file_md5_count,orig_resp_total,orig_resp_connection.time_mean,orig_resp_connection.duration_mean,orig_resp_connection.orig_pkts_mean,orig_resp_connection.orig_bytes_mean,orig_resp_connection.resp_bytes_mean,orig_resp_connection.resp_pkts_mean,orig_resp_orig_p_well_known_count,orig_resp_orig_p_reg_or_dyn_count,orig_resp_resp_p_21_count,orig_resp_resp_p_22_count,orig_resp_resp_p_53_count,orig_resp_resp_p_80_count,orig_resp_resp_p_123_count,orig_resp_resp_p_443_count,orig_resp_resp_p_3389_count,orig_resp_resp_p_well_known_count,orig_resp_resp_p_reg_count,orig_resp_resp_p_dyn_count,orig_resp_dns_count_mean,orig_resp_ssh_count_mean,orig_resp_http_count_mean,orig_resp_ssl_count_mean,orig_resp_files_count_mean,orig_resp_similar_conns_count,orig_resp_similar_dns_qtype_count,orig_resp_similar_dns_rcode_count,orig_resp_similar_ssh_auth_attempts_count,orig_resp_similar_ssh_host_key_count,orig_resp_similar_http_method_count,orig_resp_similar_http_status_code_count,orig_resp_similar_http_user_agent_count,orig_resp_similar_ssl_version_count,orig_resp_similar_ssl_cipher_count,orig_resp_similar_ssl_curve_count,orig_resp_similar_ssl_validation_status_count,orig_resp_similar_files_source_count,orig_resp_similar_file_md5_count,resp_orig_total,resp_orig_connection.time_mean,resp_orig_connection.duration_mean,resp_orig_connection.orig_pkts_mean,resp_orig_connection.orig_bytes_mean,resp_orig_connection.resp_bytes_mean,resp_orig_connection.resp_pkts_mean,resp_orig_orig_p_well_known_count,resp_orig_orig_p_reg_or_dyn_count,resp_orig_resp_p_21_count,resp_orig_resp_p_22_count,resp_orig_resp_p_53_count,resp_orig_resp_p_80_count,resp_orig_resp_p_123_count,resp_orig_resp_p_443_count,resp_orig_resp_p_3389_count,resp_orig_resp_p_well_known_count,resp_orig_resp_p_reg_count,resp_orig_resp_p_dyn_count,resp_orig_dns_count_mean,resp_orig_ssh_count_mean,resp_orig_http_count_mean,resp_orig_ssl_count_mean,resp_orig_files_count_mean,resp_orig_similar_conns_count,resp_orig_similar_dns_qtype_count,resp_orig_similar_dns_rcode_count,resp_orig_similar_ssh_auth_attempts_count,resp_orig_similar_ssh_host_key_count,resp_orig_similar_http_method_count,resp_orig_similar_http_status_code_count,resp_orig_similar_http_user_agent_count,resp_orig_similar_ssl_version_count,resp_orig_similar_ssl_cipher_count,resp_orig_similar_ssl_curve_count,resp_orig_similar_ssl_validation_status_count,resp_orig_similar_files_source_count,resp_orig_similar_file_md5_count,resp_resp_total,resp_resp_connection.time_mean,resp_resp_connection.duration_mean,resp_resp_connection.orig_pkts_mean,resp_resp_connection.orig_bytes_mean,resp_resp_connection.resp_bytes_mean,resp_resp_connection.resp_pkts_mean,resp_resp_orig_p_well_known_count,resp_resp_orig_p_reg_or_dyn_count,resp_resp_resp_p_21_count,resp_resp_resp_p_22_count,resp_resp_resp_p_53_count,resp_resp_resp_p_80_count,resp_resp_resp_p_123_count,resp_resp_resp_p_443_count,resp_resp_resp_p_3389_count,resp_resp_resp_p_well_known_count,resp_resp_resp_p_reg_count,resp_resp_resp_p_dyn_count,resp_resp_dns_count_mean,resp_resp_ssh_count_mean,resp_resp_http_count_mean,resp_resp_ssl_count_mean,resp_resp_files_count_mean,resp_resp_similar_conns_count,resp_resp_similar_dns_qtype_count,resp_resp_similar_dns_rcode_count,resp_resp_similar_ssh_auth_attempts_count,resp_resp_similar_ssh_host_key_count,resp_resp_similar_http_method_count,resp_resp_similar_http_status_code_count,resp_resp_similar_http_user_agent_count,resp_resp_similar_ssl_version_count,resp_resp_similar_ssl_cipher_count,resp_resp_similar_ssl_curve_count,resp_resp_similar_ssl_validation_status_count,resp_resp_similar_files_source_count,resp_resp_similar_file_md5_count,orig_p_cat_orig_reg_or_dyn,orig_p_cat_orig_well_known,resp_p_cat_resp_123,resp_p_cat_resp_21,resp_p_cat_resp_22,resp_p_cat_resp_443,resp_p_cat_resp_53,resp_p_cat_resp_80,resp_p_cat_resp_dyn,resp_p_cat_resp_reg,resp_p_cat_resp_well_known,connection.proto_icmp,connection.proto_tcp,connection.proto_udp,connection.service_dce_rpc,connection.service_dns,connection.service_ftp,connection.service_ftp-data,"connection.service_gssapi,ntlm,smb","connection.service_gssapi,smb,dce_rpc","connection.service_gssapi,smb,krb",connection.service_http,connection.service_krb,connection.service_krb_tcp,connection.service_none,connection.service_ntp,connection.service_ssh,connection.service_ssl,connection.conn_state_OTH,connection.conn_state_REJ,connection.conn_state_RSTO,connection.conn_state_RSTR,connection.conn_state_RSTRH,connection.conn_state_S0,connection.conn_state_S1,connection.conn_state_S2,connection.conn_state_S3,connection.conn_state_SF,connection.conn_state_SH,connection.conn_state_SHR,orig_orig_connection.protocol_mode_icmp,orig_orig_connection.protocol_mode_tcp,orig_orig_connection.protocol_mode_udp,orig_orig_connection.service_mode_dce_rpc,orig_orig_connection.service_mode_dns,orig_orig_connection.service_mode_ftp,orig_orig_connection.service_mode_none,orig_orig_connection.service_mode_ntp,orig_orig_connection.service_mode_ssh,orig_orig_connection.service_mode_ssl,orig_orig_connection.conn_state_mode_OTH,orig_orig_connection.conn_state_mode_S0,orig_orig_connection.conn_state_mode_SF,orig_orig_connection.conn_state_mode_SH,orig_resp_connection.protocol_mode_-,orig_resp_connection.protocol_mode_icmp,orig_resp_connection.protocol_mode_tcp,orig_resp_connection.protocol_mode_udp,orig_resp_connection.service_mode_-,orig_resp_connection.service_mode_dns,orig_resp_connection.service_mode_ftp,orig_resp_connection.service_mode_http,orig_resp_connection.service_mode_none,orig_resp_connection.service_mode_ssh,orig_resp_connection.conn_state_mode_-,orig_resp_connection.conn_state_mode_OTH,orig_resp_connection.conn_state_mode_S0,orig_resp_connection.conn_state_mode_SF,resp_orig_connection.protocol_mode_-,resp_orig_connection.protocol_mode_icmp,resp_orig_connection.protocol_mode_udp,resp_orig_connection.service_mode_-,resp_orig_connection.service_mode_dns,resp_orig_connection.service_mode_none,resp_orig_connection.conn_state_mode_-,resp_orig_connection.conn_state_mode_OTH,resp_orig_connection.conn_state_mode_SF,resp_resp_connection.protocol_mode_icmp,resp_resp_connection.protocol_mode_tcp,resp_resp_connection.protocol_mode_udp,resp_resp_connection.service_mode_dns,resp_resp_connection.service_mode_ftp,resp_resp_connection.service_mode_http,resp_resp_connection.service_mode_none,resp_resp_connection.service_mode_ntp,resp_resp_connection.service_mode_ssh,resp_resp_connection.service_mode_ssl,resp_resp_connection.conn_state_mode_OTH,resp_resp_connection.conn_state_mode_REJ,resp_resp_connection.conn_state_mode_RSTO,resp_resp_connection.conn_state_mode_RSTR,resp_resp_connection.conn_state_mode_S0,resp_resp_connection.conn_state_mode_S1,resp_resp_connection.conn_state_mode_S2,resp_resp_connection.conn_state_mode_S3,resp_resp_connection.conn_state_mode_SF,resp_resp_connection.conn_state_mode_SH,resp_resp_connection.conn_state_mode_SHR,connection.time.1,duration,o_port,o_bytes,o_ip_bytes,connection.orig_pkts.1,r_port,r_bytes,r_ip_bytes,connection.resp_pkts.1
count,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0,21568.0
mean,0.50931,0.736,0.43839,0.00928,0.73425,0.00079,0.00128,0.00203,0.00312,0.00075,0.00077,0.00138,0.61387,0.00362,0.0542,0.19047,0.01647,0.43468,0.43544,0.2157,0.14426,0.21039,0.06363,0.11624,0.20304,0.42575,0.03929,0.29606,0.3034,0.22199,0.18727,0.2441,0.0,0.20956,0.15218,0.05292,0.61774,0.01496,0.22924,0.35219,0.37633,0.03318,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.13347,0.43831,0.02529,0.0087,0.01261,0.00034,0.00606,0.14368,0.1332,0.00667,0.00861,0.13127,0.00018,0.13992,6e-05,0.0,0.07699,0.11827,0.03531,0.21151,0.00657,5e-05,5e-05,0.0007,0.01872,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.28751,0.43825,0.02225,0.0486,0.03586,0.00437,0.04163,0.05684,0.28717,0.0,9e-05,0.28658,0.00011,0.00634,0.01518,0.0,0.14226,0.05,0.0,0.45443,9e-05,0.00021,0.00356,0.00181,0.00586,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.33049,0.43818,0.00928,0.00261,0.0011,0.00091,0.0017,0.28354,0.33068,0.04642,0.03346,0.32106,0.02232,0.27008,0.0303,0.0,0.1592,0.19833,0.07496,0.61432,0.00639,0.05418,0.19067,0.05032,0.03017,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.9662,0.0338,0.02902,0.0478,0.00362,0.21643,0.60924,0.07864,0.00046,0.0026,0.01219,9e-05,0.35349,0.64642,0.00042,0.61429,0.0478,0.00065,9e-05,0.00046,0.00042,0.05406,0.00116,0.00051,0.05708,0.02902,0.00357,0.19047,0.00236,0.00158,0.00686,0.01484,0.00019,0.00802,0.007,5e-05,0.0006,0.94724,0.01034,0.00093,9e-05,0.14095,0.85896,0.00056,0.90347,0.0472,0.03032,0.00223,0.00023,0.016,9e-05,5e-05,0.99981,5e-05,0.76423,0.00774,0.01595,0.21207,0.76423,0.21217,0.00825,5e-05,0.00779,0.00751,0.76423,0.00774,5e-05,0.22798,0.53667,0.00065,0.46268,0.53667,0.46268,0.00065,0.53667,0.00065,0.46268,9e-05,0.35117,0.64874,0.62259,0.05147,0.06945,0.03542,0.02601,0.00334,0.19172,0.00158,0.00158,0.00501,0.01284,0.00802,0.00617,9e-05,0.00023,0.95382,0.01062,5e-05,1499174288.9351,16.62516,48116.65991,654.08007,1088.49935,9.33221,191.95183,9971.8202,10509.65356,11.01377
std,0.11341,0.23925,0.29346,0.02891,0.27208,0.00981,0.011,0.01295,0.02304,0.01241,0.0124,0.01266,0.48687,0.06003,0.22642,0.39268,0.04572,0.2673,0.29366,0.13512,0.11412,0.15845,0.09776,0.105,0.3198,0.26798,0.17819,0.28821,0.25895,0.22101,0.32515,0.26956,0.0,0.18508,0.26808,0.14306,0.24871,0.04015,0.24097,0.2508,0.27799,0.10917,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.2663,0.29279,0.09769,0.02788,0.04544,0.00685,0.02199,0.27514,0.26595,0.07446,0.07149,0.26475,0.00826,0.27583,0.00718,0.0,0.17199,0.24313,0.15245,0.40266,0.07007,0.00681,0.00681,0.01126,0.06314,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.35938,0.28533,0.10965,0.11275,0.10745,0.01119,0.07404,0.0674,0.35921,0.0,0.00963,0.35903,0.00855,0.0317,0.03007,0.0,0.19455,0.15009,0.0,0.49061,0.00902,0.00932,0.01498,0.01122,0.03353,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.2925,0.29169,0.02376,0.01481,0.00984,0.01233,0.01276,0.32377,0.29216,0.20155,0.14208,0.2981,0.10198,0.32965,0.08728,0.0,0.22004,0.25034,0.21349,0.47541,0.05244,0.19067,0.3832,0.10956,0.10001,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.18072,0.18072,0.16788,0.21335,0.06003,0.41182,0.48793,0.26917,0.02153,0.05089,0.10975,0.00963,0.47806,0.47809,0.02042,0.48677,0.21335,0.02547,0.00963,0.02153,0.02042,0.22614,0.03403,0.02258,0.23199,0.16788,0.05964,0.39268,0.04857,0.03967,0.08255,0.1209,0.01362,0.0892,0.08338,0.00681,0.02454,0.22357,0.10116,0.03044,0.00963,0.34798,0.34807,0.02358,0.29533,0.21207,0.17148,0.04712,0.01522,0.12546,0.00963,0.00681,0.01362,0.00681,0.42449,0.08765,0.12528,0.40879,0.42449,0.40885,0.09047,0.00681,0.08791,0.08634,0.42449,0.08765,0.00681,0.41954,0.49866,0.02547,0.49862,0.49866,0.49862,0.02547,0.49866,0.02547,0.49862,0.00963,0.47735,0.47738,0.48475,0.22095,0.25423,0.18485,0.15917,0.05768,0.39366,0.03967,0.03967,0.07059,0.1126,0.0892,0.07829,0.00963,0.01522,0.20988,0.1025,0.00681,528.11062,51.77373,17829.15816,8158.28966,9324.34038,59.66536,1344.48775,165341.36567,170302.67065,101.18627
min,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1499173500.0012,0.0,3.0,0.0,0.0,0.0,10.0,0.0,0.0,0.0
25%,0.53453,0.77061,0.17921,1e-05,0.6892,7e-05,0.00013,0.00043,0.00074,1e-05,1e-05,0.00013,0.0,0.0,0.0,0.0,0.0,0.22097,0.14988,0.11711,0.11494,0.03887,0.00122,0.07934,0.01942,0.21931,0.0,0.0,0.11059,0.0,0.0,0.00706,0.0,0.08696,0.0,0.0,0.53235,0.0,0.0,0.00521,0.00541,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.17908,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.17874,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.00497,0.17906,0.00014,0.00016,9e-05,1e-05,0.00016,0.0,0.0055,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,1499173822.50547,0.0234,45165.0,57.0,106.0,2.0,53.0,117.0,164.0,1.0
50%,0.53453,0.85944,0.37603,3e-05,0.8188,0.0001,0.00017,0.00043,0.00074,1e-05,2e-05,0.00025,1.0,0.0,0.0,0.0,0.0,0.34738,0.36437,0.25674,0.14698,0.20672,0.04017,0.10864,0.02913,0.33224,0.0,0.33333,0.20619,0.2126,0.0102,0.18079,0.0,0.13043,0.0,0.0,0.57228,0.00802,0.17134,0.45712,0.37428,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.3756,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.3814,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.33052,0.37003,0.00023,0.00047,0.00019,2e-05,0.00035,0.0,0.33283,0.0,0.0,0.33451,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.97553,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,1.0,0.0,0.0,1.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,1499174176.71365,0.06105,53657.5,80.0,140.0,2.0,53.0,190.0,266.0,2.0
75%,0.53453,0.85944,0.67348,0.00303,0.92406,0.00041,0.00084,0.00217,0.00194,4e-05,8e-05,0.001,1.0,0.0,0.0,0.0,0.0,0.66479,0.68184,0.31605,0.17748,0.29283,0.07362,0.14452,0.20631,0.64995,0.00149,0.66667,0.51136,0.33858,0.18367,0.31356,0.0,0.26087,0.11111,0.0,0.65422,0.01928,0.30826,0.56843,0.61254,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.67273,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.66214,0.6729,0.00509,0.06407,0.03593,0.00748,0.0646,0.10714,0.66214,0.0,0.0,0.65933,0.0,0.0,0.01724,0.0,0.25,0.0,0.0,0.99663,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.56262,0.65232,0.00461,0.00313,0.00062,0.00012,0.00154,0.6,0.56022,0.0,0.0,0.54696,0.0,0.61538,0.0,0.0,0.27027,0.33333,0.0,0.98923,0.0,0.0,0.0,0.00081,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,1.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,0.0,1.0,0.0,1.0,1.0,1.0,0.0,1.0,0.0,1.0,0.0,1.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,1499174712.00652,5.42542,60555.0,345.25,708.0,10.0,123.0,498.0,1056.0,8.0
max,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,1.0,1.0,1.0,1.0,1.0,0.0,1.0,1.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1499175299.61299,1790.89309,65531.0,831950.0,847675.0,4606.0,58362.0,13321749.0,13737489.0,7995.0


In [9]:
# Columns names as constant lists for easier usage:

# columns that contain values of the current main connection
CONN_IDS_COLS = ['connection.uid', 'originated_ip', 'responded_ip']

CONN_NUMERICAL_COLS = ['connection.time', 
                       'connection.duration', 
                       # originator details
                       'connection.orig_p', 
                       'connection.orig_bytes', 
                       #'connection.orig_ip_bytes', 
                       'connection.orig_pkts', 
                       # responder details
                       'connection.resp_p', 
                       'connection.resp_bytes', 
                       #'connection.resp_ip_bytes', 
                       'connection.resp_pkts']

CONN_CATEGORICAL_COLS = ['connection.proto', 
                         'connection.service', 
                         'connection.conn_state']

CONN_APP_STATS = ['dns_count', 'ssh_count', 'http_count', 'ssl_count', 'files_count']

# originator originated neighbrouhood columns:
ORIG_ORIG_NUMERICAL_COLS = ['orig_orig_total', 
                            'orig_orig_connection.time_mean', 
                            'orig_orig_connection.duration_mean',
                            #'orig_orig_connection.orig_p_mean', 
                            'orig_orig_connection.orig_pkts_mean',
                            'orig_orig_connection.orig_bytes_mean',
                            #'orig_orig_connection.resp_p_mean', 
                            'orig_orig_connection.resp_bytes_mean',
                            'orig_orig_connection.resp_pkts_mean']
                            
ORIG_ORIG_CATEGORICAL_COLS = ['orig_orig_connection.protocol_mode', 
                              'orig_orig_connection.service_mode', 
                              'orig_orig_connection.conn_state_mode']

ORIG_ORIG_PORTS_COLS = ['orig_orig_orig_p_well_known_count', 
                        'orig_orig_orig_p_reg_or_dyn_count', 
                        'orig_orig_resp_p_21_count', 
                        'orig_orig_resp_p_22_count',
                        'orig_orig_resp_p_53_count', 
                        'orig_orig_resp_p_80_count', 
                        'orig_orig_resp_p_123_count', 
                        'orig_orig_resp_p_443_count', 
                        'orig_orig_resp_p_3389_count',
                        'orig_orig_resp_p_well_known_count', 
                        'orig_orig_resp_p_reg_count', 
                        'orig_orig_resp_p_dyn_count']

ORIG_ORIG_APP_STATS_COLS = ['orig_orig_dns_count_mean', 
                            'orig_orig_ssh_count_mean', 
                            'orig_orig_http_count_mean', 
                            'orig_orig_ssl_count_mean', 
                            'orig_orig_files_count_mean']

ORIG_ORIG_SIMILAR_COLS = ['orig_orig_similar_conns_count',
                          'orig_orig_similar_dns_qtype_count', 
                          'orig_orig_similar_dns_rcode_count', 
                          'orig_orig_similar_ssh_auth_attempts_count', 
                          'orig_orig_similar_ssh_host_key_count', 
                          'orig_orig_similar_http_method_count',
                          'orig_orig_similar_http_status_code_count', 
                          'orig_orig_similar_http_user_agent_count',
                          'orig_orig_similar_ssl_version_count', 
                          'orig_orig_similar_ssl_cipher_count', 
                          'orig_orig_similar_ssl_curve_count',
                          'orig_orig_similar_ssl_validation_status_count', 
                          'orig_orig_similar_files_source_count', 
                          'orig_orig_similar_file_md5_count']

# originator responded neighbrouhood columns:
ORIG_RESP_NUMERICAL_COLS = ['orig_resp_total', 
                            'orig_resp_connection.time_mean', 
                            'orig_resp_connection.duration_mean',
                            #'orig_resp_connection.orig_p_mean', 
                            'orig_resp_connection.orig_pkts_mean',
                            'orig_resp_connection.orig_bytes_mean',
                            #'orig_resp_connection.resp_p_mean', 
                            'orig_resp_connection.resp_bytes_mean',
                            'orig_resp_connection.resp_pkts_mean']
                            
ORIG_RESP_CATEGORICAL_COLS = ['orig_resp_connection.protocol_mode', 
                              'orig_resp_connection.service_mode', 
                              'orig_resp_connection.conn_state_mode']

ORIG_RESP_PORTS_COLS = ['orig_resp_orig_p_well_known_count', 
                        'orig_resp_orig_p_reg_or_dyn_count', 
                        'orig_resp_resp_p_21_count', 
                        'orig_resp_resp_p_22_count',
                        'orig_resp_resp_p_53_count', 
                        'orig_resp_resp_p_80_count', 
                        'orig_resp_resp_p_123_count', 
                        'orig_resp_resp_p_443_count', 
                        'orig_resp_resp_p_3389_count',
                        'orig_resp_resp_p_well_known_count', 
                        'orig_resp_resp_p_reg_count', 
                        'orig_resp_resp_p_dyn_count']

ORIG_RESP_APP_STATS_COLS = ['orig_resp_dns_count_mean', 
                            'orig_resp_ssh_count_mean', 
                            'orig_resp_http_count_mean', 
                            'orig_resp_ssl_count_mean', 
                            'orig_resp_files_count_mean']

ORIG_RESP_SIMILAR_COLS = ['orig_resp_similar_conns_count',
                          'orig_resp_similar_dns_qtype_count', 
                          'orig_resp_similar_dns_rcode_count', 
                          'orig_resp_similar_ssh_auth_attempts_count', 
                          'orig_resp_similar_ssh_host_key_count', 
                          'orig_resp_similar_http_method_count',
                          'orig_resp_similar_http_status_code_count', 
                          'orig_resp_similar_http_user_agent_count',
                          'orig_resp_similar_ssl_version_count', 
                          'orig_resp_similar_ssl_cipher_count', 
                          'orig_resp_similar_ssl_curve_count',
                          'orig_resp_similar_ssl_validation_status_count', 
                          'orig_resp_similar_files_source_count', 
                          'orig_resp_similar_file_md5_count']

# responder originated neighbrouhood columns:
RESP_ORIG_NUMERICAL_COLS = ['resp_orig_total', 
                            'resp_orig_connection.time_mean', 
                            'resp_orig_connection.duration_mean',
                            #'resp_orig_connection.orig_p_mean', 
                            'resp_orig_connection.orig_pkts_mean',
                            'resp_orig_connection.orig_bytes_mean',
                            #'resp_orig_connection.resp_p_mean', 
                            'resp_orig_connection.resp_bytes_mean',
                            'resp_orig_connection.resp_pkts_mean']
                            
RESP_ORIG_CATEGORICAL_COLS = ['resp_orig_connection.protocol_mode', 
                              'resp_orig_connection.service_mode', 
                              'resp_orig_connection.conn_state_mode']

RESP_ORIG_PORTS_COLS = ['resp_orig_orig_p_well_known_count', 
                        'resp_orig_orig_p_reg_or_dyn_count', 
                        'resp_orig_resp_p_21_count', 
                        'resp_orig_resp_p_22_count',
                        'resp_orig_resp_p_53_count', 
                        'resp_orig_resp_p_80_count', 
                        'resp_orig_resp_p_123_count', 
                        'resp_orig_resp_p_443_count', 
                        'resp_orig_resp_p_3389_count',
                        'resp_orig_resp_p_well_known_count', 
                        'resp_orig_resp_p_reg_count', 
                        'resp_orig_resp_p_dyn_count']

RESP_ORIG_APP_STATS_COLS = ['resp_orig_dns_count_mean', 
                            'resp_orig_ssh_count_mean', 
                            'resp_orig_http_count_mean', 
                            'resp_orig_ssl_count_mean', 
                            'resp_orig_files_count_mean']

RESP_ORIG_SIMILAR_COLS = ['resp_orig_similar_conns_count',
                          'resp_orig_similar_dns_qtype_count', 
                          'resp_orig_similar_dns_rcode_count', 
                          'resp_orig_similar_ssh_auth_attempts_count', 
                          'resp_orig_similar_ssh_host_key_count', 
                          'resp_orig_similar_http_method_count',
                          'resp_orig_similar_http_status_code_count', 
                          'resp_orig_similar_http_user_agent_count',
                          'resp_orig_similar_ssl_version_count', 
                          'resp_orig_similar_ssl_cipher_count', 
                          'resp_orig_similar_ssl_curve_count',
                          'resp_orig_similar_ssl_validation_status_count', 
                          'resp_orig_similar_files_source_count', 
                          'resp_orig_similar_file_md5_count']

# responder responded neighbrouhood columns:
RESP_RESP_NUMERICAL_COLS = ['resp_resp_total', 
                            'resp_resp_connection.time_mean', 
                            'resp_resp_connection.duration_mean',
                            #'resp_resp_connection.orig_p_mean', 
                            'resp_resp_connection.orig_pkts_mean',
                            'resp_resp_connection.orig_bytes_mean',
                            #'resp_resp_connection.resp_p_mean', 
                            'resp_resp_connection.resp_bytes_mean',
                            'resp_resp_connection.resp_pkts_mean']
                            
RESP_RESP_CATEGORICAL_COLS = ['resp_resp_connection.protocol_mode', 
                              'resp_resp_connection.service_mode', 
                              'resp_resp_connection.conn_state_mode']

RESP_RESP_PORTS_COLS = ['resp_resp_orig_p_well_known_count', 
                        'resp_resp_orig_p_reg_or_dyn_count', 
                        'resp_resp_resp_p_21_count', 
                        'resp_resp_resp_p_22_count',
                        'resp_resp_resp_p_53_count', 
                        'resp_resp_resp_p_80_count', 
                        'resp_resp_resp_p_123_count', 
                        'resp_resp_resp_p_443_count', 
                        'resp_resp_resp_p_3389_count',
                        'resp_resp_resp_p_well_known_count', 
                        'resp_resp_resp_p_reg_count', 
                        'resp_resp_resp_p_dyn_count']

RESP_RESP_APP_STATS_COLS = ['resp_resp_dns_count_mean', 
                            'resp_resp_ssh_count_mean', 
                            'resp_resp_http_count_mean', 
                            'resp_resp_ssl_count_mean', 
                            'resp_resp_files_count_mean']

RESP_RESP_SIMILAR_COLS = ['resp_resp_similar_conns_count',
                          'resp_resp_similar_dns_qtype_count', 
                          'resp_resp_similar_dns_rcode_count', 
                          'resp_resp_similar_ssh_auth_attempts_count', 
                          'resp_resp_similar_ssh_host_key_count', 
                          'resp_resp_similar_http_method_count',
                          'resp_resp_similar_http_status_code_count', 
                          'resp_resp_similar_http_user_agent_count',
                          'resp_resp_similar_ssl_version_count', 
                          'resp_resp_similar_ssl_cipher_count', 
                          'resp_resp_similar_ssl_curve_count',
                          'resp_resp_similar_ssl_validation_status_count', 
                          'resp_resp_similar_files_source_count', 
                          'resp_resp_similar_file_md5_count']

# categorical
OHE_ORIG_P_CAT_COLS = ['orig_p_cat_orig_reg_or_dyn', 
                       'orig_p_cat_orig_well_known']

OHE_RESP_P_CAT_COLS = ['resp_p_cat_resp_123', 
                       'resp_p_cat_resp_21', 
                       'resp_p_cat_resp_22',
                       'resp_p_cat_resp_443', 
                       'resp_p_cat_resp_53',
                       'resp_p_cat_resp_80', 
                       'resp_p_cat_resp_dyn', 
                       'resp_p_cat_resp_reg',
                       'resp_p_cat_resp_well_known']

BACKUP_COLS = ['attacker_label', 'victim_label', 'connection.ts']

In [10]:
def load_col_names(list_name, file_path):
    f = open(file_path, 'r')
    for ohe_col in f:
        list_name.append(ohe_col.strip())
    f.close()
    print(list_name)

In [11]:
OHE_PROTO_CAT_COLS = []
OHE_SERVICE_CAT_COLS = []
OHE_CONN_STATE_CAT_COLS = []
ORIG_ORIG_OHE_CAT_COLS = []
ORIG_RESP_OHE_CAT_COLS = []
RESP_ORIG_OHE_CAT_COLS = []
RESP_RESP_OHE_CAT_COLS = []

load_col_names(OHE_PROTO_CAT_COLS,  PREFIX_PATH + 'ohe_proto_cat_cols.txt')
load_col_names(OHE_SERVICE_CAT_COLS,  PREFIX_PATH + 'ohe_service_cat_cols.txt')
load_col_names(OHE_CONN_STATE_CAT_COLS,  PREFIX_PATH + 'ohe_conn_state_cat_cols.txt')
load_col_names(ORIG_ORIG_OHE_CAT_COLS,  PREFIX_PATH + 'orig_orig_categorical_cols.txt')
load_col_names(ORIG_RESP_OHE_CAT_COLS,  PREFIX_PATH + 'orig_resp_categorical_cols.txt')
load_col_names(RESP_ORIG_OHE_CAT_COLS,  PREFIX_PATH + 'resp_orig_categorical_cols.txt')
load_col_names(RESP_RESP_OHE_CAT_COLS,  PREFIX_PATH + 'resp_resp_categorical_cols.txt')

['connection.proto_icmp', 'connection.proto_tcp', 'connection.proto_udp']
['connection.service_dce_rpc', 'connection.service_dns', 'connection.service_ftp', 'connection.service_ftp-data', 'connection.service_gssapi,ntlm,smb', 'connection.service_gssapi,smb,dce_rpc', 'connection.service_gssapi,smb,krb', 'connection.service_http', 'connection.service_krb', 'connection.service_krb_tcp', 'connection.service_none', 'connection.service_ntp', 'connection.service_ssh', 'connection.service_ssl']
['connection.conn_state_OTH', 'connection.conn_state_REJ', 'connection.conn_state_RSTO', 'connection.conn_state_RSTR', 'connection.conn_state_RSTRH', 'connection.conn_state_S0', 'connection.conn_state_S1', 'connection.conn_state_S2', 'connection.conn_state_S3', 'connection.conn_state_SF', 'connection.conn_state_SH', 'connection.conn_state_SHR']
['connection.conn_state_OTH', 'connection.conn_state_REJ', 'connection.conn_state_RSTO', 'connection.conn_state_RSTR', 'connection.conn_state_RSTRH', 'connection

In [12]:
df = selected_df.filter(CONN_NUMERICAL_COLS + 
                        # categorical
                        ['orig_p_cat', 
                         'resp_p_cat',
                         'protocol',
                         'service', 
                         'conn_state'] + 
                        CONN_APP_STATS + 
                        
                        # originator neighbourhood
                        ORIG_ORIG_NUMERICAL_COLS + 
                        ORIG_ORIG_PORTS_COLS + 
                        ORIG_ORIG_APP_STATS_COLS + 
                        ORIG_ORIG_SIMILAR_COLS + 
                        # originator categorical neighbourhood 
                        ORIG_ORIG_CATEGORICAL_COLS + 
                        
                        # originator neighbourhood
                        ORIG_RESP_NUMERICAL_COLS + 
                        ORIG_RESP_PORTS_COLS + 
                        ORIG_RESP_APP_STATS_COLS + 
                        ORIG_RESP_SIMILAR_COLS + 
                        # originator categorical neighbourhood 
                        ORIG_RESP_CATEGORICAL_COLS + 
                        
                        # originator neighbourhood
                        RESP_ORIG_NUMERICAL_COLS + 
                        RESP_ORIG_PORTS_COLS + 
                        RESP_ORIG_APP_STATS_COLS + 
                        RESP_ORIG_SIMILAR_COLS + 
                        # originator categorical neighbourhood 
                        RESP_ORIG_CATEGORICAL_COLS + 
                        
                        # originator neighbourhood
                        RESP_RESP_NUMERICAL_COLS + 
                        RESP_RESP_PORTS_COLS + 
                        RESP_RESP_APP_STATS_COLS + 
                        RESP_RESP_SIMILAR_COLS + 
                        # originator categorical neighbourhood 
                        RESP_RESP_CATEGORICAL_COLS, axis=1)

In [13]:
df.head()

Unnamed: 0,connection.time,connection.duration,connection.orig_p,connection.orig_bytes,connection.orig_pkts,connection.resp_p,connection.resp_bytes,connection.resp_pkts,orig_p_cat,resp_p_cat,protocol,service,conn_state,dns_count,ssh_count,http_count,ssl_count,files_count,orig_orig_total,orig_orig_connection.time_mean,orig_orig_connection.duration_mean,orig_orig_connection.orig_pkts_mean,orig_orig_connection.orig_bytes_mean,orig_orig_connection.resp_bytes_mean,orig_orig_connection.resp_pkts_mean,orig_orig_orig_p_well_known_count,orig_orig_orig_p_reg_or_dyn_count,orig_orig_resp_p_21_count,orig_orig_resp_p_22_count,orig_orig_resp_p_53_count,orig_orig_resp_p_80_count,orig_orig_resp_p_123_count,orig_orig_resp_p_443_count,orig_orig_resp_p_3389_count,orig_orig_resp_p_well_known_count,orig_orig_resp_p_reg_count,orig_orig_resp_p_dyn_count,orig_orig_dns_count_mean,orig_orig_ssh_count_mean,orig_orig_http_count_mean,orig_orig_ssl_count_mean,orig_orig_files_count_mean,orig_orig_similar_conns_count,orig_orig_similar_dns_qtype_count,orig_orig_similar_dns_rcode_count,orig_orig_similar_ssh_auth_attempts_count,orig_orig_similar_ssh_host_key_count,orig_orig_similar_http_method_count,orig_orig_similar_http_status_code_count,orig_orig_similar_http_user_agent_count,orig_orig_similar_ssl_version_count,orig_orig_similar_ssl_cipher_count,orig_orig_similar_ssl_curve_count,orig_orig_similar_ssl_validation_status_count,orig_orig_similar_files_source_count,orig_orig_similar_file_md5_count,orig_orig_connection.protocol_mode,orig_orig_connection.service_mode,orig_orig_connection.conn_state_mode,orig_resp_total,orig_resp_connection.time_mean,orig_resp_connection.duration_mean,orig_resp_connection.orig_pkts_mean,orig_resp_connection.orig_bytes_mean,orig_resp_connection.resp_bytes_mean,orig_resp_connection.resp_pkts_mean,orig_resp_orig_p_well_known_count,orig_resp_orig_p_reg_or_dyn_count,orig_resp_resp_p_21_count,orig_resp_resp_p_22_count,orig_resp_resp_p_53_count,orig_resp_resp_p_80_count,orig_resp_resp_p_123_count,orig_resp_resp_p_443_count,orig_resp_resp_p_3389_count,orig_resp_resp_p_well_known_count,orig_resp_resp_p_reg_count,orig_resp_resp_p_dyn_count,orig_resp_dns_count_mean,orig_resp_ssh_count_mean,orig_resp_http_count_mean,orig_resp_ssl_count_mean,orig_resp_files_count_mean,orig_resp_similar_conns_count,orig_resp_similar_dns_qtype_count,orig_resp_similar_dns_rcode_count,orig_resp_similar_ssh_auth_attempts_count,orig_resp_similar_ssh_host_key_count,orig_resp_similar_http_method_count,orig_resp_similar_http_status_code_count,orig_resp_similar_http_user_agent_count,orig_resp_similar_ssl_version_count,orig_resp_similar_ssl_cipher_count,orig_resp_similar_ssl_curve_count,orig_resp_similar_ssl_validation_status_count,orig_resp_similar_files_source_count,orig_resp_similar_file_md5_count,orig_resp_connection.protocol_mode,orig_resp_connection.service_mode,orig_resp_connection.conn_state_mode,resp_orig_total,resp_orig_connection.time_mean,resp_orig_connection.duration_mean,resp_orig_connection.orig_pkts_mean,resp_orig_connection.orig_bytes_mean,resp_orig_connection.resp_bytes_mean,resp_orig_connection.resp_pkts_mean,resp_orig_orig_p_well_known_count,resp_orig_orig_p_reg_or_dyn_count,resp_orig_resp_p_21_count,resp_orig_resp_p_22_count,resp_orig_resp_p_53_count,resp_orig_resp_p_80_count,resp_orig_resp_p_123_count,resp_orig_resp_p_443_count,resp_orig_resp_p_3389_count,resp_orig_resp_p_well_known_count,resp_orig_resp_p_reg_count,resp_orig_resp_p_dyn_count,resp_orig_dns_count_mean,resp_orig_ssh_count_mean,resp_orig_http_count_mean,resp_orig_ssl_count_mean,resp_orig_files_count_mean,resp_orig_similar_conns_count,resp_orig_similar_dns_qtype_count,resp_orig_similar_dns_rcode_count,resp_orig_similar_ssh_auth_attempts_count,resp_orig_similar_ssh_host_key_count,resp_orig_similar_http_method_count,resp_orig_similar_http_status_code_count,resp_orig_similar_http_user_agent_count,resp_orig_similar_ssl_version_count,resp_orig_similar_ssl_cipher_count,resp_orig_similar_ssl_curve_count,resp_orig_similar_ssl_validation_status_count,resp_orig_similar_files_source_count,resp_orig_similar_file_md5_count,resp_orig_connection.protocol_mode,resp_orig_connection.service_mode,resp_orig_connection.conn_state_mode,resp_resp_total,resp_resp_connection.time_mean,resp_resp_connection.duration_mean,resp_resp_connection.orig_pkts_mean,resp_resp_connection.orig_bytes_mean,resp_resp_connection.resp_bytes_mean,resp_resp_connection.resp_pkts_mean,resp_resp_orig_p_well_known_count,resp_resp_orig_p_reg_or_dyn_count,resp_resp_resp_p_21_count,resp_resp_resp_p_22_count,resp_resp_resp_p_53_count,resp_resp_resp_p_80_count,resp_resp_resp_p_123_count,resp_resp_resp_p_443_count,resp_resp_resp_p_3389_count,resp_resp_resp_p_well_known_count,resp_resp_resp_p_reg_count,resp_resp_resp_p_dyn_count,resp_resp_dns_count_mean,resp_resp_ssh_count_mean,resp_resp_http_count_mean,resp_resp_ssl_count_mean,resp_resp_files_count_mean,resp_resp_similar_conns_count,resp_resp_similar_dns_qtype_count,resp_resp_similar_dns_rcode_count,resp_resp_similar_ssh_auth_attempts_count,resp_resp_similar_ssh_host_key_count,resp_resp_similar_http_method_count,resp_resp_similar_http_status_code_count,resp_resp_similar_http_user_agent_count,resp_resp_similar_ssl_version_count,resp_resp_similar_ssl_cipher_count,resp_resp_similar_ssl_curve_count,resp_resp_similar_ssl_validation_status_count,resp_resp_similar_files_source_count,resp_resp_similar_file_md5_count,resp_resp_connection.protocol_mode,resp_resp_connection.service_mode,resp_resp_connection.conn_state_mode
0,0.99208,0.0,0.73778,0.00387,0.00043,0.00134,5e-05,0.00025,orig_reg_or_dyn,resp_well_known,udp,krb,SF,0.0,0.0,0.0,0.0,0.0,0.04073,1.0,3e-05,0.03676,0.10227,0.00214,0.02768,0.00971,0.04077,0.0,0.0,0.03468,0.0,0.0,0.00141,0.0,0.52174,0.11111,0.0,0.84091,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF,0.00546,0.96419,0.09267,0.24798,0.26025,0.00808,0.18825,0.26667,0.0035,0.0,0.375,0.0,0.0,0.0,0.0,0.0,0.13514,0.0,0.0,0.36633,0.88636,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,tcp,ssh,SF,0.28732,0.91013,0.00384,0.06851,0.04776,0.00952,0.06587,0.07143,0.28679,0.0,0.0,0.28444,0.0,0.0,0.06897,0.0,0.16667,0.5,0.0,0.99186,0.0,0.0,0.03136,0.0153,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF,0.28231,0.95642,0.00013,0.00052,0.00025,3e-05,0.00038,0.53333,0.28036,0.0,0.0,0.26921,0.0,0.38462,0.0,0.0,0.67568,0.33333,0.25,0.942,0.0,0.0,0.0,0.0002,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF
1,0.19842,3e-05,0.93073,7e-05,0.00043,0.00074,1e-05,0.00025,orig_reg_or_dyn,resp_53,udp,dns,SF,1.0,0.0,0.0,0.0,0.0,0.83801,0.12947,0.22982,0.12452,0.23242,0.03702,0.09226,0.01942,0.83833,0.0,0.66667,0.51031,0.44094,0.0102,0.82345,0.0,0.08696,0.0,0.0,0.60804,0.00893,0.18068,0.59449,0.6203,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF,0.0,0.19842,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-,-,-,0.9986,0.18665,0.00494,0.06211,0.03433,0.00736,0.06449,0.10714,0.99859,0.0,0.0,0.99859,0.0,0.0,0.0,0.0,0.25,0.0,0.0,0.99953,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF,0.8663,0.18455,0.00021,0.00049,0.0002,2e-05,0.00035,0.66667,0.86657,0.0,0.0,0.85937,0.0,0.69231,0.0,0.0,0.54054,0.66667,0.0,0.98108,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF
2,0.59712,0.0033,0.05111,0.0,0.00087,0.0012,0.0,0.00025,orig_reg_or_dyn,resp_80,tcp,none,SF,0.0,0.0,0.0,0.0,0.0,0.38717,0.60732,0.25674,0.13896,0.17317,0.05968,0.11284,0.00971,0.38754,0.0,0.33333,0.24836,0.27953,0.0102,0.31356,0.0,0.08696,0.0,0.0,0.6401,0.00966,0.25885,0.46498,0.69863,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF,0.0,0.59712,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-,-,-,0.0,0.59712,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-,-,-,0.00845,0.62214,0.04303,0.00395,0.00118,0.00013,0.00168,0.0,0.009,0.0,0.0,0.0,0.30357,0.0,0.02326,0.0,0.0,0.0,0.0,0.0,0.0,0.55556,0.05556,0.35797,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,tcp,http,SF
3,0.87472,0.0032,0.8218,0.00057,0.00174,0.00742,0.00023,0.00075,orig_reg_or_dyn,resp_443,tcp,ssl,RSTR,0.0,0.0,0.0,1.0,0.07407,0.04401,0.84139,0.18483,0.10142,0.16398,0.0117,0.07062,0.00971,0.04405,0.00149,0.33333,0.0328,0.00787,0.0102,0.0226,0.0,0.08696,0.0,0.33333,0.73684,0.08421,0.08847,0.32964,0.21998,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF,0.0,0.87472,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-,-,-,0.0,0.87472,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-,-,-,0.0005,0.87471,0.02998,0.00376,0.00161,0.00039,0.00162,0.0,0.001,0.0,0.0,0.0,0.0,0.0,0.04651,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.0,0.22609,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,tcp,ssl,RSTO
4,0.35963,0.00466,0.9087,0.00016,0.00239,0.00019,1e-05,0.00213,orig_reg_or_dyn,resp_21,tcp,ftp,SF,0.0,0.0,0.0,0.0,0.0,0.29494,0.34263,0.11674,0.17445,0.03877,0.00122,0.18105,0.0,0.29569,0.94179,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,tcp,ftp,SF,0.0,0.35963,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,-,-,-,0.06411,0.42015,0.30084,0.27733,0.23586,0.01998,0.22379,0.03571,0.06373,0.0,0.0,0.05717,0.0,0.04348,0.03448,0.0,0.91667,0.5,0.0,0.89051,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,udp,dns,SF,0.14165,0.35946,0.00464,0.00348,0.00045,3e-05,0.0027,0.2,0.14143,0.97445,0.5,0.0,0.0,0.0,0.0,0.0,0.21622,0.33333,0.25,0.01748,0.04995,0.0,0.0,0.00119,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,tcp,ftp,SF


In [14]:
df.columns

Index(['connection.time', 'connection.duration', 'connection.orig_p',
       'connection.orig_bytes', 'connection.orig_pkts', 'connection.resp_p',
       'connection.resp_bytes', 'connection.resp_pkts', 'orig_p_cat',
       'resp_p_cat',
       ...
       'resp_resp_similar_http_user_agent_count',
       'resp_resp_similar_ssl_version_count',
       'resp_resp_similar_ssl_cipher_count',
       'resp_resp_similar_ssl_curve_count',
       'resp_resp_similar_ssl_validation_status_count',
       'resp_resp_similar_files_source_count',
       'resp_resp_similar_file_md5_count',
       'resp_resp_connection.protocol_mode',
       'resp_resp_connection.service_mode',
       'resp_resp_connection.conn_state_mode'],
      dtype='object', length=182)

In [15]:
# Get the position of categorical columns
cat_cols_i_list = [df.columns.get_loc(col) for col in list(df.select_dtypes('object').columns)]
print('Categorical columns         : {}'.format(list(df.select_dtypes('object').columns)))
print('Categorical columns indexes : {}'.format(cat_cols_i_list))

Categorical columns         : ['orig_p_cat', 'resp_p_cat', 'protocol', 'service', 'conn_state', 'orig_orig_connection.protocol_mode', 'orig_orig_connection.service_mode', 'orig_orig_connection.conn_state_mode', 'orig_resp_connection.protocol_mode', 'orig_resp_connection.service_mode', 'orig_resp_connection.conn_state_mode', 'resp_orig_connection.protocol_mode', 'resp_orig_connection.service_mode', 'resp_orig_connection.conn_state_mode', 'resp_resp_connection.protocol_mode', 'resp_resp_connection.service_mode', 'resp_resp_connection.conn_state_mode']
Categorical columns indexes : [8, 9, 10, 11, 12, 56, 57, 58, 97, 98, 99, 138, 139, 140, 179, 180, 181]


In [16]:
# Convert dataframe to matrix
df_matrix = df.to_numpy()
df_matrix

array([[0.9920793433754314, 5.567054808877647e-07, 0.7377762178000244,
        ..., 'udp', 'dns', 'SF'],
       [0.1984202227135451, 2.5947389158837222e-05, 0.9307319008668052,
        ..., 'udp', 'dns', 'SF'],
       [0.5971220362746952, 0.0033046232778701, 0.0511079233304847, ...,
        'tcp', 'http', 'SF'],
       ...,
       [0.8720174788862864, 9.157442213032775e-08, 0.8769381027957515,
        ..., 'udp', 'dns', 'SF'],
       [0.7602886705929931, 1.3185041645132414e-05, 0.4706385056769625,
        ..., 'udp', 'dns', 'SF'],
       [0.394536492982623, 1.2396049825155744e-07, 0.5237150531070688,
        ..., 'udp', 'dns', 'SF']], dtype=object)

In [None]:
from datetime import datetime

# Choose optimal K using Elbow method
cost = []
print_info = []
computed_clusters = []

print('Start at ' + datetime.now().strftime("%H:%M:%S") + '.')
#for cluster in range(1, 15):
for cluster in range(1, 8):
    try:
        kprototype = KPrototypes(n_jobs=-1, n_clusters=cluster, init='Huang', random_state=0)
        kprototype.fit_predict(X=df_matrix, categorical=cat_cols_i_list)
        computed_clusters.append(kprototype)
        cost.append(kprototype.cost_)
        print_str = 'Cluster initiation: {:2} ({}), gamma: {}'.format(cluster, 
                                                                      datetime.now().strftime("%H:%M:%S"), 
                                                                      kprototype.gamma)
        print_info.append(print_str)
        print(print_str)
    except:
        break
print('Done at ' + datetime.now().strftime("%H:%M:%S") + '.')

Start at 00:03:54.
Cluster initiation:  1 (00:04:13), gamma: 0.11306507183821783
Cluster initiation:  2 (00:04:43), gamma: 0.11306507183821783
Cluster initiation:  3 (00:05:18), gamma: 0.11306507183821783
Cluster initiation:  4 (00:06:18), gamma: 0.11306507183821783


In [None]:
print_info

In [None]:
cost

In [None]:
#df_cost = pd.DataFrame({'Cluster': range(1, 15), 'Cost': cost})
df_cost = pd.DataFrame({'Cluster': range(1, len(computed_clusters) + 1), 'Cost': cost})

In [None]:
df_cost

In [None]:
# Import module for data visualization
from plotnine import *
import plotnine

plotnine.options.figure_size = (8, 4.8)
(
    ggplot(data = df_cost)+
    geom_line(aes(x = 'Cluster',
                  y = 'Cost'))+
    geom_point(aes(x = 'Cluster',
                   y = 'Cost'))+
    geom_label(aes(x = 'Cluster',
                   y = 'Cost',
                   label = 'Cluster'),
               size = 10,
               nudge_y = 1000) +
    labs(title = 'Optimal number of clusters k (using the Elbow Method)')+
    xlab('number of clusters')+
    ylab('cost')+
    theme_minimal()
)

In [None]:
# Fit the cluster
OPTIMAL_K = 4

kprototype = computed_clusters[OPTIMAL_K]
#kprototype = computed_clusters[0]

In [None]:
# Cluster centorid
kprototype.cluster_centroids_

In [None]:
# Check the iteration of the clusters created
kprototype.n_iter_

In [None]:
# Check the cost of the clusters created
kprototype.cost_

In [None]:
# df.drop('Cluster Labels', axis=1, inplace=True)
# df.drop('cluster', axis=1, inplace=True)
# df.head()

In [None]:
# Add cluster labels to original dataframe
df['cluster'] = kprototype.labels_
df['cluster_cat'] = df['cluster']

# (groupby works only on category type)
df['cluster_cat'] = df['cluster_cat'].astype('category')

In [None]:
df.head()

In [None]:
df.columns

In [None]:
df['cluster'].value_counts()

## 2. Results

In [None]:
# Cluster interpretation
# (using average for numerical, mode for categorical attributes)

#df.rename(columns = {'cluster':'Total'}, inplace = True)
df.groupby('cluster_cat').agg(
    {
        'cluster':'count',
        'protocol': lambda x: x.value_counts().index[0],
        'service': lambda x: x.value_counts().index[0],
        'conn_state': lambda x: x.value_counts().index[0],
        'orig_p_cat' : lambda x: x.value_counts().index[0],
        'resp_p_cat': lambda x: x.value_counts().index[0],
        'connection.time': 'mean',
        'connection.duration': 'mean',
        'connection.orig_bytes': 'mean', 
        #'connection.orig_ip_bytes': 'mean',
        'connection.orig_pkts': 'mean',
        'connection.resp_bytes': 'mean',
        #'connection.resp_ip_bytes': 'mean',
        'connection.resp_pkts': 'mean',
        'dns_count': 'mean',
        'ssh_count': 'mean',
        'http_count': 'mean',
        'ssl_count': 'mean',
        'files_count': 'mean'
        
    }
).reset_index()

In [None]:
df.groupby('cluster_cat').agg(
    {
        'cluster':'count',
        # responder neighbourhood
        'orig_orig_total': 'mean', 
        'orig_orig_connection.protocol_mode': lambda x: x.value_counts().index[0],
        'orig_orig_connection.service_mode': lambda x: x.value_counts().index[0],
        'orig_orig_connection.conn_state_mode': lambda x: x.value_counts().index[0],
        'orig_orig_connection.time_mean': 'mean',
        'orig_orig_connection.duration_mean': 'mean', 
        'orig_orig_connection.orig_bytes_mean': 'mean', 
        'orig_orig_connection.orig_pkts_mean': 'mean',
        'orig_orig_connection.resp_bytes_mean': 'mean',
        'orig_orig_connection.resp_pkts_mean': 'mean'
#         'orig_connection.time_median': 'mean',
#         'orig_connection.duration_median': 'mean', 
#         'orig_connection.orig_bytes_median': 'mean', 
#         'orig_connection.orig_pkts_median': 'mean',
#         'orig_connection.resp_bytes_median': 'mean',
#         'orig_connection.resp_pkts_median': 'mean'
    }
).reset_index()

In [None]:
pd.DataFrame(kprototype.cluster_centroids_)

In [None]:
centroids = pd.DataFrame(kprototype.cluster_centroids_, columns = [CONN_NUMERICAL_COLS + 
                                                                    # categorical
                                                                    ['orig_p_cat', 
                                                                     'resp_p_cat',
                                                                     'protocol',
                                                                     'service', 
                                                                     'conn_state'] + 
                                                                    CONN_APP_STATS + 

                                                                    # originator neighbourhood
                                                                    ORIG_ORIG_NUMERICAL_COLS + 
                                                                    ORIG_ORIG_PORTS_COLS + 
                                                                    ORIG_ORIG_APP_STATS_COLS + 
                                                                    ORIG_ORIG_SIMILAR_COLS + 
                                                                    # originator categorical neighbourhood 
                                                                    ORIG_ORIG_CATEGORICAL_COLS + 

                                                                    # originator neighbourhood
                                                                    ORIG_RESP_NUMERICAL_COLS + 
                                                                    ORIG_RESP_PORTS_COLS + 
                                                                    ORIG_RESP_APP_STATS_COLS + 
                                                                    ORIG_RESP_SIMILAR_COLS + 
                                                                    # originator categorical neighbourhood 
                                                                    ORIG_RESP_CATEGORICAL_COLS + 

                                                                    # originator neighbourhood
                                                                    RESP_ORIG_NUMERICAL_COLS + 
                                                                    RESP_ORIG_PORTS_COLS + 
                                                                    RESP_ORIG_APP_STATS_COLS + 
                                                                    RESP_ORIG_SIMILAR_COLS + 
                                                                    # originator categorical neighbourhood 
                                                                    RESP_ORIG_CATEGORICAL_COLS + 

                                                                    # originator neighbourhood
                                                                    RESP_RESP_NUMERICAL_COLS + 
                                                                    RESP_RESP_PORTS_COLS + 
                                                                    RESP_RESP_APP_STATS_COLS + 
                                                                    RESP_RESP_SIMILAR_COLS + 
                                                                    # originator categorical neighbourhood 
                                                                    RESP_RESP_CATEGORICAL_COLS])

# https://stackoverflow.com/questions/51148457/how-to-find-the-set-of-influential-features-in-clusters/53081779#53081779
centroids

In [None]:
from sklearn.decomposition import PCA

data_num_cols = selected_df.filter(CONN_NUMERICAL_COLS + 
                                   # categorical
                                   OHE_ORIG_P_CAT_COLS + 
                                   OHE_RESP_P_CAT_COLS + 
                                   OHE_PROTO_CAT_COLS + 
                                   OHE_SERVICE_CAT_COLS + 
                                   OHE_CONN_STATE_CAT_COLS + 
                                   
                                   CONN_APP_STATS + 
                                   
                                   # originator neighbourhood
                                   ORIG_ORIG_NUMERICAL_COLS + 
                                   ORIG_ORIG_PORTS_COLS + 
                                   ORIG_ORIG_APP_STATS_COLS + 
                                   ORIG_ORIG_SIMILAR_COLS + 
                                   # originator categorical neighbourhood 
                                   ORIG_ORIG_OHE_CAT_COLS + 
                                   
                                   # originator neighbourhood
                                   ORIG_RESP_NUMERICAL_COLS + 
                                   ORIG_RESP_PORTS_COLS + 
                                   ORIG_RESP_APP_STATS_COLS + 
                                   ORIG_RESP_SIMILAR_COLS + 
                                   # originator categorical neighbourhood 
                                   ORIG_RESP_OHE_CAT_COLS + 
                                   
                                   # originator neighbourhood
                                   RESP_ORIG_NUMERICAL_COLS + 
                                   RESP_ORIG_PORTS_COLS + 
                                   RESP_ORIG_APP_STATS_COLS + 
                                   RESP_ORIG_SIMILAR_COLS + 
                                   # originator categorical neighbourhood 
                                   RESP_ORIG_OHE_CAT_COLS + 
                                   
                                   # originator neighbourhood
                                   RESP_RESP_NUMERICAL_COLS + 
                                   RESP_RESP_PORTS_COLS + 
                                   RESP_RESP_APP_STATS_COLS + 
                                   RESP_RESP_SIMILAR_COLS + 
                                   # originator categorical neighbourhood 
                                   RESP_RESP_OHE_CAT_COLS, axis=1)
n_components = len(data_num_cols.columns)
whiten = False
random_state = 2018
pca = PCA(n_components=n_components, whiten=whiten, random_state=random_state)

In [None]:
pca_X = pca.fit_transform(data_num_cols)
pca_X = pd.DataFrame(data=pca_X)

print(f"Variance Explained by all {n_components} principal components: {sum(pca.explained_variance_ratio_)}")

In [None]:
importanceOfPrincipalComponents = pd.DataFrame(data=pca.explained_variance_ratio_)
importanceOfPrincipalComponents = importanceOfPrincipalComponents.T

n_components = [150, 10, 7, 5, 2]

for n in n_components:
    print('Variance Captured by First {:3} Principal Components: {}'.format(n, importanceOfPrincipalComponents.loc[:,0:n+1].sum(axis=1).values))
print('Variance Captured by the First Principal Component:  {}'.format(importanceOfPrincipalComponents.loc[:,0:1].sum(axis=1).values))

In [None]:
variance_ratios = pca.explained_variance_ratio_
df_cols = df.columns

for i in range(len(variance_ratios)):
    if round(variance_ratios[i], 8) > 0:
        print('Variance of {:42}: {:.8f}'.format(df_cols[i], variance_ratios[i]))

In [None]:
pca_X['cluster'] = kprototype.labels_
pca_X

In [None]:
import matplotlib.pyplot as plt
import matplotlib.cm as mcm
import numpy as np

pca_X_array = np.array(pca_X)
# plt.rcParams["figure.figsize"] = (5.0,5.0) # https://stackoverflow.com/questions/332289/how-do-you-change-the-size-of-figures-drawn-with-matplotlib

# colors = ['blue', 'lightblue', 'green', 'lightgreen', 'red', 'lightred', 'cyan', 'lightcyan', 'magenta', 'lightmagenta', 'yellow', 'lightyellow']
colors = mcm.rainbow(np.linspace(0, 1, OPTIMAL_K + 1))

# plot the clusters
for i in range(OPTIMAL_K + 1):   
    plt.scatter(
        pca_X_array[kprototype.labels_ == i, 0], pca_X_array[kprototype.labels_ == i, 1],
        s=50, c=[colors[i]], # warning if not array
        marker='o', edgecolor='black',
        label='cluster ' + str(i)
    )

plt.legend(scatterpoints=1)
plt.grid()
plt.show()

In [None]:
# https://jakevdp.github.io/PythonDataScienceHandbook/04.12-three-dimensional-plotting.html

from mpl_toolkits import mplot3d

%matplotlib inline
import numpy as np
import matplotlib.pyplot as plt

def subplot_3d_viz(fig, azim, elev, col_i):
    ax = fig.add_subplot(1, 3, col_i, projection='3d')

    ax.set_xlabel('x')
    ax.set_ylabel('y')
    ax.set_zlabel('z')

    ax.azim = azim  # default -60
    ax.elev = elev  # default 30

    for i in pca_X['cluster'].unique(): 
        ax.scatter(pca_X_array[kprototype.labels_ == i, 0], 
                   pca_X_array[kprototype.labels_ == i, 1], 
                   pca_X_array[kprototype.labels_ == i, 2], 
                   c=[colors[i]],
                   edgecolor='black',
                   label='cluster ' + str(i));

In [None]:
# azims = [_ for _ in range(-360, 360, 120)]
# print(azims)

azims = [-60, 0, 60]
elevs = [0, 60, 240]

fig = plt.figure(figsize=(17,19))
fig.tight_layout()

for i in range(len(azims)):
    subplot_3d_viz(fig, azims[i], 30, i+1)

plt.show()

fig = plt.figure(figsize=(17,19))
fig.tight_layout()

for i in range(len(elevs)):
    subplot_3d_viz(fig, -60, elevs[i], i+1)

plt.show()

In [None]:
INTERPRETATION_COLS = ['uid', 
                       'originated_ip_num', 'originated_ip', 
                       'responded_ip_num', 'responded_ip', 
                       'timestamp', 'connection.time', 
                       'duration', 'connection.duration',
                       'protocol', 'service', 'conn_state',
                       'connection.orig_p', 'o_port', 'orig_p_cat', 'connection.orig_bytes', 'o_bytes', 'connection.orig_pkts', 'connection.orig_pkts.1', #'o_ip_bytes', 
                       'connection.resp_p', 'r_port', 'resp_p_cat', 'connection.resp_bytes', 'r_bytes', 'connection.resp_pkts', 'connection.resp_pkts.1', #'r_ip_bytes',
                       'dns_count', 'ssh_count', 'http_count', 'ssl_count', 'files_count', 
                       'attacker_label', 'victim_label']

In [None]:
# join dfs
labels_df = selected_df[INTERPRETATION_COLS]

result = pd.concat([pca_X, labels_df], axis=1)
result

In [None]:
import os.path
from datetime import date

print(PREFIX_PATH + 'kprototype_backup_' + date.today().strftime("%d_%m") + '_' + str(OPTIMAL_K) +  '.csv')
if not os.path.isfile(PREFIX_PATH + 'kprototype_backup_' + date.today().strftime("%d_%m") + '_' + str(OPTIMAL_K) +  '.csv'):
    result.to_csv(PREFIX_PATH + 'kprototype_backup_' + date.today().strftime("%d_%m") + '_' + str(OPTIMAL_K) +  '.csv', index=False, header=True)
    df.to_csv(PREFIX_PATH + 'kprototype_df_backup_' + date.today().strftime("%d_%m") + '_' + str(OPTIMAL_K) + '.csv', index=False, header=True)
    print('Wrote to new files.')
else:
    print('File already exists.')

In [None]:
def print_df_func(df, col, func):
    if func == 'count':
        print(df[col].value_counts())
        print('')
    elif func == 'mean':
        col_mean = df[col].mean()
        print(str(col) + ' mean = ' + str(col_mean))
    elif func == 'median':
        col_median = df[col].median()
        print(str(col) + ' median = ' + str(col_median))
    elif func == 'min':
        col_min = df[col].min()
        print(str(col) + ' min = ' + str(col_min))
    elif func == 'max':
        col_max = df[col].max()
        print(str(col) + ' max = ' + str(col_max))
        print('')

In [None]:
plt.rcParams["figure.figsize"] = (10,7)

In [None]:
for i in range(OPTIMAL_K + 1):
    result_cluster = result.loc[result['cluster'] == i]
    nok_conns = result_cluster.loc[(result_cluster['attacker_label'] == 'Yes') & (result_cluster['victim_label'] == 'Yes')]
    ok_conns = result_cluster.loc[(result_cluster['attacker_label'] == 'No') | ((result_cluster['attacker_label'] == 'Yes') & (result_cluster['victim_label'] != 'Yes'))]
      
    plt.scatter(
        ok_conns[0], ok_conns[1],
        s=50, c='green',
        marker='o', edgecolor='black',
        label='Other conns'
    )
    
    plt.scatter(
        nok_conns[0], nok_conns[1],
        s=50, c='red',
        marker='o', edgecolor='black',
        label='Conns with attacker'
    )
    
#     plt.scatter(
#         kprototype.cluster_centroids_[i][0], kprototype.cluster_centroids_[i][1],
#         s=50, c='orange',
#         marker='o', edgecolor='black',
#     )
    
    plt.legend(scatterpoints=1)
    plt.title('Cluster ' + str(i))
    plt.grid()
    plt.show()
    
    print('Total num of conns: ' + str(result_cluster.shape[0]) + '\n')
    
    
    print('Attacker conns ratio:')
    print_df_func(result_cluster, 'attacker_label', 'count')
    
    print('IPs:')
    print_df_func(result_cluster, 'originated_ip', 'count')
    print_df_func(result_cluster, 'responded_ip', 'count')

    if len(nok_conns) > 0:
        print('Cluster ' + str(i) + ' NOK sample connections:')
        samples = nok_conns.sample(15 if len(nok_conns) >= 15 else len(nok_conns))
        samples = samples.filter(INTERPRETATION_COLS[1:], axis=1)
        display(samples)
    
    if len(ok_conns) > 0:
        print('Cluster ' + str(i) + ' OK sample connections:')
        samples = ok_conns.sample(15 if len(ok_conns) >= 15 else len(ok_conns))
        samples = samples.filter(INTERPRETATION_COLS[1:], axis=1)
        display(samples)
        
    print('Protocol:')
    print_df_func(result_cluster, 'protocol', 'count')
    
    print('Service:')
    print_df_func(result_cluster, 'service', 'count')
    
    print('Orig_p_cat:')
    print_df_func(result_cluster, 'orig_p_cat', 'count')
    
    print('Resp_p_cat:')
    print_df_func(result_cluster, 'resp_p_cat', 'count')
    
    print('  ================================================  \n')
    

## Interpretation

Parallel coordinates plots.

In [None]:
features_df = labels_df[['originated_ip_num', 
                     'responded_ip_num', 
                     'connection.time', 
                     'connection.duration', 
                     'connection.orig_p', 'connection.resp_p', 
                     'connection.orig_bytes', 'connection.resp_bytes', 
                     'connection.orig_pkts', 'connection.resp_pkts', 
                     'dns_count', 'ssh_count', 'http_count', 'ssl_count', 'files_count']]

coord_vis_df = pd.concat([features_df, pca_X['cluster']], axis=1)
coord_vis_df = coord_vis_df #.sample(100)

In [None]:
import pandas as pd

clusters = pca_X['cluster'].unique()

for i in range(len(clusters)):
    plt.rcParams["figure.figsize"] = (28,7)
    pd.plotting.parallel_coordinates(coord_vis_df.loc[coord_vis_df['cluster'] == clusters[i]], 'cluster', color=colors[i])
    plt.show()

With dominant neighbourhood:

In [None]:
INTERPRETATION_COLS = ['uid', 
                       'originated_ip_num', 'originated_ip', 
                       'responded_ip_num', 'responded_ip', 
                       'timestamp', 'connection.time', 
                       'duration', 'connection.duration',
                       'protocol', 'service', 'conn_state',
                       'connection.orig_p', 'o_port', 'orig_p_cat', 'connection.orig_bytes', 'o_bytes', 'connection.orig_pkts', 'connection.orig_pkts.1', #'o_ip_bytes', 
                       'connection.resp_p', 'r_port', 'resp_p_cat', 'connection.resp_bytes', 'r_bytes', 'connection.resp_pkts', 'connection.resp_pkts.1', #'r_ip_bytes',
                       'dns_count', 'ssh_count', 'http_count', 'ssl_count', 'files_count', 
                       'orig_orig_total', 
                            'orig_orig_connection.time_mean', 
                            'orig_orig_connection.duration_mean',
                            'orig_orig_connection.orig_pkts_mean',
                            'orig_orig_connection.orig_bytes_mean',
                            'orig_orig_connection.resp_bytes_mean',
                            'orig_orig_connection.resp_pkts_mean',
                       'attacker_label', 'victim_label']

labels_df = selected_df[INTERPRETATION_COLS]

result = pd.concat([pca_X, labels_df], axis=1)

features_df = labels_df[['originated_ip_num', 
                     'responded_ip_num', 
                     'connection.time', 
                     'connection.duration', 
                     #'connection.orig_p', 'connection.resp_p', 
                     'connection.orig_bytes', 'connection.resp_bytes', 
                     'connection.orig_pkts', 'connection.resp_pkts', 
                        'orig_orig_total', 
                            'orig_orig_connection.time_mean', 
                            'orig_orig_connection.duration_mean',
                            'orig_orig_connection.orig_bytes_mean',
                            'orig_orig_connection.resp_bytes_mean',
                            'orig_orig_connection.orig_pkts_mean',
                            'orig_orig_connection.resp_pkts_mean']]

coord_vis_df = pd.concat([features_df, pca_X['cluster']], axis=1)
coord_vis_df = coord_vis_df #.sample(100)

clusters = pca_X['cluster'].unique()

for i in range(len(clusters)):
    plt.rcParams["figure.figsize"] = (55,7)
    pd.plotting.parallel_coordinates(coord_vis_df.loc[coord_vis_df['cluster'] == clusters[i]], 'cluster', color=colors[i])
    plt.show()