# Time Series Anomaly Detection

In [9]:
#module imports
import wrangle as w

# from __future__ import division
import itertools
import warnings
warnings.filterwarnings("ignore")
import matplotlib.pyplot as plt
import matplotlib.dates as mdates
import numpy as np
import pandas as pd
import math
from sklearn import metrics
from random import randint
from matplotlib import style
import seaborn as sns
from sklearn.cluster import DBSCAN
from sklearn.preprocessing import MinMaxScaler
from scipy.stats import entropy

%matplotlib inline

# This is to make sure matplotlib doesn't throw the following error:
# The next line fixes "TypeError: float() argument must be a string or a number, not 'Timestamp' matplotlib"
pd.plotting.register_matplotlib_converters()

## Acquire

In [2]:
df = w.acquire_logs()
df.head()

Unnamed: 0,date,time,name,program_id,cohort_id,user_id,path,ip,start_date,end_date
0,2018-01-26,09:55:03,Hampton,1,8.0,1,/,97.105.19.61,2015-09-22,2016-02-06
1,2018-01-26,09:56:02,Hampton,1,8.0,1,java-ii,97.105.19.61,2015-09-22,2016-02-06
2,2018-01-26,09:56:05,Hampton,1,8.0,1,java-ii/object-oriented-programming,97.105.19.61,2015-09-22,2016-02-06
3,2018-01-26,09:56:06,Hampton,1,8.0,1,slides/object_oriented_programming,97.105.19.61,2015-09-22,2016-02-06
4,2018-01-26,09:56:24,Teddy,2,22.0,2,javascript-i/conditionals,97.105.19.61,2018-01-08,2018-05-17


In [3]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 847330 entries, 0 to 847329
Data columns (total 10 columns):
 #   Column      Non-Null Count   Dtype  
---  ------      --------------   -----  
 0   date        847330 non-null  object 
 1   time        847330 non-null  object 
 2   name        847330 non-null  object 
 3   program_id  847330 non-null  int64  
 4   cohort_id   847330 non-null  float64
 5   user_id     847330 non-null  int64  
 6   path        847329 non-null  object 
 7   ip          847330 non-null  object 
 8   start_date  847330 non-null  object 
 9   end_date    847330 non-null  object 
dtypes: float64(1), int64(2), object(7)
memory usage: 64.6+ MB


In [4]:
df.shape

(847330, 10)

## Prepare

In [None]:
#change time/date from object to datetime
df.index = pd.to_datetime(df.date + " " + df.time)

In [None]:
df.head()

In [None]:
#drop date and time columns
df.drop(columns=['date', 'time'], inplace=True)

In [None]:
df.head()

In [None]:
#add day of week and month columns for exploration
df['day_of_week'] = df.index.day_name()
df['month'] = df.index.month_name()

In [None]:
# Replace program_id values with names of program
df['program_id'] = df.program_id.replace({1: 'full stack php', 2: 'full stack java', 3:'data science', 4:'front end' })

In [None]:
df.head()

In [None]:
df.program_id.value_counts()

In [None]:
def prepare_logs():
    '''
    This function will acquire the dataset from acquire_logs
    and prepare for exploration by:
    - reformatting date/time columns and merging them
    - resetting date/time as index
    - adding weekday and month columns
    - renaming columns
    '''
    # Grabs dataframe from mysql and assigns it to a variable
    df = w.acquire_logs()
    # Reformat date and time
    df.index = pd.to_datetime(df.date + " " + df.time)
    #drop date and time columns
    df.drop(columns=['date', 'time'], inplace=True)
    # Replace program_id values with names of program
    df['program_id'] = df.program_id.replace({1: 'full stack php', 2: 'full stack java', 3:'data science', 4:'front end' })
    #add day of week and month columns for exploration
    df['day_of_week'] = df.index.day_name()
    df['month'] = df.index.month_name()

    return df

In [None]:
import wrangle as w

In [6]:
df = w.prepare_logs()

In [8]:
df.head()

Unnamed: 0,name,program_id,cohort_id,user_id,path,ip,start_date,end_date,day_of_week,month
2018-01-26 09:55:03,Hampton,full stack php,8.0,1,/,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:02,Hampton,full stack php,8.0,1,java-ii,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:05,Hampton,full stack php,8.0,1,java-ii/object-oriented-programming,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:06,Hampton,full stack php,8.0,1,slides/object_oriented_programming,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:24,Teddy,full stack java,22.0,2,javascript-i/conditionals,97.105.19.61,2018-01-08,2018-05-17,Friday,January


## Explore

In [10]:
#create dataframe out of value counts and reset index
ip_counts = pd.DataFrame(df.ip.value_counts()).reset_index()

In [11]:
#check out the dataframe
ip_counts.head()

Unnamed: 0,index,ip
0,97.105.19.58,268648
1,97.105.19.61,60530
2,192.171.117.210,9124
3,71.150.217.33,6791
4,76.185.145.231,4754


In [12]:
#rename the columns of value counts data frame
ip_counts.columns=['ip', 'event_count']

In [14]:
#get the number of ip addresses seen
ip_counts.groupby(['event_count']).count()

Unnamed: 0_level_0,ip
event_count,Unnamed: 1_level_1
1,763
2,528
3,460
4,351
5,259
...,...
4754,1
6791,1
9124,1
60530,1


In [15]:
#find the ip addresses that only occur once
#filter where event_count = 1
ip_counts[ip_counts['event_count']==1]

Unnamed: 0,ip,event_count
4437,76.214.156.188,1
4438,173.239.232.157,1
4439,174.207.15.199,1
4440,107.77.217.216,1
4441,174.207.25.208,1
...,...,...
5195,173.127.91.200,1
5196,107.77.201.52,1
5197,104.184.220.38,1
5198,189.166.150.196,1


In [16]:
#find the entropy
#0 indicates no uncertainty
entropy(ip_counts.event_count)

4.925957589143282

In [18]:
df.head()

Unnamed: 0,name,program_id,cohort_id,user_id,path,ip,start_date,end_date,day_of_week,month
2018-01-26 09:55:03,Hampton,full stack php,8.0,1,/,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:02,Hampton,full stack php,8.0,1,java-ii,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:05,Hampton,full stack php,8.0,1,java-ii/object-oriented-programming,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:06,Hampton,full stack php,8.0,1,slides/object_oriented_programming,97.105.19.61,2015-09-22,2016-02-06,Friday,January
2018-01-26 09:56:24,Teddy,full stack java,22.0,2,javascript-i/conditionals,97.105.19.61,2018-01-08,2018-05-17,Friday,January


In [19]:
#check for nulls
df.isna().sum()

name           0
program_id     0
cohort_id      0
user_id        0
path           1
ip             0
start_date     0
end_date       0
day_of_week    0
month          0
dtype: int64

In [20]:
# fill missing values for path with no path
df = df.fillna(value='no path')

# summary stats of the size
df.describe()

Unnamed: 0,cohort_id,user_id
count,847330.0,847330.0
mean,48.501049,456.707344
std,32.795482,250.734201
min,1.0,1.0
25%,28.0,263.0
50%,33.0,476.0
75%,57.0,648.0
max,139.0,981.0
