# **Data cleaning**

### Objectives
- Clean the `.csv` raw data from Kaggle. Data cleaning is necessary for data visualization and for machine learning model training.

### Inputs
- This file cleans the `.csv` file `Train_data.scv`, located in the `data/raw` folder.

### Outputs
- The file will be saved after the cleaning process in the `data/cleaned` folder. This cleaned data will be further used in data visualization, statistical analysis, machine learning models and the dashboard.

## Load the libraries and the data
We will need pandas for data manipulation and matplotlib for simple visualizations

In [43]:
import pandas as pd
import matplotlib.pyplot as plt

Let's load the file as `df`:

In [44]:
df = pd.read_csv("../data/raw/Train_data.csv")
print(df.shape)
df.head()

(25192, 42)


Unnamed: 0,duration,protocol_type,service,flag,src_bytes,dst_bytes,land,wrong_fragment,urgent,hot,...,dst_host_srv_count,dst_host_same_srv_rate,dst_host_diff_srv_rate,dst_host_same_src_port_rate,dst_host_srv_diff_host_rate,dst_host_serror_rate,dst_host_srv_serror_rate,dst_host_rerror_rate,dst_host_srv_rerror_rate,class
0,0,tcp,ftp_data,SF,491,0,0,0,0,0,...,25,0.17,0.03,0.17,0.0,0.0,0.0,0.05,0.0,normal
1,0,udp,other,SF,146,0,0,0,0,0,...,1,0.0,0.6,0.88,0.0,0.0,0.0,0.0,0.0,normal
2,0,tcp,private,S0,0,0,0,0,0,0,...,26,0.1,0.05,0.0,0.0,1.0,1.0,0.0,0.0,anomaly
3,0,tcp,http,SF,232,8153,0,0,0,0,...,255,1.0,0.0,0.03,0.04,0.03,0.01,0.0,0.01,normal
4,0,tcp,http,SF,199,420,0,0,0,0,...,255,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,normal


## Data cleaning

### Check for uniqueness
Here I will check whether all rows are unique:

In [45]:
print(f"Number of duplicates: {df.duplicated().sum()}")

Number of duplicates: 0


Since there is no unique ID for each intrusion the only thing it means is that 57 intrusions in the test set have the same features. THerefore we will leave them as they are because this might mean that these are intrusions who just happen to have the same set of features.

### Check for null values
Here we will check whether all columns are filled:

In [46]:
df.isnull().sum()

duration                       0
protocol_type                  0
service                        0
flag                           0
src_bytes                      0
dst_bytes                      0
land                           0
wrong_fragment                 0
urgent                         0
hot                            0
num_failed_logins              0
logged_in                      0
num_compromised                0
root_shell                     0
su_attempted                   0
num_root                       0
num_file_creations             0
num_shells                     0
num_access_files               0
num_outbound_cmds              0
is_host_login                  0
is_guest_login                 0
count                          0
srv_count                      0
serror_rate                    0
srv_serror_rate                0
rerror_rate                    0
srv_rerror_rate                0
same_srv_rate                  0
diff_srv_rate                  0
srv_diff_h

As you can see there are no null values in any category.

### Check for data types and unique categories
First let's see the data info for both tables to confirm they have the same features:

In [47]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 25192 entries, 0 to 25191
Data columns (total 42 columns):
 #   Column                       Non-Null Count  Dtype  
---  ------                       --------------  -----  
 0   duration                     25192 non-null  int64  
 1   protocol_type                25192 non-null  object 
 2   service                      25192 non-null  object 
 3   flag                         25192 non-null  object 
 4   src_bytes                    25192 non-null  int64  
 5   dst_bytes                    25192 non-null  int64  
 6   land                         25192 non-null  int64  
 7   wrong_fragment               25192 non-null  int64  
 8   urgent                       25192 non-null  int64  
 9   hot                          25192 non-null  int64  
 10  num_failed_logins            25192 non-null  int64  
 11  logged_in                    25192 non-null  int64  
 12  num_compromised              25192 non-null  int64  
 13  root_shell      

As you can see, here is very little categorical data (`object`), with most features having `int64` type.

let's look at all the possible values in the object column:

In [48]:
categories = ['protocol_type', 'service', 'flag', 'class']

print("Object columns:\n")
for col in categories:
    print(f"{col}: {df[col].unique()}\n")

Object columns:

protocol_type: ['tcp' 'udp' 'icmp']

service: ['ftp_data' 'other' 'private' 'http' 'remote_job' 'name' 'netbios_ns'
 'eco_i' 'mtp' 'telnet' 'finger' 'domain_u' 'supdup' 'uucp_path' 'Z39_50'
 'smtp' 'csnet_ns' 'uucp' 'netbios_dgm' 'urp_i' 'auth' 'domain' 'ftp'
 'bgp' 'ldap' 'ecr_i' 'gopher' 'vmnet' 'systat' 'http_443' 'efs' 'whois'
 'imap4' 'iso_tsap' 'echo' 'klogin' 'link' 'sunrpc' 'login' 'kshell'
 'sql_net' 'time' 'hostnames' 'exec' 'ntp_u' 'discard' 'nntp' 'courier'
 'ctf' 'ssh' 'daytime' 'shell' 'netstat' 'pop_3' 'nnsp' 'IRC' 'pop_2'
 'printer' 'tim_i' 'pm_dump' 'red_i' 'netbios_ssn' 'rje' 'X11' 'urh_i'
 'http_8001']

flag: ['SF' 'S0' 'REJ' 'RSTR' 'SH' 'RSTO' 'S1' 'RSTOS0' 'S3' 'S2' 'OTH']

class: ['normal' 'anomaly']



Furthermore we will check whether there are any quasi-categorical values which have a data type `int64` but have few unique values. We suspect that there might be some binary values for instance.

In [49]:
cols_with_few_uniques = []

# Search for int64 columns with less 10 or less unique values
# assuming your DataFrame is called df
cols_with_few_uniques = []
cols_with_many_uniques = []

for col in df.select_dtypes(include='int64').columns:
    unique_count = df[col].nunique()
    if unique_count <= 10:
        cols_with_few_uniques.append((col, unique_count))
    else:
        cols_with_many_uniques.append((col, unique_count))

# Print the results
if cols_with_few_uniques:
    print("Integer columns with 10 or fewer unique values:")
    for col, unique_count in cols_with_few_uniques:
        print(f" - {col}: {unique_count} unique values: {df[col].unique()}")
else:
    print("No int64 columns with 10 or fewer unique values found.")

Integer columns with 10 or fewer unique values:
 - land: 2 unique values: [0 1]
 - wrong_fragment: 3 unique values: [0 3 1]
 - urgent: 2 unique values: [0 1]
 - num_failed_logins: 5 unique values: [0 2 1 3 4]
 - logged_in: 2 unique values: [0 1]
 - root_shell: 2 unique values: [0 1]
 - su_attempted: 3 unique values: [0 1 2]
 - num_shells: 2 unique values: [0 1]
 - num_access_files: 7 unique values: [0 1 2 3 5 4 8]
 - num_outbound_cmds: 1 unique values: [0]
 - is_host_login: 1 unique values: [0]
 - is_guest_login: 2 unique values: [0 1]


In summary we can group our columns into four types:

In [50]:
# Also next to the numerical category there is a number of unique values
print("Continuous (float64):")
print(list(df.select_dtypes(include='float64').columns))
print('\n')

print("Categorical:")
print(list(df.select_dtypes(include='object').columns))
print('\n')

print("Whole numbers (int64):")
print(cols_with_many_uniques)
print('\n')

print("Numerical categories (int64):")
print(cols_with_few_uniques)
print('\n')

Continuous (float64):
['serror_rate', 'srv_serror_rate', 'rerror_rate', 'srv_rerror_rate', 'same_srv_rate', 'diff_srv_rate', 'srv_diff_host_rate', 'dst_host_same_srv_rate', 'dst_host_diff_srv_rate', 'dst_host_same_src_port_rate', 'dst_host_srv_diff_host_rate', 'dst_host_serror_rate', 'dst_host_srv_serror_rate', 'dst_host_rerror_rate', 'dst_host_srv_rerror_rate']


Categorical:
['protocol_type', 'service', 'flag', 'class']


Whole numbers (int64):
[('duration', 758), ('src_bytes', 1665), ('dst_bytes', 3922), ('hot', 22), ('num_compromised', 28), ('num_root', 28), ('num_file_creations', 20), ('count', 466), ('srv_count', 414), ('dst_host_count', 256), ('dst_host_srv_count', 256)]


Numerical categories (int64):
[('land', 2), ('wrong_fragment', 3), ('urgent', 2), ('num_failed_logins', 5), ('logged_in', 2), ('root_shell', 2), ('su_attempted', 3), ('num_shells', 2), ('num_access_files', 7), ('num_outbound_cmds', 1), ('is_host_login', 1), ('is_guest_login', 2)]




### Get rid of the superfluous columns