# Appraise H2020 Dataset Analysis

* **Author:** Patrik Goldschmidt (igoldschmidt@fit.vut.cz)
* **Project:** Network Intrusion Datasets: A Survey, Limitations, and Recommendations
* **Date:** 2024

Data Source: https://www.kaggle.com/datasets/ittibydgoszcz/appraise-h2020-real-labelled-netflow-dataset

In [1]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import os

pd.set_option('display.max_columns', None)

In [2]:
DATAPATH = '/data/disk2/appraise_h2020/APPRAISE_NETFLOW.csv'

In [3]:
data = pd.read_csv(DATAPATH)

In [4]:
data.info(verbose=True, show_counts=True)

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 15116160 entries, 0 to 15116159
Data columns (total 19 columns):
 #   Column            Non-Null Count     Dtype 
---  ------            --------------     ----- 
 0   FLOW_ID           15116160 non-null  int64 
 1   IPV4_SRC_ADDR     15116160 non-null  object
 2   IPV4_DST_ADDR     15116160 non-null  object
 3   IN_PKTS           15116160 non-null  int64 
 4   IN_BYTES          15116160 non-null  int64 
 5   OUT_PKTS          15116160 non-null  int64 
 6   OUT_BYTES         15116160 non-null  int64 
 7   FIRST_SWITCHED    15116160 non-null  int64 
 8   LAST_SWITCHED     15116160 non-null  int64 
 9   L4_SRC_PORT       15116160 non-null  int64 
 10  L4_DST_PORT       15116160 non-null  int64 
 11  TCP_FLAGS         15116160 non-null  int64 
 12  PROTOCOL          15116160 non-null  int64 
 13  PROTOCOL_MAP      15116160 non-null  object
 14  TOTAL_FLOWS_EXP   15116160 non-null  int64 
 15  L7_PROTO          15116160 non-null  int64 
 16

In [5]:
# Show me the capture length
len(data)

15116160

In [6]:
data.head(10)

Unnamed: 0,FLOW_ID,IPV4_SRC_ADDR,IPV4_DST_ADDR,IN_PKTS,IN_BYTES,OUT_PKTS,OUT_BYTES,FIRST_SWITCHED,LAST_SWITCHED,L4_SRC_PORT,L4_DST_PORT,TCP_FLAGS,PROTOCOL,PROTOCOL_MAP,TOTAL_FLOWS_EXP,L7_PROTO,L7_PROTO_NAME,ANOMALY_CATEGORY,ANOMALY
0,1,89.159.255.164,5.9.222.138,604,27180,614,29994,1674045983,1674045985,47808,47808,0,17,udp,1,0,Unknown,-,0
1,2,189.5.173.17,80.19.141.188,506,23082,510,23424,1674045983,1674045985,502,4872,24,6,tcp,2,44,Modbus,-,0
2,3,80.158.159.207,86.190.158.122,24,1704,0,0,1674045983,1674045985,47808,47808,0,17,udp,3,0,Unknown,-,0
3,4,102.81.138.56,135.44.76.80,284,23034,284,26004,1674045983,1674045985,61765,51807,24,6,tcp,4,0,Unknown,-,0
4,5,96.41.79.140,62.185.7.85,4,160,2,144,1674045983,1674045985,50264,3028,16,6,tcp,5,0,Unknown,-,0
5,6,89.159.255.164,78.55.181.74,108,4860,108,5244,1674045983,1674045985,47808,47808,0,17,udp,6,0,Unknown,-,0
6,7,89.159.255.164,108.30.58.143,40,1800,46,2460,1674045983,1674045985,47808,47808,0,17,udp,7,0,Unknown,-,0
7,8,89.159.255.164,80.31.202.103,40,1800,40,2040,1674045983,1674045985,47808,47808,0,17,udp,8,0,Unknown,-,0
8,9,212.15.170.48,8.249.67.106,10,680,0,0,1674045983,1674045983,51053,1947,0,17,udp,9,0,Unknown,-,0
9,10,212.15.170.48,198.196.184.15,10,680,0,0,1674045983,1674045983,51052,1947,0,17,udp,10,0,Unknown,-,0


In [7]:
data.describe()

Unnamed: 0,FLOW_ID,IN_PKTS,IN_BYTES,OUT_PKTS,OUT_BYTES,FIRST_SWITCHED,LAST_SWITCHED,L4_SRC_PORT,L4_DST_PORT,TCP_FLAGS,PROTOCOL,TOTAL_FLOWS_EXP,L7_PROTO,ANOMALY
count,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0,15116160.0
mean,1878046.0,418.0791,22342.24,398.2113,37346.82,1677748000.0,1677748000.0,42860.9,15972.56,4.983905,12.28084,1878046.0,27.11377,0.2851502
std,1287713.0,2603.594,240582.2,2694.006,1159702.0,1999248.0,1999248.0,19464.33,21391.44,14.85487,7.364417,1287713.0,68.68301,0.451486
min,1.0,1.0,37.0,0.0,0.0,1674046000.0,1674046000.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0
25%,811575.8,2.0,96.0,0.0,0.0,1676678000.0,1676678000.0,37201.0,966.0,0.0,6.0,811575.8,0.0,0.0
50%,1600526.0,11.0,748.0,0.0,0.0,1677689000.0,1677689000.0,47808.0,1980.0,0.0,17.0,1600526.0,0.0,0.0
75%,2848495.0,26.0,2442.0,2.0,264.0,1679498000.0,1679498000.0,56308.0,47808.0,2.0,17.0,2848495.0,5.0,1.0
max,4707889.0,150486.0,225482700.0,350542.0,518427300.0,1681269000.0,1681270000.0,65535.0,65534.0,222.0,89.0,4707889.0,293.0,1.0


In [8]:
# Show me heavy-hitters. Are IPs Anonymized?
data['IPV4_SRC_ADDR'].value_counts().head(10)

IPV4_SRC_ADDR
106.21.55.11       3701351
89.159.255.164     1446634
121.45.142.225     1354638
212.15.170.48      1289247
119.173.142.158    1112587
12.0.230.98         618916
136.94.240.213      552315
68.203.156.78       502394
116.171.108.189     247417
80.158.159.207      152585
Name: count, dtype: int64

In [9]:
# The number of unique source IPs
data['IPV4_SRC_ADDR'].nunique()

1830

In [10]:
data['IPV4_DST_ADDR'].value_counts()

IPV4_DST_ADDR
198.196.184.15     3179373
8.249.67.106       1616433
85.245.12.32       1287200
62.185.7.85         986556
109.14.115.188      580684
                    ...   
112.199.232.102          1
50.82.116.129            1
222.50.104.48            1
139.182.234.158          1
145.49.58.155            1
Name: count, Length: 8115, dtype: int64

In [11]:
# Ports distribution
data['L4_DST_PORT'].value_counts()

L4_DST_PORT
47808    3480716
1947     2888392
443       891793
80        684146
53        630687
          ...   
58214          1
58176          1
58133          1
58117          1
52424          1
Name: count, Length: 19199, dtype: int64

In [12]:
# Protocol distribution
data['PROTOCOL'].value_counts()

PROTOCOL
17    8171585
6     6837490
89      59658
1       27608
2       14096
58       5723
Name: count, dtype: int64

In [13]:
# L7 protocols
data['L7_PROTO_NAME'].value_counts().head(10)

L7_PROTO_NAME
Unknown          11168145
HTTP               613127
TLS.AmazonAWS      438195
DNS                308039
DHCPV6             239274
TLS                220371
MDNS               208461
Modbus             178205
TLS.Azure          144317
NetBIOS.SMBv1      129083
Name: count, dtype: int64

In [14]:
# Label distribution
data['ANOMALY'].value_counts()

ANOMALY
0    10805784
1     4310376
Name: count, dtype: int64

In [15]:
data['ANOMALY_CATEGORY'].value_counts()

ANOMALY_CATEGORY
-                 10805784
Reconnaissance     3805827
DDoS                502394
BruteForce            2155
Name: count, dtype: int64

## Capture Duration Estimation

In [16]:
# Determine dataset timestamps
start = data['FIRST_SWITCHED'].sort_values().iloc[0]
end   = data['LAST_SWITCHED'].sort_values(ascending=False).iloc[0]
span = end - start

print(f'{start} | {end} || dur: {span}')

1674045983 | 1681269543 || dur: 7223560


In [17]:
pd.Timedelta(seconds=span)

Timedelta('83 days 14:32:40')

**Start date:** GMT: Wednesday 18. January 2023 12:46:23

**End date:** GMT: Wednesday 12. April 2023 3:19:03

**Dur**: 83 days, 14 hours, 32 minutes and 40 seconds

Source: https://www.epochconverter.com/

In [18]:
tstamps = data['LAST_SWITCHED'].sort_values(ascending=False)
tstamps = pd.to_datetime(tstamps, unit='s', origin='unix')
tstamps.head()

15116158   2023-04-12 03:19:03
15116156   2023-04-12 03:19:03
15116153   2023-04-12 03:18:58
15116159   2023-04-12 03:18:55
15116131   2023-04-12 03:18:30
Name: LAST_SWITCHED, dtype: datetime64[ns]

In [19]:
# Measure capture duration and continousness
def measure_real_capture_dur(data: pd.Series, gap_max_secs: int = 300) -> float:
    """Computes total timespan of the capture. Expects iterable containing timestamps objects sorted in a descending manner"""
    total_dur = pd.Timedelta(seconds=0)
    current_dur = pd.Timedelta(seconds=0)
    cont_durations = []
    last_tstamp = data.iloc[0]
    contiguous = True

    # Iterate through the dataframe to find out gaps
    for cur_tstamp in data:
        dur_gap = last_tstamp - cur_tstamp

        if dur_gap <= pd.Timedelta(seconds=gap_max_secs):
            total_dur += dur_gap
            current_dur += dur_gap
        else:
            cont_durations.append(current_dur)
            current_dur = pd.Timedelta(seconds=0)

            if contiguous:
                contiguous = False

        last_tstamp = cur_tstamp

    # Log the final continuous block and sort them via their length
    cont_durations.append(current_dur)
    cont_durations.sort(reverse=True)

    return total_dur, contiguous, cont_durations

In [20]:
measure_real_capture_dur(tstamps, span * 0.01)

(Timedelta('72 days 12:01:12'),
 False,
 [Timedelta('27 days 13:35:16'),
  Timedelta('22 days 17:42:10'),
  Timedelta('22 days 04:43:46')])

In [21]:
# Measure with more realistic maximum gap size - i.e, 1 hour
measure_real_capture_dur(tstamps, 3600)

(Timedelta('72 days 12:01:12'),
 False,
 [Timedelta('27 days 13:35:16'),
  Timedelta('22 days 17:42:10'),
  Timedelta('22 days 04:43:46')])

In [22]:
# Interesting, what if we consider the max gap to be 5 minutes
measure_real_capture_dur(tstamps, 300)

(Timedelta('72 days 11:49:02'),
 False,
 [Timedelta('22 days 17:42:10'),
  Timedelta('22 days 04:43:46'),
  Timedelta('16 days 20:00:20'),
  Timedelta('10 days 17:22:46')])

As seen, the capture is rather continuous - consisting of three/four blocks of data with length over 10 days (two 20+ days), which is more than most continuous datasets offer. Nevertheless, since we need to look at the data as a whole, we consider the data discountinous, although its continuity patters are very plausible.