
Combining heuristics

A different cyber analyst tells you that during certain types of attack, the infected source computer sends only small packets in order to avoid detection. This makes you wonder whether it would be better to create a combined heuristic that simultaneously looks for large numbers of ports and small packet sizes. Does this improve performance over the simple port heuristic? As with the last exercise, you have X_train, X_test, y_train and y_test in memory. The sample code also helps you reproduce the outcome of the port heuristic, pred_port. You also have numpy as np and accuracy_score() preloaded.

This exercise is part of the course

Designing Machine Learning Workflows in Python


Exercise instructions

  • The column average_packet computes the average packet size over all flows observed from a single source. Take the mean of those values for bad sources only on the training set.
  • Now construct a new rule which flags as positive all sources whose average traffic is less than the value above.
  • Combine the rules so that both heuristics have to simultaneously apply, using an appropriate arithmetic operation.
  • Report the accuracy of the combined heuristic.

Hands-on interactive exercise

Have a go at this exercise by completing this sample code.

# Compute the mean of average_packet for bad sources
avg_bad_packet = np.mean(____[____]['average_packet'])

# Label as positive if average_packet is lower than that
pred_packet = ____[____] < avg_bad_packet

# Find indices where pred_port and pred_packet both True
pred_port = X_test['unique_ports'] > avg_bad_ports
pred_both = pred_packet ____ pred_port

# Ports only produced an accuracy of 0.919. Is this better?
print(accuracy_score(____, ____))
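A stand-alone version of the combined heuristic, added here as an example that is not the course's sample code: it uses a small constructed set of per-source flow summaries (not the course dataset) and plain Python in place of pandas and sklearn, so the thresholds learned from bad training sources, the AND-combination of the two rules, and the resulting trade-off between false positives and false negatives can be traced by hand.

```python
from statistics import mean

# Constructed toy records, one per source host: (unique_ports, average_packet, is_bad).
# These are made-up values, not the course's dataset.
TRAIN = [(120, 60, 1), (80, 40, 1), (100, 50, 1), (5, 500, 0), (10, 800, 0)]
TEST = [(150, 30, 1), (110, 45, 1), (200, 900, 0), (3, 1200, 0), (90, 20, 1), (8, 40, 0)]


def bad_source_means(train):
    """Mean unique_ports and mean average_packet over bad sources in the training set."""
    bad = [r for r in train if r[2] == 1]
    return mean(r[0] for r in bad), mean(r[1] for r in bad)


def port_rule(rows, avg_bad_ports):
    """Flag sources touching more ports than the average bad source."""
    return [ports > avg_bad_ports for ports, _, _ in rows]


def packet_rule(rows, avg_bad_packet):
    """Flag sources whose average packet is smaller than the average bad source's."""
    return [pkt < avg_bad_packet for _, pkt, _ in rows]


def combine(pred_a, pred_b):
    """Both heuristics must fire: element-wise AND, the `&` of two boolean Series."""
    return [a and b for a, b in zip(pred_a, pred_b)]


def accuracy(y_true, y_pred):
    return sum(int(t) == int(p) for t, p in zip(y_true, y_pred)) / len(y_true)


def confusion(y_true, y_pred):
    """(false positives, false negatives): what the AND actually trades away."""
    fp = sum(1 for t, p in zip(y_true, y_pred) if p and not t)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t and not p)
    return fp, fn


def evaluate(train=TRAIN, test=TEST):
    avg_bad_ports, avg_bad_packet = bad_source_means(train)
    y_test = [r[2] for r in test]
    pred_port = port_rule(test, avg_bad_ports)
    pred_packet = packet_rule(test, avg_bad_packet)
    pred_both = combine(pred_port, pred_packet)
    return {
        "ports_only": (accuracy(y_test, pred_port), confusion(y_test, pred_port)),
        "packets_only": (accuracy(y_test, pred_packet), confusion(y_test, pred_packet)),
        "combined": (accuracy(y_test, pred_both), confusion(y_test, pred_both)),
    }
```

On this toy data the AND removes the port rule's false positive (a benign host that opens many ports but sends large packets) without adding false negatives, which is exactly the question the exercise asks you to test on the real split.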