<a href="https://colab.research.google.com/github/24NAVEENOS12/Development-of-Interactive-Cyber-Threat-Visualization-Dashboard/blob/main/SQL_Cyber_Threat_Analysis.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# **SQL Task â€“ Cyber Threat Data Analysis**

In [3]:
import sqlite3

# Create an in-memory SQLite database connection
conn = sqlite3.connect(':memory:')

# Write the DataFrame to a SQLite table
df.to_sql('cybersecurity_incidents', conn, index=False, if_exists='replace')

print("SQLite database created and DataFrame loaded into 'cybersecurity_incidents' table.")


SQLite database created and DataFrame loaded into 'cybersecurity_incidents' table.


In [1]:
import pandas as pd
import numpy as np
import random
from datetime import datetime, timedelta

# Define lists for categorical data to ensure consistency
attack_types = ['Phishing', 'Malware', 'Ransomware', 'DDoS', 'Insider Threat', 'SQL Injection', 'XSS', 'Brute Force', 'Zero-day Exploit', 'Man-in-the-Middle']
attack_vectors = ['Email', 'Network Vulnerability', 'Web Application', 'Physical Access', 'Cloud Misconfiguration', 'IoT Device']
severities = ['Low', 'Medium', 'High', 'Critical']
source_countries = ['USA', 'China', 'Russia', 'North Korea', 'Iran', 'Germany', 'UK', 'India', 'Brazil', 'Canada']
target_countries = ['USA', 'Canada', 'UK', 'Germany', 'France', 'Australia', 'Japan', 'South Korea']
operating_systems = ['Windows Server 2019', 'Windows 10', 'Linux (Ubuntu)', 'Linux (RedHat)', 'macOS', 'Android', 'iOS']
device_types = ['Workstation', 'Server', 'Medical Device', 'IoT Sensor', 'Network Router', 'Cloud Instance', 'Database Server']
target_systems = ['Electronic Health Records (EHR)', 'Billing System', 'Patient Monitoring', 'Radiology PACS', 'Laboratory Information System (LIS)', 'Network Infrastructure']
protocols = ['HTTP', 'HTTPS', 'FTP', 'SFTP', 'SSH', 'RDP', 'DICOM', 'HL7']
ports = ['80', '443', '21', '22', '3389', '1433', '25', '53', '445']
statuses = ['Detected', 'Mitigated', 'Ongoing', 'Containment', 'Eradicated', 'Recovered']
detected_by_options = ['SIEM', 'IDS/IPS', 'Firewall', 'Antivirus', 'User Report', 'Threat Intelligence', 'Security Team']
impact_levels = ['Data Breach', 'System Downtime', 'Financial Loss', 'Reputational Damage', 'Operational Disruption', 'Patient Care Interruption']
mitigation_actions = ['Isolate System', 'Patch Vulnerability', 'Block IP', 'Reset Passwords', 'Restore from Backup', 'Incident Response Plan Executed', 'Forensic Investigation']

# Number of records
num_records = 350 # More than 300

# Generate data
data = {
    'incident_id': [f'INC{i:05d}' for i in range(1, num_records + 1)],
    'timestamp': [
        (datetime.now() - timedelta(days=random.randint(0, 365), hours=random.randint(0, 23), minutes=random.randint(0, 59)))
        .strftime('%Y-%m-%d %H:%M:%S') for _ in range(num_records)
    ],
    'attack_type': random.choices(attack_types, k=num_records),
    'attack_vector': random.choices(attack_vectors, k=num_records),
    'severity': random.choices(severities, weights=[0.4, 0.3, 0.2, 0.1], k=num_records),
    'source_country': random.choices(source_countries, k=num_records),
    'target_country': random.choices(target_countries, k=num_records),
    'source_ip': [f'{random.randint(1, 254)}.{random.randint(0, 254)}.{random.randint(0, 254)}.{random.randint(1, 254)}' for _ in range(num_records)],
    'device_affected': random.choices(device_types, k=num_records),
    'operating_system': random.choices(operating_systems, k=num_records),
    'target_system': random.choices(target_systems, k=num_records),
    'protocol': random.choices(protocols, k=num_records),
    'port': random.choices(ports, k=num_records),
    'status': random.choices(statuses, k=num_records),
    'detected_by': random.choices(detected_by_options, k=num_records),
    'impact_level': random.choices(impact_levels, k=num_records),
    'mitigation_action': random.choices(mitigation_actions, k=num_records),
}

# Create DataFrame
df = pd.DataFrame(data)

# Ensure realism for certain columns
# For example, if attack_type is Ransomware, impact_level is likely System Downtime or Data Breach
for i in range(num_records):
    if df.loc[i, 'attack_type'] == 'Ransomware':
        df.loc[i, 'impact_level'] = random.choice(['System Downtime', 'Data Breach', 'Operational Disruption'])
        df.loc[i, 'mitigation_action'] = random.choice(['Restore from Backup', 'Incident Response Plan Executed'])
        df.loc[i, 'severity'] = random.choice(['High', 'Critical'])
    elif df.loc[i, 'attack_type'] == 'Phishing':
        df.loc[i, 'attack_vector'] = 'Email'
        df.loc[i, 'impact_level'] = random.choice(['Data Breach', 'Reputational Damage'])

# Output the CSV content
csv_output = df.to_csv(index=False)
print(csv_output)


incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,device_affected,operating_system,target_system,protocol,port,status,detected_by,impact_level,mitigation_action
INC00001,2025-05-15 06:26:07,Zero-day Exploit,Cloud Misconfiguration,Medium,USA,Canada,191.106.12.7,Cloud Instance,Linux (Ubuntu),Network Infrastructure,SSH,3389,Containment,SIEM,System Downtime,Isolate System
INC00002,2025-05-19 14:26:07,Malware,Network Vulnerability,High,India,USA,189.127.107.218,Workstation,macOS,Laboratory Information System (LIS),HTTPS,80,Eradicated,Security Team,Data Breach,Isolate System
INC00003,2025-07-07 09:03:07,Ransomware,Web Application,High,USA,Canada,178.70.35.23,IoT Sensor,Android,Radiology PACS,HTTPS,1433,Mitigated,Threat Intelligence,Operational Disruption,Restore from Backup
INC00004,2025-11-09 07:09:07,XSS,Email,High,India,France,187.67.137.215,Server,Linux (Ubuntu),Billing System,SSH,25,Mitigated,User Report,Patient Care Interruption,Incident R

In [4]:
# Function to run SQL queries and display results
def run_sql_query(query):
    return pd.read_sql_query(query, conn)

# Verify by querying the table
query = "SELECT * FROM cybersecurity_incidents LIMIT 5;"
result_df = run_sql_query(query)
display(result_df)


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,device_affected,operating_system,target_system,protocol,port,status,detected_by,impact_level,mitigation_action
0,INC00001,2025-05-15 06:26:07,Zero-day Exploit,Cloud Misconfiguration,Medium,USA,Canada,191.106.12.7,Cloud Instance,Linux (Ubuntu),Network Infrastructure,SSH,3389,Containment,SIEM,System Downtime,Isolate System
1,INC00002,2025-05-19 14:26:07,Malware,Network Vulnerability,High,India,USA,189.127.107.218,Workstation,macOS,Laboratory Information System (LIS),HTTPS,80,Eradicated,Security Team,Data Breach,Isolate System
2,INC00003,2025-07-07 09:03:07,Ransomware,Web Application,High,USA,Canada,178.70.35.23,IoT Sensor,Android,Radiology PACS,HTTPS,1433,Mitigated,Threat Intelligence,Operational Disruption,Restore from Backup
3,INC00004,2025-11-09 07:09:07,XSS,Email,High,India,France,187.67.137.215,Server,Linux (Ubuntu),Billing System,SSH,25,Mitigated,User Report,Patient Care Interruption,Incident Response Plan Executed
4,INC00005,2025-04-28 04:44:07,DDoS,Network Vulnerability,High,North Korea,Germany,215.220.182.119,Workstation,Windows Server 2019,Electronic Health Records (EHR),SSH,21,Detected,Threat Intelligence,Operational Disruption,Restore from Backup


**Show the first 10 rows of the dataframe**

In [2]:
display(df.head(10))

Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,device_affected,operating_system,target_system,protocol,port,status,detected_by,impact_level,mitigation_action
0,INC00001,2025-05-15 06:26:07,Zero-day Exploit,Cloud Misconfiguration,Medium,USA,Canada,191.106.12.7,Cloud Instance,Linux (Ubuntu),Network Infrastructure,SSH,3389,Containment,SIEM,System Downtime,Isolate System
1,INC00002,2025-05-19 14:26:07,Malware,Network Vulnerability,High,India,USA,189.127.107.218,Workstation,macOS,Laboratory Information System (LIS),HTTPS,80,Eradicated,Security Team,Data Breach,Isolate System
2,INC00003,2025-07-07 09:03:07,Ransomware,Web Application,High,USA,Canada,178.70.35.23,IoT Sensor,Android,Radiology PACS,HTTPS,1433,Mitigated,Threat Intelligence,Operational Disruption,Restore from Backup
3,INC00004,2025-11-09 07:09:07,XSS,Email,High,India,France,187.67.137.215,Server,Linux (Ubuntu),Billing System,SSH,25,Mitigated,User Report,Patient Care Interruption,Incident Response Plan Executed
4,INC00005,2025-04-28 04:44:07,DDoS,Network Vulnerability,High,North Korea,Germany,215.220.182.119,Workstation,Windows Server 2019,Electronic Health Records (EHR),SSH,21,Detected,Threat Intelligence,Operational Disruption,Restore from Backup
5,INC00006,2025-01-06 00:43:07,DDoS,Cloud Misconfiguration,Low,Brazil,France,208.238.16.212,IoT Sensor,Linux (Ubuntu),Laboratory Information System (LIS),RDP,53,Mitigated,SIEM,Data Breach,Block IP
6,INC00007,2025-05-03 15:58:07,Zero-day Exploit,IoT Device,Low,China,Canada,95.64.16.8,Cloud Instance,Android,Patient Monitoring,FTP,3389,Detected,Security Team,Patient Care Interruption,Isolate System
7,INC00008,2025-03-11 21:10:07,Phishing,Email,Low,Russia,Australia,207.118.234.149,IoT Sensor,Linux (Ubuntu),Network Infrastructure,SFTP,3389,Containment,Security Team,Reputational Damage,Restore from Backup
8,INC00009,2025-02-18 15:02:07,Malware,IoT Device,Low,India,Japan,244.144.48.47,Server,Windows 10,Radiology PACS,HL7,3389,Eradicated,Antivirus,Operational Disruption,Patch Vulnerability
9,INC00010,2025-06-15 04:19:07,Malware,IoT Device,Low,China,USA,25.49.144.15,Database Server,Android,Billing System,HL7,443,Eradicated,Security Team,Patient Care Interruption,Incident Response Plan Executed


**Count the occurrences of each attack type**

In [6]:
query = """SELECT attack_type, COUNT(*) AS occurrence_count FROM cybersecurity_incidents GROUP BY attack_type ORDER BY occurrence_count DESC;"""
result_df = run_sql_query(query)
display(result_df)

Unnamed: 0,attack_type,occurrence_count
0,XSS,50
1,Brute Force,45
2,Man-in-the-Middle,41
3,Malware,38
4,Zero-day Exploit,35
5,Insider Threat,34
6,Phishing,29
7,Ransomware,28
8,SQL Injection,27
9,DDoS,23


**Analyze the number of cyber attacks based on severity levels.**

In [7]:
query = """SELECT severity, COUNT(*) AS attack_count FROM cybersecurity_incidents GROUP BY severity ORDER BY attack_count DESC;"""
result_df = run_sql_query(query)
display(result_df)

Unnamed: 0,severity,attack_count
0,Medium,112
1,Low,112
2,High,79
3,Critical,47


**Retrieve all cyber attacks classified as Low severity.**

In [11]:
query = """SELECT * FROM cybersecurity_incidents WHERE severity = 'Low';"""
result_df = run_sql_query(query)
display(result_df)

Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,device_affected,operating_system,target_system,protocol,port,status,detected_by,impact_level,mitigation_action
0,INC00006,2025-01-06 00:43:07,DDoS,Cloud Misconfiguration,Low,Brazil,France,208.238.16.212,IoT Sensor,Linux (Ubuntu),Laboratory Information System (LIS),RDP,53,Mitigated,SIEM,Data Breach,Block IP
1,INC00007,2025-05-03 15:58:07,Zero-day Exploit,IoT Device,Low,China,Canada,95.64.16.8,Cloud Instance,Android,Patient Monitoring,FTP,3389,Detected,Security Team,Patient Care Interruption,Isolate System
2,INC00008,2025-03-11 21:10:07,Phishing,Email,Low,Russia,Australia,207.118.234.149,IoT Sensor,Linux (Ubuntu),Network Infrastructure,SFTP,3389,Containment,Security Team,Reputational Damage,Restore from Backup
3,INC00009,2025-02-18 15:02:07,Malware,IoT Device,Low,India,Japan,244.144.48.47,Server,Windows 10,Radiology PACS,HL7,3389,Eradicated,Antivirus,Operational Disruption,Patch Vulnerability
4,INC00010,2025-06-15 04:19:07,Malware,IoT Device,Low,China,USA,25.49.144.15,Database Server,Android,Billing System,HL7,443,Eradicated,Security Team,Patient Care Interruption,Incident Response Plan Executed
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
107,INC00339,2025-04-17 23:53:07,Insider Threat,Physical Access,Low,Russia,Japan,192.124.238.4,Cloud Instance,Windows Server 2019,Electronic Health Records (EHR),SFTP,53,Recovered,Threat Intelligence,System Downtime,Restore from Backup
108,INC00340,2025-10-31 19:19:07,Brute Force,IoT Device,Low,North Korea,USA,64.53.204.135,Workstation,Linux (RedHat),Patient Monitoring,SSH,1433,Recovered,Firewall,Operational Disruption,Restore from Backup
109,INC00342,2025-10-29 06:44:07,SQL Injection,Physical Access,Low,India,Japan,184.245.119.7,Server,macOS,Billing System,DICOM,25,Ongoing,Firewall,System Downtime,Patch Vulnerability
110,INC00343,2025-12-22 01:07:07,Brute Force,Cloud Misconfiguration,Low,Canada,UK,14.171.209.240,Network Router,Linux (Ubuntu),Electronic Health Records (EHR),HL7,21,Containment,Antivirus,Patient Care Interruption,Block IP


**Analyze cyber attacks based on source country.**

In [8]:
query = """SELECT source_country, COUNT(*) AS attack_count FROM cybersecurity_incidents GROUP BY source_country ORDER BY attack_count DESC;"""
result_df = run_sql_query(query)
display(result_df)

Unnamed: 0,source_country,attack_count
0,Brazil,45
1,China,44
2,Germany,40
3,Canada,40
4,UK,35
5,North Korea,34
6,USA,31
7,Iran,28
8,Russia,27
9,India,26


**Identify the most frequently affected devices in cyber attacks.**

In [9]:
query = """SELECT device_affected, COUNT(*) AS attack_count FROM cybersecurity_incidents GROUP BY device_affected ORDER BY attack_count DESC;"""
result_df = run_sql_query(query)
display(result_df)

Unnamed: 0,device_affected,attack_count
0,Workstation,70
1,IoT Sensor,54
2,Network Router,53
3,Cloud Instance,50
4,Database Server,48
5,Server,44
6,Medical Device,31


**Analyze the number of successful versus blocked cyber attacks.**

In [10]:
query = """SELECT status, COUNT(*) AS attack_count FROM cybersecurity_incidents GROUP BY status ORDER BY attack_count DESC;"""
result_df = run_sql_query(query)
display(result_df)

Unnamed: 0,status,attack_count
0,Mitigated,69
1,Eradicated,60
2,Detected,60
3,Ongoing,56
4,Containment,54
5,Recovered,51
