In [1]:
import sqlite3
import pandas as pd


In [2]:
# Load CSV
df = pd.read_csv("downloads/cybersecurity_threat_dataset.csv")

# Create SQLite database
conn = sqlite3.connect("cyber_threats.db")

# Load DataFrame into SQL table
df.to_sql("cyber_threats", conn, if_exists="replace", index=False)

print("Dataset loaded into SQLite database.")


Dataset loaded into SQLite database.


In [3]:
query = "SELECT * FROM cyber_threats LIMIT 5;"
pd.read_sql(query, conn)

Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,device_affected,operating_system,target_system,protocol,port,status,detected_by,impact_level,mitigation_action
0,INC0001,2026-01-05 00:27:05,Malware,USB,Low,Australia,Brazil,171.127.95.117,Firewall,Windows,Cloud VM,TCP,25,Blocked,SIEM,Low,Patch Applied
1,INC0002,2025-12-26 05:18:05,Malware,Email,Critical,China,Germany,194.146.3.19,Mobile,macOS,Database,HTTPS,443,Failed,IDS,Severe,Patch Applied
2,INC0003,2025-12-12 20:46:05,DDoS,USB,Low,Australia,India,156.224.186.234,Server,iOS,Database,TCP,25,Successful,IPS,Severe,System Isolated
3,INC0004,2025-12-28 00:37:05,DDoS,Web,High,China,Australia,110.16.33.198,Router,Android,IoT Device,UDP,80,Mitigated,IDS,Severe,User Alerted
4,INC0005,2026-01-02 09:14:05,Ransomware,Email,Low,Australia,UK,193.118.71.152,Desktop,iOS,Application Server,HTTP,8080,Failed,SIEM,Critical,System Isolated


In [4]:
query = "SELECT * FROM cyber_threats;"
pd.read_sql(query, conn).head()

Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,device_affected,operating_system,target_system,protocol,port,status,detected_by,impact_level,mitigation_action
0,INC0001,2026-01-05 00:27:05,Malware,USB,Low,Australia,Brazil,171.127.95.117,Firewall,Windows,Cloud VM,TCP,25,Blocked,SIEM,Low,Patch Applied
1,INC0002,2025-12-26 05:18:05,Malware,Email,Critical,China,Germany,194.146.3.19,Mobile,macOS,Database,HTTPS,443,Failed,IDS,Severe,Patch Applied
2,INC0003,2025-12-12 20:46:05,DDoS,USB,Low,Australia,India,156.224.186.234,Server,iOS,Database,TCP,25,Successful,IPS,Severe,System Isolated
3,INC0004,2025-12-28 00:37:05,DDoS,Web,High,China,Australia,110.16.33.198,Router,Android,IoT Device,UDP,80,Mitigated,IDS,Severe,User Alerted
4,INC0005,2026-01-02 09:14:05,Ransomware,Email,Low,Australia,UK,193.118.71.152,Desktop,iOS,Application Server,HTTP,8080,Failed,SIEM,Critical,System Isolated


In [5]:
query = "SELECT COUNT(*) AS total_attacks FROM cyber_threats;"
pd.read_sql(query, conn)

Unnamed: 0,total_attacks
0,320


In [6]:
query = """
SELECT attack_type, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY attack_type
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,attack_type,attack_count
0,Malware,61
1,Ransomware,58
2,Phishing,58
3,DDoS,56
4,Brute Force,45
5,SQL Injection,42


In [7]:
query = """
SELECT severity, COUNT(*) AS count
FROM cyber_threats
GROUP BY severity;
"""
pd.read_sql(query, conn)

Unnamed: 0,severity,count
0,Critical,82
1,High,77
2,Low,67
3,Medium,94


In [8]:
query = """
SELECT *
FROM cyber_threats
WHERE severity = 'High';
"""
pd.read_sql(query, conn).head()

Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,device_affected,operating_system,target_system,protocol,port,status,detected_by,impact_level,mitigation_action
0,INC0004,2025-12-28 00:37:05,DDoS,Web,High,China,Australia,110.16.33.198,Router,Android,IoT Device,UDP,80,Mitigated,IDS,Severe,User Alerted
1,INC0009,2025-12-03 13:16:05,Malware,Web,High,Germany,Brazil,97.215.135.150,Server,iOS,Web Server,HTTP,8080,Failed,SIEM,Moderate,System Isolated
2,INC0014,2025-12-25 22:18:05,Ransomware,Network,High,China,Australia,29.57.224.36,Server,Android,Cloud VM,TCP,443,Successful,Firewall,Severe,System Isolated
3,INC0015,2026-01-02 20:42:05,Malware,Email,High,China,Australia,74.86.120.179,Router,macOS,Web Server,HTTP,80,Blocked,Antivirus,Critical,Traffic Filtered
4,INC0017,2026-01-04 04:48:05,Ransomware,Cloud,High,France,UK,164.137.70.142,Server,macOS,Application Server,HTTP,21,Mitigated,IPS,Moderate,IP Blocked


In [9]:
query = """
SELECT source_country, COUNT(*) AS total_attacks
FROM cyber_threats
GROUP BY source_country
ORDER BY total_attacks DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,source_country,total_attacks
0,France,45
1,China,43
2,Germany,39
3,Russia,36
4,India,36
5,Australia,35
6,USA,33
7,Brazil,27
8,UK,26


In [10]:
query = """
SELECT device_affected, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY device_affected
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,device_affected,attack_count
0,Router,65
1,Server,60
2,Mobile,52
3,Laptop,50
4,Firewall,48
5,Desktop,45


In [11]:
query = """
SELECT status, COUNT(*) AS count
FROM cyber_threats
GROUP BY status;
"""
pd.read_sql(query, conn)

Unnamed: 0,status,count
0,Blocked,75
1,Failed,84
2,Mitigated,89
3,Successful,72


In [12]:
query = """
SELECT target_system, COUNT(*) AS count
FROM cyber_threats
GROUP BY target_system
ORDER BY count DESC
LIMIT 10;
"""
pd.read_sql(query, conn)

Unnamed: 0,target_system,count
0,Web Server,75
1,Database,67
2,Cloud VM,62
3,Application Server,62
4,IoT Device,54


In [13]:
query = """
SELECT AVG(impact_level) AS avg_impact
FROM cyber_threats;
"""
pd.read_sql(query, conn)

Unnamed: 0,avg_impact
0,0.0


In [14]:

query = "PRAGMA table_info(cyber_threats);"
pd.read_sql(query, conn)

Unnamed: 0,cid,name,type,notnull,dflt_value,pk
0,0,incident_id,TEXT,0,,0
1,1,timestamp,TEXT,0,,0
2,2,attack_type,TEXT,0,,0
3,3,attack_vector,TEXT,0,,0
4,4,severity,TEXT,0,,0
5,5,source_country,TEXT,0,,0
6,6,target_country,TEXT,0,,0
7,7,source_ip,TEXT,0,,0
8,8,device_affected,TEXT,0,,0
9,9,operating_system,TEXT,0,,0


In [15]:
query = "SELECT DISTINCT impact_level FROM cyber_threats;"
pd.read_sql(query, conn)

Unnamed: 0,impact_level
0,Low
1,Severe
2,Critical
3,Moderate


In [16]:
impact_mapping = {
    "Low": 1,
    "Medium": 2,
    "High": 3,
    "Critical": 4
}

df['impact_level_numeric'] = df['impact_level'].map(impact_mapping)

In [17]:
df.to_sql("cyber_threats", conn, if_exists="replace", index=False)


320

In [18]:
query = """
SELECT AVG(impact_level_numeric) AS avg_impact
FROM cyber_threats;
"""
pd.read_sql(query, conn)


Unnamed: 0,avg_impact
0,2.30814


In [19]:
query = """
SELECT attack_type, AVG(impact_level_numeric) AS avg_impact
FROM cyber_threats
GROUP BY attack_type
HAVING AVG(impact_level_numeric) > (
    SELECT AVG(impact_level_numeric) FROM cyber_threats
);
"""
pd.read_sql(query, conn)

Unnamed: 0,attack_type,avg_impact
0,DDoS,2.457143
1,Malware,2.390244
2,Phishing,2.5
3,Ransomware,2.434783


In [20]:
query = """
SELECT attack_type, COUNT(*) AS total_attacks
FROM cyber_threats
GROUP BY attack_type
ORDER BY total_attacks DESC
LIMIT 5;
"""
pd.read_sql(query, conn)

Unnamed: 0,attack_type,total_attacks
0,Malware,61
1,Ransomware,58
2,Phishing,58
3,DDoS,56
4,Brute Force,45


In [21]:
query = """
SELECT source_country, COUNT(*) AS high_severity_attacks
FROM cyber_threats
WHERE severity = 'High'
GROUP BY source_country
ORDER BY high_severity_attacks DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,source_country,high_severity_attacks
0,France,11
1,Russia,10
2,China,10
3,USA,9
4,UK,9
5,India,8
6,Germany,7
7,Australia,7
8,Brazil,6


In [22]:
query = """
SELECT device_affected, attack_type, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY device_affected, attack_type
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,device_affected,attack_type,attack_count
0,Router,Malware,14
1,Desktop,Ransomware,12
2,Mobile,Malware,12
3,Router,DDoS,12
4,Server,Brute Force,12
5,Firewall,Phishing,11
6,Firewall,Ransomware,11
7,Mobile,Brute Force,11
8,Router,Phishing,11
9,Router,SQL Injection,11


In [23]:
query = """
SELECT detected_by, COUNT(*) AS detected_attacks
FROM cyber_threats
GROUP BY detected_by
ORDER BY detected_attacks DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,detected_by,detected_attacks
0,SIEM,68
1,IDS,67
2,Firewall,63
3,IPS,61
4,Antivirus,61


In [24]:
query = """
SELECT attack_type, ROUND(AVG(impact_level_numeric), 2) AS avg_impact
FROM cyber_threats
GROUP BY attack_type
ORDER BY avg_impact DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,attack_type,avg_impact
0,Phishing,2.5
1,DDoS,2.46
2,Ransomware,2.43
3,Malware,2.39
4,Brute Force,2.0
5,SQL Injection,1.88


In [25]:
query = """
SELECT operating_system, COUNT(*) AS total_attacks
FROM cyber_threats
GROUP BY operating_system
ORDER BY total_attacks DESC;
"""
pd.read_sql(query, conn)

Unnamed: 0,operating_system,total_attacks
0,Windows,72
1,macOS,70
2,Android,64
3,iOS,62
4,Linux,52


In [26]:
query = """
SELECT status, COUNT(*) AS count
FROM cyber_threats
GROUP BY status;
"""
pd.read_sql(query, conn)

Unnamed: 0,status,count
0,Blocked,75
1,Failed,84
2,Mitigated,89
3,Successful,72
