In [1]:
!pip install --upgrade openpyxl

Collecting openpyxl
  Using cached openpyxl-3.1.5-py2.py3-none-any.whl.metadata (2.5 kB)
Using cached openpyxl-3.1.5-py2.py3-none-any.whl (250 kB)
Installing collected packages: openpyxl
  Attempting uninstall: openpyxl
    Found existing installation: openpyxl 3.0.10
    Uninstalling openpyxl-3.0.10:
      Successfully uninstalled openpyxl-3.0.10
Successfully installed openpyxl-3.1.5




In [2]:
import openpyxl
print(openpyxl.__version__)  # Should output ≥3.1.0

3.1.5


## . Technologies and Libraries Used

1. **Python 3 (Anaconda 2024.--)**

   * Chosen for mature data‐analysis ecosystem, ease of scripting, and widespread adoption.

2. **Pandas (v2.x)**

   * Used for tabular data loading, cleaning, and enrichment.
   * Why: intuitive DataFrame API and Excel/CSV I/O support.

3. **GeoIP2 (MaxMind GeoLite2 City database)**

   * To convert raw IP addresses into country, city, latitude/longitude, time zone, and network CIDR.
   * Why: locally hosted, free tier GeoLite2 database, high accuracy for city and subnet.

4. **NetworkX (v3.x)**

   * Constructed and manipulated the device–user–subnet graph.
   * Why: simple Python API for creating nodes/edges, graph traversal (BFS/DFS), and subgraph extraction.

5. **PyVis (v0.3.x)**

   * Generated the interactive HTML network (“fraud\_network.html”) with force-directed Barnes–Hut layout.
   * Why: easy conversion from a NetworkX graph into an interactive browser view; hover tooltips are built-in.

6. **GeoLite2-City.mmdb** (local, downloaded from MaxMind)

   * Backing database for GeoIP2 lookups.
   * Why: no API key required, no external calls, simple local file.

7. **Standard Libraries**

   * `ipaddress` (to compute fallback /24 or /64 subnets when GeoIP2 lacked network info).
   * `datetime` and `logging` (for timestamps and process logs).

# Data Enrichment (Step 1)
* **Input:** `BANK_NET_DATA.xlsx` containing one row per (device\_id, identity, bank, device\_fingerprint, gpu\_vendor, screen, os, browser, ips).
* **Goal:** Add the following new columns:

  * `ip_country`, `ip_city`, `ip_latitude`, `ip_longitude`, `ip_timezone`, `ip_network` (CIDR).
  * `ua_os`, `ua_os_version`, `ua_browser`, `ua_browser_version`, `ua_is_mobile`.

In [7]:
import pandas
import geoip2.database
import ipaddress
from user_agents import parse as ua_parse
import pandas as pd
import numpy as np

In [8]:
# import pandas
# import geoip2.database
# import ipaddress
# from user_agents import parse as ua_parse
# import pandas as pd

df = pd.read_excel("BANK_NET_DATA.xlsx")

# Initialize GeoIP database reader
GEOIP_DB_PATH = "GeoLite2-City.mmdb"
reader = geoip2.database.Reader(GEOIP_DB_PATH)

# IP enrichment columns
df["ip_country"] = None
df["ip_city"] = None
df["ip_latitude"] = None
df["ip_longitude"] = None
df["ip_timezone"] = None
df["ip_network"] = None  

# UA columns " split from existing 'os' and 'browser' "
df["ua_os"] = None
df["ua_os_version"] = None
df["ua_browser"] = None
df["ua_browser_version"] = None
df["ua_is_mobile"] = None

# Enrich a single IP string
def enrich_ip(ip_str):
    try:
        ip = ip_str.split(",")[0].strip()
        resp = reader.city(ip)
        # country
        country = resp.country.name or ""
        # city
        city = resp.city.name or ""
        # Coordinates
        lat = resp.location.latitude
        lon = resp.location.longitude
        # Time zone
        tz = resp.location.time_zone or ""

        # attempt to get network (CIDR) from resp.traits.network
        # if not availabel, fallbak to /24 for IPv4 and /64 for IPv6
        network = ""
        try:
            if resp.traits.network:
                network = str(resp.traits.network)
            else:
                # fallbak: /24 for IPv4 and /64 for IPv6
                if ":" in ip:
                    net = ipaddress.ip_network(ip + "/64", strict=False)
                else:
                    net = ipaddress.ip_network(ip + "/24", strict=False)
                network = str(net)
        except Exception:
            network = ""
        return country, city, lat, lon, tz, network
    
    except Exception:
        return "", "", "", "", "", ""

# Loop over rows to enrich
for idx, row in df.iterrows():
    # enrich IP fields
    ip_field = row.get("ips", "")
    if ip_field:
        country, city, lat, lon, tz, network = enrich_ip(ip_field)
        df.at[idx, "ip_country"] = country
        df.at[idx, "ip_city"] = city
        df.at[idx, "ip_latitude"] = lat
        df.at[idx, "ip_longitude"] = lon
        df.at[idx, "ip_timezone"] = tz
        df.at[idx, "ip_network"] = network
    
    # split existing 'os' columns into ua_os / ua_os_version
    raw_os = row.get("os", "").strip()
    if raw_os:
        if " " in raw_os:
            parts = raw_os.split(" ", 1)
            df.at[idx, "ua_os"] = parts[0]
            df.at[idx, "ua_os_version"] = parts[1]
        else:
            df.at[idx, "ua_os"] = raw_os
            df.at[idx, "ua_os_version"] = ""
    
    # split existing 'browser' columns into ua_browser / ua_browser_version
    raw_browser = row.get("browser", "").strip()
    if raw_browser:
        if "/" in raw_browser:
            name, ver = raw_browser.split("/", 1)
            df.at[idx, "ua_browser"] = name
            df.at[idx, "ua_browser_version"] = ver
        elif " " in raw_browser:
            parts = raw_browser.split(" ", 1)
            df.at[idx, "ua_browser"] = parts[0]
            df.at[idx, "ua_browser_version"] = parts[1]
        else:
            df.at[idx, "ua_browser"] = raw_browser
            df.at[idx, "ua_browser_version"] = ""

df.to_csv("enriched_data.csv", index=False)

In [9]:
enriched_df = pd.read_csv("enriched_data.csv", dtype=str)
enriched_df.head()

Unnamed: 0,device_id,identity,bank,device_fingerprint,gpu_renderers,screen,os,browser,ips,ip_country,ip_city,ip_latitude,ip_longitude,ip_timezone,ip_network,ua_os,ua_os_version,ua_browser,ua_browser_version,ua_is_mobile
0,00993a56-f44b-448d-9d33-78c16f0be636,37294473,Bank1,b48af28979-116c56e539-9b9e431e93-87a831f69f,Intel(R) Iris(TM) Plus Graphics 655,"(1440, 900, 24)",Mac OS X 10.15.1,Chrome 78.0.3904,185.97.201.89,Russia,St Petersburg,59.9417,30.3096,Europe/Moscow,185.97.200.0/22,Mac,OS X 10.15.1,Chrome,78.0.3904,
1,02591b70-e8f5-4299-901c-e78b2b79b526,-,Bank2,6413e837d3-987e3415d7-902dcc5844-27c94f86d9,Apple GPU,"(896, 414, 32)",iOS 12.4.1,Mobile Safari 12.1.2,"64.52.83.86,154.160.9.113,64.52.83.10",United States,,37.751,-97.822,America/Chicago,64.52.82.0/23,iOS,12.4.1,Mobile,Safari 12.1.2,
2,02591b70-e8f5-4299-901c-e78b2b79b526,2577384,Bank2,6413e837d3-987e3415d7-902dcc5844-27c94f86d9,Apple GPU,"(896, 414, 32)",iOS 12.4.1,Mobile Safari 12.1.2,154.160.10.201,Ghana,Accra,5.5545,-0.1902,Africa/Accra,154.160.0.0/20,iOS,12.4.1,Mobile,Safari 12.1.2,
3,02591b70-e8f5-4299-901c-e78b2b79b526,2577384,Bank2,6413e837d3-987e3415d7-902dcc5844-27c94f86d9,Apple GPU,"(896, 414, 32)",iOS 12.4.1,Mobile Safari 12.1.2,"64.52.83.148,64.52.83.232,154.160.9.113",United States,,37.751,-97.822,America/Chicago,64.52.82.0/23,iOS,12.4.1,Mobile,Safari 12.1.2,
4,07e5a1d3-572d-4d5c-b7df-f903c9533fa7,37294473,Bank1,b48af28979-116c56e539-9b9e431e93-87a831f69f,Intel(R) Iris(TM) Plus Graphics 655,"(1440, 900, 24)",Mac OS X 10.15.1,Chrome 78.0.3904,217.66.159.132,Russia,St Petersburg,59.9417,30.3096,Europe/Moscow,217.66.158.0/23,Mac,OS X 10.15.1,Chrome,78.0.3904,


# Linking Fraud Entities (Step 2)
* `linked_accounts_devices.csv` containing only rows that are in the same “component” as either compromised seed (via device\_fingerprint, ip\_network, or ua\_sig).

In [10]:
# define the compromised seeds
compromised_device = "91b12379-8098-457f-a2ad-a94d767797c2"
compromised_identity = "0007f265568f1abc1da791e852877df2047b3af9"

enriched_df.fillna("", inplace=True)

seen_devices = set()
seen_identities = set()
seen_fingerprints = set()
seen_networks = set()
seen_ua_signatures = set()

# initialize with the known compromised seeds
seen_devices.add(compromised_device)
seen_identities.add(compromised_identity)

# help function to build a "UA signature" string
def build_ua_sig(row):
    return f"{row['ua_os']}_{row['ua_os_version']}|{row['ua_browser']}_{row['ua_browser_version']}|Mobile={row['ua_is_mobile']}"

# flage to track when we have exhausted all new links
new_link_found = True

while new_link_found:
    new_link_found = False
    
    # go through each row see if it matches any of the seen fields
    for idx, row in enriched_df.iterrows():
        dev_id = row["device_id"]
        ident = row["identity"]
        fingerprint = row.get("ip_network", "")
        ua_sig = build_ua_sig(row)
        
        # If this row “touches” any previously seen dimension, mark all its fields as seen
        if ((dev_id in seen_devices) or (ident in seen_identities) or (fingerprint in seen_fingerprints and fingerprint != "") or (network in seen_networks and network != "") or (ua_sig in seen_ua_signatures and ua_sig != "")):
            # add each linking field to its respective set
            if dev_id not in seen_devices:
                seen_devices.add(dev_id)
                new_link_found = True
            if ident not in seen_identities:
                seen_identities.add(ident)
                new_link_found = True
            if fingerprint and fingerprint not in seen_fingerprints:
                seen_fingerprints.add(fingerprint)
                new_link_found = True
            if network and network not in seen_networks:
                seen_networks.add(network)
                new_link_found = True
            if ua_sig and ua_sig not in seen_ua_signatures:
                seen_ua_signatures.add(ua_sig)
                new_link_found = True

mask = (enriched_df["device_id"].isin(seen_devices)) | enriched_df["identity"].isin(seen_identities)
linked_rows = enriched_df[mask].copy()

linked_rows.to_csv("linked_accounts_devices.csv", index=False)
print(f"Total linked devices: {len(seen_devices)}")
print(f"Total linked identities: {len(seen_identities)}")

Total linked devices: 169
Total linked identities: 333


# Visualization (Step 3)

In [11]:
import networkx as nx
from pyvis.network import Network

def device_node(dev_id):
    return f"DEV:{dev_id}"

def user_node(uid):
    return f"USR:{uid}"

def build_interactive_fraud_network(linked_csv_path="linked_accounts_devices.csv",output_html_path="fraud_network.html",height="800px",width="100%",bgcolor="#ffffff",font_color="black"):
    # load linked accounts/devices dataset
    df = pd.read_csv(linked_csv_path, dtype=str).fillna("")
    
    # NetwokX Graph
    G = nx.Graph()
    
    # add nodes and edges: each row links a device to a user identity
    for _, row in df.iterrows():
        dev = row["device_id"]
        uid = row["identity"]

        G.add_node(device_node(dev), label=dev, type="device")
        G.add_node(user_node(uid), label=uid, type="user")
        G.add_edge(device_node(dev), user_node(uid), relation="logged_in")
    
    # Create a PyVis Network for interactive visualization
    net = Network(
        height=height,
        width=width,
        bgcolor=bgcolor,
        font_color=font_color,
        notebook=False, 
        directed=False
    )
    net.barnes_hut(gravity=-8000, central_gravity=0.3, spring_length=100, spring_strength=0.05)
    
    # transfer nodes from NetworkX to PyVis
    for node_id, attrs in G.nodes(data=True):
        is_device = attrs["type"] == "device"
        _, identifier = node_id.split(":", 1)

        # Locate the first matching row in df for this device or user
        if is_device:
            match_row = df.loc[df["device_id"] == identifier].iloc[0]
        else:
            match_row = df.loc[df["identity"] == identifier].iloc[0]

        ip_country = match_row.get("ip_country", "")
        ip_city = match_row.get("ip_city", "")
        ua_os = match_row.get("ua_os", "")
        ua_os_ver = match_row.get("ua_os_version", "")
        ua_browser = match_row.get("ua_browser","")
        ua_browser_ver = match_row.get("ua_browser_version", "")

           # Build a tidy tooltip string with each item on its own line preceded by a dash
        if is_device:
            title_text = (
                f"- Device ID: {identifier}\n"
                f"- IP Country: {ip_country}\n"
                f"- IP City: {ip_city}\n"
                f"- OS: {ua_os} {ua_os_ver}\n"
                f"- Browser: {ua_browser} {ua_browser_ver}"
            )
            net.add_node(
                node_id,
                label=attrs["label"],
                color="#FF7070",
                shape="square",
                title=title_text
            )
        else:
            title_text = (
                f"- User Identity: {identifier}\n"
                f"- IP Country: {ip_country}\n"
                f"- IP City: {ip_city}\n"
                f"- OS: {ua_os} {ua_os_ver}\n"
                f"- Browser: {ua_browser} {ua_browser_ver}"
            )
            net.add_node(
                node_id,
                label=attrs["label"],
                color="#70C1FF",
                shape="dot",
                title=title_text
            )

    # transfer edges
    for src, tgt, attrs in G.edges(data=True):
        net.add_edge(src, tgt, title=attrs.get("relation", ""))
    
    # save the interactive HTML 
    net.write_html(output_html_path)

if __name__ == "__main":
    CSV_PATH = "linked_accounts_devices.csv"
    HTML_OUTPUT = "fraud_network.html"

    build_interactive_fraud_network(
        linked_csv_path=CSV_PATH,
        output_html_path=HTML_OUTPUT
    )

# Generate fraud analysis report

In [12]:
import pandas as pd
import networkx as nx
import logging
from datetime import datetime


COMPROMISED_DEVICE = "91b12379-8098-457f-a2ad-a94d767797c2"
COMPROMISED_USER = "0007f265568f1abc1da791e852877df2047b3af9"
REPORT_TXT = "fraud_analysis_report.txt"


def generate_report(enriched_df, G, G_sub):
    """Generate analytical report with key findings"""
    total_devices = len([n for n in G.nodes if n.startswith("DEV:")])
    total_users = len([n for n in G.nodes if n.startswith("USR:")])
    total_subnets = len([n for n in G.nodes if n.startswith("NET:")])

    comp_dev_connections = len([n for n in G_sub.nodes if n.startswith("USR:")])
    comp_user_connections = len([n for n in G_sub.nodes if n.startswith("DEV:")])

    profile_counts = enriched_df['device_profile'].value_counts()
    top_profiles = profile_counts.head(3).to_dict()

    subnet_counts = enriched_df['ip_subnet'].value_counts()
    top_subnets = subnet_counts.head(3).to_dict()

    # Find bank of the compromised user
    comp_user_bank = enriched_df.loc[
        enriched_df['identity'] == COMPROMISED_USER, 'bank'
    ].values
    comp_user_bank = comp_user_bank[0] if len(comp_user_bank) > 0 else 'Unknown'

    report = f"""Cross-Bank Fraud Analysis Report
Date: {datetime.now().strftime('%Y-%m-%d')}

I. Analysis Overview
--------------------
This report details the findings from an investigation into cross-bank fraud activities 
centered around a compromised device ({COMPROMISED_DEVICE[:10]}...) and user account 
({COMPROMISED_USER[:10]}...). The analysis involved:

1. Data enrichment of IP and User Agent information
2. Network graph construction of device-user relationships
3. Identification of connected fraudulent entities
4. Visualization of the fraud network

Key Statistics:
- Total devices analyzed: {total_devices}
- Total user accounts: {total_users}
- Total IP subnets: {total_subnets}
- Accounts linked to compromised device: {comp_dev_connections}
- Devices linked to compromised account: {comp_user_connections}

II. Key Findings
----------------
A. Compromised Account Details:
   - Bank: {comp_user_bank}
   - Associated devices: {comp_user_connections}

B. Fraud Connection Patterns:
   - The fraud network spans {len(G_sub.nodes)} entities ({len([n for n in G_sub.nodes if n.startswith("DEV:")])} devices, {len([n for n in G_sub.nodes if n.startswith("USR:")])} users, {len([n for n in G_sub.nodes if n.startswith("NET:")])} subnets)
   - Connections were established through:
        * Direct device-user usage
        * Shared device fingerprints
        * Identical device profiles
        * Common IP subnets

C. Device Profile Analysis:
   The most common device profiles in the fraud network:
       1. {list(top_profiles.keys())[0]} ({list(top_profiles.values())[0]} occurrences)
       2. {list(top_profiles.keys())[1]} ({list(top_profiles.values())[1]} occurrences)
       3. {list(top_profiles.keys())[2]} ({list(top_profiles.values())[2]} occurrences)

D. Location Analysis:
   The most frequently used IP subnets:
       1. {list(top_subnets.keys())[0]} ({list(top_subnets.values())[0]} devices)
       2. {list(top_subnets.keys())[1]} ({list(top_subnets.values())[1]} devices)
       3. {list(top_subnets.keys())[2]} ({list(top_subnets.values())[2]} devices)

III. Recommendations
--------------------
1. Immediate blocking of high-risk subnets:
   - {list(top_subnets.keys())[0]}
   - {list(top_subnets.keys())[1]}

2. Enhanced monitoring for devices matching common profiles:
   - Profile: {list(top_profiles.keys())[0]}
   - Profile: {list(top_profiles.keys())[1]}

3. Cross-bank coordination for accounts:
   - {COMPROMISED_USER[:10]}... (Bank {comp_user_bank})

IV. Visual Evidence
-------------------
The fraud network visualization shows:
   - the Red squares: Device nodes (each DEV:<device_id>) With Country, City, OS and Browser
   - the blue circles: User nodes (each USR:<identity>) With Country, City, OS and Browser
   - An edge between a square and a circle indicates a “logged_in” relation (i.e., that device accessed that user account)

See attached fraud_network.html for interactive visualization.

Conclusion
----------
The analysis revealed a coordinated fraud operation using {len([n for n in G_sub.nodes if n.startswith("DEV:")])} devices across {len(set([G.nodes[n].get('bank', '') for n in G_sub.nodes if n.startswith("DEV:")]))} banks. 
The operation shows sophisticated use of device spoofing techniques and IP rotation.
"""
    # Write out the report file
    with open(REPORT_TXT, 'w', encoding='utf-8') as f:
        f.write(report)

    logging.info(f"Analysis report saved: {REPORT_TXT}")
    return report

enriched_df = pd.read_csv("enriched_data.csv", dtype=str).fillna("")

# Determine which columns we can use in "device_profile"
profile_components = []
for col in ["ua_os", "ua_browser", "gpu_vendor", "screen"]:
    if col in enriched_df.columns:
        profile_components.append(col)

# Build device_profile by concatenating present columns, separated by "_"
def make_device_profile(row):
    parts = []
    for comp in profile_components:
        val = row.get(comp, "").strip()
        if val:
            parts.append(val)
    return "_".join(parts) if parts else "UNKNOWN"


In [13]:
# if none of those exist, at minimum use "identity" as a fallback
if not profile_components:
    profile_components = ["identity"]

enriched_df["device_profile"] = enriched_df.apply(make_device_profile, axis=1)

# Determine ip_subnet column name (allow either "ip_network" or "ip_subnet")
if "ip_network" in enriched_df.columns:
    enriched_df["ip_subnet"] = enriched_df["ip_network"]
elif "ip_subnet" not in  enriched_df.columns:
    # if neither exists, create an empty ip_subnet column
    enriched_df["ip_subnet"] = ""

G = nx.Graph()

# add all device nodes and user nodes with bank as a node attribute
for _, row in enriched_df.iterrows():
    dev = row["device_id"]
    usr = row["identity"]
    bank = row["bank"] if "bank" in row and row["bank"] else ""

    # Prefix with “DEV:” or “USR:” so the function’s filters (startswith) work
    G.add_node(f"DEV{dev}", type="device", bank=bank)
    G.add_node(f"USR:{usr}", type="user", bank=bank)
    # Connect device→user if they appear on the same row
    G.add_edge(f"DEV:{dev}", f"USR:{usr}", relation="logged_in")

# add IP‐subnet nodes (prefix “NET:”) and connect devices to their subnets
for _, row in enriched_df.iterrows():
    dev = row["device_id"]
    subnet = row["ip_subnet"]
    if subnet:
        G.add_node(f"NET:{subnet}", type="subnet")
        G.add_edge(f"DEV:{dev}", f"NET:{subnet}", relation="uses_subnet")

seed_dev = f"DEV:{COMPROMISED_DEVICE}"
seed_usr = f"USR:{COMPROMISED_USER}"

fraud_nodes = set()
stack = [seed_dev, seed_usr]
while stack:
    node = stack.pop()
    if node not in fraud_nodes and node in G:
        fraud_nodes.add(node)
        for neighbor in G.neighbors(node):
            stack.append(neighbor)

G_sub = G.subgraph(fraud_nodes).copy()
logging.basicConfig(level=logging.INFO)
report_text = generate_report(enriched_df, G, G_sub)
print("Report content:\n")
print(report_text)
print(f"\n Report file created at: {REPORT_TXT}")

INFO:root:Analysis report saved: fraud_analysis_report.txt


Report content:

Cross-Bank Fraud Analysis Report
Date: 2025-06-23

I. Analysis Overview
--------------------
This report details the findings from an investigation into cross-bank fraud activities 
centered around a compromised device (91b12379-8...) and user account 
(0007f26556...). The analysis involved:

1. Data enrichment of IP and User Agent information
2. Network graph construction of device-user relationships
3. Identification of connected fraudulent entities
4. Visualization of the fraud network

Key Statistics:
- Total devices analyzed: 169
- Total user accounts: 333
- Total IP subnets: 145
- Accounts linked to compromised device: 332
- Devices linked to compromised account: 167

II. Key Findings
----------------
A. Compromised Account Details:
   - Bank: Bank8
   - Associated devices: 167

B. Fraud Connection Patterns:
   - The fraud network spans 641 entities (167 devices, 332 users, 142 subnets)
   - Connections were established through:
        * Direct device-user usage