SQL Queries for cyber_threat_dataset_250_samples.csv

Upload CSV in Colab

In [14]:
from google.colab import files
import pandas as pd

# Upload your CSV file
uploaded = files.upload()

# Get the filename
filename = list(uploaded.keys())[0]

# Load CSV into a pandas DataFrame
df = pd.read_csv(filename)
print("CSV Loaded Successfully")
df.head()


Saving cyber_threat_dataset_250_samples.csv to cyber_threat_dataset_250_samples (1).csv
CSV Loaded Successfully


Unnamed: 0,Year,Attacker_IP,Target_IP,Location,Type_of_Attack,Device_of_Attack,Security_Type
0,2020,93.233.131.112,192.168.152.119,Netherlands,Cryptojacking,IoT Device,MFA
1,2018,56.252.2.168,192.168.157.66,Ukraine,AI-Powered Phishing,Web Server,Antivirus
2,2019,39.199.128.189,192.168.174.201,Russia,Ransomware,IoT Device,Endpoint Security
3,2017,113.4.11.15,192.168.237.166,Germany,Zero-Day Exploit,Mobile Device,User Awareness
4,2021,201.4.36.23,192.168.57.126,Netherlands,Credential Stuffing,Voice Bot,WAF


Create SQLite database & table

In [15]:
import sqlite3

# Connect to SQLite database (it creates a file)
conn = sqlite3.connect('cyber_threats.db')
cursor = conn.cursor()

# Create table
cursor.execute("""
CREATE TABLE IF NOT EXISTS cyber_threats (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    Year INTEGER,
    Attacker_IP TEXT,
    Target_IP TEXT,
    Location TEXT,
    Type_of_Attack TEXT,
    Device_of_Attack TEXT,
    Security_Type TEXT
);
""")
conn.commit()
print("Table created successfully!")


Table created successfully!


Insert CSV data into the table

In [16]:
# Insert data from DataFrame into SQL table
df.to_sql('cyber_threats', conn, if_exists='replace', index=False)
print("Data inserted successfully!")


Data inserted successfully!


View first 10 rows

In [17]:
query = "SELECT * FROM cyber_threats LIMIT 10;"
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Target_IP,Location,Type_of_Attack,Device_of_Attack,Security_Type
0,2020,93.233.131.112,192.168.152.119,Netherlands,Cryptojacking,IoT Device,MFA
1,2018,56.252.2.168,192.168.157.66,Ukraine,AI-Powered Phishing,Web Server,Antivirus
2,2019,39.199.128.189,192.168.174.201,Russia,Ransomware,IoT Device,Endpoint Security
3,2017,113.4.11.15,192.168.237.166,Germany,Zero-Day Exploit,Mobile Device,User Awareness
4,2021,201.4.36.23,192.168.57.126,Netherlands,Credential Stuffing,Voice Bot,WAF
5,2021,200.189.200.43,192.168.162.30,USA,Phishing,Desktop,User Awareness
6,2023,222.164.161.136,192.168.253.221,Global,SQL Injection,Botnet,User Awareness
7,2025,40.148.85.191,192.168.126.194,Ukraine,API Abuse,Botnet,Endpoint Security
8,2022,113.251.10.228,192.168.158.240,Iran,AI-Powered Phishing,Cloud VM,Backup & Recovery
9,2023,129.42.17.245,192.168.181.84,USA,Credential Stuffing,Botnet,Firewall


Slice specific columns

In [18]:
query = "SELECT Year, Attacker_IP, Type_of_Attack, Location FROM cyber_threats;"
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Type_of_Attack,Location
0,2020,93.233.131.112,Cryptojacking,Netherlands
1,2018,56.252.2.168,AI-Powered Phishing,Ukraine
2,2019,39.199.128.189,Ransomware,Russia
3,2017,113.4.11.15,Zero-Day Exploit,Germany
4,2021,201.4.36.23,Credential Stuffing,Netherlands
...,...,...,...,...
245,2025,137.42.48.89,Phishing,Netherlands
246,2023,18.152.108.48,DDoS,China
247,2023,48.16.106.139,Credential Stuffing,China
248,2021,154.238.217.49,AI-Powered Phishing,Nigeria


Filter attacks in 2025

In [19]:
query = "SELECT * FROM cyber_threats WHERE Year = 2025;"
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Target_IP,Location,Type_of_Attack,Device_of_Attack,Security_Type
0,2025,40.148.85.191,192.168.126.194,Ukraine,API Abuse,Botnet,Endpoint Security
1,2025,150.181.114.27,192.168.176.24,Nigeria,Supply Chain Attack,Web Server,Backup & Recovery
2,2025,134.131.52.192,192.168.146.37,Germany,Social Engineering,Mobile Device,MFA
3,2025,171.13.126.194,192.168.131.192,Brazil,AI-Powered Phishing,Botnet,Zero Trust
4,2025,57.198.235.114,192.168.206.241,Ukraine,DDoS,Cloud VM,AI Email Filter
5,2025,70.109.239.212,192.168.91.158,Russia,Social Engineering,Web Server,Backup & Recovery
6,2025,61.57.225.17,192.168.108.157,Ukraine,DDoS,Email Server,User Awareness
7,2025,29.174.120.12,192.168.177.119,Nigeria,AI-Powered Phishing,Cloud VM,Backup & Recovery
8,2025,101.138.58.240,192.168.191.60,India,Ransomware,IoT Device,AI Email Filter
9,2025,37.97.67.167,192.168.14.123,Netherlands,Ransomware,Voice Bot,IDS


Aggregate: Count attacks per year

In [20]:
query = """
SELECT Year, COUNT(*) AS Number_of_Attacks
FROM cyber_threats
GROUP BY Year;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Number_of_Attacks
0,2016,19
1,2017,24
2,2018,30
3,2019,30
4,2020,12
5,2021,38
6,2022,25
7,2023,25
8,2024,26
9,2025,21


Top 5 locations with most attacks

In [21]:
query = """
SELECT Location, COUNT(*) AS Attack_Count
FROM cyber_threats
GROUP BY Location
ORDER BY Attack_Count DESC
LIMIT 5;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Location,Attack_Count
0,USA,26
1,Netherlands,26
2,Ukraine,25
3,Iran,25
4,Global,23


Split table: Create new table for DDoS attacks

In [22]:
cursor.execute("""
CREATE TABLE IF NOT EXISTS ddos_attacks AS
SELECT * FROM cyber_threats
WHERE Type_of_Attack = 'DDoS';
""")
conn.commit()


In [23]:
query = "SELECT * FROM ddos_attacks LIMIT 10;"
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Target_IP,Location,Type_of_Attack,Device_of_Attack,Security_Type
0,2020,134.220.174.110,192.168.252.183,India,DDoS,Desktop,IDS
1,2020,100.210.106.150,192.168.48.93,Brazil,DDoS,Mobile Device,Antivirus
2,2025,57.198.235.114,192.168.206.241,Ukraine,DDoS,Cloud VM,AI Email Filter
3,2018,174.255.187.134,192.168.128.225,China,DDoS,Mobile Device,Cloud Firewall
4,2022,134.107.61.89,192.168.62.22,India,DDoS,Botnet,IDS
5,2022,44.215.123.127,192.168.5.99,China,DDoS,Voice Bot,MFA
6,2019,111.194.115.123,192.168.104.78,Iran,DDoS,Email Server,AI Email Filter
7,2025,61.57.225.17,192.168.108.157,Ukraine,DDoS,Email Server,User Awareness
8,2021,129.6.156.174,192.168.249.217,Global,DDoS,Desktop,MFA
9,2023,129.21.181.212,192.168.151.47,Iran,DDoS,IoT Device,Zero Trust


Count attacks by type

In [24]:
query = """
SELECT Type_of_Attack, COUNT(*) AS Count_Attacks
FROM cyber_threats
GROUP BY Type_of_Attack
ORDER BY Count_Attacks DESC;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Type_of_Attack,Count_Attacks
0,Malware,26
1,Supply Chain Attack,22
2,Social Engineering,22
3,Brute Force,19
4,SQL Injection,18
5,DDoS,18
6,Cryptojacking,18
7,API Abuse,18
8,AI-Powered Phishing,18
9,Zero-Day Exploit,15


Count attacks by device

In [25]:
query = """
SELECT Device_of_Attack, COUNT(*) AS Count_Attacks
FROM cyber_threats
GROUP BY Device_of_Attack
ORDER BY Count_Attacks DESC;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Device_of_Attack,Count_Attacks
0,IoT Device,35
1,Botnet,34
2,API Gateway,33
3,Voice Bot,30
4,Desktop,27
5,Cloud VM,27
6,Email Server,23
7,Web Server,21
8,Mobile Device,20


Count attacks by security type

In [26]:
query = """
SELECT Security_Type, COUNT(*) AS Count_Attacks
FROM cyber_threats
GROUP BY Security_Type;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Security_Type,Count_Attacks
0,AI Email Filter,21
1,Antivirus,24
2,Backup & Recovery,26
3,Cloud Firewall,16
4,Endpoint Security,22
5,Firewall,24
6,IDS,26
7,IPS,10
8,MFA,20
9,User Awareness,23


Filter attacks by location (example: India)

In [27]:
query = "SELECT * FROM cyber_threats WHERE Location = 'India';"
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Target_IP,Location,Type_of_Attack,Device_of_Attack,Security_Type
0,2016,129.63.221.68,192.168.50.225,India,Supply Chain Attack,Voice Bot,IDS
1,2020,134.220.174.110,192.168.252.183,India,DDoS,Desktop,IDS
2,2016,141.74.51.56,192.168.32.146,India,SQL Injection,IoT Device,Backup & Recovery
3,2019,133.145.175.42,192.168.173.67,India,API Abuse,Email Server,Firewall
4,2019,131.68.121.182,192.168.79.250,India,Brute Force,Voice Bot,IDS
5,2021,212.174.100.140,192.168.21.40,India,Malware,Voice Bot,AI Email Filter
6,2024,130.172.60.83,192.168.114.159,India,Zero-Day Exploit,Botnet,IDS
7,2018,195.99.209.80,192.168.104.167,India,Brute Force,Email Server,Cloud Firewall
8,2024,16.102.11.55,192.168.180.184,India,Deepfake Scam,Botnet,WAF
9,2022,134.107.61.89,192.168.62.22,India,DDoS,Botnet,IDS


Latest 10 attacks

In [29]:
query = """
SELECT *
FROM cyber_threats
ORDER BY Year DESC
LIMIT 10;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Target_IP,Location,Type_of_Attack,Device_of_Attack,Security_Type
0,2025,40.148.85.191,192.168.126.194,Ukraine,API Abuse,Botnet,Endpoint Security
1,2025,150.181.114.27,192.168.176.24,Nigeria,Supply Chain Attack,Web Server,Backup & Recovery
2,2025,134.131.52.192,192.168.146.37,Germany,Social Engineering,Mobile Device,MFA
3,2025,171.13.126.194,192.168.131.192,Brazil,AI-Powered Phishing,Botnet,Zero Trust
4,2025,57.198.235.114,192.168.206.241,Ukraine,DDoS,Cloud VM,AI Email Filter
5,2025,70.109.239.212,192.168.91.158,Russia,Social Engineering,Web Server,Backup & Recovery
6,2025,61.57.225.17,192.168.108.157,Ukraine,DDoS,Email Server,User Awareness
7,2025,29.174.120.12,192.168.177.119,Nigeria,AI-Powered Phishing,Cloud VM,Backup & Recovery
8,2025,101.138.58.240,192.168.191.60,India,Ransomware,IoT Device,AI Email Filter
9,2025,37.97.67.167,192.168.14.123,Netherlands,Ransomware,Voice Bot,IDS


Maximum year of attack

In [30]:
query = """
SELECT MAX(Year) AS Max_Year
FROM cyber_threats;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Max_Year
0,2025


Minimum year of attack

In [31]:
query = """
SELECT MIN(Year) AS Min_Year
FROM cyber_threats;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Min_Year
0,2016


Average year of attacks

In [32]:
query = """
SELECT AVG(Year) AS Avg_Year
FROM cyber_threats;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Avg_Year
0,2020.536


Maximum attacks per year

In [33]:
query = """
SELECT Year, COUNT(*) AS Attack_Count
FROM cyber_threats
GROUP BY Year
ORDER BY Attack_Count DESC
LIMIT 1;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attack_Count
0,2021,38


Minimum attacks per year

In [34]:
query = """
SELECT Year, COUNT(*) AS Attack_Count
FROM cyber_threats
GROUP BY Year
ORDER BY Attack_Count ASC
LIMIT 1;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attack_Count
0,2020,12


Maximum attacks by Location

In [35]:
query = """
SELECT Location, COUNT(*) AS Attack_Count
FROM cyber_threats
GROUP BY Location
ORDER BY Attack_Count DESC
LIMIT 1;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Location,Attack_Count
0,USA,26


Minimum attacks by Location

In [36]:
query = """
SELECT Location, COUNT(*) AS Attack_Count
FROM cyber_threats
GROUP BY Location
ORDER BY Attack_Count ASC
LIMIT 1;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Location,Attack_Count
0,Germany,19


Inner Join: Get DDoS attacks with details from main table

In [37]:
query = """
SELECT c.Year, c.Attacker_IP, c.Target_IP, d.Type_of_Attack
FROM cyber_threats c
INNER JOIN ddos_attacks d
ON c.Attacker_IP = d.Attacker_IP AND c.Target_IP = d.Target_IP;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Target_IP,Type_of_Attack
0,2020,134.220.174.110,192.168.252.183,DDoS
1,2020,100.210.106.150,192.168.48.93,DDoS
2,2025,57.198.235.114,192.168.206.241,DDoS
3,2018,174.255.187.134,192.168.128.225,DDoS
4,2022,134.107.61.89,192.168.62.22,DDoS
5,2022,44.215.123.127,192.168.5.99,DDoS
6,2019,111.194.115.123,192.168.104.78,DDoS
7,2025,61.57.225.17,192.168.108.157,DDoS
8,2021,129.6.156.174,192.168.249.217,DDoS
9,2023,129.21.181.212,192.168.151.47,DDoS


Left Join: All cyber threats with DDoS details if exists

In [38]:
query = """
SELECT c.Year, c.Attacker_IP, c.Target_IP, d.Type_of_Attack AS DDoS_Type
FROM cyber_threats c
LEFT JOIN ddos_attacks d
ON c.Attacker_IP = d.Attacker_IP AND c.Target_IP = d.Target_IP;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Year,Attacker_IP,Target_IP,DDoS_Type
0,2020,93.233.131.112,192.168.152.119,
1,2018,56.252.2.168,192.168.157.66,
2,2019,39.199.128.189,192.168.174.201,
3,2017,113.4.11.15,192.168.237.166,
4,2021,201.4.36.23,192.168.57.126,
...,...,...,...,...
245,2025,137.42.48.89,192.168.122.216,
246,2023,18.152.108.48,192.168.122.34,DDoS
247,2023,48.16.106.139,192.168.136.63,
248,2021,154.238.217.49,192.168.190.88,


Self Join: Find attacks where same attacker attacked same target multiple years

In [39]:
query = """
SELECT a.Attacker_IP, a.Target_IP, a.Year AS Year1, b.Year AS Year2
FROM cyber_threats a
INNER JOIN cyber_threats b
ON a.Attacker_IP = b.Attacker_IP AND a.Target_IP = b.Target_IP
WHERE a.Year < b.Year;
"""
pd.read_sql_query(query, conn)


Unnamed: 0,Attacker_IP,Target_IP,Year1,Year2
