# Cyber Threat Dataset Generation (2015–2025)


## Objective

The objective of this dataset is to simulate realistic cyber security incidents from the last ten years (2015–2025).  
This dataset will be used for SQL-based analysis and machine learning models to identify, classify, and detect cyber threats.


## Dataset Source and Justification

Real-world cyber attack datasets containing attacker IP addresses, target systems, and security mechanisms are usually confidential and not publicly accessible.  
Therefore, a synthetic cyber threat dataset was generated using AI-based prompting to realistically represent cyber attacks observed over the last decade.


## Time Period

2015 – 2025 (10 Years of Cyber Threat Data)


## Dataset Features

The dataset contains the following attributes:

- Incident ID  
- Timestamp  
- Attack Type  
- Attack Vector  
- Severity Level  
- Source Country  
- Target Country  
- Attacker IP Address  
- Target IP Address  
- Device Affected  
- Operating System  
- Target System  
- Port Number  
- Network Protocol  
- Attack Status (Successful / Failed / Blocked)  
- Detection Mechanism (Firewall, IDS, SIEM, Antivirus)  
- Response Time (Minutes)  
- Data Compromised (Yes / No)  
- Impact Level  
- Mitigation Action  


## Prompt – Cyber Threat Dataset Generation

"Generate a realistic synthetic cybersecurity dataset covering the last 10 years (2015–2025) with at least 300 records.  
The dataset should include attacker IP address, target IP address, source and target locations, attack type, attack vector, affected device, operating system, target system, port, protocol, severity level, detection mechanism, response time, impact level, and mitigation action.  
The dataset should be suitable for SQL analysis and machine learning."


### Reasoning

Since real-world cyber attack datasets with sensitive details such as IP addresses and security systems are not publicly accessible, a synthetic dataset is generated using AI-based prompting.  
This dataset simulates realistic cyber threats observed over the last decade and is suitable for both SQL analysis and machine learning experimentation.


In [5]:
import pandas as pd
import random
from datetime import datetime, timedelta

# Number of records
num_records = 300

# Helper functions
def random_ip():
    return ".".join(str(random.randint(1, 255)) for _ in range(4))

def random_date():
    start = datetime(2015, 1, 1)
    end = datetime(2025, 12, 31)
    return start + timedelta(seconds=random.randint(0, int((end - start).total_seconds())))

attack_types = ['DDoS', 'Malware', 'Phishing', 'Ransomware', 'SQL Injection', 'Brute Force']
attack_vectors = ['Email', 'Network', 'API', 'USB']
devices = ['Server', 'Laptop', 'Mobile', 'Cloud VM', 'Database']
operating_systems = ['Windows', 'Linux', 'macOS', 'Android']
target_systems = ['Web Server', 'Database Server', 'Network Device', 'User Account']
protocols = ['TCP', 'UDP', 'HTTP', 'HTTPS']
severities = ['Low', 'Medium', 'High', 'Critical']
countries = ['India', 'USA', 'China', 'UK', 'Germany', 'France', 'Brazil', 'Russia', 'Japan', 'South Korea']
detection_tools = ['Firewall', 'IDS', 'SIEM', 'Antivirus']
status = ['Blocked', 'Successful', 'Failed']
impact_levels = ['Low', 'Medium', 'High']
mitigation = ['IP Blocked', 'Patch Applied', 'Traffic Filtered', 'Account Disabled']

data = []

for i in range(num_records):
    data.append([
        f"INC{i+1:04d}",
        random_date(),
        random.choice(attack_types),
        random.choice(attack_vectors),
        random.choice(severities),
        random.choice(countries),
        random.choice(countries),
        random_ip(),
        random_ip(),
        random.choice(devices),
        random.choice(operating_systems),
        random.choice(target_systems),
        random.choice([22, 80, 443, 3389]),
        random.choice(protocols),
        random.choice(status),
        random.choice(detection_tools),
        round(random.uniform(10, 150), 2),
        random.choice(['Yes', 'No']),
        random.choice(impact_levels),
        random.choice(mitigation)
    ])

columns = [
    'incident_id', 'timestamp', 'attack_type', 'attack_vector', 'severity',
    'source_country', 'target_country', 'source_ip', 'destination_ip',
    'device_affected', 'operating_system', 'target_system',
    'port', 'protocol', 'status', 'detected_by',
    'response_time_minutes', 'data_compromised', 'impact_level', 'mitigation_action'
]

df = pd.DataFrame(data, columns=columns)

df.head()


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0001,2021-12-18 16:04:42,DDoS,API,Critical,Japan,Japan,56.200.85.194,144.132.243.89,Server,Android,User Account,80,TCP,Failed,Antivirus,31.0,Yes,Medium,Account Disabled
1,INC0002,2019-03-27 10:15:54,SQL Injection,Network,Critical,Brazil,Russia,155.251.157.117,41.165.135.223,Cloud VM,Windows,Network Device,80,TCP,Successful,Antivirus,114.3,Yes,Low,Traffic Filtered
2,INC0003,2025-12-28 15:31:32,Malware,API,Critical,France,India,91.115.27.88,65.23.150.110,Database,macOS,User Account,443,UDP,Successful,IDS,42.43,No,High,Patch Applied
3,INC0004,2018-06-10 07:25:57,SQL Injection,API,Critical,Russia,Japan,165.245.2.64,74.253.182.223,Database,Linux,Network Device,3389,UDP,Blocked,IDS,39.1,No,Low,Account Disabled
4,INC0005,2019-05-06 19:05:01,Phishing,Network,Critical,India,Russia,133.14.131.191,105.91.229.134,Cloud VM,macOS,Network Device,3389,TCP,Failed,SIEM,62.55,No,Medium,Traffic Filtered


In [6]:
df.to_csv("synthetic_cyber_threats_300.csv", index=False)
print("CSV file created successfully.")


CSV file created successfully.


### Dataset Generation Summary

- A synthetic cybersecurity dataset containing 300 incident records was generated using AI-assisted prompting.
- The dataset covers cyber threats from 2015 to 2025 with realistic attack attributes.
- The generated dataset includes network, system, and security-related features suitable for SQL and machine learning analysis.
- The dataset has been saved as a CSV file for reuse in subsequent analysis steps.


## Prompt – Load Cyber Threat Dataset

"Load the synthetic cybersecurity CSV dataset into a Python environment using Pandas for further analysis and preprocessing."


In [7]:
import pandas as pd

# Load dataset
df = pd.read_csv("synthetic_cyber_threats_300.csv")

# Display dataset structure
df.head()


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0001,2021-12-18 16:04:42,DDoS,API,Critical,Japan,Japan,56.200.85.194,144.132.243.89,Server,Android,User Account,80,TCP,Failed,Antivirus,31.0,Yes,Medium,Account Disabled
1,INC0002,2019-03-27 10:15:54,SQL Injection,Network,Critical,Brazil,Russia,155.251.157.117,41.165.135.223,Cloud VM,Windows,Network Device,80,TCP,Successful,Antivirus,114.3,Yes,Low,Traffic Filtered
2,INC0003,2025-12-28 15:31:32,Malware,API,Critical,France,India,91.115.27.88,65.23.150.110,Database,macOS,User Account,443,UDP,Successful,IDS,42.43,No,High,Patch Applied
3,INC0004,2018-06-10 07:25:57,SQL Injection,API,Critical,Russia,Japan,165.245.2.64,74.253.182.223,Database,Linux,Network Device,3389,UDP,Blocked,IDS,39.1,No,Low,Account Disabled
4,INC0005,2019-05-06 19:05:01,Phishing,Network,Critical,India,Russia,133.14.131.191,105.91.229.134,Cloud VM,macOS,Network Device,3389,TCP,Failed,SIEM,62.55,No,Medium,Traffic Filtered


## Prompt – Dataset Inspection

"Inspect the cybersecurity dataset to understand its structure, data types, and identify missing or inconsistent values."


In [8]:
# Dataset information
df.info()

# Statistical summary
df.describe(include='all')


<class 'pandas.core.frame.DataFrame'>
RangeIndex: 300 entries, 0 to 299
Data columns (total 20 columns):
 #   Column                 Non-Null Count  Dtype  
---  ------                 --------------  -----  
 0   incident_id            300 non-null    object 
 1   timestamp              300 non-null    object 
 2   attack_type            300 non-null    object 
 3   attack_vector          300 non-null    object 
 4   severity               300 non-null    object 
 5   source_country         300 non-null    object 
 6   target_country         300 non-null    object 
 7   source_ip              300 non-null    object 
 8   destination_ip         300 non-null    object 
 9   device_affected        300 non-null    object 
 10  operating_system       300 non-null    object 
 11  target_system          300 non-null    object 
 12  port                   300 non-null    int64  
 13  protocol               300 non-null    object 
 14  status                 300 non-null    object 
 15  detect

Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
count,300,300,300,300,300,300,300,300,300,300,300,300,300.0,300,300,300,300.0,300,300,300
unique,300,300,6,4,4,10,10,300,300,5,4,4,,4,3,4,,2,3,4
top,INC0300,2015-03-08 12:48:09,Ransomware,USB,Medium,Germany,Russia,104.234.94.154,105.123.162.32,Database,Android,Database Server,,TCP,Successful,SIEM,,Yes,Low,IP Blocked
freq,1,1,63,90,86,43,42,1,1,69,82,82,,84,110,87,,155,108,85
mean,,,,,,,,,,,,,918.77,,,,74.6101,,,
std,,,,,,,,,,,,,1374.380815,,,,41.06704,,,
min,,,,,,,,,,,,,22.0,,,,10.0,,,
25%,,,,,,,,,,,,,22.0,,,,39.325,,,
50%,,,,,,,,,,,,,80.0,,,,69.695,,,
75%,,,,,,,,,,,,,443.0,,,,107.29,,,


## Prompt – Data Cleaning

"Perform data cleaning by checking for missing values, correcting data types, and ensuring consistency in cybersecurity-related fields."


In [9]:
# Check missing values
df.isnull().sum()

# Convert timestamp to datetime
df['timestamp'] = pd.to_datetime(df['timestamp'])

# Remove duplicates if any
df = df.drop_duplicates()

df.head()


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0001,2021-12-18 16:04:42,DDoS,API,Critical,Japan,Japan,56.200.85.194,144.132.243.89,Server,Android,User Account,80,TCP,Failed,Antivirus,31.0,Yes,Medium,Account Disabled
1,INC0002,2019-03-27 10:15:54,SQL Injection,Network,Critical,Brazil,Russia,155.251.157.117,41.165.135.223,Cloud VM,Windows,Network Device,80,TCP,Successful,Antivirus,114.3,Yes,Low,Traffic Filtered
2,INC0003,2025-12-28 15:31:32,Malware,API,Critical,France,India,91.115.27.88,65.23.150.110,Database,macOS,User Account,443,UDP,Successful,IDS,42.43,No,High,Patch Applied
3,INC0004,2018-06-10 07:25:57,SQL Injection,API,Critical,Russia,Japan,165.245.2.64,74.253.182.223,Database,Linux,Network Device,3389,UDP,Blocked,IDS,39.1,No,Low,Account Disabled
4,INC0005,2019-05-06 19:05:01,Phishing,Network,Critical,India,Russia,133.14.131.191,105.91.229.134,Cloud VM,macOS,Network Device,3389,TCP,Failed,SIEM,62.55,No,Medium,Traffic Filtered


### Data Preprocessing Explanation

The cybersecurity dataset was successfully loaded and inspected using Pandas.  
Basic preprocessing steps such as timestamp conversion, duplicate removal, and missing value verification were performed.  
These steps ensure data quality and reliability for SQL analysis and machine learning modeling in subsequent stages.


## Prompt – SQL Environment Setup

"Set up an SQL environment in Google Colab using SQLite to perform structured SQL queries on a cybersecurity threat dataset."


In [10]:
import sqlite3
import pandas as pd

# Create SQLite database
conn = sqlite3.connect("cyber_threats.db")

print("SQLite database created successfully.")


SQLite database created successfully.


## Prompt – Load Dataset into SQL

"Load the cybersecurity pandas DataFrame into an SQLite database table for executing SQL queries."


In [11]:
# Load DataFrame into SQL table
df.to_sql("cyber_threats", conn, if_exists="replace", index=False)

print("Cyber threat dataset loaded into SQL table.")


Cyber threat dataset loaded into SQL table.


## Prompt – Table Verification

"Verify that the cyber_threats table has been successfully created in the SQLite database."


In [12]:
query = "SELECT * FROM cyber_threats LIMIT 5;"
pd.read_sql(query, conn)


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0001,2021-12-18 16:04:42,DDoS,API,Critical,Japan,Japan,56.200.85.194,144.132.243.89,Server,Android,User Account,80,TCP,Failed,Antivirus,31.0,Yes,Medium,Account Disabled
1,INC0002,2019-03-27 10:15:54,SQL Injection,Network,Critical,Brazil,Russia,155.251.157.117,41.165.135.223,Cloud VM,Windows,Network Device,80,TCP,Successful,Antivirus,114.3,Yes,Low,Traffic Filtered
2,INC0003,2025-12-28 15:31:32,Malware,API,Critical,France,India,91.115.27.88,65.23.150.110,Database,macOS,User Account,443,UDP,Successful,IDS,42.43,No,High,Patch Applied
3,INC0004,2018-06-10 07:25:57,SQL Injection,API,Critical,Russia,Japan,165.245.2.64,74.253.182.223,Database,Linux,Network Device,3389,UDP,Blocked,IDS,39.1,No,Low,Account Disabled
4,INC0005,2019-05-06 19:05:01,Phishing,Network,Critical,India,Russia,133.14.131.191,105.91.229.134,Cloud VM,macOS,Network Device,3389,TCP,Failed,SIEM,62.55,No,Medium,Traffic Filtered


## Prompt – Count Total Cyber Attacks

"Count the total number of cyber attack incidents recorded in the database."


In [13]:
query = "SELECT COUNT(*) AS total_attacks FROM cyber_threats;"
pd.read_sql(query, conn)


Unnamed: 0,total_attacks
0,300


## Prompt – Attack Type Distribution

"Analyze the frequency of different cyber attack types using SQL aggregation."


In [14]:
query = """
SELECT attack_type, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY attack_type
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,attack_type,attack_count
0,Ransomware,63
1,Brute Force,55
2,Malware,50
3,SQL Injection,49
4,DDoS,49
5,Phishing,34


## Prompt – Severity-Based Analysis

"Analyze cyber attacks based on severity levels using SQL grouping."


In [15]:
query = """
SELECT severity, COUNT(*) AS count
FROM cyber_threats
GROUP BY severity;
"""
pd.read_sql(query, conn)


Unnamed: 0,severity,count
0,Critical,68
1,High,76
2,Low,70
3,Medium,86


## Prompt – Country-Based Attack Analysis

"Identify source countries contributing to cyber attacks using SQL queries."


In [16]:
query = """
SELECT source_country, COUNT(*) AS total_attacks
FROM cyber_threats
GROUP BY source_country
ORDER BY total_attacks DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,source_country,total_attacks
0,Germany,43
1,France,41
2,India,34
3,UK,30
4,Russia,29
5,Brazil,29
6,USA,24
7,South Korea,24
8,Japan,23
9,China,23


### SQL Analysis Insights

- SQL aggregation queries reveal the most frequent cyber attack types.
- Severity analysis highlights the distribution of high-risk incidents.
- Country-based analysis identifies geographical attack sources.
- SQL enables efficient querying and pattern detection in large cybersecurity datasets.


## Prompt – High Severity Attack Analysis

"Retrieve all cyber attacks classified as High or Critical severity using SQL filtering."


In [17]:
query = """
SELECT *
FROM cyber_threats
WHERE severity IN ('High', 'Critical');
"""
pd.read_sql(query, conn).head()


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,operating_system,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action
0,INC0001,2021-12-18 16:04:42,DDoS,API,Critical,Japan,Japan,56.200.85.194,144.132.243.89,Server,Android,User Account,80,TCP,Failed,Antivirus,31.0,Yes,Medium,Account Disabled
1,INC0002,2019-03-27 10:15:54,SQL Injection,Network,Critical,Brazil,Russia,155.251.157.117,41.165.135.223,Cloud VM,Windows,Network Device,80,TCP,Successful,Antivirus,114.3,Yes,Low,Traffic Filtered
2,INC0003,2025-12-28 15:31:32,Malware,API,Critical,France,India,91.115.27.88,65.23.150.110,Database,macOS,User Account,443,UDP,Successful,IDS,42.43,No,High,Patch Applied
3,INC0004,2018-06-10 07:25:57,SQL Injection,API,Critical,Russia,Japan,165.245.2.64,74.253.182.223,Database,Linux,Network Device,3389,UDP,Blocked,IDS,39.1,No,Low,Account Disabled
4,INC0005,2019-05-06 19:05:01,Phishing,Network,Critical,India,Russia,133.14.131.191,105.91.229.134,Cloud VM,macOS,Network Device,3389,TCP,Failed,SIEM,62.55,No,Medium,Traffic Filtered


## Prompt – Average Impact Analysis

"Calculate the average numeric impact level of cyber attacks by mapping categorical impact levels into numerical values."


In [18]:
impact_mapping = {
    "Low": 1,
    "Medium": 2,
    "High": 3,
    "Critical": 4
}

df['impact_level_numeric'] = df['impact_level'].map(impact_mapping)
df.to_sql("cyber_threats", conn, if_exists="replace", index=False)


300

In [19]:
query = """
SELECT ROUND(AVG(impact_level_numeric), 2) AS avg_impact
FROM cyber_threats;
"""
pd.read_sql(query, conn)


Unnamed: 0,avg_impact
0,1.95


## Prompt – Advanced Impact Analysis

"Identify cyber attack types with an average impact level higher than the overall average using SQL subqueries."


In [20]:
query = """
SELECT attack_type, ROUND(AVG(impact_level_numeric), 2) AS avg_impact
FROM cyber_threats
GROUP BY attack_type
HAVING AVG(impact_level_numeric) >
    (SELECT AVG(impact_level_numeric) FROM cyber_threats);
"""
pd.read_sql(query, conn)


Unnamed: 0,attack_type,avg_impact
0,Malware,2.02
1,Phishing,2.09
2,SQL Injection,1.98


## Prompt – Device vs Attack Relationship

"Analyze relationships between device types and attack types using SQL grouping."


In [21]:
query = """
SELECT device_affected, attack_type, COUNT(*) AS attack_count
FROM cyber_threats
GROUP BY device_affected, attack_type
ORDER BY attack_count DESC;
"""
pd.read_sql(query, conn)


Unnamed: 0,device_affected,attack_type,attack_count
0,Database,Brute Force,16
1,Database,SQL Injection,15
2,Laptop,Ransomware,15
3,Mobile,Ransomware,15
4,Cloud VM,Brute Force,14
5,Mobile,Malware,14
6,Cloud VM,Ransomware,12
7,Database,Ransomware,12
8,Mobile,DDoS,12
9,Cloud VM,SQL Injection,11


## Prompt – SQL View Creation

"Create a SQL view to store high-risk cyber attack incidents for repeated analysis."


In [22]:
cursor = conn.cursor()

cursor.execute("""
CREATE VIEW IF NOT EXISTS high_risk_attacks AS
SELECT *
FROM cyber_threats
WHERE severity IN ('High', 'Critical');
""")

conn.commit()

print("SQL View 'high_risk_attacks' created successfully.")


SQL View 'high_risk_attacks' created successfully.


In [23]:
query = "SELECT * FROM high_risk_attacks LIMIT 5;"
pd.read_sql(query, conn)


Unnamed: 0,incident_id,timestamp,attack_type,attack_vector,severity,source_country,target_country,source_ip,destination_ip,device_affected,...,target_system,port,protocol,status,detected_by,response_time_minutes,data_compromised,impact_level,mitigation_action,impact_level_numeric
0,INC0001,2021-12-18 16:04:42,DDoS,API,Critical,Japan,Japan,56.200.85.194,144.132.243.89,Server,...,User Account,80,TCP,Failed,Antivirus,31.0,Yes,Medium,Account Disabled,2
1,INC0002,2019-03-27 10:15:54,SQL Injection,Network,Critical,Brazil,Russia,155.251.157.117,41.165.135.223,Cloud VM,...,Network Device,80,TCP,Successful,Antivirus,114.3,Yes,Low,Traffic Filtered,1
2,INC0003,2025-12-28 15:31:32,Malware,API,Critical,France,India,91.115.27.88,65.23.150.110,Database,...,User Account,443,UDP,Successful,IDS,42.43,No,High,Patch Applied,3
3,INC0004,2018-06-10 07:25:57,SQL Injection,API,Critical,Russia,Japan,165.245.2.64,74.253.182.223,Database,...,Network Device,3389,UDP,Blocked,IDS,39.1,No,Low,Account Disabled,1
4,INC0005,2019-05-06 19:05:01,Phishing,Network,Critical,India,Russia,133.14.131.191,105.91.229.134,Cloud VM,...,Network Device,3389,TCP,Failed,SIEM,62.55,No,Medium,Traffic Filtered,2


### Advanced SQL Analysis Insights

- Subqueries help identify attack types with above-average impact.
- SQL views simplify repeated analysis of high-risk incidents.
- Device-to-attack relationships highlight vulnerable platforms.
- Advanced SQL techniques enhance scalability and analytical depth.
