<a href="https://colab.research.google.com/github/guilhermelaviola/CybersecurityProblemSolvingWithDataScience/blob/main/Class11.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# **Advanced Persistent Threat (APT) Analysis**
Advanced Persistent Threats (APTs) are highly targeted, stealthy, and long-term cyberattacks aimed at gaining unauthorized access to sensitive information, often targeting governments and organizations. Their persistence and ability to evade traditional security measures make detection and response challenging. Effective defense against APTs requires a comprehensive approach that combines technical controls, threat intelligence, continuous monitoring, user awareness, and advanced technologies such as AI and machine learning. Ongoing analysis, collaboration, and adaptation to evolving attack techniques are essential to strengthen security posture and protect critical assets.

In [None]:
# Importing all the necessary libraries and resources:
import numpy as np

## **Anomaly Detection for APT Indicators**
The example below demonstrates a basic threshold-based anomaly detection approach that could help identify unusual network behavior, such as a sudden spike in outbound connections, which is one possible indicator of APT activity. Two caveats apply: the mean and standard deviation are computed over data that already contains the outlier, so a single large spike inflates the threshold and can mask smaller ones, and APT traffic is often deliberately low and slow, so a volume spike is only a weak signal on its own.

In [None]:

# Simulated network traffic data (in this case, number of connections per hour):
traffic = np.array([120, 130, 125, 128, 500, 132, 127])

# Calculating basic statistics. Note that numpy's std() is the population
# standard deviation (ddof=0) and that the outlier itself is included in both
# statistics, which pulls the mean and the threshold upwards:
mean = traffic.mean()
std = traffic.std()

# Detecting anomalies through threshold-based detection (mean + 2 standard deviations):
threshold = mean + 2 * std
anomalies = traffic[traffic > threshold]

print('Mean traffic:', mean)
print('Anomalous values detected:', anomalies)

Mean traffic: 180.28571428571428
Anomalous values detected: [500]

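A failure mode of the mean-plus-two-sigma rule in the cell above, worked through as an added example that is not part of the original notebook: the hourly counts are constructed, with two bulk-transfer hours (500 and 480) instead of one. Because the larger spike inflates the standard deviation, the mean-plus-two-sigma threshold ends up just above 490 and flags only the 500. A rule based on the median and the median absolute deviation (MAD), with the 0.6745 scaling constant and 3.5 cutoff from Iglewicz and Hoaglin's modified z-score, judges each hour against the undisturbed baseline and catches both. The handling of a zero MAD (perfectly flat baseline) is this example's own choice, not a standard rule.

```python
import numpy as np

# Constructed hourly connection counts for one host (hypothetical sample data):
# two hours of bulk transfer (500 and 480) sit in an otherwise flat baseline.
HOURLY_CONNECTIONS = np.array([120, 130, 125, 128, 500, 132, 127, 480, 126, 129])


def mean_std_anomalies(counts, k=2.0):
    """Flag values above mean + k*std, as in the notebook's first example.

    Both statistics are computed over the same data that contains the
    anomalies, so a single large outlier inflates the std and can hide
    ("mask") a second, smaller one. Returns (indices, threshold).
    """
    counts = np.asarray(counts, dtype=float)
    threshold = counts.mean() + k * counts.std()
    return np.flatnonzero(counts > threshold), threshold


def mad_anomalies(counts, cutoff=3.5):
    """Flag values by the modified z-score 0.6745 * (x - median) / MAD.

    Median and MAD (median absolute deviation) are barely moved by a few
    extreme values, so each outlier is judged against the true baseline.
    0.6745 scales MAD to a standard deviation for normal data and 3.5 is the
    cutoff recommended by Iglewicz and Hoaglin. Returns (indices, median).
    """
    counts = np.asarray(counts, dtype=float)
    median = np.median(counts)
    mad = np.median(np.abs(counts - median))
    if mad == 0.0:
        # Perfectly flat baseline: any deviation from the median is anomalous.
        # This fallback avoids a division by zero; it is a choice of this example.
        return np.flatnonzero(counts != median), median
    scores = 0.6745 * (counts - median) / mad
    return np.flatnonzero(np.abs(scores) > cutoff), median


if __name__ == "__main__":
    idx, thr = mean_std_anomalies(HOURLY_CONNECTIONS)
    print(f"mean + 2*std threshold {thr:.1f}: hours {idx.tolist()} "
          f"-> {HOURLY_CONNECTIONS[idx].tolist()}")
    idx, med = mad_anomalies(HOURLY_CONNECTIONS)
    print(f"MAD rule (median {med}): hours {idx.tolist()} "
          f"-> {HOURLY_CONNECTIONS[idx].tolist()}")
```

On this data the first rule returns only hour 4 and the second returns hours 4 and 7. In practice the baseline statistics would be computed from a training window (for example the same hour of day over the preceding weeks) rather than from the window being scored, which removes the masking problem for either rule.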

## **IOC Matching: Suspicious IP Detection**
The following example illustrates how security teams can use threat intelligence (here, a set of known malicious IP addresses) to identify potential APT-related activity within network logs. Matching on bare IP addresses is the simplest form of indicator-of-compromise (IOC) matching; real feeds also carry CIDR ranges, domains and file hashes, and IP indicators go stale quickly because attackers rotate infrastructure, so a hit is a lead to investigate rather than a confirmed compromise.

In [None]:
# Known malicious IPs example. 203.0.113.45 and 198.51.100.22 come from the
# RFC 5737 documentation ranges; 185.199.110.153 is a live public address
# (part of GitHub Pages), so treat this set as illustrative only and vet a
# real feed for such false positives before alerting on it:
malicious_ips = {
    '185.199.110.153',
    '203.0.113.45',
    '198.51.100.22'
}

# Simulated network log entries:
network_logs = [
    {'src_ip': '192.168.1.10', 'dst_ip': '185.199.110.153'},
    {'src_ip': '192.168.1.15', 'dst_ip': '8.8.8.8'},
    {'src_ip': '192.168.1.20', 'dst_ip': '203.0.113.45'},
]

# Identifying connections involving malicious IPs. Both sides of the
# connection are checked: an inbound connection from an indicator (e.g. a
# scan or an exposed service being reached) matters as much as an outbound
# one to it (e.g. command-and-control traffic):
alerts = [
    log for log in network_logs
    if log['dst_ip'] in malicious_ips or log['src_ip'] in malicious_ips
]

print('Suspicious connections detected:')
for alert in alerts:
    print(alert)

Suspicious connections detected:
{'src_ip': '192.168.1.10', 'dst_ip': '185.199.110.153'}
{'src_ip': '192.168.1.20', 'dst_ip': '203.0.113.45'}

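A fuller version of the IOC matching shown above, added here as an example and not part of the original notebook: it parses a small constructed connection log (a tab-separated layout loosely modelled on Zeek's conn.log, hypothetical) and matches each record against a constructed feed that mixes exact IPs, CIDR blocks and domains, all from RFC 5737 documentation ranges and reserved example names. Both the source and destination address are checked, so an inbound connection from an indicator is caught as well as an outbound one; domains are matched by exact name or parent domain (so `api.login.example.net` hits `login.example.net`) and never by substring, which is a common false-positive source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat-intel feed (hypothetical): exact IPs, CIDR blocks and domains.
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.22"},
    "cidr": {"192.0.2.0/24"},
    "domain": {"update-cdn.example", "login.example.net"},
}

# Constructed connection log (hypothetical), tab-separated:
# ts, src_ip, src_port, dst_ip, dst_port, proto, host/SNI ('-' when absent).
RAW_LOG = """\
1700000000.1\t10.0.0.10\t51234\t203.0.113.45\t443\ttcp\t-
1700000001.2\t10.0.0.15\t51235\t8.8.8.8\t53\tudp\t-
1700000002.3\t10.0.0.20\t51236\t192.0.2.77\t443\ttcp\tcdn.example.org
1700000003.4\t198.51.100.22\t4444\t10.0.0.20\t22\ttcp\t-
1700000004.5\t10.0.0.31\t51237\t172.16.5.9\t443\ttcp\tapi.login.example.net
1700000005.6\t10.0.0.31\t51238\t172.16.5.9\t443\ttcp\texample.net
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    field: str      # log field that matched: src_ip, dst_ip or host
    value: str      # observed value
    indicator: str  # the IOC it matched


class IocMatcher:
    """Match log records against IP, CIDR and domain indicators."""

    def __init__(self, feed):
        # Normalise indicators once; malformed feed entries raise ValueError here
        # rather than silently never matching.
        self.ips = {ipaddress.ip_address(i) for i in feed.get("ip", ())}
        self.nets = [ipaddress.ip_network(n, strict=False) for n in feed.get("cidr", ())]
        self.domains = {d.lower().rstrip(".") for d in feed.get("domain", ())}

    def match_ip(self, value):
        """Return the matching IP or CIDR indicator for an address string, or None."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None  # not an address (e.g. a hostname in the wrong column)
        if addr in self.ips:
            return str(addr)
        for net in self.nets:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, value):
        """Exact or parent-domain match; 'evil.example' must not match 'notevil.example'."""
        labels = value.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def scan(self, records):
        alerts = []
        for rec in records:
            for field in ("src_ip", "dst_ip"):  # check both directions
                hit = self.match_ip(rec[field])
                if hit:
                    alerts.append(Alert(rec["ts"], field, rec[field], hit))
            if rec["host"] != "-":
                hit = self.match_domain(rec["host"])
                if hit:
                    alerts.append(Alert(rec["ts"], "host", rec["host"], hit))
        return alerts


def parse_conn_log(text):
    """Parse the tab-separated layout above into dicts, skipping blank, comment and malformed lines."""
    fields = ("ts", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "host")
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than abort the whole scan
        records.append(dict(zip(fields, parts)))
    return records


def find_ioc_hits(raw_log=RAW_LOG, feed=IOC_FEED):
    return IocMatcher(feed).scan(parse_conn_log(raw_log))


if __name__ == "__main__":
    for a in find_ioc_hits():
        print(f"{a.ts} {a.field}={a.value} matched {a.indicator}")
```

Run as is, the block reports four hits: the outbound connection to 203.0.113.45, the outbound connection into the 192.0.2.0/24 block, the inbound connection from 198.51.100.22 (which a destination-only check would miss), and the TLS connection whose host name falls under login.example.net; the final record, to the bare `example.net`, correctly produces nothing.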