<a href="https://colab.research.google.com/github/guilhermelaviola/CybersecurityProblemSolvingWithDataScience/blob/main/Class08.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# **Malware Analysis**
Malware, short for malicious software, includes various harmful programs such as viruses, worms, Trojans, ransomware, and spyware that are designed to damage systems, steal data, or disrupt operations. Because malware is constantly evolving, its detection and analysis require a combination of techniques, including signature-based detection, behavioral monitoring, static and dynamic analysis, reverse engineering, and network traffic inspection. Specialized tools like IDA Pro, Ghidra, Cuckoo Sandbox, and VirusTotal support these processes by helping analysts understand malware behavior, origin, and impact. Effective malware analysis and removal are essential for strengthening security defenses and protecting systems and data from ongoing cyber threats.

In [None]:
# Importing all the necessary libraries and resources:
import time
import psutil
import pandas as pd

## **Behavioral Monitoring Concept**
In the example below, a Pandas DataFrame represents a snapshot of system events (such as file creation). New or unexpected entries are treated as potentially suspicious activity.

In [4]:
# Initial snapshot of system activity
data = {
    'process_name': ['system', 'chrome', 'python'],
    'action': ['read_file', 'network_access', 'execute'],
    'resource': ['config.sys', 'google.com', 'script.py']
}

df_snapshot = pd.DataFrame(data)

print('Initial system snapshot:')
print(df_snapshot)

# Configuration to prevent infinite loop
max_cycles = 5      # number of monitoring iterations
cycle = 0           # loop counter

while cycle < max_cycles:
    time.sleep(5)
    cycle += 1

    # Simulated new system activity (constant here; a real collector would poll the host)
    new_activity = {
        'process_name': ['unknown_process'],
        'action': ['create_file'],
        'resource': ['suspicious.exe']
    }

    df_current = pd.concat(
        [df_snapshot, pd.DataFrame(new_activity)],
        ignore_index=True
    )

    # Detect new or suspicious activity: keep rows where at least one column holds
    # a value never seen in that column of the previous snapshot (column-wise check)
    suspicious = df_current[
        ~df_current.isin(df_snapshot.to_dict(orient='list')).all(axis=1)
    ]

    if not suspicious.empty:
        print(f'\nWarning: Suspicious activity detected (cycle {cycle})!')
        print(suspicious)

    # Update snapshot
    df_snapshot = df_current

print('\nMonitoring stopped safely after', max_cycles, 'cycles.')

Initial system snapshot:
  process_name          action    resource
0       system       read_file  config.sys
1       chrome  network_access  google.com
2       python         execute   script.py

      process_name       action        resource
3  unknown_process  create_file  suspicious.exe

Monitoring stopped safely after 5 cycles.
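The check above passes a dict of columns to `isin`, which tests each column on its own: a row whose process name, action and resource each already exist somewhere in the snapshot, but never together, is not flagged. The following is an added example (not part of the original notebook) that compares complete rows with a left merge and `indicator=True`, shown beside the column-wise check so the difference is visible. `BASELINE`, `CURRENT`, `column_wise_check` and `new_events` are names chosen for this example, and the activity rows are constructed sample data.

```python
import pandas as pd

# Constructed baseline, same shape as the notebook's df_snapshot.
BASELINE = pd.DataFrame({
    'process_name': ['system', 'chrome', 'python'],
    'action': ['read_file', 'network_access', 'execute'],
    'resource': ['config.sys', 'google.com', 'script.py'],
})


def column_wise_check(baseline: pd.DataFrame, current: pd.DataFrame) -> pd.DataFrame:
    """The notebook's approach: isin() with a dict tests each column separately."""
    return current[~current.isin(baseline.to_dict(orient='list')).all(axis=1)]


def new_events(baseline: pd.DataFrame, current: pd.DataFrame) -> pd.DataFrame:
    """Rows of `current` that never occurred as a complete row in `baseline`.

    A left merge on every column with indicator=True marks rows that have no
    exact counterpart as 'left_only', so a row recombined from already-known
    values is still reported.
    """
    cols = list(baseline.columns)
    merged = current.merge(baseline.drop_duplicates(), on=cols,
                           how='left', indicator=True)
    hits = merged.loc[merged['_merge'] == 'left_only', cols]
    return hits.reset_index(drop=True)


# Constructed new activity: one genuinely new binary, plus a "recombined" row in
# which every value exists somewhere in the baseline but the combination is new
# (python has executed a script before, but has never talked to google.com).
CURRENT = pd.concat([BASELINE, pd.DataFrame({
    'process_name': ['unknown_process', 'python'],
    'action': ['create_file', 'network_access'],
    'resource': ['suspicious.exe', 'google.com'],
})], ignore_index=True)

if __name__ == '__main__':
    print('column-wise check flags:\n', column_wise_check(BASELINE, CURRENT))
    print('row-wise diff flags:\n', new_events(BASELINE, CURRENT))
```

On this sample the column-wise check reports only `suspicious.exe`, while the row-wise diff also reports the `python`/`network_access`/`google.com` combination. Either function can replace the block inside the notebook's `while` loop; the snapshot update (`df_snapshot = df_current`) stays the same, which is why a repeated event is only reported the first time it appears.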


## **Detecting Suspicious Network Connections**
The example below checks active network connections and flags connections made to uncommon or suspicious ports, which may indicate malware communicating with a command-and-control server.

In [5]:
# Commonly used ports:
COMMON_PORTS = {80, 443, 53, 22}

print('Scanning active network connections...')

for conn in psutil.net_connections(kind='inet'):
    if conn.raddr:  # Remote address exists (empty tuple for listening sockets)
        remote_ip, remote_port = conn.raddr
        if remote_port not in COMMON_PORTS:
            print('Suspicious connection detected:')
            print(f'  Local PID: {conn.pid}')
            print(f'  Remote IP: {remote_ip}')
            print(f'  Remote Port: {remote_port}')

Scanning active network connections...
Suspicious connection detected:
  Local PID: None
  Remote IP: ::ffff:172.28.0.1
  Remote Port: 50538
Suspicious connection detected:
  Local PID: None
  Remote IP: 172.28.0.12
  Remote Port: 52264
Suspicious connection detected:
  Local PID: None
  Remote IP: 172.28.0.12
  Remote Port: 37600
Suspicious connection detected:
  Local PID: None
  Remote IP: 172.28.0.12
  Remote Port: 34180
Suspicious connection detected:
  Local PID: 18
  Remote IP: 172.28.0.12
  Remote Port: 9000
Suspicious connection detected:
  Local PID: None
  Remote IP: ::ffff:172.28.0.1
  Remote Port: 59322
Suspicious connection detected:
  Local PID: 18
  Remote IP: 172.28.0.12
  Remote Port: 9000
Suspicious connection detected:
  Local PID: 18
  Remote IP: 172.28.0.12
  Remote Port: 42786
Suspicious connection detected:
  Local PID: 18
  Remote IP: 172.28.0.1
  Remote Port: 49770
Suspicious connection detected:
  Local PID: None
  Remote IP: ::ffff:172.28.0.1
  Remote Port: 
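The output above illustrates two practical limits of a bare port allowlist: inside a Colab container every flagged peer is on the 172.28.0.0/16 container network, and most PIDs are `None` because psutil can only attribute a socket to a process when it has permission to inspect that process. The following is an added example (not code from the original notebook) with a hypothetical triage policy: IPv4-mapped IPv6 peers such as `::ffff:172.28.0.1` are unwrapped, peers inside RFC 1918, loopback and link-local ranges are skipped, only `ESTABLISHED` sockets count by default, and the remaining connections are reported when their remote port is outside the allowlist. `Addr`, `Conn`, `INTERNAL_NETS`, `normalize_ip`, `is_internal`, `flag_connections` and `SAMPLE_CONNS` are names chosen for this example; the connection records are constructed stand-ins that reuse psutil's `sconn`/`addr` field names, with public peers taken from the RFC 5737 documentation ranges.

```python
import ipaddress
import socket
from collections import namedtuple

COMMON_PORTS = {80, 443, 53, 22}

# Networks treated as infrastructure rather than external peers (RFC 1918,
# loopback, link-local and their IPv6 counterparts). Hypothetical triage policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8',
    '169.254.0.0/16', '::1/128', 'fc00::/7', 'fe80::/10',
)]

# Constructed stand-ins for psutil's sconn/addr named tuples (same field names),
# so the triage logic can be exercised offline on a fixed sample.
Addr = namedtuple('Addr', ['ip', 'port'])
Conn = namedtuple('Conn', ['fd', 'family', 'type', 'laddr', 'raddr', 'status', 'pid'])


def normalize_ip(ip_str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS (version-aware)."""
    return any(ip in net for net in INTERNAL_NETS)


def flag_connections(conns, common_ports=COMMON_PORTS, require_established=True):
    """Return the connections an analyst should look at first.

    Skips listeners (no remote endpoint), peers inside INTERNAL_NETS and, unless
    require_established is False, sockets that are not ESTABLISHED; the rest are
    reported when the remote port is outside the allowlist.
    """
    findings = []
    for conn in conns:
        if not conn.raddr:
            continue  # listening socket, nothing to triage
        if require_established and conn.status != 'ESTABLISHED':
            continue
        remote_ip = normalize_ip(conn.raddr.ip)
        if is_internal(remote_ip) or conn.raddr.port in common_ports:
            continue
        findings.append({
            'pid': conn.pid,  # None when psutil could not attribute the socket
            'remote_ip': str(remote_ip),
            'remote_port': conn.raddr.port,
        })
    return findings


# Constructed sample modelled on the notebook's output; public peers use the
# RFC 5737 documentation ranges, so nothing here refers to a real host.
TCP = (socket.AF_INET, socket.SOCK_STREAM)
SAMPLE_CONNS = [
    Conn(-1, *TCP, Addr('172.28.0.12', 44000), Addr('::ffff:172.28.0.1', 50538), 'ESTABLISHED', None),
    Conn(-1, *TCP, Addr('172.28.0.12', 44001), Addr('172.28.0.12', 9000), 'ESTABLISHED', 18),
    Conn(-1, *TCP, Addr('172.28.0.12', 44002), Addr('203.0.113.7', 443), 'ESTABLISHED', 1234),
    Conn(-1, *TCP, Addr('172.28.0.12', 44003), Addr('198.51.100.20', 2222), 'ESTABLISHED', 1234),
    Conn(-1, *TCP, Addr('172.28.0.12', 44004), Addr('198.51.100.21', 8443), 'TIME_WAIT', None),
    Conn(-1, *TCP, Addr('0.0.0.0', 8080), (), 'LISTEN', 77),
]

if __name__ == '__main__':
    for hit in flag_connections(SAMPLE_CONNS):
        print(hit)
```

Because the field names match, `flag_connections(psutil.net_connections(kind='inet'))` runs the same policy on a live host; run it with enough privilege to read other processes' sockets, or the `pid` field stays `None` exactly as in the notebook's output. The internal-network list is deliberately explicit rather than relying on `is_private`, whose coverage has changed between Python releases and which also classifies the documentation ranges as private.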