<a href="https://colab.research.google.com/github/guilhermelaviola/CybersecurityProblemSolvingWithDataScience/blob/main/Class14.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# **Behavioral Analysis**
Behavioral analysis plays a critical role in modern cybersecurity by establishing baselines of normal user, system, and network behavior to detect anomalies that may indicate malicious activity, including insider threats. By analyzing historical data such as logs and access records, organizations can identify deviations from expected patterns. Machine learning enhances this process by automating anomaly detection and adapting to evolving threats, while real-time analysis enables faster detection and response. When integrated into a comprehensive security program alongside preventive measures, tools, and trained personnel, behavioral analysis strengthens organizational defenses and contributes to a more resilient security posture.

In [1]:
# Importing all the necessary libraries and resources:
import numpy as np
from sklearn.ensemble import IsolationForest

## **Anomaly detection using statistics**
The example below builds a baseline (mean and standard deviation of daily login counts) from historical data and flags a new observation whose distance from the mean exceeds a chosen number of standard deviations, i.e. a z-score test. Two caveats apply to the toy numbers: `np.std` defaults to the population standard deviation (`ddof=0`), and a seven-day baseline is thin; a real baseline needs enough history to cover weekly and seasonal cycles, otherwise ordinary variation is flagged as anomalous.

In [2]:
# Historical user login counts per day (baseline behavior):
historical_logins = np.array([20, 22, 19, 21, 23, 20, 22])

# Calculating baseline statistics (np.std defaults to ddof=0, the population standard deviation):
mean = historical_logins.mean()
std = historical_logins.std()

# Flagging a value whose distance from the mean exceeds `threshold` standard deviations (a z-score test):
def is_anomalous(value, threshold=2):
    return abs(value - mean) > threshold * std

# New observed behavior:
new_login_count = 40

if is_anomalous(new_login_count):
    print('Anomalous behavior detected!')
else:
    print('Behavior is within normal range.')

Anomalous behavior detected!
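The same baseline idea applied to the data a SOC actually has, as an added example that is not part of the original notebook: raw login log lines are parsed into per-user daily counts, and each user's most recent day is scored against that user's own earlier days. The log format, user names, host and counts are all constructed for the example; the `sshd`-like line layout is an assumption, not a real product format. Beyond the notebook's single z-score it also computes a robust score (median and scaled median absolute deviation), which a few noisy days in the baseline cannot drag around, and it refuses to score a user with too little history instead of guessing.

```python
# Added example, not part of the original notebook: building per-user daily login
# baselines from raw log lines and scoring the most recent day against them.
# The log format, host, user names and counts below are all constructed.
import math
import re
from collections import defaultdict

import numpy as np

# Constructed syslog-like format (an assumption; real sshd lines carry more fields):
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def build_sample_log():
    """Generate constructed log lines from a per-user schedule of daily login counts.

    alice: the notebook's seven-day baseline, then a day with 40 logins.
    bob:   a quiet user whose last day is slightly busier than usual.
    carol: a new account with too little history to judge.
    """
    schedule = {
        "alice": [20, 22, 19, 21, 23, 20, 22, 40],
        "bob": [5, 4, 6, 5, 5, 4, 6, 7],
        "carol": [2, 3, 50],
    }
    lines, pid = [], 1000
    for user, counts in schedule.items():
        for day_idx, count in enumerate(counts):
            day = f"2024-03-{day_idx + 1:02d}"
            for k in range(count):
                pid += 1
                lines.append(
                    f"{day}T08:{k % 60:02d}:00 sshd[{pid}]: "
                    f"Accepted publickey for {user} from 10.0.0.5"
                )
    # A failed login and a line from another daemon: both must be ignored.
    lines.append("2024-03-02T09:00:00 sshd[9999]: Failed password for root from 203.0.113.7")
    lines.append("2024-03-02T09:00:01 cron[42]: (root) CMD (run-parts /etc/cron.hourly)")
    return "\n".join(lines)


def daily_login_counts(log_text):
    """Return {user: {day: successful_login_count}} with days in ascending order."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["result"] != "Accepted":
            continue
        counts[m["user"]][m["day"]] += 1
    return {user: dict(sorted(days.items())) for user, days in counts.items()}


def _scaled(delta, scale):
    """delta/scale, with an infinite score when the baseline has zero spread."""
    if scale > 0:
        return delta / scale
    return 0.0 if delta == 0 else math.copysign(float("inf"), delta)


def score_day(baseline, value, threshold=3.0, min_days=7):
    """Compare one day's count with the user's earlier days.

    z uses the sample mean and standard deviation (ddof=1); robust_z uses the
    median and the scaled median absolute deviation. A baseline shorter than
    min_days is refused rather than scored.
    """
    b = np.asarray(baseline, dtype=float)
    if b.size < min_days:
        return {"verdict": "insufficient_baseline", "z": None, "robust_z": None}
    z = _scaled(value - b.mean(), b.std(ddof=1))
    median = np.median(b)
    mad = 1.4826 * np.median(np.abs(b - median))  # 1.4826 makes MAD ~ std for normal data
    robust_z = _scaled(value - median, mad)
    anomalous = abs(z) > threshold or abs(robust_z) > threshold
    return {"verdict": "anomalous" if anomalous else "normal", "z": z, "robust_z": robust_z}


def detect(log_text, threshold=3.0, min_days=7):
    """Score each user's most recent day against all of that user's earlier days."""
    findings = {}
    for user, per_day in daily_login_counts(log_text).items():
        days = list(per_day)
        baseline = [per_day[d] for d in days[:-1]]
        findings[user] = (days[-1], score_day(baseline, per_day[days[-1]], threshold, min_days))
    return findings


if __name__ == "__main__":
    for user, (day, result) in detect(build_sample_log()).items():
        print(f"{user:6s} {day} {result['verdict']:22s} z={result['z']} robust_z={result['robust_z']}")
```

With these inputs alice's 40 logins score about 13 standard deviations above her mean (and about 13 robust units above her median), bob's 7 logins stay inside the threshold, and carol is reported as lacking a baseline rather than being flagged for her 50 logins, which is the honest answer for a two-day history. The per-user baseline matters: bob's busiest day would be a quiet day for alice.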


## **Anomaly detection with Isolation Forest**
The following example uses Isolation Forest, an unsupervised algorithm that isolates observations with random axis-aligned splits; points that take few splits to isolate are scored as anomalies. Because it needs no labeled attack examples, it is a common choice for spotting previously unseen behaviors and insider activity. The cell also shows its main pitfall. With only five baseline rows, each tree is capped at depth ceil(log2(5)) = 3, and the new row [15, 5, 50] sits on the same side of every possible split as the baseline row [6, 28, 12] (both are at the same extreme of every feature), so the forest gives it exactly that row's score. With `contamination=0.2` the threshold is interpolated between the two lowest baseline scores, so the model can only flag a point it scores strictly below its second most isolated baseline row; the obviously abnormal row is therefore reported as normal. A usable baseline needs many more rows than features.

In [3]:
# Example behavioral features: number_of_logins, average_session_duration_minutes, files_accessed:
historical_behavior = np.array([
    [5, 30, 10],
    [6, 28, 12],
    [4, 35, 9],
    [5, 32, 11],
    [6, 29, 10]
])

# Training the anomaly detection model on normal behavior:
model = IsolationForest(contamination=0.2, random_state=42)
model.fit(historical_behavior)

# New observed user behavior:
new_behavior = np.array([[15, 5, 50]])

# Predicting anomaly (-1 = anomaly, 1 = normal):
prediction = model.predict(new_behavior)

if prediction[0] == -1:
    print('Anomalous behavior detected: potential security risk.')
else:
    print('Behavior appears normal.')

Behavior appears normal.
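The same detector with a baseline large enough to work, as an added example that is not part of the original notebook. The baseline is synthetic: daily rows of (number_of_logins, average_session_duration_minutes, files_accessed) drawn around the notebook's typical values with a fixed seed; the distributions, the `contamination=0.05` setting and the percentile band in `explain` are assumptions for the example. It exposes `decision_function`, the signed distance from the model's threshold, rather than only the -1/1 label, and adds a simple per-feature attribution, since Isolation Forest itself does not say which feature made a row anomalous.

```python
# Added example, not part of the original notebook: Isolation Forest trained on a
# baseline large enough for the trees to isolate outliers, with the raw scores
# exposed instead of only the -1/1 label. The baseline is synthetic: daily rows of
# (number_of_logins, average_session_duration_minutes, files_accessed) drawn
# around the notebook's typical values with a fixed seed.
import numpy as np
from sklearn.ensemble import IsolationForest

FEATURES = ("number_of_logins", "average_session_duration_minutes", "files_accessed")


def make_baseline(n_days=300, seed=0):
    """Constructed normal behaviour: logins and files are Poisson counts,
    session length is Gaussian; all jitter around the notebook's (5, 30, 10)."""
    rng = np.random.default_rng(seed)
    logins = rng.poisson(5, n_days)
    session = rng.normal(30, 3, n_days)
    files = rng.poisson(10, n_days)
    return np.column_stack([logins, session, files]).astype(float)


def train(baseline, contamination=0.05, seed=42):
    """contamination is the share of the baseline assumed abnormal; sklearn sets
    the threshold so that exactly that share of baseline rows scores below it."""
    model = IsolationForest(n_estimators=200, contamination=contamination, random_state=seed)
    model.fit(baseline)
    return model


def score(model, rows):
    """Label rows and return the signed distance from the model's threshold:
    decision_function >= 0 is normal, < 0 is anomalous; predict() applies
    exactly that rule, so the two never disagree."""
    rows = np.atleast_2d(np.asarray(rows, dtype=float))
    labels = model.predict(rows)
    decisions = model.decision_function(rows)
    return [
        {"row": row.tolist(), "label": int(label), "decision": float(decision)}
        for row, label, decision in zip(rows, labels, decisions)
    ]


def explain(baseline, row, low=0.5, high=99.5):
    """Triage aid: list the features where `row` falls outside the baseline's
    [low, high] percentile band. Isolation Forest itself gives no attribution."""
    lo = np.percentile(baseline, low, axis=0)
    hi = np.percentile(baseline, high, axis=0)
    row = np.asarray(row, dtype=float)
    return [name for name, v, l, h in zip(FEATURES, row, lo, hi) if v < l or v > h]


if __name__ == "__main__":
    baseline = make_baseline()
    model = train(baseline)
    for result in score(model, [[15, 5, 50], [5, 30, 10]]):
        print(result, "outside band:", explain(baseline, result["row"]))
```

On this baseline the notebook's probe [15, 5, 50] is labeled -1 with a negative decision value and all three features fall outside the baseline band, while a typical day [5, 30, 10] is labeled 1. In practice the decision value is what goes into an alert: rows just below the threshold deserve a different triage priority than rows far below it, and the contamination setting should be chosen from an accepted false-positive budget, not left at a guess.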
