# Cybersecurity Analytics with Generative AI
This notebook includes exercises on behavioral analytics, threat detection, risk scoring, and automated response.

## Behavioral Analytics: Detect Anomalies in User Behavior

In [3]:
import pandas as pd

# Simulated login data: one row per login event
data = {
    "user": ["alice", "bob", "alice", "bob", "charlie"],
    "timestamp": ["2025-06-01 09:00", "2025-06-01 03:00", "2025-06-02 10:00", "2025-06-02 23:30", "2025-06-01 22:00"],
    "location": ["Denver", "Russia", "Denver", "Chicago", "Denver"]
}

# Parse the timestamps once and derive the login hour; later cells key on `hour`.
df = (
    pd.DataFrame(data)
    .assign(timestamp=lambda frame: pd.to_datetime(frame["timestamp"]))
    .assign(hour=lambda frame: frame["timestamp"].dt.hour)
)

df

Unnamed: 0,user,timestamp,location,hour
0,alice,2025-06-01 09:00:00,Denver,9
1,bob,2025-06-01 03:00:00,Russia,3
2,alice,2025-06-02 10:00:00,Denver,10
3,bob,2025-06-02 23:30:00,Chicago,23
4,charlie,2025-06-01 22:00:00,Denver,22


In [2]:
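# Detect anomalies: logins outside 6AM-8PM.
# Vectorised form of `hour < 6 or hour > 20`; both bounds are inclusive,
# so 06:xx and 20:xx still count as normal hours.
NORMAL_HOURS = (6, 20)
df['anomaly'] = ~df['hour'].between(*NORMAL_HOURS)
# NOTE(review): this rule looks only at `hour`; the `location` column is not
# consulted, so bob's 03:00 login is flagged for its time, not its origin.
df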

Unnamed: 0,user,timestamp,location,hour,anomaly
0,alice,2025-06-01 09:00:00,Denver,9,False
1,bob,2025-06-01 03:00:00,Russia,3,True
2,alice,2025-06-02 10:00:00,Denver,10,False
3,bob,2025-06-02 23:30:00,Chicago,23,True
4,charlie,2025-06-01 22:00:00,Denver,22,True


## Threat Detection: Signature and Anomaly Detection

In [4]:
# Simulated firewall log: one row per connection decision
logs = dict(
    source_ip=["10.0.0.1", "10.0.0.2", "192.168.1.1", "172.16.0.5"],
    port=[80, 23, 8080, 22],
    action=["ALLOW", "BLOCK", "ALLOW", "BLOCK"],
)
df_logs = pd.DataFrame.from_dict(logs)
df_logs



Unnamed: 0,source_ip,port,action
0,10.0.0.1,80,ALLOW
1,10.0.0.2,23,BLOCK
2,192.168.1.1,8080,ALLOW
3,172.16.0.5,22,BLOCK


In [5]:
# Signature-style rule: mark every row the firewall BLOCKed.
# This keys on the `action` column, not the port; a BLOCK means the control
# fired, not that a threat was independently confirmed.
df_logs['threat_detected'] = df_logs['action'].eq("BLOCK")
df_logs

Unnamed: 0,source_ip,port,action,threat_detected
0,10.0.0.1,80,ALLOW,False
1,10.0.0.2,23,BLOCK,True
2,192.168.1.1,8080,ALLOW,False
3,172.16.0.5,22,BLOCK,True


## Risk Scoring: Prioritize Based on Impact

In [6]:
# Simulated incidents: one row per alert to be scored
incidents = dict(
    user_role=["guest", "admin", "user"],
    asset_value=[2, 5, 3],
    incident_type=["login_fail", "unauthorized_access", "data_exfiltration"],
    confidence_score=[0.7, 0.9, 0.85],
)
df_incidents = pd.DataFrame.from_dict(incidents)

df_incidents

Unnamed: 0,user_role,asset_value,incident_type,confidence_score
0,guest,2,login_fail,0.7
1,admin,5,unauthorized_access,0.9
2,user,3,data_exfiltration,0.85


In [7]:
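# Define risk weights: how much a compromised role matters (higher = worse)
role_weight = {"guest": 1, "user": 2, "admin": 3}
df_incidents["user_weight"] = df_incidents["user_role"].map(role_weight)
# `.map` yields NaN for a role missing from `role_weight`; that row would then
# get a NaN risk_score and sort to the bottom, i.e. an unknown role would be
# silently deprioritised. Fail loudly instead.
assert df_incidents["user_weight"].notna().all(), "user_role outside role_weight"
# risk = (who was involved + what was at stake) x how sure we are
df_incidents["risk_score"] = (df_incidents["user_weight"] + df_incidents["asset_value"]) * df_incidents["confidence_score"]
df_incidents.sort_values("risk_score", ascending=False)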

Unnamed: 0,user_role,asset_value,incident_type,confidence_score,user_weight,risk_score
1,admin,5,unauthorized_access,0.9,3,7.2
2,user,3,data_exfiltration,0.85,2,4.25
0,guest,2,login_fail,0.7,1,2.1


## Automated Response: Lock Accounts Based on Failed Logins

In [7]:
# Simulated login failures: six failed attempts, interleaved between two users
login_attempts = {
    "user": ["alice", "alice", "alice", "bob", "bob", "alice"],
    "result": ["fail"] * 6,
}
login_attempts



{'user': ['alice', 'alice', 'alice', 'bob', 'bob', 'alice'],
 'result': ['fail', 'fail', 'fail', 'fail', 'fail', 'fail']}

In [8]:
# Tabulate the attempts so they can be grouped per user
df_login = pd.DataFrame.from_dict(login_attempts)
df_login

Unnamed: 0,user,result
0,alice,fail
1,alice,fail
2,alice,fail
3,bob,fail
4,bob,fail
5,alice,fail


In [5]:
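# Count failed attempts per user and decide on a response.
LOCK_THRESHOLD = 3  # failures at or above this lock the account

failed = df_login[df_login["result"] == "fail"]
fail_counts = failed.groupby("user").size()
# Vectorised replacement for the per-element lambda; same "LOCK ACCOUNT"/"ALLOW" labels.
response = fail_counts.ge(LOCK_THRESHOLD).map({True: "LOCK ACCOUNT", False: "ALLOW"})
# NOTE(review): df_login carries no timestamp, so counts accumulate over the whole
# frame rather than within a time window; only users with at least one failure appear.
response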

user
alice    LOCK ACCOUNT
bob             ALLOW
dtype: object

## Passcode Cracking: 4-Digit PIN Attack Simulation
This section demonstrates different strategies, commonly used in security assessments, for guessing 4-digit passcodes.