# üß† Login Activity Analysis using Pandas

### üìÑ Project Overview
This project explores **login activity data** using **Python and Pandas**, applying data-cleaning and exploration techniques similar to what a cybersecurity analyst would perform when reviewing authentication logs.  
The aim is to understand user behavior, identify failed logins, and highlight patterns that might indicate suspicious activity ‚Äî using only **core Pandas operations**, without any external visualization libraries.

This notebook is designed as a **hands-on extension** of the [Kaggle: Python](https://www.kaggle.com/learn/python) and [Kaggle: Pandas](https://www.kaggle.com/learn/pandas) courses.  
It reinforces the data manipulation and analysis techniques learned there in a realistic, cybersecurity-flavored dataset.

---

### üéØ Objectives
By the end of this notebook, we will:
1. Load and inspect the `login_activity.csv` dataset  
2. Clean the data ‚Äî remove duplicates, handle missing values, and format timestamps  
3. Explore user login activity through filtering, grouping, and summarizing data  
4. Identify patterns and anomalies (e.g., users or IPs with many failed attempts)  
5. Produce a structured summary of insights  

---

### üì¶ Dataset Description
The dataset (`login_activity.csv`) is **synthetic**, generated using a Python script.  
It contains simulated user login attempts with columns like:

| Column | Description |
|--------|--------------|
| `username` | Name of the user attempting login |
| `timestamp` | Date and time of the attempt |
| `source_ip` | IP address used |
| `location` | Login location (country or region) |
| `status` | Login outcome (Success / Failed) |

The data includes both successful and failed attempts, with occasional missing or duplicate entries ‚Äî ideal for practicing real-world data cleaning.

---

### üß© Deliverables
- A cleaned, well-structured DataFrame ready for analysis  
- Summary tables showing login frequency by user, IP, and time  
- Filtered lists of failed login attempts and suspicious patterns  
- A written summary of insights at the end of the notebook  

---

### üß∞ Tools & Libraries
- **Python 3.x**
- **Pandas** (for data manipulation)
- **NumPy** (for numeric operations, if required)

> üìù Note: Visualization libraries such as `matplotlib` or `seaborn` are **not used** in this project, as the focus is purely on Pandas-based data exploration.

---

### üîç Learning Goals
This project helps reinforce:
- Reading, inspecting, and cleaning CSV data  
- Working with missing values and duplicates  
- Grouping and aggregating data  
- Filtering and summarizing with Pandas  
- Interpreting real-world datasets without relying on charts or plots  

# 1. Setup & Preparation

In [45]:
import pandas as pd
pd.set_option('display.max_rows', 7)

In [46]:
login_file = pd.read_csv("login_activity.csv")

### Summary from Step 1:
1. The Panda library has been imported
2. Max display rows limited to 7 for better visibility.
3. The login file which was generated using a python script has been loaded into the notebook - login_activity.csv

# 2. Initial Data Inspection

In [47]:
login_file

Unnamed: 0,username,timestamp,source_ip,location,status
0,david,2026-01-04 17:30:55,136.103.14.3,Singapore,Success
1,judy,2026-01-07 12:34:55,227.133.121.123,Brazil,Success
2,frank,2026-01-02 20:14:55,97.116.137.169,Brazil,Success
...,...,...,...,...,...
199,alice,2026-01-05 02:43:55,162.151.169.194,USA,Failed
200,charlie,2026-01-04 09:59:55,241.97.191.182,UK,Failed
201,charlie,2026-01-03 03:04:55,106.167.90.178,Germany,Failed


In [48]:
login_file.describe()

Unnamed: 0,username,timestamp,source_ip,location,status
count,199,202,202,199,202
unique,10,198,200,7,2
top,charlie,2026-01-04 09:59:55,106.167.90.178,Australia,Success
freq,28,3,2,37,123


In [49]:
login_file.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 202 entries, 0 to 201
Data columns (total 5 columns):
 #   Column     Non-Null Count  Dtype 
---  ------     --------------  ----- 
 0   username   199 non-null    object
 1   timestamp  202 non-null    object
 2   source_ip  202 non-null    object
 3   location   199 non-null    object
 4   status     202 non-null    object
dtypes: object(5)
memory usage: 8.0+ KB


In [50]:
login_file[login_file.username.isnull()]

Unnamed: 0,username,timestamp,source_ip,location,status
35,,2026-01-03 04:17:55,155.111.231.166,Germany,Failed
63,,2026-01-06 01:16:55,171.41.113.253,,Failed
119,,2026-01-01 12:48:55,142.190.67.147,UK,Failed


In [51]:
login_file[login_file.timestamp.isnull()]

Unnamed: 0,username,timestamp,source_ip,location,status


In [52]:
login_file[login_file.source_ip.isnull()]

Unnamed: 0,username,timestamp,source_ip,location,status


In [53]:
login_file[login_file.location.isnull()]

Unnamed: 0,username,timestamp,source_ip,location,status
55,judy,2026-01-05 23:43:55,63.250.251.138,,Success
63,,2026-01-06 01:16:55,171.41.113.253,,Failed
126,eve,2026-01-02 05:04:55,126.20.160.56,,Failed


In [54]:
login_file[login_file.status.isnull()]

Unnamed: 0,username,timestamp,source_ip,location,status


In [55]:
login_file.isnull().sum()

username     3
timestamp    0
source_ip    0
location     3
status       0
dtype: int64

In [56]:
login_file.duplicated().sum()

np.int64(2)

### Summary from Step 2:
1. Data loaded into the notebook successfully and no issues detected.
2. All the columns are of object data type.
3. **Username** and **Location** column has 3 null values in rows (35,63,199) and (55,63,126) respectively.
4. Two rows are duplicate in the dataset.

# 3. Data Cleaning

In [57]:
login_file[login_file.duplicated()]

Unnamed: 0,username,timestamp,source_ip,location,status
200,charlie,2026-01-04 09:59:55,241.97.191.182,UK,Failed
201,charlie,2026-01-03 03:04:55,106.167.90.178,Germany,Failed


In [58]:
login_file = login_file.drop_duplicates()

In [59]:
login_file

Unnamed: 0,username,timestamp,source_ip,location,status
0,david,2026-01-04 17:30:55,136.103.14.3,Singapore,Success
1,judy,2026-01-07 12:34:55,227.133.121.123,Brazil,Success
2,frank,2026-01-02 20:14:55,97.116.137.169,Brazil,Success
...,...,...,...,...,...
197,ivan,2026-01-06 12:07:55,248.165.14.163,USA,Success
198,eve,2026-01-02 09:48:55,22.18.193.136,Brazil,Failed
199,alice,2026-01-05 02:43:55,162.151.169.194,USA,Failed


In [62]:
login_file.username.fillna("Unknown")

0      david
1       judy
2      frank
       ...  
197     ivan
198      eve
199    alice
Name: username, Length: 200, dtype: object

In [63]:
login_file.iloc[119]

username                 Unknown
timestamp    2026-01-01 12:48:55
source_ip         142.190.67.147
location                      UK
status                    Failed
Name: 119, dtype: object

In [67]:
login_file["location"].fillna("Unknown")

0      Singapore
1         Brazil
2         Brazil
         ...    
197          USA
198       Brazil
199          USA
Name: location, Length: 200, dtype: object

In [68]:
login_file.iloc[63]

username                 Unknown
timestamp    2026-01-06 01:16:55
source_ip         171.41.113.253
location                 Unknown
status                    Failed
Name: 63, dtype: object

In [70]:
login_file.info()

<class 'pandas.core.frame.DataFrame'>
Index: 200 entries, 0 to 199
Data columns (total 5 columns):
 #   Column     Non-Null Count  Dtype 
---  ------     --------------  ----- 
 0   username   200 non-null    object
 1   timestamp  200 non-null    object
 2   source_ip  200 non-null    object
 3   location   200 non-null    object
 4   status     200 non-null    object
dtypes: object(5)
memory usage: 9.4+ KB


In [76]:
login_file = login_file.astype({"timestamp":"datetime64[ns]"})

In [77]:
login_file.info()

<class 'pandas.core.frame.DataFrame'>
Index: 200 entries, 0 to 199
Data columns (total 5 columns):
 #   Column     Non-Null Count  Dtype         
---  ------     --------------  -----         
 0   username   200 non-null    object        
 1   timestamp  200 non-null    datetime64[ns]
 2   source_ip  200 non-null    object        
 3   location   200 non-null    object        
 4   status     200 non-null    object        
dtypes: datetime64[ns](1), object(4)
memory usage: 9.4+ KB


In [78]:
login_file.timestamp.dtype

dtype('<M8[ns]')

In [79]:
login_file

Unnamed: 0,username,timestamp,source_ip,location,status
0,david,2026-01-04 17:30:55,136.103.14.3,Singapore,Success
1,judy,2026-01-07 12:34:55,227.133.121.123,Brazil,Success
2,frank,2026-01-02 20:14:55,97.116.137.169,Brazil,Success
...,...,...,...,...,...
197,ivan,2026-01-06 12:07:55,248.165.14.163,USA,Success
198,eve,2026-01-02 09:48:55,22.18.193.136,Brazil,Failed
199,alice,2026-01-05 02:43:55,162.151.169.194,USA,Failed


In [80]:
login_file["hour"] = login_file.timestamp.dt.hour

In [82]:
login_file["date"] = login_file.timestamp.dt.date

In [83]:
login_file

Unnamed: 0,username,timestamp,source_ip,location,status,hour,date
0,david,2026-01-04 17:30:55,136.103.14.3,Singapore,Success,17,2026-01-04
1,judy,2026-01-07 12:34:55,227.133.121.123,Brazil,Success,12,2026-01-07
2,frank,2026-01-02 20:14:55,97.116.137.169,Brazil,Success,20,2026-01-02
...,...,...,...,...,...,...,...
197,ivan,2026-01-06 12:07:55,248.165.14.163,USA,Success,12,2026-01-06
198,eve,2026-01-02 09:48:55,22.18.193.136,Brazil,Failed,9,2026-01-02
199,alice,2026-01-05 02:43:55,162.151.169.194,USA,Failed,2,2026-01-05


In [84]:
login_file.info()

<class 'pandas.core.frame.DataFrame'>
Index: 200 entries, 0 to 199
Data columns (total 7 columns):
 #   Column     Non-Null Count  Dtype         
---  ------     --------------  -----         
 0   username   200 non-null    object        
 1   timestamp  200 non-null    datetime64[ns]
 2   source_ip  200 non-null    object        
 3   location   200 non-null    object        
 4   status     200 non-null    object        
 5   hour       200 non-null    int32         
 6   date       200 non-null    object        
dtypes: datetime64[ns](1), int32(1), object(5)
memory usage: 11.7+ KB


### Summary from Step 3:
1. Two duplicate rows were removed. Now the dataset is of (200*5)
2. 6 Null values were replaced by **Unknown**
3. 2 new columns (hour and date) have been extracted from timestamp (after converting its data type from object to datetime64)

# 4. Data Exploration

In [88]:
len(login_file)

200

In [90]:
len(login_file.username.unique())

11

In [94]:
len(login_file.source_ip.unique())

200

In [97]:
login_file.groupby("status").status.count()

status
Failed      77
Success    123
Name: status, dtype: int64

In [100]:
login_file.groupby("username").username.count().sort_values(ascending=False)

username
bob        26
charlie    26
judy       25
           ..
alice      13
heidi      12
Unknown     3
Name: username, Length: 11, dtype: int64

In [112]:
with pd.option_context('display.max_rows', None):
    print(login_file.groupby("username").status.value_counts())

username  status 
Unknown   Failed      3
alice     Failed      8
          Success     5
bob       Success    19
          Failed      7
charlie   Failed     14
          Success    12
david     Success    10
          Failed      7
eve       Failed     10
          Success    10
frank     Failed     10
          Success     9
grace     Success    16
          Failed      4
heidi     Success     8
          Failed      4
ivan      Success    17
          Failed      2
judy      Success    17
          Failed      8
Name: count, dtype: int64


In [118]:
login_file[login_file.status == "Failed"].groupby("username").username.count().sort_values(ascending=False)

username
charlie    14
eve        10
frank      10
           ..
grace       4
Unknown     3
ivan        2
Name: username, Length: 11, dtype: int64

In [119]:
login_file.groupby("source_ip").source_ip.count().sort_values(ascending=False)

source_ip
102.148.35.105     1
102.210.225.213    1
104.33.247.234     1
                  ..
97.147.217.96      1
97.34.17.169       1
97.35.139.157      1
Name: source_ip, Length: 200, dtype: int64

In [120]:
login_file[login_file.status == "Failed"].groupby("location").location.count().sort_values(ascending=False)

location
Australia    15
USA          13
India        11
             ..
Brazil        8
Singapore     8
Unknown       2
Name: location, Length: 8, dtype: int64

In [121]:
login_file.groupby("hour").hour.count().sort_values(ascending=False)

hour
7     12
12    12
5     11
      ..
14     5
20     4
8      2
Name: hour, Length: 24, dtype: int64

### Summary from Step 4:
1. There are **11** unique users with total of **200** login attempts, out of which **123** events are successful and **23** failed.
2. Users **Bob** and **Charlie** have the highest login attempts (**26**).
3. User **Charlie** has the highest count of failures - **14**.
4. All the IP addresses in 200 events are uniuqe and no IP address is repeated.
5. Highest count of failures originated from **Australia** - **15**.
6. At hours **7** and **12**, most login attempts were made - **12** each.

# 5. Filtering for Suspicious Activity

In [123]:
login_file[(login_file.hour >=0) & (login_file.hour <=5)]

Unnamed: 0,username,timestamp,source_ip,location,status,hour,date
5,charlie,2026-01-07 05:52:55,225.4.41.134,Australia,Success,5,2026-01-07
10,alice,2026-01-08 03:42:55,82.147.158.1,Germany,Failed,3,2026-01-08
14,eve,2026-01-07 03:15:55,229.138.39.80,India,Failed,3,2026-01-07
...,...,...,...,...,...,...,...
191,charlie,2026-01-08 03:53:55,67.148.248.39,Singapore,Success,3,2026-01-08
195,judy,2026-01-05 04:11:55,227.19.32.76,Australia,Failed,4,2026-01-05
199,alice,2026-01-05 02:43:55,162.151.169.194,USA,Failed,2,2026-01-05


In [127]:
with pd.option_context('display.max_rows', None):
    print(login_file[(login_file.hour >=0) & (login_file.hour <=5) & (login_file.status == "Failed")].groupby("username").status.value_counts().sort_values(ascending=False))

username  status
charlie   Failed    7
eve       Failed    6
frank     Failed    6
david     Failed    5
judy      Failed    5
alice     Failed    4
bob       Failed    4
Unknown   Failed    2
grace     Failed    2
heidi     Failed    2
Name: count, dtype: int64


In [131]:
failed_counts = login_file[login_file.status == "Failed"].groupby("username").username.count()
failed_counts[failed_counts > 3].sort_values(ascending = False)

username
charlie    14
frank      10
eve        10
           ..
bob         7
grace       4
heidi       4
Name: username, Length: 9, dtype: int64

### Summary from Step 5:
1. From hours **0** to **5** there are 57 login attempts.
2. From hours **0** to **5**, users **Charlie**, **Eve** and **Frank** had **7**,**6** and **6** failures respectively.
3. There are **9** users out of **11** user who have more than 3 failure attempts, with **Charlie** topping the list with **14** failures.
4. **Australia** remains the suspicious country with high login failures and the hours **7**,**12** and **5**.
5. **Charlie** has suspicious patterns which can be looked into on priority.

# üèÅ Final Summary and Insights

### üìÑ Dataset Overview
- **Total Records:** 200  
- **Unique Users:** 10 (+1 Unknown user)  
- **Columns:** username, timestamp, source_ip, location, status, hour, date  
- **Data Quality Improvements:**
  - 2 duplicate records removed  
  - 6 missing values replaced with `'Unknown'`  
  - Timestamp column converted to `datetime64` and expanded into `hour` and `date` columns  

---

### üìä Behavioral Insights
- Total login attempts: **200**  
- Successful logins: **123**  
- Failed logins: **77**  
- Users with highest login frequency: **Bob (26)** and **Charlie (26)**  
- Highest number of failures: **Charlie (14)**  
- Location with most failures: **Australia (15)**  
- Peak login hours: **7 AM**, **12 PM**, and **5 AM**  

---

### üïµÔ∏è Suspicious Patterns & Observations
- **Charlie** shows unusually high failed login activity (14 failures, several during late-night hours).  
- Late-night hours (**0‚Äì5 AM**) saw **57 login attempts**, which is atypical compared to other times of day.  
- Multiple users (**Charlie, Eve, Frank**) show frequent failures between midnight and 5 AM.  
- **Australia** continues to appear as the region with the highest number of failed logins ‚Äî possible source of repeated attacks or misconfigured users.  
- All IP addresses are unique ‚Äî may indicate ephemeral or randomized sources, or simulated test behavior.  

---

### üß≠ Recommendations / Next Steps
- üîé **Investigate User Accounts:**
  - Focus on `Charlie`, `Eve`, and `Frank` for repeated failed authentication attempts.  
  - Verify whether these attempts were from legitimate sources or suspicious IP ranges.  

- üåê **Geolocation Analysis:**
  - Review login trends from `Australia` ‚Äî validate whether these IPs align with known corporate users or external attempts.  

- ‚è∞ **Temporal Analysis:**
  - Examine whether failed attempts during **off-hours (0‚Äì5 AM)** correlate with known maintenance windows or potential brute-force activity.  

- üîÑ **Future Work:**
  - Integrate this cleaned dataset with a SIEM tool or an ML anomaly detection model (planned for Week 2 in the AI for Cybersecurity path).  
  - Incorporate visualization libraries (Matplotlib/Seaborn) for clearer pattern representation once those skills are covered.

---

### ‚úÖ Conclusion
This project demonstrated how **Pandas** can be effectively used to **clean, explore, and analyze login activity logs** in a cybersecurity context.  
It highlights how even simple data operations ‚Äî filtering, grouping, and aggregation ‚Äî can reveal potential threats such as unusual login times, high-failure accounts, and location-based anomalies.  

The same workflow forms the foundation for future **machine learning‚Äìbased threat detection** projects.
