Used file from Kaggle to Cyberattacks Detection.csv - https://www.kaggle.com/api/v1/datasets/download/lastman0800/cyberattacks-detection

Building ML models to analyze data and measure KPIs

In [None]:
# Import required libraries
import pandas as pd  # For data manipulation and analysis
import numpy as np   # For numerical operations
from datetime import datetime  # For handling date/time operations

def analyze_cyberattacks():
    """
    Main function to analyze cyberattack data and answer 20 specific questions.
    Each question's analysis is contained in its own section with detailed comments.
    """
    try:
        # Read the CSV file into a pandas DataFrame
        df = pd.read_csv("Cyberattacks Detection.csv")

        # Convert timestamp column to datetime format for easier date-based analysis
        df['Timestamp'] = pd.to_datetime(df['Timestamp'])

        # Convert payload size to numeric values, handling any conversion errors
        # 'coerce' will convert invalid values to NaN
        df['Payload Size (bytes)'] = pd.to_numeric(df['Payload Size (bytes)'], errors='coerce')

        # Question 1: TCP MITM attacks on Network Routers
        print("\nQuestion 1: Which source country paired with the 'TCP' protocol had the most 'Detected' 'Man-in-the-Middle (MITM)' attacks on 'Network Router' systems?")
        # Filter data for TCP MITM attacks on Network Routers that were detected
        q1_df = df[
            (df['Protocol'] == 'TCP') &
            (df['Attack Type'] == 'Man-in-the-Middle (MITM)') &
            (df['Detection Label'] == 'Detected') &
            (df['Affected System'] == 'Network Router')
        ]
        # Count attacks by source country and get the most frequent
        result = q1_df['Source Country'].value_counts().head(1)
        print(f"Answer: {result.index[0]} with {result.values[0]} attacks")

        # Question 2: Watering Hole attacks from Japan
        print("\nQuestion 2: Which destination port range had the highest frequency of 'Detected' 'Watering Hole Attack' instances originating from 'Japan'?")
        # Filter for Watering Hole attacks from Japan that were detected
        q2_df = df[
            (df['Attack Type'] == 'Watering Hole Attack') &
            (df['Detection Label'] == 'Detected') &
            (df['Source Country'] == 'Japan')
        ]
        # Define port ranges for analysis
        port_ranges = {
            '0-10000': (0, 10000),
            '10000-20000': (10000, 20000),
            '20000-30000': (20000, 30000),
            '40000-50000': (40000, 50000)
        }
        # Count attacks in each port range
        range_counts = {}
        for range_name, (min_port, max_port) in port_ranges.items():
            count = len(q2_df[(q2_df['Destination Port'] >= min_port) & (q2_df['Destination Port'] < max_port)])
            range_counts[range_name] = count
        # Find the range with maximum attacks
        max_range = max(range_counts.items(), key=lambda x: x[1])
        print(f"Answer: {max_range[0]} with {max_range[1]} attacks")

        # Question 3: Drive-by Download attacks on Workstations
        print("\nQuestion 3: Which destination port range had the highest average confidence score for undetected 'Drive-by Download' attacks targeting 'Workstation' systems?")
        # Filter for undetected Drive-by Download attacks on Workstations
        q3_df = df[
            (df['Attack Type'] == 'Drive-by Download') &
            (df['Detection Label'] == 'Not Detected') &
            (df['Affected System'] == 'Workstation')
        ]
        # Calculate average confidence score for each port range
        range_avg_conf = {}
        for range_name, (min_port, max_port) in port_ranges.items():
            avg_conf = q3_df[(q3_df['Destination Port'] >= min_port) & (q3_df['Destination Port'] < max_port)]['Confidence Score'].mean()
            range_avg_conf[range_name] = avg_conf
        # Find range with highest average confidence
        max_conf_range = max(range_avg_conf.items(), key=lambda x: x[1])
        print(f"Answer: {max_conf_range[0]} with average confidence score of {max_conf_range[1]:.3f}")

        # Question 4: UDP Insider Threat attacks
        print("\nQuestion 4: Which destination country paired with 'UDP' protocol had the most undetected 'Insider Threat' attacks with source ports above 50000?")
        # Filter for UDP Insider Threat attacks with high source ports
        q4_df = df[
            (df['Protocol'] == 'UDP') &
            (df['Attack Type'] == 'Insider Threat') &
            (df['Detection Label'] == 'Not Detected') &
            (df['Source Port'] > 50000)
        ]
        # Count attacks by destination country
        result = q4_df['Destination Country'].value_counts().head(1)
        print(f"Answer: {result.index[0]} with {result.values[0]} attacks")

        # Question 5: SQL Injection payload sizes
        print("\nQuestion 5: Which protocol shows the highest average payload size for 'SQL Injection' attacks that were not detected on 'Database Server' systems?")
        # Filter for undetected SQL Injection attacks on Database Servers
        q5_df = df[
            (df['Attack Type'] == 'SQL Injection') &
            (df['Detection Label'] == 'Not Detected') &
            (df['Affected System'] == 'Database Server')
        ]
        # Calculate average payload size by protocol
        result = q5_df.groupby('Protocol')['Payload Size (bytes)'].mean().sort_values(ascending=False)
        print(f"Answer: {result.index[0]} with average payload size of {result.values[0]:.2f} bytes")

        # Question 6: Ping of Death attacks in Q2 2024
        print("\nQuestion 6: Which machine learning model has the highest number of 'Detected' 'Ping of Death' attacks targeting 'Database Server' systems in Q2 2024?")
        # Filter for detected Ping of Death attacks in Q2 2024
        q6_df = df[
            (df['Attack Type'] == 'Ping of Death') &
            (df['Detection Label'] == 'Detected') &
            (df['Affected System'] == 'Database Server') &
            (df['Timestamp'].dt.year == 2024) &
            (df['Timestamp'].dt.quarter == 2)
        ]
        # Count detections by ML model
        result = q6_df['ML Model'].value_counts().head(1)
        print(f"Answer: {result.index[0]} with {result.values[0]} detections")

        # Question 7: FTP attacks in 2024
        print("\nQuestion 7: Which source country had the highest number of 'Detected' 'File Transfer Protocol (FTP) Attack' instances with confidence scores above 0.7 in 2024?")
        # Filter for detected FTP attacks with high confidence in 2024
        q7_df = df[
            (df['Attack Type'] == 'File Transfer Protocol (FTP) Attack') &
            (df['Detection Label'] == 'Detected') &
            (df['Confidence Score'] > 0.7) &
            (df['Timestamp'].dt.year == 2024)
        ]
        # Count attacks by source country
        result = q7_df['Source Country'].value_counts().head(1)
        print(f"Answer: {result.index[0]} with {result.values[0]} attacks")

        # Question 8: Email Server attack proportions
        print("\nQuestion 8: Which attack type targeting 'Email Server' systems in 2024 had the highest proportion of attacks with payload sizes below the 25th percentile?")
        # Filter for Email Server attacks in 2024
        q8_df = df[
            (df['Affected System'] == 'Email Server') &
            (df['Timestamp'].dt.year == 2024)
        ]
        # Calculate 25th percentile of payload sizes
        payload_25th = q8_df['Payload Size (bytes)'].quantile(0.25)
        # Calculate proportion of small payloads for each attack type
        attack_proportions = {}
        for attack_type in ['Credential Stuffing', 'SQL Injection', 'Brute Force', 'Phishing']:
            attack_df = q8_df[q8_df['Attack Type'] == attack_type]
            if len(attack_df) > 0:
                proportion = len(attack_df[attack_df['Payload Size (bytes)'] < payload_25th]) / len(attack_df)
                attack_proportions[attack_type] = proportion
        # Find attack type with highest proportion
        max_prop_attack = max(attack_proportions.items(), key=lambda x: x[1])
        print(f"Answer: {max_prop_attack[0]} with proportion {max_prop_attack[1]:.3f}")

        # Question 9: Zero-Day Exploits on Application Servers
        print("\nQuestion 9: In which month of 2024 did 'Application Server' systems experience the highest number of undetected 'Zero-Day Exploit' attacks?")
        # Filter for undetected Zero-Day Exploits on Application Servers in 2024
        q9_df = df[
            (df['Affected System'] == 'Application Server') &
            (df['Attack Type'] == 'Zero-Day Exploit') &
            (df['Detection Label'] == 'Not Detected') &
            (df['Timestamp'].dt.year == 2024)
        ]
        # Count attacks by month
        result = q9_df['Timestamp'].dt.month_name().value_counts().head(1)
        print(f"Answer: {result.index[0]} with {result.values[0]} attacks")

        # Question 10: IoT Device attack confidence
        print("\nQuestion 10: Which attack type targeting 'IoT Device' systems has the highest median confidence score for undetected attacks in 2024?")
        # Filter for undetected attacks on IoT Devices in 2024
        q10_df = df[
            (df['Affected System'] == 'IoT Device') &
            (df['Detection Label'] == 'Not Detected') &
            (df['Timestamp'].dt.year == 2024)
        ]
        # Calculate median confidence score by attack type
        result = q10_df.groupby('Attack Type')['Confidence Score'].median().sort_values(ascending=False)
        print(f"Answer: {result.index[0]} with median confidence score of {result.values[0]:.3f}")

        # Question 11: Cloud Storage attack payloads
        print("\nQuestion 11: Which attack type has the highest average payload size for undetected attacks targeting 'Cloud Storage' with a confidence score below 0.3?")
        # Filter for undetected attacks on Cloud Storage with low confidence
        q11_df = df[
            (df['Affected System'] == 'Cloud Storage') &
            (df['Detection Label'] == 'Not Detected') &
            (df['Confidence Score'] < 0.3)
        ]
        # Calculate average payload size by attack type
        result = q11_df.groupby('Attack Type')['Payload Size (bytes)'].mean().sort_values(ascending=False)
        print(f"Answer: {result.index[0]} with average payload size of {result.values[0]:.2f} bytes")

        # Question 12: APT attack confidence
        print("\nQuestion 12: Which protocol has the lowest median confidence score for detected 'Advanced Persistent Threat (APT)' attacks on 'Workstation' systems?")
        # Filter for detected APT attacks on Workstations
        q12_df = df[
            (df['Attack Type'] == 'Advanced Persistent Threat (APT)') &
            (df['Detection Label'] == 'Detected') &
            (df['Affected System'] == 'Workstation')
        ]
        # Calculate median confidence score by protocol
        result = q12_df.groupby('Protocol')['Confidence Score'].median().sort_values()
        print(f"Answer: {result.index[0]} with median confidence score of {result.values[0]:.3f}")

        # Question 13: Cryptojacking detection rates
        print("\nQuestion 13: Which destination country had the highest detection rate for 'Cryptojacking' attacks originating from 'India' with source ports below 20000?")
        # Filter for Cryptojacking attacks from India with low source ports
        q13_df = df[
            (df['Attack Type'] == 'Cryptojacking') &
            (df['Source Country'] == 'India') &
            (df['Source Port'] < 20000)
        ]
        # Calculate detection rate by destination country
        detection_rates = q13_df.groupby('Destination Country')['Detection Label'].apply(
            lambda x: (x == 'Detected').mean()
        ).sort_values(ascending=False)
        print(f"Answer: {detection_rates.index[0]} with detection rate of {detection_rates.values[0]:.3f}")

        # Question 14: DDoS attacks on Firewalls
        print("\nQuestion 14: In which quarter of 2024 did 'Firewall' systems face the most 'Detected' 'Distributed Denial of Service (DDoS)' attacks with payload sizes above the median?")
        # Filter for detected DDoS attacks on Firewalls in 2024
        q14_df = df[
            (df['Affected System'] == 'Firewall') &
            (df['Attack Type'] == 'Distributed Denial of Service (DDoS)') &
            (df['Detection Label'] == 'Detected') &
            (df['Timestamp'].dt.year == 2024)
        ]
        # Calculate median payload size
        median_payload = q14_df['Payload Size (bytes)'].median()
        # Filter for attacks above median payload
        q14_df = q14_df[q14_df['Payload Size (bytes)'] > median_payload]
        # Count attacks by quarter
        result = q14_df['Timestamp'].dt.quarter.value_counts().head(1)
        print(f"Answer: Q{result.index[0]} with {result.values[0]} attacks")

        # Question 15: Brute Force attacks on Web Servers
        print("\nQuestion 15: In 2024, which source country had the highest number of detected 'Brute Force' attacks targeting 'Web Server' systems with a confidence score above 0.9?")
        # Filter for detected Brute Force attacks on Web Servers with high confidence in 2024
        q15_df = df[
            (df['Attack Type'] == 'Brute Force') &
            (df['Detection Label'] == 'Detected') &
            (df['Affected System'] == 'Web Server') &
            (df['Confidence Score'] > 0.9) &
            (df['Timestamp'].dt.year == 2024)
        ]
        # Count attacks by source country
        result = q15_df['Source Country'].value_counts().head(1)
        print(f"Answer: {result.index[0]} with {result.values[0]} attacks")

        # Question 16: Email Spam detection rates
        print("\nQuestion 16: Which source country had the highest detection rate for 'Email Spam' attacks targeting 'Firewall' systems with payload sizes above 4000 bytes?")
        # Filter for Email Spam attacks on Firewalls with large payloads
        q16_df = df[
            (df['Attack Type'] == 'Email Spam') &
            (df['Affected System'] == 'Firewall') &
            (df['Payload Size (bytes)'] > 4000)
        ]
        # Calculate detection rate by source country
        detection_rates = q16_df.groupby('Source Country')['Detection Label'].apply(
            lambda x: (x == 'Detected').mean()
        ).sort_values(ascending=False)
        print(f"Answer: {detection_rates.index[0]} with detection rate of {detection_rates.values[0]:.3f}")

        # Question 17: Payload size variation
        print("\nQuestion 17: Which attack type has the highest standard deviation in payload sizes for detected attacks targeting 'Network Router' systems?")
        # Filter for detected attacks on Network Routers
        q17_df = df[
            (df['Affected System'] == 'Network Router') &
            (df['Detection Label'] == 'Detected')
        ]
        # Calculate standard deviation of payload sizes by attack type
        result = q17_df.groupby('Attack Type')['Payload Size (bytes)'].std().sort_values(ascending=False)
        print(f"Answer: {result.index[0]} with standard deviation of {result.values[0]:.2f}")

        # Question 18: ML model confidence variance
        print("\nQuestion 18: Which machine learning model has the lowest variance in confidence scores for detected 'Phishing' attacks targeting 'Email Server' systems?")
        # Filter for detected Phishing attacks on Email Servers
        q18_df = df[
            (df['Attack Type'] == 'Phishing') &
            (df['Detection Label'] == 'Detected') &
            (df['Affected System'] == 'Email Server')
        ]
        # Calculate variance of confidence scores by ML model
        result = q18_df.groupby('ML Model')['Confidence Score'].var().sort_values()
        print(f"Answer: {result.index[0]} with variance of {result.values[0]:.3f}")

        # Question 19: SNMP attack detection rates
        print("\nQuestion 19: Which machine learning model has the highest detection rate for 'Simple Network Management Protocol (SNMP) Attack' on 'Cloud Storage' systems?")
        # Filter for SNMP attacks on Cloud Storage
        q19_df = df[
            (df['Attack Type'] == 'Simple Network Management Protocol (SNMP) Attack') &
            (df['Affected System'] == 'Cloud Storage')
        ]
        # Calculate detection rate by ML model
        detection_rates = q19_df.groupby('ML Model')['Detection Label'].apply(
            lambda x: (x == 'Detected').mean()
        ).sort_values(ascending=False)
        print(f"Answer: {detection_rates.index[0]} with detection rate of {detection_rates.values[0]:.3f}")

        # Question 20: XSS attack detections
        print("\nQuestion 20: Which machine learning model detected the most 'Cross-Site Scripting (XSS) Attack' instances on 'Workstation' systems with a confidence score above 0.8?")
        # Filter for detected XSS attacks on Workstations with high confidence
        q20_df = df[
            (df['Attack Type'] == 'Cross-Site Scripting (XSS) Attack') &
            (df['Affected System'] == 'Workstation') &
            (df['Confidence Score'] > 0.8) &
            (df['Detection Label'] == 'Detected')
        ]
        # Count detections by ML model
        result = q20_df['ML Model'].value_counts().head(1)
        print(f"Answer: {result.index[0]} with {result.values[0]} detections")

    except FileNotFoundError:
        print("Error: 'Cyberattacks Detection.csv' not found. Please ensure the file is in the same directory.")
    except Exception as e:
        print(f"An error occurred: {str(e)}")

# Run the analysis if this script is executed directly
if __name__ == "__main__":
    analyze_cyberattacks()