Project 3 - Honeynet Visualization

Primary mentor: Kara Nance (US)
Student: Lucas McDaniel

Project Location:
http://code.google.com/p/honeyviz/

Project Overview:
HoneyViz - An Interactive Honeynet Visualization tool
The goal of this project is to develop a web-based visualization tool, called HoneyViz, capable of identifying attack patterns in honeynet logs. In general, this will be achieved through a few views that group together distinct areas which share similar types of attacks over similar time intervals. We envision an interactive component which lets an end user customize the visualization by selecting the parameters they are interested in (e.g. types of attacks, time frame, and the source's geographical location). The end deliverable will include an applet, intended to be embedded in a webpage, as the main visualization tool.

Project Plan:
Present – May 24, 2011 (START)
Gain familiarity with the topic

  • View currently used open-source visualization techniques with a focus on GIS.
  • Locate data sets and streams and obtain access to them.
    • While the end deliverable will be independent of data source, it would be great to work with real data over the course of this project.
  • The emphasis here is on getting to know people and determining what resources are available.

May 25, 2011 (START) – June 5, 2011
Database

  • We will focus on building a database structure capable of meeting our performance needs. Since this database will be seeded from a variety of sources (dionaea, snort, and p0f are among those included in this version), the data will have to be restructured so that records from every source fit the same table format and can be accessed quickly. The interactive component requires that queries run in real time.
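
To make the "same table format" concrete, the following Python is an added example, not HoneyViz code, of folding records from the three sources named above into one SQLite table with a shared row shape. The snort line is assumed to follow the alert_fast output, the p0f line is assumed to follow p0f v2's single-line output with its -t timestamp prefix, and the dionaea record is assumed to use the column names of its logsql connections table; those layouts, the table columns, and every sample input are this example's own constructions and must be checked against the real sensors. Inserts are parameterised throughout because the snort message and the p0f OS string are derived from attacker-controlled traffic.

```python
import re
import sqlite3
from datetime import datetime, timezone

# One row shape for every sensor so the front end has a single query path
# (this layout is the example's own choice, not HoneyViz's schema).
SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    ts       TEXT    NOT NULL,   -- ISO-8601, UTC
    source   TEXT    NOT NULL,   -- 'snort' | 'p0f' | 'dionaea'
    src_ip   TEXT    NOT NULL,
    src_port INTEGER,
    dst_ip   TEXT,
    dst_port INTEGER,
    proto    TEXT,
    category TEXT    NOT NULL,   -- coarse bucket for the 'category' view
    detail   TEXT                -- finer label for the 'individual' view
);
CREATE INDEX IF NOT EXISTS events_ts_cat ON events (ts, category);
"""

# Snort 'alert_fast' line; its timestamp has no year, so the caller supplies one.
SNORT_FAST = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+\d+\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)$")

# p0f v2 single-line output with the '-t' timestamp prefix (assumed layout).
P0F_LINE = re.compile(
    r"^<(?P<when>[^>]+)>\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+-\s+(?P<os>.*?)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+\(distance\s+\d+")

def parse_snort(line, year):
    m = SNORT_FAST.match(line.strip())
    if not m:
        return None  # unparsable lines are skipped, never half-inserted
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
    return dict(ts=ts.replace(tzinfo=timezone.utc).isoformat(), source="snort",
                src_ip=m["sip"], src_port=int(m["sport"]), dst_ip=m["dip"],
                dst_port=int(m["dport"]), proto=m["proto"].lower(),
                category=m["cls"] or "unclassified", detail=f"{m['sid']} {m['msg']}")

def parse_p0f(line):
    m = P0F_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y")
    return dict(ts=ts.replace(tzinfo=timezone.utc).isoformat(), source="p0f",
                src_ip=m["sip"], src_port=int(m["sport"]), dst_ip=m["dip"],
                dst_port=int(m["dport"]), proto="tcp", category="fingerprint", detail=m["os"])

def parse_dionaea(row):
    # `row` uses the column names of dionaea's logsql 'connections' table (assumption).
    ts = datetime.fromtimestamp(float(row["connection_timestamp"]), tz=timezone.utc)
    return dict(ts=ts.isoformat(), source="dionaea", src_ip=row["remote_host"],
                src_port=int(row["remote_port"]), dst_ip=row["local_host"],
                dst_port=int(row["local_port"]), proto=row["connection_transport"],
                category="honeypot-connection", detail=row["connection_protocol"])

COLS = ("ts", "source", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "category", "detail")

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def ingest(conn, events):
    # Bound parameters only: the snort message and the p0f OS string derive from
    # attacker-controlled traffic and must never be spliced into the SQL text.
    rows = [tuple(e[c] for c in COLS) for e in events if e is not None]
    conn.executemany(f"INSERT INTO events ({','.join(COLS)}) VALUES ({','.join('?' * len(COLS))})", rows)
    conn.commit()
    return len(rows)

def counts_by_category(conn, start_iso, end_iso):
    # Range scan on the (ts, category) index: the shape of the per-interval
    # lookups an interactive 'Historical Data' panel issues.
    cur = conn.execute("SELECT category, COUNT(*) FROM events WHERE ts >= ? AND ts < ? "
                       "GROUP BY category ORDER BY category", (start_iso, end_iso))
    return dict(cur.fetchall())

# Constructed sample input, not captured traffic.
SAMPLE_SNORT = [
    "05/30-12:01:02.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.5:1434",
    "05/30-12:05:40.000001  [**] [1:1000001:1] local test rule [**] [Priority: 3] "
    "{TCP} 192.0.2.44:51000 -> 198.51.100.5:445",
]
SAMPLE_P0F = ["<Mon May 30 12:01:05 2011> 192.0.2.10:2323 - Linux 2.6 (newer, 2) -> "
              "198.51.100.5:80 (distance 12, link: ethernet/modem)"]
SAMPLE_DIONAEA = [{"connection_timestamp": 1306756900.5, "connection_transport": "tcp",
                   "connection_protocol": "smbd", "remote_host": "192.0.2.44",
                   "remote_port": 51001, "local_host": "198.51.100.5", "local_port": 445}]

def build_sample_db():
    conn = open_db()
    events = [parse_snort(l, 2011) for l in SAMPLE_SNORT] + [parse_p0f(l) for l in SAMPLE_P0F]
    events += [parse_dionaea(r) for r in SAMPLE_DIONAEA]
    ingest(conn, events)
    return conn
```

The two-level labelling (a coarse `category` plus a finer `detail`) is what lets a front end switch between a grouped and an individual view without a second schema; the composite index on (ts, category) is what keeps the time-window queries fast enough for interactive use as the table grows.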

June 6, 2011 – June 19, 2011
Database Access and Management

  • This section will consist of developing a set of PHP pages that handle database access on behalf of the end user, as well as an administrator portal with tools to add or remove data sources from the database.

June 20, 2011 – July 12 (MIDTERM)
Visualization

  • This is the main focus of the project. In this step we will develop an applet, interfacing with the database, which allows a user to select specific data through a series of buttons and menus (and NOT by entering SQL). The applet will consist of a few views, such as overlaying attack data on a world map and projecting this data onto a 2D metric space to identify regions with similar attack patterns.
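
As an added example that is not part of the HoneyViz project, the following Python stands in for the server side the applet would talk to: menu selections are turned into a parameterised query against an allow-list, so the client never supplies SQL text, and the per-region results are then compared by cosine similarity to group regions with a similar attack mix, the relationship the 2D metric-space view is meant to expose. The table, the category names and the sample rows are constructed for the example; a real deployment would query the shared events table, and a proper 2D layout would project the same similarity values with something like multidimensional scaling rather than the threshold grouping shown here.

```python
import math
import sqlite3

# Constructed sample rows (ts, category, ISO country code, source IP); in the
# real tool these would come from the shared events table.
SAMPLE_ROWS = [
    ("2011-07-01T01:00:00", "smb-exploit",    "CN", "192.0.2.1"),
    ("2011-07-01T02:00:00", "smb-exploit",    "CN", "192.0.2.2"),
    ("2011-07-01T03:00:00", "mssql-worm",     "CN", "192.0.2.3"),
    ("2011-07-01T04:00:00", "smb-exploit",    "RU", "198.51.100.1"),
    ("2011-07-01T05:00:00", "smb-exploit",    "RU", "198.51.100.2"),
    ("2011-07-01T06:00:00", "ssh-bruteforce", "US", "203.0.113.1"),
    ("2011-07-01T07:00:00", "ssh-bruteforce", "US", "203.0.113.2"),
    ("2011-07-01T08:00:00", "ssh-bruteforce", "BR", "203.0.113.9"),
    ("2011-07-02T09:00:00", "mssql-worm",     "BR", "203.0.113.10"),
]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, category TEXT, country TEXT, src_ip TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

# What the menus may offer. Only these strings (or the SQL expressions looked up
# here) are ever spliced into a statement; every client-supplied value is bound.
ALLOWED_CATEGORIES = {"smb-exploit", "mssql-worm", "ssh-bruteforce"}
ALLOWED_GROUPING = {"country": "country", "day": "substr(ts, 1, 10)"}

def build_query(selection):
    """Map a menu selection to (sql, params).

    selection = {"start": iso, "end": iso, "categories": [...], "group_by": "country"|"day"}
    An unknown group_by key raises KeyError; a category list with no permitted
    entry raises ValueError instead of silently widening the query.
    """
    wanted = selection.get("categories") or []
    cats = [c for c in wanted if c in ALLOWED_CATEGORIES]
    if wanted and not cats:
        raise ValueError("no permitted category selected")
    group_expr = ALLOWED_GROUPING[selection.get("group_by", "country")]
    sql = f"SELECT {group_expr} AS grp, category, COUNT(*) FROM events WHERE ts >= ? AND ts < ?"
    params = [selection["start"], selection["end"]]
    if cats:
        sql += " AND category IN (" + ",".join("?" * len(cats)) + ")"
        params.extend(cats)
    sql += " GROUP BY grp, category ORDER BY grp, category"
    return sql, params

def attack_profiles(conn, selection):
    """{region: {category: count}} for the selected window, from one query."""
    sql, params = build_query(selection)
    profiles = {}
    for grp, cat, n in conn.execute(sql, params):
        profiles.setdefault(grp, {})[cat] = n
    return profiles

def cosine(a, b):
    """Cosine similarity of two sparse count vectors (dicts); 0 if either is empty."""
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def group_similar(profiles, threshold=0.8):
    """Single-linkage grouping of regions whose attack mix is at least
    `threshold` cosine-similar: the neighbourhoods a 2D projection would
    show as clusters. Returns a sorted list of sorted region lists."""
    regions = sorted(profiles)
    parent = {r: r for r in regions}

    def find(r):
        while parent[r] != r:
            parent[r] = parent[parent[r]]
            r = parent[r]
        return r

    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if cosine(profiles[a], profiles[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for r in regions:
        groups.setdefault(find(r), []).append(r)
    return sorted(sorted(g) for g in groups.values())
```

The allow-list is the whole point of "buttons and menus, not SQL": the only text that reaches the statement unbound is a lookup result the server controls, so a tampered request is rejected rather than executed. The similarity step works on count vectors per region, so it is independent of how many events each region contributes; it groups by attack mix, not by volume.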

July 17, 2011 – July 31, 2011
Reassessment

  • There are bound to be changes to the project, and this is the time set aside to handle them. After the framework has been developed, we will perform any tweaking or modification we deem necessary. We will also document the API and perhaps add a section on writing new views.
  • We'd like to start releasing weekly prototypes for public viewing. Stay tuned for additional information.

August 1, 2011 – August 16, 2011
Bug Fixing

  • This section will focus on fixing any bugs that remain in the system as well as testing out deploying the system in a new environment.

Screenshots:
Since I won't get the prototype up and running prior to the end of the evaluation period, I've attached some screenshots demonstrating a couple of features from one of the deliverables. The first one (HV.v.0.3_1.jpg) contains a visualization overlaid on a world map, where the magnitude and intensity of the dots correspond to larger and more frequent attacks. Since these are grouped by a common category of events, distinguishing between them is only possible via the "Historical Data" section, which shows the frequency over a requested time interval (currently at 'day').
By changing from the 'category' view to the 'individual' view (HV.v.0.3_2.jpg), we can now distinguish between the types of events on the world overlay. This allows us to observe how a group of attacks has spread and to identify regions that share similar types of attacks. This view can be refined by changing the time interval and adjusting the slider (corresponding to the "Historical Data" section below), to list a few of the other user-level modifications.

Updates:
May 14, 2011

Finals are done!! Now time to get to work; I'm currently in the process of finding data sets and streams. If you know of any cool ones (or have any fun logic puzzles), then send me a message at lamcdaniel@alaska.edu. Best of luck to everyone on their project!
May 30, 2011
Done last week

  • Set up VMware Server 2.0.2 for easy VM deployment and access (testing purposes)
  • Finished gnuplotsql's performance analysis

Planned next week

  • Update project description to contain more specifics
  • Finalize back-end structure

Quote of the week

  • "Sixty minutes of thinking of any kind is bound to lead to confusion and unhappiness." - James Thurber

June 13, 2011
Done last week

  • Set up database and logging.

Planned next week

  • Finish writing the log parser.
  • Test database import and query scripts.

Challenges of the week

  • Ran out of coffee. This has been fixed.

June 25, 2011
Done last week

  • Database creation scripts and one of the import scripts have been nicely packaged. Started working on building the layout for the frontend applet.

Planned next week

  • Finish up the applet and add comments to the code. I should be back from helping out at camp in 7 days!
  • It's going to be longer than a week before I can, but I'd like to get the prototype finalized soon so I can host it for people to view what I've been working on.

July 13, 2011
Done last week

  • Applet layout completed and functioning with the database.

Planned next week

  • Still working on testing. Screenshots will be out in a day or so and I'll see about getting a temporary VM setup to run the prototype during the weekend.

Challenges Faced

  • Out of town longer than expected.

July 26, 2011
Done last week

  • Cleaned up the UI and fixed a few bugs causing 'arbitrary' changes to the color scheme.

Planned next week

  • Package up the example views in the same frame and finish server-side support for specific queries.

August 1, 2011
Done last week

  • Deployed a subset of the tool for remote viewing and finished an additional view.

Planned next week

  • Set up the rest of the tool in the demo environment. Porting the primary tool from an application to an applet has resulted in several unanticipated errors, and fixing these is the main goal for the week.

August 9, 2011
Done last week

  • Deployed more of the tool on the demo page. A full build should be available in a day or two.

Planned next week

  • Writing some PHP for the demo page, and testing some new scripts in the final build.

Attachments:

  • HV.v.0.3_1.jpg (293.96 KB)
  • HV.v.0.3_2.jpg (289.14 KB)