Develop and improve the ability to read and visualize Sebek data from high interaction honeypots.
Primary Mentor: Kara Nance
Student: Kevin Galloway
This project will consist of two main portions: a parser that reads in data from Sebek, focusing on the event type and the timestamp of each record, and a visualizer that takes this newly parsed data and displays it in a manner focused on events over time, so that trends can be analyzed.
Parser: Create a parser (or parsers) that will pair event types (or other information) with timestamps, so that a dynamic visualization can be created. This needs to read in Sebek data and convert it into a format that the visualizer can use. The parser must allow a user to choose what data they wish to display, so that a user who is interested in only certain data can display just that.
Visualizer: The visualizer will need to display data in a way that is conducive to analyzing trends. There are multiple visualization techniques that may be used, and the visualizer, in its final state, will offer multiple visualizations for this purpose. It will also be able to display data at any scale from a single Sebek instance to a network of instances, so that data can be analyzed from the micro scale to the macro scale. The current visualization idea is to create a grid for each Sebek instance, and then have events be color-coded and flow outward from the center, from the oldest data to the newest.
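As an added example (not part of this proposal, and not Sebek's own tooling), a minimal parser that pairs each Sebek record's timestamp with its event type, lets the caller select which event types to keep, and buckets the selected events per minute as input for a time-based visualization. It assumes the Sebek v3 record header layout and type codes as I recall them from sebek.h; the magic value and the sample records are constructed.

```python
import struct
from collections import Counter, defaultdict
# Assumed Sebek v3 record layout (not from the proposal; check the deployed sebek.h):
# a 56-byte big-endian header, then `length` payload bytes.
HEADER = struct.Struct("!IHHIIIIIIII12sI")  # magic ver type counter sec usec ppid pid uid fd inode com length
TYPE_NAMES = {0: "read", 1: "write", 2: "socket", 3: "open"}  # assumed Sebek v3 type codes

def parse_records(blob, magic):
    """Pair each record's timestamp with its event type; `magic` is the per-install Sebek magic.
    Bytes that do not start a record are skipped one at a time, so corrupt data resyncs."""
    events, offset = [], 0
    while offset + HEADER.size <= len(blob):
        fields = HEADER.unpack_from(blob, offset)
        if fields[0] != magic:
            offset += 1
            continue
        _, _, rtype, _, sec, usec, _, pid, _, _, _, com, length = fields
        end = offset + HEADER.size + length
        if end > len(blob):
            break  # truncated trailing record: stop rather than misparse it
        events.append({
            "ts": sec + usec / 1e6,
            "type": TYPE_NAMES.get(rtype, "type%d" % rtype),
            "pid": pid,
            "com": com.split(b"\0", 1)[0].decode("ascii", "replace"),
            "data": blob[offset + HEADER.size:end],
        })
        offset = end
    return events

def bucket_events(events, bucket_seconds=60, types=None):
    """Count events per time bucket and type; `types` keeps only what the user chose to see."""
    counts = defaultdict(Counter)
    for ev in events:
        if types is None or ev["type"] in types:
            bucket = int(ev["ts"] // bucket_seconds) * bucket_seconds
            counts[bucket][ev["type"]] += 1
    return {b: dict(c) for b, c in sorted(counts.items())}

def build_record(magic, rtype, sec, usec, pid, com, payload):
    """Build one record in the assumed layout (used only to construct sample input)."""
    return HEADER.pack(magic, 3, rtype, 0, sec, usec, 1, pid, 0, 0, 0, com.ljust(12, b"\0"), len(payload)) + payload

# Constructed sample stream: a shell reads a key and echoes a prompt, then cat opens a file a minute later.
SAMPLE_MAGIC = 0x5EBEC0DE  # constructed; real deployments set their own magic at install time
SAMPLE = b"".join([
    build_record(SAMPLE_MAGIC, 0, 1210000000, 0, 4242, b"bash", b"l"),
    build_record(SAMPLE_MAGIC, 1, 1210000001, 500000, 4242, b"bash", b"$ "),
    build_record(SAMPLE_MAGIC, 3, 1210000061, 0, 4243, b"cat", b"/tmp/notes.txt"),
])
```

Calling bucket_events(parse_records(SAMPLE, SAMPLE_MAGIC), types={"read", "open"}) yields one count per minute bucket, which is the shape a per-instance grid can consume directly.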
June 8th: Finish development of the parser.
July 1st: Visualizer prototype for a single instance of Sebek, including experimentation with different visualization types.
July 22nd: Visualizer for multiple instances of Sebek, such as Sebek instances deployed across a network.
July 29th: Finalized user interface for the visualizer.
August 1st: Finish development of the visualizer, with the finalized user interface.
August 10th: Finish main testing and evaluation.
August 17th: Put on the finishing touches and finalize the project.