
Threat Intelligence Dashboard

Distributed threat intelligence and security monitoring platform with live network monitoring, traceroute analysis, connection tracking, threat detection and classification, geographic threat mapping, and automated investigation. Native desktop application (Tkinter) with five operational tabs: live dashboard, geographic threat map, behavioural analysis view, honeypot control panel, and connection rules management.

Honeypot services simulate vulnerable endpoints across multiple protocols — FTP, SSH, Telnet, SMTP, MySQL, and HTTP — logging and classifying every probe attempt with source IP, protocol, payload, and timestamp. Connection rules engine enforces allow/block/temporary policies with configurable expiry. IP investigation workflow collects evidence, performs geolocation, runs traceroute analysis, and supports emergency blocking.
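To make the connection rules engine described above concrete, here is an added example (not the dashboard's own code) of an allow/block/temporary policy store with configurable expiry. It assumes an in-memory rule list (the project lists SQLite for persistence), an explicit `now` parameter so expiry can be exercised deterministically, and an evaluation order in which an explicit allow wins, any unexpired block or temporary block denies, and otherwise a default policy applies.

```python
"""Connection-rules engine: allow / block / temporary policies with expiry.

Added example, not the dashboard's own code. Rules are held in memory here
(the project lists SQLite for persistence); ``now`` is passed explicitly so
expiry is testable. Evaluation order assumed by this example: an explicit
allow always wins (so a trusted monitoring host inside a blocked range stays
reachable), then any unexpired block or temporary block denies, otherwise
the default policy applies.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    target: Network                      # one host (/32, /128) or a CIDR range
    policy: str                          # "allow", "block" or "temporary"
    reason: str = ""
    expires_at: Optional[float] = None   # epoch seconds; None means permanent

    def expired(self, now: float) -> bool:
        return self.expires_at is not None and now >= self.expires_at


class ConnectionRules:
    def __init__(self, default_policy: str = "allow"):
        if default_policy not in ("allow", "block"):
            raise ValueError("default_policy must be 'allow' or 'block'")
        self.default_policy = default_policy
        self.rules: List[Rule] = []

    def _add(self, target: str, policy: str, reason: str,
             expires_at: Optional[float] = None) -> Rule:
        # strict=False lets "203.0.113.7/24" style inputs normalise to the network
        rule = Rule(ipaddress.ip_network(target, strict=False), policy, reason, expires_at)
        self.rules.append(rule)
        return rule

    def add_allow(self, target: str, reason: str = "") -> Rule:
        return self._add(target, "allow", reason)

    def add_block(self, target: str, reason: str = "") -> Rule:
        return self._add(target, "block", reason)

    def add_temporary_block(self, target: str, ttl_seconds: float,
                            reason: str = "", now: Optional[float] = None) -> Rule:
        """Block that lapses automatically after ttl_seconds (configurable expiry)."""
        if ttl_seconds <= 0:
            raise ValueError("ttl_seconds must be positive")
        start = time.time() if now is None else now
        return self._add(target, "temporary", reason, expires_at=start + ttl_seconds)

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop lapsed temporary rules; returns how many were removed."""
        now = time.time() if now is None else now
        before = len(self.rules)
        self.rules = [r for r in self.rules if not r.expired(now)]
        return before - len(self.rules)

    def decide(self, ip: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for a source address."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)   # raises ValueError on malformed input
        live = [r for r in self.rules
                if r.target.version == addr.version
                and addr in r.target and not r.expired(now)]
        for r in live:                    # explicit allow takes precedence
            if r.policy == "allow":
                return "allow", r.reason
        for r in live:                    # then any live block / temporary block
            if r.policy in ("block", "temporary"):
                return "block", r.reason
        return self.default_policy, "default policy"


if __name__ == "__main__":
    # Constructed demo data (documentation ranges, not real hosts)
    rules = ConnectionRules()
    rules.add_block("203.0.113.0/24", "scanner range")
    rules.add_allow("203.0.113.7", "monitoring host")
    rules.add_temporary_block("198.51.100.9", ttl_seconds=60, reason="brute force", now=1000.0)
    for ip, t in [("203.0.113.50", 1000.0), ("203.0.113.7", 1000.0),
                  ("198.51.100.9", 1030.0), ("198.51.100.9", 1061.0)]:
        print(ip, t, rules.decide(ip, now=t))
```

Temporary rules are filtered on every decision rather than only on purge, so a lapsed block never denies a connection even if the housekeeping pass has not run yet; `purge_expired` exists only to keep the rule list small.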

Behavioural analysis scores connection patterns over time — frequency, protocol diversity, port scanning signatures, and temporal patterns. Threat classification categorises probes by type (scan, brute force, exploit attempt) and assigns severity scores. Geographic threat mapping plots source locations on a visual map for pattern recognition across regions and autonomous systems.

Distributed security agents deployed across all nodes report system metrics, active network connections, failed authentication attempts, suspicious processes, and service health. Automated investigation loop monitors for new threats, enriches them with context, and escalates based on severity thresholds. Centralised reporting aggregates findings from all agents into a unified threat picture with real-time alerting via desktop notifications.
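The behavioural scoring, threat classification and severity-threshold escalation described in the two paragraphs above form one pipeline, so a single added example (not the dashboard's own code) covers them together: probe records in the shape the honeypot loggers produce (source IP, protocol, port, payload, timestamp) are grouped by source, scored on frequency, protocol diversity, port spread and timing burstiness, classified as scan, brute force or exploit attempt, and mapped to an escalation action. The `kind` field on each record, the payload indicator list, the weights and the thresholds are all assumptions of this example; the sample probes are constructed data using documentation address ranges.

```python
"""Behavioural scoring, threat classification and severity-based escalation.

Added example, not the dashboard's own code. Probe records follow the fields
the honeypot loggers on this page record (source IP, protocol, port, payload,
timestamp) plus a ``kind`` field assumed here: "connect", "login" or "request".
Weights, thresholds and the payload indicator list are example choices.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Probe:
    src_ip: str
    ts: float          # epoch seconds
    protocol: str      # ftp, ssh, telnet, smtp, mysql, http
    port: int
    kind: str          # "connect", "login" or "request" (assumed field)
    payload: str = ""


# Constructed, generic defender-side indicators of a malformed request payload;
# a real deployment would carry a maintained signature set instead.
PAYLOAD_INDICATORS = ("../", "\x00")

SCAN_PORT_THRESHOLD = 5      # distinct ports from one source -> port-scan signature
BRUTE_FORCE_LOGINS = 10      # login attempts against one protocol -> brute force
BURST_GAP_SECONDS = 1.0      # inter-arrival gap below this counts as a burst
MIN_WINDOW_SECONDS = 60.0    # rate is measured over at least one minute


def features(probes: List[Probe]) -> Dict[str, float]:
    """Behavioural features for one source over the (non-empty) records given."""
    ts = sorted(p.ts for p in probes)
    span = max(ts[-1] - ts[0], MIN_WINDOW_SECONDS)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    logins = Counter(p.protocol for p in probes if p.kind == "login")
    return {
        "count": len(probes),
        "per_minute": len(probes) * 60.0 / span,
        "protocols": len({p.protocol for p in probes}),
        "ports": len({p.port for p in probes}),
        "max_logins_one_protocol": max(logins.values(), default=0),
        "burst_fraction": (sum(g < BURST_GAP_SECONDS for g in gaps) / len(gaps)) if gaps else 0.0,
        "payload_hits": sum(any(i in p.payload for i in PAYLOAD_INDICATORS) for p in probes),
    }


def classify(f: Dict[str, float]) -> str:
    """Threat type, most specific first: exploit attempt > brute force > scan."""
    if f["payload_hits"]:
        return "exploit attempt"
    if f["max_logins_one_protocol"] >= BRUTE_FORCE_LOGINS:
        return "brute force"
    if f["ports"] >= SCAN_PORT_THRESHOLD:
        return "scan"
    return "unclassified"


def severity(f: Dict[str, float], threat_type: str) -> int:
    """0-100 score: a base per type plus bounded behavioural bonuses."""
    base = {"exploit attempt": 70, "brute force": 40, "scan": 25, "unclassified": 5}[threat_type]
    score = base
    score += min(f["per_minute"], 60) / 60 * 15   # up to +15 for request rate
    score += min(f["protocols"], 6) / 6 * 10      # up to +10 for protocol diversity
    score += f["burst_fraction"] * 10             # up to +10 for bursty timing
    score += min(f["ports"], 20) / 20 * 5         # up to +5 for port spread
    return round(min(score, 100))


# Severity thresholds for the automated investigation loop (highest first).
ESCALATION = [(70, "escalate"), (40, "investigate"), (0, "log")]


def escalation(sev: int) -> str:
    for threshold, action in ESCALATION:
        if sev >= threshold:
            return action
    return "log"


def assess(probes: List[Probe]) -> Dict[str, Tuple[str, int, str]]:
    """Group probes by source; return {src_ip: (threat_type, severity, action)}."""
    by_src: Dict[str, List[Probe]] = defaultdict(list)
    for p in probes:
        by_src[p.src_ip].append(p)
    result = {}
    for ip, ps in by_src.items():
        f = features(ps)
        t = classify(f)
        s = severity(f, t)
        result[ip] = (t, s, escalation(s))
    return result


# Constructed sample: a fast two-protocol port sweep, an SSH login hammering
# session, and a single web request with a traversal sequence in its path.
SAMPLE = (
    [Probe("203.0.113.5", 1000.0 + i * 0.2, "http" if i % 2 else "ftp", 20 + i, "connect")
     for i in range(8)]
    + [Probe("198.51.100.9", 2000.0 + i * 3.0, "ssh", 22, "login", "AUTH FAILED")
       for i in range(12)]
    + [Probe("192.0.2.77", 3000.0, "http", 80, "request", "GET /static/../../config HTTP/1.0")]
)

if __name__ == "__main__":
    for ip, verdict in assess(SAMPLE).items():
        print(ip, verdict)
```

The rate window is floored at one minute so a lone probe does not read as sixty per minute; burstiness is captured separately by the inter-arrival fraction, which is what distinguishes the sub-second sweep from the paced login attempts.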

Tech stack: Python, SQLite, plyer, raw sockets, ClamAV, launchd
Status: Live in production