Desktop App

Dashboard

The main dashboard provides a real-time overview of network security status, traffic metrics, and recent activity.

Components

Statistics Cards

• Total Packets – Packets processed since monitoring started
• Total Bytes – Total traffic volume
• Active Connections – Current flows
• Threats – Detected threats
• Blocked – IPs blocked by firewall
• Packets/Bytes per Second – Real-time throughput
• CPU & Memory – System and app resource usage

Traffic Graph

Real-time chart showing packets, bytes, or connections over time. You can switch metrics and expand to full screen. Updates every few seconds from the analytics service.

Alerts Feed

Stream of recent security alerts with severity, source, and description. Supports filtering and quick actions (acknowledge, delete). See Alerts for details.

Threat Map

Geographic visualization of threat sources. Requires geolocation data (IP → lat/long). Click markers for details.

ML Status

Shows whether ML is initialized, if Python is active, and inference statistics. Use the diagnostic panel to troubleshoot ML issues.

Activity Log

Timeline of system events (info, warning, success, error). Filter by type to focus on specific activity.

Data Flow

The dashboard subscribes to IPC events (onSystemUpdate,onAnalyticsUpdate, onNewAlert) and pollsgetAnalytics, getSystemStatus, andgetMLStats for fresh data.

IPC Subscriptions (for devs)

// frontend - typical usage
useEffect(() => {
  const unsubSystem = window.electronAPI?.onSystemUpdate?.(handleSystemUpdate);
  const unsubAnalytics = window.electronAPI?.onAnalyticsUpdate?.(handleAnalytics);
  const unsubAlert = window.electronAPI?.onNewAlert?.(handleNewAlert);
  return () => {
    unsubSystem?.();
    unsubAnalytics?.();
    unsubAlert?.();
  };
}, []);

// Polling for stats
const stats = await window.electronAPI?.getAnalytics?.();
const mlStats = await window.electronAPI?.getMLStats?.();

Alerts

The alerts system captures and displays security events from both rule-based and ML detection. Alerts can be acknowledged, deleted, and exported.

Alert Sources

• Rule-based – Port scanning, SYN flood, brute force, SQL injection, XSS, suspicious ports, protocol anomalies, high volume
• ML-based – Anomaly detection when score and confidence exceed thresholds
• Honeypot – Any connection to a honeypot is a confirmed threat (100% confidence)

Alert Structure (from combined engine)

// Each alert includes:
{
  type: "port_scanning" | "syn_flood" | "brute_force" | "ml_anomaly" | ...,
  severity: "critical" | "high" | "medium" | "low",
  confidence: 0.0 - 1.0,
  description: "Human-readable message",
  srcIP: "attacker IP",
  dstIP: "target IP",
  method: "rule_based" | "ml",
  timestamp: Date.now(),
}

Alert Fields

• Severity – Critical, high, medium, low
• Type – e.g. port_scanning, syn_flood, ml_anomaly
• Source IP – Attacker or suspicious host
• Description – Human-readable explanation
• Timestamp – When detected
• Confidence – 0–1 score

Alerts Feed UI

The Enhanced Alerts Feed provides:

• Filtering by severity and type
• Search by IP, rule name, or description
• Expandable rows for full details
• Quick actions: acknowledge, delete
• Full-screen mode for focused analysis

Storage

Alerts are stored in SQLite. Retention and cleanup are configurable in Settings → Database. The alert management service handles CRUD operations and exposes them via IPC and REST API.

API

• GET /api/alerts?limit=N – List alerts
• POST /api/alerts/:id/acknowledge – Acknowledge
• DELETE /api/alerts/:id – Delete

Traffic Analysis

The traffic view shows real-time and historical network traffic metrics. Data comes from the analytics service, which aggregates packet and flow statistics.

Metrics

• Packets – Total packet count over time
• Bytes – Total byte count (throughput)
• Connections – Active or cumulative flow count

Chart Types

• Area – Filled area under the curve
• Line – Line chart
• Bar – Bar chart

Data Source

The real-time analytics service processes packets from the packet capture and maintains rolling windows of traffic stats. The frontend polls getAnalytics and getHistoricalData for chart data.

Analytics Data Shape (for devs)

// getAnalytics() returns:
{
  traffic: {
    totalPackets, totalBytes,
    packetsPerSecond, bytesPerSecond,
  },
  connections: { active, total },
  security: { threats, blocked },
  protocolDistribution: { TCP, UDP, ICMP, ... },
  geographicDistribution: [ { country, count }, ... ],
}

Protocol Distribution

You can view protocol breakdown (TCP, UDP, ICMP, etc.) viagetProtocolDistribution. This helps identify unusual protocol usage.

Geographic Distribution

getGeographicDistribution provides traffic by location for the threat map and geographic analytics.

Honeypots

Honeypots are deception services that mimic real systems to attract and profile attackers. When an attacker connects, the interaction is logged and can trigger alerts.

How It Works

The honeypot manager runs fake listeners on non-standard ports. When someone connects, the service accepts the connection, logs metadata (IP, port, timestamp), and optionally responds with bait content. No real services are exposed.

Starting a Honeypot (Code)

// backend/services/honeypotManager.js - startHoneypot()
const server = net.createServer((socket) => {
  this.handleConnection(socket, config);
});

server.listen(config.port, () => {
  console.log(`🍯 Honeypot started: ${config.name} on port ${config.port}`);
});

this.honeypots.set(config.port, {
  config,
  server,
  interactions: 0,
  started: Date.now(),
});

Connection Handling (Code)

On connect: log metadata, send fake banner, collect data, emit confirmed threat (100% confidence).

// backend/services/honeypotManager.js - handleConnection()
const interaction = {
  id: `interaction_${Date.now()}_...`,
  timestamp: Date.now(),
  honeypot: config.name,
  srcIP: socket.remoteAddress,
  srcPort: socket.remotePort,
  service: config.service,
  data: [],
};

socket.on("data", (data) => {
  interaction.data.push({ content: data.toString("utf8"), hex: data.toString("hex") });
  socket.write(this.generateFakeResponse(config.service, data));
});

// Banners: SSH-2.0-OpenSSH_7.4, "Welcome to Ubuntu...", HTTP 200 OK, etc.
socket.write(this.generateBanner(config.service));

// Emit confirmed threat - anything touching honeypot is malicious
this.emit("confirmedThreat", {
  srcIP: interaction.srcIP,
  confidence: 100,
  severity: "high",
  description: `Honeypot interaction on ${config.name}`,
});

Built-in Honeypots

• SSH Honeypot – Port 2222, mimics SSH
• RDP Honeypot – Port 3390, mimics RDP
• HTTP Honeypot – Port 8080, mimics web server
• SQL Honeypot – Port 3307, mimics MySQL
• Telnet Honeypot – Port 2323, mimics Telnet

Dashboard

The Honeypot Dashboard shows each honeypot's status (running/stopped), port, and interaction count. You can start or stop individual honeypots. Interaction logs list source IPs, timestamps, and service type.

Honey Tokens

Honey tokens are decoy credentials or files placed to detect misuse. The honeypot manager can generate and track tokens. Access to a token indicates potential insider threat or credential theft.

// backend/services/honeypotManager.js - generateHoneyTokens()
const tokens = [
  { type: "credential", username: "admin", password: "admin123", service: "ssh" },
  { type: "credential", username: "root", password: "toor", service: "ssh" },
  { type: "api_key", key: "sk_test_fake_key_12345678", service: "api" },
  { type: "database_connection", string: "Server=honeypot.local;...", service: "sql" },
];
// Each token has: id, created, accessed, lastAccess

Backend

The honeypotManager service uses Node.js netto create TCP servers. Interactions are stored in memory (configurable max) and emitted as events for alerting and logging.

Settings

Settings control monitoring, detection, firewall, notifications, database, and network behavior. Changes are persisted and applied at runtime where possible.

Monitoring

• Auto-start – Start packet capture when app launches
• Packet capture – Enable/disable capture
• Deep inspection – Payload inspection (if available)
• Rate limit – Max packets per second to process

Detection

• Signature-based – Rule-based detection (Suricata, custom rules)
• Anomaly detection – ML-based detection
• Threat intelligence – External feed integration
• Use Python ML – Prefer Python subprocess over JavaScript fallback

Firewall

• Auto-block – Automatically block IPs after N critical alerts
• Threshold – Alert count before auto-block (e.g. 3)
• Block duration – How long to block (ms)
• Whitelist/Blacklist – Manual IP lists

Notifications

• Desktop notifications – System notifications for alerts
• Email alerts – SMTP configuration
• Sound alerts – Audio for critical alerts
• Critical only – Only notify for critical severity

Database

• Retention days – How long to keep data
• Compression – Enable compression
• Backup – Auto-backup and interval

Network

• Interface – Network interface for capture (auto or specific)
• Promiscuous mode – Capture all traffic on segment
• Buffer size – Capture buffer
• Timeout – Capture timeout (seconds)

Persistence

Settings are stored via the main process and loaded on startup. The frontend calls getSettings and saveSettingsvia IPC.

Settings Structure (for devs)

// Settings object shape
{
  monitoring: { autoStart, packetCapture, deepInspection, rateLimit },
  detection: { signatureBased, anomalyDetection, threatIntelligence, usePythonML },
  firewall: { autoBlockEnabled, autoBlockThreshold, blockDuration, whitelistIPs, blacklistIPs },
  notifications: { desktopNotifications, emailAlerts, soundAlerts, criticalOnly },
  database: { retentionDays, compressionEnabled, backupEnabled, backupInterval },
  network: { interface: 'auto', promiscuousMode, bufferSize, timeout },
}