
Jmerc03/rtct


Real-Time Cyber Threat Management

Attack Visualization Subsystem

Real-time alert ingestion, storage, streaming, and visualization subsystem for a Kubernetes-based cyber threat monitoring platform.


Overview

This repository implements the Attack Visualization and Threat API subsystem of the Real-Time Cyber Threat Management (RTCT2) capstone project. The system is responsible for receiving, storing, streaming, and visualizing cyber threat alerts to support human operators within a Kubernetes-based command-and-control (C2) environment.

This repository does not implement threat detection or machine learning models. Instead, it is designed to consume alerts produced by external detection components and present them in a clear, real-time, operator-facing interface.


System Role Within RTCT2

The RTCT2 project is composed of multiple subsystems that collectively detect, analyze, and respond to cyber threats targeting C2 systems. This repository represents the operator-facing visualization layer and the central alert management interface.

The Attack Visualization system serves as the bridge between:

  • Detection components (cluster-level, edge-device, or physics-based), and
  • Human operators responsible for monitoring and responding to threats.

It provides both real-time situational awareness and historical context to support informed decision-making.


High-Level Architecture

At a conceptual level, the system follows this flow:

Alert Producers → Alert API → PostgreSQL → Dashboard (SSE + REST)

  • Alerts are ingested through a detector-agnostic API
  • Alerts are persisted for historical review
  • Alerts are streamed to connected clients in real time
  • Visualization is separated from detection logic to reduce system coupling
  • Designed to minimize computational overhead on the C2 system

Repository Structure

k8s/ Kubernetes manifests and deployment configuration
alert-generation/ Simulated alert and traffic generators for testing
api/ Node.js/Express alert API and data layer
dashboard/ React-based operator dashboard

Each directory represents a distinct microservice or deployment concern within the overall system.


Alert Flow

  1. Alerts are generated by simulated components or external detection systems
  2. Alerts are ingested by the Threat API
  3. Alerts are stored for historical analysis
  4. Alerts are streamed to connected clients in real time
  5. Operators view, filter, and prioritize alerts through the dashboard

This design allows the system to operate with simulated alerts during development and seamlessly integrate real detection outputs in later phases.


Key Features

  • Real-time alert streaming to operators
  • Persistent alert storage for post-event analysis
  • Severity and confidence-based alert prioritization
  • Operator-facing filtering and visualization
  • Detector-agnostic alert ingestion
  • Kubernetes-native, containerized deployment

Technologies Used

  • Backend: Node.js, Express
  • Frontend: React (SPA)
  • Database: PostgreSQL
  • Infrastructure: Docker, Kubernetes
  • Streaming: Server-Sent Events (SSE)

Running the System

The subsystem is designed to run within a Kubernetes cluster. Below are the basic steps to deploy and run the system.

Prerequisites

  • Kubernetes cluster (k3s, minikube, or cloud cluster)
  • kubectl configured
  • Docker (for building images if needed)

1. Deploy Core Services

From the repository root:

cd k8s
kubectl apply -f .

This will deploy:

  • PostgreSQL database
  • Alert API service
  • Dashboard frontend

2. Verify Deployment

kubectl get pods -n rtct

Wait until all pods are in the Running state.

3. Access the Dashboard

Port-forward the web service:

kubectl port-forward -n rtct svc/web 8080:8080

Then open:

http://localhost:8080

4. Access the API

kubectl port-forward -n rtct svc/api 4000:4000

Example test request:

curl -X POST http://localhost:4000/internal/alert \
  -H "Content-Type: application/json" \
  -H "x-internal-token: YOUR_TOKEN" \
  -d '{
    "source": "demo",
    "type": "test",
    "severity": "high",
    "confidence": 90,
    "message": "Test alert"
  }'

5. (Optional) Run Alert Generators

cd alert-generation
python3 replay_attack.py

This will simulate alerts flowing through the system.


Deployment Model

The system is designed to run within a Kubernetes cluster alongside other RTCT2 subsystems.

  • Each component runs as a containerized service
  • Persistent storage is used for alert history
  • Kubernetes manifests are provided for cluster deployment
  • The architecture supports both local development and in-cluster execution

Project Context

This system was developed as part of the RTCT2 capstone project, which focuses on real-time cyber threat management for command-and-control systems. The broader project integrates telemetry collection, anomaly detection, and operator decision support within a simulated C2 environment.

This repository represents the attack visualization and alert management subsystem within that larger architecture.


Current Status

  • Functional prototype used for demonstrations and evaluation
  • Alert generation is currently simulated
  • Architecture supports future integration with live detection systems

Future Work

  • Integration with real-time ML-based detection outputs
  • Authentication and access control
  • Cross-detector alert correlation
  • Performance and scalability evaluation
  • Enhanced visualization for operator decision support

Disclaimer

This repository represents an academic research project.
It is not production-hardened and does not include sensitive or operational data.


Authors

Jaxson Mercer
RTCT2 – Team 41

About

Real-time alert ingestion and visualization subsystem built with Node.js, PostgreSQL, and React, featuring low-latency streaming via Server-Sent Events for live cyber threat monitoring.
