Holoscope is a distributed edge platform designed for cybersecurity data collection and machine learning applications. The platform operates with multiple capabilities:
- Passive Measurement Probes: Deployment of passive network probes for performance measurements, including darknet monitoring, to track ongoing network scanning activities.
- Active Cybersecurity Probes: Deployment of a honeynet, a distributed network of honeypots at the edge that monitors ongoing network attacks. It includes low-interaction honeypots (Cowrie, Nginx) and a reactive network telescope (UDP Responder) that crafts stateless replies to incoming traffic.
- Testbed for Vulnerabilities: Deployment of vulnerable applications that can be exploited by internal nodes or serve as high-interaction honeypots.
- Federated Learning: Distributed training of ML tasks using data collected by the above probes. This federated learning approach allows the development of ML models on distributed data without requiring direct data exchange between nodes.
This platform is lightweight, stable, and scalable, built on K3s for Kubernetes management and Ansible for automated deployment and configuration.
If you are interested in joining the network, open an issue or contact us.
```
├── applications/          # Containerized applications
│   ├── clickhouse/        # ClickHouse database for network event storage
│   ├── collector-sync/    # Packet capture and log synchronization
│   ├── cowrie/            # SSH/Telnet honeypot
│   ├── darknet/           # Darknet monitoring probes
│   ├── idarkvec/          # Federated learning IP reputation application
│   ├── l4responder/       # Layer 4 response simulator
│   ├── nginx/             # Honeypot web server
│   ├── toolbox/           # Network management DaemonSet (iptables, forwarding)
│   └── udp-responder/     # Reactive network telescope (UDP/TCP responder)
├── infrastructure/        # Platform infrastructure
│   ├── ansible/           # Ansible automation
│   │   ├── inventory/     # Environment configurations
│   │   ├── playbooks/     # Deployment playbooks
│   │   └── roles/         # Ansible roles
│   ├── helm/              # Helm charts for Kubernetes
│   └── vagrant/           # Local development environment
└── README.md
```
- K3s: A lightweight Kubernetes distribution for running services on edge nodes
- Ansible: Automation tool for managing deployment and configuration
- Docker: Containerization of applications
- Helm: Kubernetes package manager for application deployment
- Vagrant: Local development environment setup
- Darknet: Passive network monitoring and scanning detection
- L4Responder: Layer 4 protocol response simulation
- UDP Responder: Reactive network telescope that listens for incoming UDP/TCP packets, crafts stateless replies, and logs traffic to ClickHouse
- Cowrie: SSH/Telnet honeypot
- Nginx: Honeypot web server logging HTTP/HTTPS reconnaissance activity
- ClickHouse: Columnar database for storing and querying network event data
- Collector-Sync: Packet capture on worker nodes with centralized log synchronization
- Toolbox: Privileged DaemonSet for managing iptables rules and network forwarding on each node
- IDarkVec: Federated learning platform for IP reputation with Flower server/client architecture
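How a reactive telescope of the kind the UDP Responder entry describes can work, as an added Python example that is not Holoscope's udp-responder code: each datagram gets a stateless reply and one flat JSON row shaped for ClickHouse's JSONEachRow input. The reply table, the row fields and the loopback helper are constructed assumptions, not the project's format.

```python
import json
import socket
import threading
import time

# Hypothetical reply table: emulated port -> canned reply bytes. Nothing is remembered
# between packets, so a flood of scan traffic cannot grow state on the sensor.
CANNED_REPLIES = {
    53: b"\x81\x83",              # DNS flag bytes QR=1, RCODE=3 (NXDOMAIN), constructed
    123: b"\x24" + b"\x00" * 47,  # NTP v4 server-mode packet skeleton, constructed
}
DEFAULT_REPLY = b"\x00"           # any byte back makes a UDP scanner mark the port open

def craft_reply(service_port: int, payload: bytes) -> bytes:
    """Reply depends only on this packet; for DNS, echo the 2-byte transaction ID."""
    if service_port == 53 and len(payload) >= 2:
        return payload[:2] + CANNED_REPLIES[53]
    return CANNED_REPLIES.get(service_port, DEFAULT_REPLY)

def build_event(src_ip, src_port, service_port, payload, reply, ts=None) -> dict:
    """One flat row per packet; payload stored hex-encoded and capped at 64 bytes."""
    return {"ts": time.time() if ts is None else ts, "src_ip": src_ip,
            "src_port": src_port, "dst_port": service_port, "proto": "udp",
            "payload_len": len(payload), "payload_hex": payload[:64].hex(),
            "reply_len": len(reply)}

def serve(sock, service_port, max_packets=None, sink=print):
    handled = 0  # answer datagrams on an already-bound socket, hand each row to sink
    while max_packets is None or handled < max_packets:
        payload, (src_ip, src_port) = sock.recvfrom(65535)
        reply = craft_reply(service_port, payload)
        sock.sendto(reply, (src_ip, src_port))
        sink(json.dumps(build_event(src_ip, src_port, service_port, payload, reply)))
        handled += 1
    return handled

def loopback_roundtrip(payload, service_port=53):
    """One exchange over 127.0.0.1; the ephemeral bound port stands in for service_port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    rows = []
    worker = threading.Thread(target=serve, args=(srv, service_port, 1, rows.append))
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(5)
    cli.sendto(payload, srv.getsockname())
    reply, _ = cli.recvfrom(65535)
    worker.join(5)
    srv.close(); cli.close()
    return reply, [json.loads(r) for r in rows]
```

In a real deployment the socket is bound to the emulated port itself and `sink` writes rows to ClickHouse; the loopback helper only exercises the same path locally.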
- Operating System: Linux (e.g., Ubuntu 24.04)
- Resources: Adequate CPU and memory for running at least 3 VMs for testing
- Dependencies:
  - Vagrant
  - VirtualBox or Libvirt
  - Ansible
  - Docker
- Operating System: Linux on all nodes
- Resources:
  - Master: At least 2 CPUs, 16 GB of memory, and sufficient storage (~20 GB for retention of honeypot logs)
  - Agents: Similar to master requirements
- Network: Secure connectivity between nodes (WireGuard VPN supported)
For local development using Vagrant:

```bash
cd infrastructure/vagrant
./install.sh   # Automated setup on Linux
# or manually:
vagrant up
```

See the Vagrant README for detailed setup instructions.
Edit the inventory files to match your environment:

```bash
# Development environment
infrastructure/ansible/inventory/environments/dev/hosts.yml
# Production environment
infrastructure/ansible/inventory/environments/prod/hosts.yml
```

Deploy the K3s cluster and basic infrastructure:

```bash
cd infrastructure/ansible
ansible-playbook -i inventory/environments/dev/hosts.yml playbooks/site.yml --ask-vault-password
```

Set up a local container registry for storing application images:

```bash
ansible-playbook -i inventory/environments/dev/hosts.yml playbooks/registry.yml
```

Build and push all application Docker images to the registry:

```bash
ansible-playbook -i inventory/environments/dev/hosts.yml playbooks/build.yml
```

Deploy the selected applications based on your hosts.yml configuration:

```bash
ansible-playbook -i inventory/environments/dev/hosts.yml playbooks/deploy.yml
```

The platform supports multiple environments:

- Development: `inventory/environments/dev/`
- Production: `inventory/environments/prod/`
Configure which applications to deploy by editing the group variables in your inventory:

```yaml
# Example: infrastructure/ansible/inventory/environments/dev/group_vars/all.yml
deploy_applications:
  - cowrie
  - darknet
  - idarkvec
```

The platform requires various network configurations:
- WireGuard VPN: For secure inter-node communication
- Darknet Monitoring: For passive/active network experiments
- Network Policies: Kubernetes network policies for application isolation
```bash
# Add a node to an existing cluster
ansible-playbook -i inventory/environments/dev/hosts.yml playbooks/add_node.yml
```

```bash
# Reset the cluster
ansible-playbook -i inventory/environments/dev/hosts.yml playbooks/reset.yml
```