Est. June 2025 · Dispatches from the Frontier of Code & Security · Price: One Good Commit

Rögnvaldr Chronicle

“Pushing the boundaries of what’s possible in technology while frustrating adversaries”
Vol. I · No. 10 · Saturday, October 25, 2025 · Ron Dilley · Correspondent

Hilbert Curves and Honeypot Logs:
When Fractals Meet Security Data

Threat Plotter brings space-filling curve visualization to attack pattern analysis while Lightning and USB Overwatch mature through October

Lead Story · Visualization

Threat Plotter: Hilbert Curves Meet Honeypot Logs

A new C tool plots security log data on space-filling Hilbert curves with timezone-aware geographic visualization

October’s debut project brought together an unlikely pairing: honeypot security logs and Hilbert curves. Threat Plotter, written in C, processes log files from honeypots and other security sources and plots the data on Hilbert curves—space-filling fractal curves that preserve locality, meaning nearby points in the data map to nearby points on the curve.

The visualization is timezone-aware, coloring data points based on the geographic origin of source IP addresses. The result is a visual fingerprint of attack patterns that reveals structure invisible in traditional log views: geographic clusters, temporal patterns, and coordinated scanning campaigns become immediately apparent when mapped onto the curve’s fractal geometry.

Two commits in October delivered the initial implementation, establishing the core pipeline from log ingestion through IP geolocation to Hilbert curve rendering. It’s the kind of tool that turns mountains of log data into something a human analyst can actually see at a glance.

“Nearby points in the data map to nearby points on the curve—attack patterns become visible that logs alone can never show.”

— on Hilbert curve visualization

Continued Development

Lightning and USB Overwatch Carry Forward

The eBPF load balancer gets documented; the USB security tool fixes Windows inventory

Two September projects continued their development arcs into October. Lightning, the XDP/eBPF Layer-4 load balancer, received architecture documentation updates as the project moved from initial implementation toward a more organized codebase. The documentation work suggests preparation for either collaboration or a future open-source release.

USB Overwatch, the cross-platform USB device monitor, fixed a Windows inventory tracking issue and continued refining its Linux MVP. The tool’s ability to detect malicious USB hardware—keystroke injectors, attack cables, and similar devices—depends on accurate device inventory, making this fix critical for real-world deployment reliability.

Perspective

A Focused Month

October was deliberately focused—three projects, targeted improvements, and one genuinely novel visualization approach. Not every month needs ten new projects to be productive. Sometimes the most valuable work is finishing what September started and adding one tool that changes how you see your data.

Deep Dive

Why Hilbert Curves for Security Data?

A space-filling curve that preserves locality transforms how analysts see attack patterns

Traditional log analysis forces analysts to scroll through thousands of lines, searching for patterns their eyes can barely detect. Scatter plots help but lose the relationship between nearby data points. Hilbert curves solve this by mapping one-dimensional data (log entries ordered by time or IP) onto a two-dimensional space while preserving locality.

IP addresses that are numerically close—likely from the same network block—appear visually close on the curve. Time-adjacent events cluster together. When colored by geographic timezone, the visualization reveals coordinated campaigns: a synchronized scan from Eastern European IP ranges shows up as a colored cluster, while random background noise appears as scattered points.

The approach has been used in genomics and network mapping before, but applying it to honeypot logs with timezone-aware coloring is a novel combination that could change how security operations centers visualize threat data.
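The locality claim above can be checked directly. The following is an added example, not Threat Plotter's own code: it assumes the 32-bit IPv4 address itself is used as the distance along an order-16 Hilbert curve (a 65536 x 65536 grid), uses the standard iterative distance-to-coordinate conversion, and shows that an aligned /24 fills one 16 x 16 tile. The function names and the sample address (from the TEST-NET-3 documentation range) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into a host-order 32-bit value; returns 0 on success. */
int ip_to_u32(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 0;
}

/* Assumption (not from the page): the address is the curve distance, order 16. */
/* Standard iterative distance-to-(x, y) conversion, two bits of d per level. */
void hilbert_d2xy(uint32_t d, uint32_t *x, uint32_t *y) {
    *x = *y = 0;
    for (uint32_t s = 1; s < 65536u; s *= 2) {
        uint32_t rx = 1 & (d / 2);
        uint32_t ry = 1 & (d ^ rx);
        if (ry == 0) {                      /* rotate/flip the quadrant built so far */
            if (rx == 1) { *x = s - 1 - *x; *y = s - 1 - *y; }
            uint32_t t = *x; *x = *y; *y = t;
        }
        *x += s * rx;
        *y += s * ry;
        d /= 4;
    }
}

/* Longest side of the bounding box covered by `count` (>= 1) consecutive addresses. */
uint32_t bbox_side(uint32_t first, uint32_t count) {
    uint32_t minx = UINT32_MAX, miny = UINT32_MAX, maxx = 0, maxy = 0, x, y;
    for (uint32_t i = 0; i < count; i++) {
        hilbert_d2xy(first + i, &x, &y);
        if (x < minx) minx = x;
        if (x > maxx) maxx = x;
        if (y < miny) miny = y;
        if (y > maxy) maxy = y;
    }
    return (maxx - minx > maxy - miny ? maxx - minx : maxy - miny) + 1;
}

int main(void) {
    uint32_t ip, x, y;
    if (ip_to_u32("203.0.113.7", &ip) != 0) return 1;   /* constructed sample address */
    hilbert_d2xy(ip, &x, &y);
    unsigned side = (unsigned)bbox_side(ip & 0xFFFFFF00u, 256);
    printf("203.0.113.7 -> (%u, %u); its /24 fills a %ux%u tile\n",
           (unsigned)x, (unsigned)y, side, side);
    return 0;
}
```

Any block of 4^k consecutive addresses aligned on a 4^k boundary lands in a single 2^k x 2^k tile, so a /16 occupies a 256 x 256 tile in the same way.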

The October Stack
Theme: Visualization & Refinement
New Tool: Threat Plotter (C)
Math: Hilbert Curves
Continued: Lightning, USB Overwatch
Platforms: Windows, Linux

··· “Frustrating adversaries since the dial-up era” · GitHub: rondilley · 42 Repositories and Counting ···