nicter - Technology for visualizing and analyzing network attacks
At Interop Tokyo 2010, NICT's Incident Countermeasures Group presented nicter, a system for analyzing various kinds of network attacks precisely and in real time.
"At this year's Interop, nicter has been built into a network called ShowNet, which is being used at Interop. nicter is displaying actual attacks on ShowNet in real time."
nicter has three tools for visualizing network attacks. The first is called Atlas. This tool shows the attack situation on a map of the world, based on the origins of the packets arriving at observation points on the network. Attacks are classified by malware type and protocol. With this tool you can find out, in real time, which countries attacks are coming from and how many attacks are being made.
Another visualization tool is called Cube. This provides a 3D display based on the IP address and port number of both the packet source and the packet destination. Packets are drawn moving between two planes, one for sources and one for destinations, with IP address on the vertical axis and port number on the horizontal axis of each plane.
The third visualization tool, called Tiles, is also an analysis tool. It separates the traffic by attacking host and analyzes each host's attack pattern every 30 seconds. Each host is shown as one tile with its current attack pattern, updated in real time, and groups of hosts that share the same attack pattern are highlighted in white. The flag of the country where the attack originates is shown on the rear of each tile.
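To make the Atlas and Tiles descriptions above concrete, the following is an added example, not NICT's code and not a description of nicter's internal classification (which the article does not give). It buckets sensor packet records into 30-second windows, derives a per-host attack pattern, groups hosts that share a pattern (the tiles nicter would highlight), and tallies packets by source country and protocol (the Atlas counts). The packet records, the prefix-to-country table and the definition of a "pattern" as the set of (protocol, destination port) pairs a host touched are all constructed assumptions for illustration.

```python
"""Per-host attack-pattern grouping in 30-second windows (in the spirit of
nicter's Tiles view) and a source-country tally (in the spirit of Atlas).

Added example, not NICT's code. The sample packets, the country table and
the notion of "attack pattern" below are assumptions made for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 30  # the 30-second analysis interval the article mentions

# Constructed sample records: (timestamp, source IP, protocol, dst port),
# roughly what a darknet sensor would summarise for each arriving packet.
SAMPLE_PACKETS = [
    (0, "203.0.113.5", "tcp", 445),
    (2, "203.0.113.5", "tcp", 139),
    (5, "198.51.100.9", "tcp", 445),
    (7, "198.51.100.9", "tcp", 139),
    (9, "192.0.2.77", "udp", 1434),
    (31, "203.0.113.5", "tcp", 22),
    (40, "192.0.2.77", "udp", 1434),
    (44, "198.51.100.9", "tcp", 22),
]

# Constructed geolocation table (assumption; a real deployment would use a
# GeoIP database). Documentation prefixes are used so nothing is real.
COUNTRY_PREFIXES = [
    (ip_network("203.0.113.0/24"), "JP"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "BR"),
]


def country_of(ip):
    """Longest-prefix-free lookup: first matching prefix wins, else '??'."""
    addr = ip_address(ip)
    for net, cc in COUNTRY_PREFIXES:
        if addr in net:
            return cc
    return "??"


def attack_pattern(records):
    """Assumed pattern: the sorted set of (protocol, dst port) a host hit.

    nicter's real pattern definition is not given in the article; this is
    a simple stand-in that still lets identical scanners be grouped.
    """
    return tuple(sorted({(proto, port) for _, _, proto, port in records}))


def group_by_pattern(packets, window=WINDOW_SECONDS):
    """Return {window_index: {pattern: sorted list of source hosts}}."""
    per_window_host = defaultdict(lambda: defaultdict(list))
    for rec in packets:
        ts, src = rec[0], rec[1]
        per_window_host[ts // window][src].append(rec)
    result = {}
    for w, hosts in per_window_host.items():
        groups = defaultdict(list)
        for host, recs in hosts.items():
            groups[attack_pattern(recs)].append(host)
        result[w] = {p: sorted(h) for p, h in groups.items()}
    return result


def shared_pattern_hosts(grouped):
    """Hosts that would be highlighted: those sharing a pattern with at
    least one other host in the same window."""
    out = {}
    for w, groups in grouped.items():
        out[w] = sorted(h for hosts in groups.values() if len(hosts) > 1
                        for h in hosts)
    return out


def count_by_country(packets):
    """Atlas-style tally: packet count per (source country, protocol)."""
    counts = defaultdict(int)
    for _, src, proto, _ in packets:
        counts[(country_of(src), proto)] += 1
    return dict(counts)


if __name__ == "__main__":
    grouped = group_by_pattern(SAMPLE_PACKETS)
    for w in sorted(grouped):
        print(f"window {w} ({w * WINDOW_SECONDS}s-{(w + 1) * WINDOW_SECONDS}s):")
        for pattern, hosts in grouped[w].items():
            print("  ", pattern, "->", hosts)
    print("highlighted:", shared_pattern_hosts(grouped))
    print("by country:", count_by_country(SAMPLE_PACKETS))
```

In the sample, the two hosts probing TCP 445 and 139 in the first window end up in one group and would be the white-highlighted tiles; the UDP 1434 scanner stands alone. Swapping the country table for a real GeoIP lookup and the pattern function for whatever signature your sensor produces is all that changes for live data.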
"What we're observing right now is the state of attacks on a sensor installed in Japan. Such attacks are happening worldwide. There are lots of them, and not only in Japan. Many of the countries where the attacks originate have widespread network systems. There are quite a lot of attacks from America, Europe, China, and South-East Asia. Recently, many attacks have come from South America and in the last one to two years, an increasing number have come from Brazil."
NICT is building on nicter to develop a visualization and analysis system called NIRVANA. This system observes the traffic on a network and represents each packet visually. In this demo, actual traffic is mapped onto an Interop site map and a diagram of the network. With it, an operator can quickly see where traffic is concentrated, which links are down, and how routes have changed, which reduces the burden of network management.