Project NERD aims to build an extensive reputation database of known sources of cyber threats. That is, a list of known malicious IP addresses or other network entities (e.g. ASNs or domain names) together with all security-relevant information about each of them.

NERD public access

Notice: The project is still in development. All important parts are already working and it processes real data, but it should still be considered "beta" - expect occasional bugs, outages or changes of the system.


Data sources

Currently, the main source of data is Warden – the alert sharing system operated by CESNET – which collects reports from a number of systems – honeypots, netflow analyzers and other detectors of malicious traffic. We also get data from CIRCL's main MISP instance.

A record is kept for each IP address reported as a source of some attack attempt or other malicious activity, i.e. one that appears in some event in Warden or MISP. Besides data about the reported events, additional information related to the IP address is stored, such as:

We are constantly working on adding new data sources.

The database

The NERD database contains all the information described above for each reported IP address and allows searching it. Some information about related BGP prefixes, ASNs, registered IP blocks and organizations (from whois databases) is stored as well.

Moreover, the information known about each IP is summarized into a reputation score -- a number expressing the level of threat the IP address poses. Currently, a fairly simple static formula is used to compute the reputation score, but there is ongoing research into using advanced machine learning methods to estimate it.

The data are available via a simple web GUI and an API. Both can show details about an entity (IP address, ASN, etc.) or search entities by various parameters.

For more information, see our poster from the TNC16 conference or our paper from the CyberTIM workshop at ARES 2019.

Access

Basic access to most of the data is allowed to anyone.

However, some of the information in the system may be sensitive and cannot be made accessible to the public (e.g. raw alerts from Warden or data from MISP with a TLP other than 'white'). Full access to the NERD system is therefore restricted to trusted partners only.

Generally, it is granted to members of trusted CSIRT teams and well-known security researchers. Those who contribute data to CESNET's Warden can also automatically get privileged access to NERD.

Source codes & deployment

The source code of all components of the NERD project is available on GitHub. Documentation is available on the project's wiki.

Although we publish the source code, it is (currently) not expected that anyone will deploy their own instance (it does not make much sense without access to Warden data). We recommend using the main instance operated by CESNET instead, and sharing data or collaborating on development if possible.

Generally, it is preferred to have only one global instance of NERD. The main idea of NERD is to get all relevant data into one place and analyze it there. Running multiple instances with different data sets goes against this idea. Also, NERD is quite resource demanding and generates a large number of queries to DNS, public blacklists, etc. Last but not least, some data are available only thanks to special agreements.

Despite all this, we understand there are cases where someone still needs their own instance, e.g. to include their own proprietary or confidential data. As a far-future plan, we foresee a partially distributed or hierarchical version of NERD which would allow deploying a separate instance that uses data from the main NERD as a basis and adds other, private data on top of it. But currently the only possible way is to deploy a full instance of NERD -- contact us for assistance if you really need it.

Contact

For more information, to request access or if you have some data to share, please contact Václav Bartoš at bartos<at>cesnet.cz.


Project NERD is developed by CESNET.

The software this service is based on was developed within the scope of the Security Research Programme of the Czech Republic 2015 - 2020 (BV III / 1 VS) granted by the Ministry of the Interior of the Czech Republic under the project No. VI20162019029 The Sharing and analysis of security events in the Czech Republic (SABU).

Geolocation is performed using GeoLite2 data created by MaxMind, available from http://www.maxmind.com.
Classification of ASNs is performed using the CAIDA UCSD AS Classification Dataset.