The NERD system gathers data about sources of cyber threats from a number of sources and builds a constantly updated database of known malicious network entities (currently only IP addresses). It provides detailed information about each of them, including when and where it was reported as malicious, auxiliary data such as hostname or geolocation, and a numeric summarization of the IP's reputation. Most of the data are publicly accessible via a web interface:

Access the NERD web interface HERE


Network entity profiles

NERD keeps a record for each IP address reported as a source of a network attack or other malicious activity. Such a record contains metadata about the reports and other relevant information fetched from other sources (see below for the list of all data sources used). Most of the data is periodically updated. The web interface allows users to view the details of each individual IP address as well as to search for IPs matching given criteria.

Basic information about related BGP prefixes, ASNs, registered IP blocks and organizations (from whois databases) is stored as well.

Moreover, the information known about each IP is summarized into a reputation score -- a number expressing the level of threat the IP address poses. Currently, quite a simple static formula is used to compute the reputation score, but there is ongoing research into how to estimate it better.


Data sources

Data about detected malicious activities which are used to create IP profiles (so-called "primary data") are taken from the following sources:

Each IP record (created based on data from one of the primary sources above) is further enriched by data from the following "secondary" sources:

We are always looking for new data sources to include. If you have or know about some data that could be added, please contact us.


Access

The data are available via a simple web GUI and an API. Both allow users to show details about an entity (IP address, ASN, etc.) or to search for entities by various parameters.

Basic access to most of the data is allowed to anyone.

However, some of the information in the system may be sensitive and cannot be made accessible to the public (e.g. raw alerts from Warden or data from MISP with a TLP other than 'white'). Full access to the NERD system is therefore restricted to trusted partners only. Generally, it is granted to members of trusted CSIRT teams and well-known security researchers.


Source codes & more information

The source code of all components of the NERD project is available on GitHub. Documentation is available on the project's wiki.

Although we publish the source code, it is (currently) not expected that someone deploys his or her own instance (some parts would not work well without access to Warden data). Therefore, although there are some installation scripts that should make installation easy, they are not well tested or documented and do not cover everything. If possible, we recommend accessing the main instance operated by CESNET instead and sharing data or collaborating on development. Nevertheless, if you still need to deploy your own instance, do not hesitate to contact us for assistance.

For more information about how it works, see our paper from the CyberTIM workshop at ARES 2019.


Contact

For more information, to request access or provide feedback, or if you have some data to share, please contact:

Václav Bartoš at bartos@cesnet.cz.


Acknowledgments

NERD is developed and operated by CESNET (operator of the Czech National Research and Education Network) and its Liberouter team.

The software this service is based on was developed within the scope of the Security Research Programme of the Czech Republic 2015 - 2020 (BV III / 1 VS) granted by the Ministry of the Interior of the Czech Republic under the project No. VI20162019029 The Sharing and analysis of security events in the Czech Republic (SABU).

Computation of the FMP score and the underlying research were supported by the EU project PROTECTIVE.

Development of some parts of the web interface was partially supported by the EU project GÉANT GN4-2.

Geolocation is performed using GeoLite2 data created by MaxMind, available from http://www.maxmind.com.
Classification of ASNs is performed using the CAIDA UCSD AS Classification Dataset.