See Your Scanners

What is it?

LightScope is free, open source software that gathers data for graduate cybersecurity research at the University of Southern California ISI. Those who deploy it are rewarded with rich threat intelligence about who's targeting their systems and how. The threat intelligence LightScope provides to users is enhanced through research partnerships with IPinfo, GreyNoise, and AbuseIPDB.

What does the software do?

Observes attacker interactions with closed ports on live hosts, forwards that traffic to USC honeypots, and reports attackers to AbuseIPDB and ISPs.

What do you get for running it?

Detailed information about who's targeting you, automatic reporting of the malicious actors to ISPs, and personalized IP blocklists.

What DOESN'T it do?

It's not antivirus or Endpoint Detection and Response (EDR), and it won't slow down your system like they do. It's also not a Web Application Firewall (WAF), and it doesn't examine traffic to running services such as webservers (for privacy reasons).

Why should I run it?

  • See who's attacking your server
  • Find out if your laptop is getting attacked on public Wifi
  • Discover compromised routers/smart TVs scanning your home network
  • Support open cybersecurity research

What data do you collect?

We are interested in the traffic scanners and attackers send to closed ports on your servers. Your IP is fully anonymized and we do not collect any identifiable data about your machine. We went through IRB to certify our methods. A full list of the data collected can be found in the FAQs.

Why are you doing this?

To help people who can't afford expensive services. To collect data in support of PhD research.

Is it actively supported?

Yes.

How do I contact you?

E@alumni.usc.edu

How do I install it?

Installation Guide

What are your research questions?

RQ1: What are the differences in attacker/scanner interactions between telescopes, dedicated honeypots, and live machines?
RQ2: What proportion of unwanted TCP traffic is spoofed?
RQ3: How can the different scan types be fingerprinted based on packet sequences (as opposed to examining fields on a packet by packet basis)?

LightScope Research Overview

LightScope is a free, open source cybersecurity research initiative that examines unwanted traffic from attackers and scanners. LightScope is different from existing solutions as it turns closed ports on live machines into network telescopes/honeypots, and transparently forwards attacker traffic to USC managed honeypots. This removes the risk of running honeypots on production systems, and makes LightScope difficult for attackers to detect and avoid (unlike traditional honeypots and network telescopes). All this leads to better data for researchers and network operators.

Although it's broken out into two applications (laptop/home computers vs servers), they're really just two use cases for the same tool. The main difference is that unwanted/scan traffic is expected on public facing servers, but should never be seen on home networks or public wifi networks.

LightScope is only interested in unwanted traffic attackers/scanners are sending you. If you're running a webserver or some other application, LightScope will ignore traffic to and from it. We only look at what gets sent to your closed ports, where no legitimate services are running.

The LightScope client is free, open source, extremely lightweight, and designed to run on production machines. If you install it you will be provided with rich information about who's targeting your network and tailored IP blocklists you can use.

LightScope is provided by the University of Southern California Information Sciences Institute.

LightScope For Servers

LightScope turns closed ports on your server into network telescopes, and transparently forwards attacker traffic to USC managed honeypots. This removes the risk of running honeypots on production systems, and makes LightScope difficult for attackers to detect and avoid (unlike traditional honeypots and network telescopes). All this leads to better data for researchers and network operators.

LightScope is only interested in unwanted traffic attackers/scanners are sending you. If you're running a webserver or some other application, LightScope will ignore traffic to and from it. We only look at what gets sent to your closed ports, where no legitimate services are running.

The LightScope client is free, open source, extremely lightweight, and designed to run on production machines. If you install it you will be provided with rich information about who's targeting your network and tailored IP blocklists you can use to keep your network safe. Please click on one of the images below and select a public endpoint to view the type of data you will receive.

General Dashboard View

Individual Threat Actors View

Who's Targeting You?

Support Cybersecurity Research at the University of Southern California, and the Open Source Community!

See who's targeting your systems • Get custom IP blocklists • Help us make the internet safer.

IRB Certified Data Protection
LightScope has passed IRB approval verifying our anonymization, collection, and encrypted storage methods (certified exempt), as study UP-25-00124, "LightScope - Survey of unwanted traffic to large user populations", submitted to the University of Southern California Institutional Review Board.

LightScope For Laptops and Home Computers

Router Security Threats and FBI Warnings
Recent FBI warnings and security reports about router hacking campaigns

The FBI has issued critical warnings about routers being hacked, but how do you know if your router is compromised? Even the FBI itself states:

FBI Statement: It is difficult for an end user to know if their device is compromised due to the inability of anti-virus tools to scan these devices

LightScope, a free and open-source tool provided by the University of Southern California Information Sciences Institute, can help detect if your router (or printer, smart TV, etc.) is compromised and scanning your computer. If you have a laptop, it can also tell you if connecting to that sketchy-looking wifi was a bad idea, hopefully before you get infected.

LightScope is software you install on your home computer or laptop. It monitors for unwanted traffic like port scans, which anti-virus software doesn't look for. Without LightScope, your computer will simply ignore malicious scans without giving you any warning.

Many types of malware (including router malware such as Zorac RAT) will conduct scans as a first step towards exploiting machines on your network. LightScope will not only detect this and alert you, but it will also create decoy services (called honeypots) that trick the attackers, causing them to attempt to exploit the fake services. LightScope then shows you what the attackers did, and warns you if you should disconnect from the network.

The attacker data collected by LightScope is then reviewed by cybersecurity researchers to learn about new threats and help make the internet a safer place for everyone.

Is your home router compromised?

Support Cybersecurity Research at the University of Southern California, and the Open Source Community!

Free • Open-Source • Help make the internet safer.

LightScope In Action

The table below illustrates how LightScope detects attackers others miss. Notice how IPs that attack or attempt to log into LightScope endpoints are often misclassified as benign, clean, etc. with ratings less than 50. Everything listed below should be classified as malicious with ratings of 100... unless you think it's okay for people to attempt to exploit your systems.

Attacker IP AbuseIPDB Score GreyNoise Status GreyNoise Class LightScope Blocklist Interactions

Top Observed Attacks

Real attack commands captured by LightScope honeypots running on production systems

Attack Type Attacker IP Command Preview

Global Threat Intelligence

Real-time threat intelligence from the entire LightScope network

Dashboard panels: Traffic Trends, New Subnets, Stopped Subnets, Top Attacking Countries, Most Targeted Ports, Coordinated Attacks.

How LightScope Compares

See how LightScope's unique approach provides advantages over other security tools and services.

LightScope vs. GreyNoise

LightScope runs on production hosts instead of dedicated honeypots, providing a different vantage point.

LightScope vs. AbuseIPDB & SpamHaus

LightScope blocks IPs faster. We report our findings to these services, but it may take more than our reports to get an IP blocked.

LightScope vs. Cisco Talos

LightScope is free, open source, and vendor-neutral - not limited to any one vendor's ecosystem.

LightScope vs. Fail2Ban

LightScope analyzes traffic at a lower level with more visibility, detecting things like port scans that Fail2Ban doesn't analyze.

LightScope vs. CrowdStrike Falcon

LightScope doesn't run as root/admin/in kernel space, which should limit the impact of... "bad" updates. It's free, open source, and ultra-lightweight.

LightScope vs. SentinelOne Singularity

LightScope won't slow down your system as it doesn't scan running processes or system memory.

LightScope vs. EDR/XDR

LightScope is not EDR/XDR. LightScope provides far more information about your attackers than EDR/XDR, and produces IP blocklists. Unlike EDR/XDR, it is extremely fast and won't bog down your system inspecting processes or memory. It is designed to work with your existing EDR/XDR solutions.

LightScope vs. Honeypots

LightScope runs on production systems, which attackers target. Attackers avoid dedicated honeypots, but to attackers LightScope systems appear real (because they are). LightScope is more secure than running your own honeypot, as it transparently forwards attackers to USC managed honeypots.

LightScope vs. Network Telescopes

Attackers avoid darkspace hosting network telescopes. LightScope works with your in-use IP addresses and live machines. Feel free to use both LightScope and traditional network telescopes together for complete coverage of both your in-use and unused IP space!

University of Southern California

Information Sciences Institute & Viterbi School of Engineering