LightScope Research - Turn closed ports into honeypots
What is it?
LightScope is free, open source software that gathers data for graduate cybersecurity research at the University of Southern California ISI (https://www.isi.edu). Those who deploy it are rewarded with rich threat intelligence about who is targeting their systems and how. The threat intelligence LightScope provides to users is enhanced through research partnerships with IPinfo (https://ipinfo.io), GreyNoise (https://greynoise.io), and AbuseIPDB (https://abuseIPDB.com).
What does the software do?
Observes attacker interactions with closed ports on live hosts, forwards that traffic to USC honeypots, and reports attackers to AbuseIPDB.com and ISPs.
What do you get for running it?
Detailed information about who is targeting you, automatic reporting of the malicious actors to ISPs, and personalized IP blocklists.
What DOESN'T it do?
It is not antivirus or Endpoint Detection and Response (EDR), and it will not slow down your system the way those do. It is also not a Web Application Firewall (WAF): it does not examine traffic to running services such as web servers (for privacy reasons), only traffic to ports with nothing listening.
Why should I run it?
- See who's attacking your server
- Find out if your laptop is getting attacked on public Wi-Fi
- Discover compromised routers/smart TVs scanning your home network
- Support open cybersecurity research
What data do you collect?
We are interested in the traffic that scanners and attackers send to closed ports on your servers. Your IP is fully anonymized and we do not collect any identifiable data about your machine. Our methods were reviewed and certified through an IRB (Institutional Review Board) process. A full list of the data collected can be found in the FAQ (https://lightscope.isi.edu/faq.html).
Why are you doing this?
To help people who can't afford expensive services. To collect data in support of PhD research.
Is it actively supported?
Yes.
How do I install it?
What are your research questions?
RQ1: What are the differences in attacker/scanner interactions between network telescopes, dedicated honeypots, and live machines?
RQ2: What proportion of unwanted TCP traffic is spoofed?
RQ3: How can the different scan types be fingerprinted based on packet sequences (as opposed to examining fields on a packet-by-packet basis)?
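The following is an added illustration of the two ideas this page describes, observing traffic to closed ports on a live host and turning the observations into a per-source blocklist (the "What does the software do?" and "What do you get for running it?" sections), and classifying a source by the shape of its packet sequence rather than by individual packet fields (RQ3). It is not LightScope's own code: the packet log is constructed, the listening-port set and the `Packet`, `closed_port_hits`, `fingerprint` and `blocklist` names are assumptions for the example, and it assumes the closed ports answer the way a honeypot would, so a full handshake can be seen when a sender completes one.

```python
"""Added example (not LightScope code): sort inbound TCP packets into hits on
closed ports, fingerprint each source by its packet sequence, and derive a
blocklist. All addresses are from documentation ranges and are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption for the example: these are the only services listening on the host.
LISTENING_PORTS = {22, 443}


@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dport: int  # destination port on the observed host
    flags: str  # TCP flags as letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST


# Constructed sample log: a half-open sweep, a completed connection with a
# payload on a closed port, and ordinary traffic to the real services.
SAMPLE = [
    Packet("203.0.113.5", 23, "S"),      # SYN to closed telnet port
    Packet("203.0.113.5", 3389, "S"),    # SYN to closed RDP port
    Packet("203.0.113.5", 5900, "S"),    # SYN to closed VNC port
    Packet("198.51.100.9", 8080, "S"),   # handshake on a closed port ...
    Packet("198.51.100.9", 8080, "A"),   # ... completed (honeypot answered)
    Packet("198.51.100.9", 8080, "PA"),  # ... followed by a payload
    Packet("192.0.2.77", 443, "S"),      # real service: ignored
    Packet("192.0.2.77", 22, "S"),       # real service: ignored
]


def closed_port_hits(packets, listening=LISTENING_PORTS):
    """Group packets aimed at non-listening ports by source address.
    Traffic to running services is deliberately not inspected."""
    hits = defaultdict(list)
    for p in packets:
        if p.dport not in listening:
            hits[p.src].append(p)
    return dict(hits)


def fingerprint(seq):
    """Label a source by the sequence of packets it sent to closed ports.
    Heuristic for the example: look at the order and spread of the sequence,
    not at any single packet's fields."""
    flags = [p.flags for p in seq]
    ports = {p.dport for p in seq}
    if all(f == "S" for f in flags):
        # SYNs only, never followed up: half-open scanning behaviour
        return "half-open scan" if len(ports) > 1 else "single probe"
    if "S" in flags and any("A" in f for f in flags) and any("P" in f for f in flags):
        # SYN, then ACK, then data: a completed connection that delivered a payload
        return "connect+payload"
    return "other"


def report(packets, listening=LISTENING_PORTS):
    """Per-source summary: hit count, distinct closed ports touched, fingerprint."""
    out = {}
    for src, seq in closed_port_hits(packets, listening).items():
        out[src] = {
            "hits": len(seq),
            "ports": sorted({p.dport for p in seq}),
            "fingerprint": fingerprint(seq),
        }
    return out


def blocklist(packets, threshold=3, listening=LISTENING_PORTS):
    """Sources that hit closed ports at least `threshold` times, sorted."""
    hits = closed_port_hits(packets, listening)
    return sorted(src for src, seq in hits.items() if len(seq) >= threshold)


if __name__ == "__main__":
    for src, summary in report(SAMPLE).items():
        print(src, summary)
    print("blocklist:", blocklist(SAMPLE))
```

The threshold in `blocklist` is the knob a defender tunes: a single stray SYN is not worth blocking, but a source sweeping several closed ports or pushing data into one is. Because only packets to non-listening ports are kept, nothing about sessions with the host's real services reaches the report, which is the privacy boundary the page draws.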