SiteVisor is a real-time alert system based on a large-scale darknet monitoring facility that has been deployed as a part of the Network Incident analysis Center for Tactical Emergency Response (NICTER), which has been established and operated by Japan’s National Institute of Information and Communications Technology (NICT).
A darknet is a set of unassigned IP addresses. Large-scale darknet monitoring is an effective approach for detecting global trends in malicious activity on the Internet, such as a worldwide spread of malware. There is, however, a gap between darknet monitoring and actual security operations on live networks (livenets): observing the global trend does not directly contribute to protecting any particular livenet.
SiteVisor is a novel application of large-scale darknet monitoring whose objective is to bridge this gap, thereby contributing significantly to the security of livenets. In contrast to conventional methods, wherein only the packets received from outside the organization are observed, SiteVisor employs a large-scale distributed darknet that consists of several contributing organizations that mutually observe the malicious packets transmitted from inside the organizations.
SiteVisor utilizes an analysis center (NICTER) and several contributing organizations. Each organization installs a darknet sensor, establishes a secure channel between it and the analysis center, and continuously forwards darknet traffic toward the center. In addition, each organization registers the IP address range of its livenet at the center in advance. The figure below illustrates the overall architecture of SiteVisor.
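The following is an added illustration of the matching step the architecture above implies, not code from NICTER or SiteVisor: the center keeps the livenet prefixes each organization registered, and for every packet a sensor forwards it checks whether the source address falls inside a registered livenet. If it does, that organization is alerted about its own host, including when the packet was observed by another organization's darknet (the mutual observation the text describes). The registry, the observation tuples and the address ranges are constructed for the example using documentation prefixes; the alert record fields (`packets`, `dst_ports`, `seen_by`) are this example's own choice.

```python
import ipaddress

# Constructed registry: organization -> livenet prefixes registered at the center.
# Documentation ranges (RFC 5737) stand in for real organizations.
LIVENET_REGISTRY = {
    "org-a": ["192.0.2.0/24"],
    "org-b": ["198.51.100.0/25", "203.0.113.0/24"],
}

# Constructed darknet observations forwarded by sensors: (sensor_org, src_ip, dst_port).
OBSERVATIONS = [
    ("org-a", "198.51.100.17", 445),  # org-a's darknet hit by a host inside org-b's livenet
    ("org-b", "192.0.2.9", 445),      # org-b's darknet hit by a host inside org-a's livenet
    ("org-b", "192.0.2.9", 139),      # same org-a host, second port
    ("org-a", "192.0.2.50", 22),      # org-a host hitting org-a's own darknet
    ("org-b", "198.51.100.200", 80),  # outside org-b's /25: unregistered, global trend only
]


def build_index(registry):
    """Flatten the registry into (network, owner) pairs for lookup."""
    return [
        (ipaddress.ip_network(prefix), org)
        for org, prefixes in registry.items()
        for prefix in prefixes
    ]


def owner_of(src_ip, index):
    """Return the organization whose registered livenet contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net, org in index:
        if addr in net:
            return org
    return None


def generate_alerts(observations, registry):
    """Group darknet hits by the owning organization and source host.

    Returns {owner_org: {src_ip: {"packets": n, "dst_ports": set, "seen_by": set}}}.
    Sources outside every registered livenet produce no site alert; they only
    feed the global darknet view.
    """
    index = build_index(registry)
    alerts = {}
    for sensor_org, src_ip, dst_port in observations:
        owner = owner_of(src_ip, index)
        if owner is None:
            continue
        record = alerts.setdefault(owner, {}).setdefault(
            src_ip, {"packets": 0, "dst_ports": set(), "seen_by": set()}
        )
        record["packets"] += 1
        record["dst_ports"].add(dst_port)
        record["seen_by"].add(sensor_org)
    return alerts


def format_alert(owner, src_ip, record):
    """Render one alert line as the center might send it to the owning organization."""
    external = sorted(s for s in record["seen_by"] if s != owner)
    where = f"external darknet(s) {external}" if external else "its own darknet"
    ports = sorted(record["dst_ports"])
    return (f"[{owner}] host {src_ip} sent {record['packets']} packet(s) "
            f"to {where}, destination ports {ports}")


if __name__ == "__main__":
    for owner, hosts in generate_alerts(OBSERVATIONS, LIVENET_REGISTRY).items():
        for src_ip, record in hosts.items():
            print(format_alert(owner, src_ip, record))
```

The lookup is a linear scan over a handful of prefixes, which is fine for an illustration; a center handling many organizations would use a longest-prefix-match structure, but the alert logic is unchanged.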