Opt-In Network Threat Intelligence
Deploy Network Threat Intelligence on Your NRP Infrastructure
NRP contributors can opt-in to run LightScope on their NRP nodes. LightScope transforms closed ports on your machines into network telescopes, forwarding observed traffic to USC-managed honeypots. Simply open a set of ports—LightScope handles the rest.
What is LightScope?
Network Telescopes, Not Honeypots
LightScope turns closed ports on your nodes into network telescopes. Your servers remain your servers—traffic is simply observed and forwarded to USC-managed honeypots. No honeypot software runs on your machines, and your actual services are never affected.
See Who Is Targeting You
Get detailed information about who is targeting your infrastructure. LightScope provides comprehensive insights into scanning activities, attack patterns, and malicious actors attempting to access your systems.
Automatic Threat Reporting
LightScope automatically reports attackers to AbuseIPDB and participating ISPs, helping to take down malicious infrastructure while contributing to the broader cybersecurity community.
Personalized IP Blocklists
Receive customized IP blocklists tailored to your specific threat profile, enabling you to proactively protect your infrastructure against known malicious actors.
What LightScope Does
LightScope provides powerful network security insights with minimal performance overhead.
Monitors traffic sent to closed ports on your live hosts, capturing valuable data about scanning and attack activities.
All IP addresses are fully anonymized before being stored or shared. The research is IRB certified (UP-25-00124).
LightScope observes traffic to closed ports only and has minimal impact on system resources. Your services run unaffected.
Contribute to cybersecurity research studying scanner behavior, spoofed traffic, and scan type fingerprinting.
Technical Details for Security Teams
What LightScope requires from your infrastructure and how it works.
Simply configure your firewall to allow incoming TCP connections on a specific set of ports (e.g., 10000-60000). LightScope will bind to these ports and forward all observed traffic to USC honeypots. No additional software, agents, or kernel modules required on your nodes.
When traffic arrives at a closed port, LightScope captures the SYN packet and forwards the entire interaction to USC-managed honeypots via an outbound connection. Your server never processes the attack traffic—it is transparently redirected to USC for analysis.
LightScope only binds to ports you explicitly assign. Your actual production services on other ports run completely unaffected. The forwarding happens asynchronously with minimal CPU and memory overhead.
LightScope is read-only observation—no data leaves your network except the forwarded attack samples. All IP addresses are anonymized before storage. The research has received IRB certification (UP-25-00124).
Research Focus
LightScope supports graduate cybersecurity research at USC Information Sciences Institute
Differences in Attacker Behavior
Research how attacker interactions differ across network telescopes, honeypots, and production machines.
Spoofed Traffic Analysis
Study the proportion and characteristics of spoofed TCP traffic in real-world network environments.
Scan Type Fingerprinting
Develop techniques to identify and classify different types of network scans based on packet sequences.
What LightScope Is NOT
Important clarifications about what LightScope does and does not do.
LightScope does not detect or block malware on your systems. It focuses on external threat intelligence.
It does not examine or filter traffic going to your running services like webservers or APIs.
Your nodes are NOT honeypots. Traffic is only observed at closed ports and forwarded to USC-managed honeypots. Your actual services are never impacted.
It only observes traffic to closed ports and does not access or monitor any legitimate traffic to running services.
Ready to Deploy LightScope on Your NRP Nodes?
Join other NRP contributors in supporting cybersecurity research while gaining valuable threat intelligence for your infrastructure. This is an optional opt-in—participation is entirely voluntary.