It looks like something you’d see in a 1980s film about a nuclear apocalypse. A screen in a control room in an underground bunker, where our mutually assured destruction was being mapped out.
In fact it’s a real-time visualization of computers attacking other computers.
The Honeynet Project, which runs the map, works by setting up “honeypot” sensors, computers that behave as potential targets for malware. The red markers on the map symbolize the attacks, mostly from botnets and worms. The yellow are the honeypots.
The worms attempt to exploit the sensors by scanning them and looking for open ports. Just like the famed femmes fatales in the world of espionage, honeypots mimic vulnerabilities in order to learn how attackers operate and what tactics they use.
In the text scroll on the map, you can see where the attacks are coming from -- mostly from Russia, the United States, Brazil, and Eastern Europe. The recipient of the attack is always one of the sensors, so for instance Aachen, Germany, comes up a lot as the project hosts a sensor at a university there. “The actual location of these sensors could be university server rooms or living rooms at home and they are mostly dedicated computers or virtual machines,” says Mark Schloesser, a research assistant at the RWTH Aachen University who is involved with the project.
I asked Schloesser whether the map is representative of reality or whether it is skewed by where they have sensors:
That depends on the worm code that actually attacks the sensors. Historically this kind of visualization would be skewed by the sensor location but with newer attack code (e.g. Conficker) [a computer worm] this is not true anymore, as the attack target selection is randomized. This means that an infected machine in Russia has the same chance of attacking Aachen as it has in attacking China. This means that the red dots roughly depict reality, but the amount of events is high at big sensors and low at small sensors.
There have been other visualizations of network attacks. Check out this one from Akamai.
And if you thought packets of data couldn’t be beautiful, have a look at this stylized visualization of cybercriminals hitting a VOIP (Voice over Internet Protocol) server.
WATCH: Visualizing a cyberattack on a VOIP server from Ben Reardon, Dataviz Australia on Vimeo.
Just like disease tracking, the initiative could help fight malware, as Kyt Dotson points out at Silicon Angle:
With data collection ventures like the Honeynet Project and a strong sifting through of the Big Data by security researchers and other outfits, we might see a revolution in how we track and prepare for the malware storms of the future. Mobile devices and PCs could make good use of anti-virus companies having access to knowledge of what’s trending so that they can prepare their flu-shots and vaccines early by prototyping and fingerprinting new malware.
Japan's National Institute of Information and Communications Technology is doing this with its project Daedalus, which visualizes network attacks in real time.
But for now the people behind HoneyMap are aware of its limited functionality. “To be honest, this specific visualization just looks nice and raises awareness about the still-existing worm infections and automated spreading code in use. In terms of actionable intelligence, you can't get a lot out of this,” Schloesser says.
“In the future, as we add more sensor types and data sources, we hope that we can use the map as an easy monitoring solution and representation of Honeynet coverage. Also, for other botnet/worm families and other sensor types it actually might yield some insights. Right now it gives a purpose to our big screen at the office.”