
Development Team

The Cybersecurity Laboratory has a dedicated development team for in-house development of our core R&D technologies, such as large-scale observation and analysis platforms and various visualization engines.

In-house production enables us to quickly turn the R&D cycle around and keep up with changing attack trends, as well as implement and verify systems that utilize research results at a high level of completion, accelerating social implementation.

Projects

NICTER: Darknet monitoring and analysis system

NICTER System Overview

NICTER is an integrated security system for countering indiscriminate cyberattacks. It is based on large-scale darknet monitoring, automated malware analysis, and the correlation of the two. To monitor large-scale darknets, we have distributed our sensor systems at cooperative research organizations in Japan and overseas. We currently operate a darknet monitoring system with approximately 300,000 IPv4 addresses. The sensor system captures all packets arriving from the Internet at the darknet and forwards them to the gate system in real time. Due to the recent increase in cyberattacks, the number of packets captured by all sensor systems amounts to 15,000 packets per second. NICTER has collected over 350 TB of darknet traffic data.

The development team has been developing and operating all components of the NICTER system. In particular, it is important to develop a flexible and stable database consisting of dozens of servers to accumulate a large amount of packet data collected in real time without any missing data. Furthermore, we developed a statistical information system that pre-computes statistics on darknet data for easy data retrieval by researchers and analysts, analysis systems implementing algorithms devised by researchers, and a visualization system to facilitate the recognition of changes in attack trends. By continuously providing feedback from researchers and analysts and improving the system, R&D results can be quickly applied to actual operations as in agile software development.

DAEDALUS: Darknet-based real-time alert system

Alert visualization with DAEDALUS

DAEDALUS (Direct Alert Environment for Darknet And Livenet Unified Security) is a real-time alert system based on the large-scale darknet monitoring facility deployed as part of the NICTER system. Conventional cyber-attack countermeasures mainly consist of “perimeter defense”, which detects and prevents cyber-attacks from outside the organization by means of firewalls (FW) and intrusion detection systems (IDS) at the network boundary where the organization’s internal network connects to the Internet. However, with the growth of IoT and cloud computing, perimeter defenses alone are no longer sufficient to protect organizations. DAEDALUS can detect malware-infected devices within an organization at an early stage by capturing abnormal packets sent from within the organization to our darknet, and it sends alert information to the organization in real time. This enables a quick response to security incidents.
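The detection principle described above, as an added example (not NICT's DAEDALUS code): organization hosts that send packets to darknet addresses are flagged, since no legitimate service lives there. The address ranges and packet records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (placeholders): the organization's own address
# range (livenet) and the darknet prefixes monitored by the alert system.
ORG_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
DARKNET_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                    ipaddress.ip_network("203.0.113.0/24")]

# Constructed packet records as a darknet sensor would see them:
# (source IP, destination IP, destination port).
PACKETS = [
    ("192.0.2.10", "198.51.100.5", 23),
    ("192.0.2.10", "198.51.100.77", 23),
    ("192.0.2.10", "203.0.113.9", 2323),
    ("192.0.2.10", "203.0.113.200", 23),
    ("192.0.2.44", "198.51.100.8", 445),
    ("198.18.0.1", "198.51.100.5", 23),   # external source, not an org host
    ("192.0.2.99", "192.0.2.100", 80),    # internal traffic, never reaches the darknet
]

def in_any(ip, prefixes):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)

def daedalus_alerts(packets, org_prefixes, darknet_prefixes, min_dst=2):
    """Return alerts for organization hosts observed reaching the darknet.

    A single packet from an organization host to the darknet is already
    suspicious; requiring at least min_dst distinct darknet destinations
    focuses the alert on scanning-like behaviour typical of infected devices.
    Result: {src_ip: {"dst_count": n, "ports": sorted destination ports}}.
    """
    per_src = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for src, dst, port in packets:
        if in_any(src, org_prefixes) and in_any(dst, darknet_prefixes):
            per_src[src]["dsts"].add(dst)
            per_src[src]["ports"].add(port)
    return {
        src: {"dst_count": len(v["dsts"]), "ports": sorted(v["ports"])}
        for src, v in per_src.items() if len(v["dsts"]) >= min_dst
    }

if __name__ == "__main__":
    for src, info in daedalus_alerts(PACKETS, ORG_PREFIXES, DARKNET_PREFIXES).items():
        print(f"ALERT {src}: {info['dst_count']} darknet hosts, ports {info['ports']}")
```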

The development team has been developing all the components of the DAEDALUS system in-house, including a large-scale database, alert detection and analysis engines, and a visualization engine that enables users to understand the alert status at a glance. The visualization engine has an intuitive interface to draw a large amount of alert information, allowing operators to understand an alert situation instantly.

NIRVANA KAI: Integrated security platform against APT

Alert occurrences in the organization visualized by NIRVANA KAI

The Cybersecurity Laboratory is engaged in research and development on NIRVANA KAI, an integrated analysis platform intended to counter cyberattacks, especially APTs. An advanced persistent threat (APT) is a broad term used to describe an organized cyberattack by a group of skilled, sophisticated threat actors. To combat cyberattacks, many organizations have installed and operate multiple cybersecurity products, including firewalls, intrusion detection systems, and endpoint security software. These security products generate a daily flood of security alerts, and the burden of processing them entails significant human resource costs. As an integrated analysis platform designed for efficient security operations based on centralized management and triaging of security alerts, NIRVANA KAI can be described as a real-time graphical SIEM (Security Information and Event Management) engine equipped with four functions: security alert aggregation and analysis, actuation, network traffic monitoring, and real-time visualization. The security alert information generated by security appliances and endpoint security software installed inside an organization is managed centrally by the security alert aggregator and analyzed via the NIRVANA KAI user interface. The operator categorizes the alert information and performs triage to prioritize incident responses.

The development team is continuing to develop new features for NIRVANA KAI, including the development of various functions to support not only IPv4 networks but also IPv6 networks, enhancement of alert management functions (automatic statistics, classification of similar alerts, and alert search function), enhancement of the alert management function in conjunction with EDR (Endpoint Detection and Response) software, and vulnerability management functions in conjunction with a vulnerability scanner. NIRVANA KAI is used in security operations by the analysis team and NICT-CSIRT to improve security in real organizations and is also being deployed in society through technology transfer to private companies.

Visualization Engine for Cybersecurity CTF Competitions

Real-time visualization of a domestic CTF competition

The shortage of human resources in cybersecurity has become a social issue, and many CTF (Capture The Flag) competitions have been held in Japan and overseas to train security personnel and let them compete on cybersecurity skills. A CTF is a competition in which participants use their cybersecurity knowledge and skills to find hidden flags (answers) and compete for the highest total score.

The development team has been developing a system that visualizes the status of a CTF competition in real time, using the know-how gained from developing the cyberattack visualization engine. Visualizing the competition addresses a common problem with CTFs: non-participants find it difficult to follow the content and current standings of the competition, and visualization makes the event more engaging for them. Through the development of this CTF visualization engine, the development team helps broaden the base of people newly interested in the field of cybersecurity.
