After network flows are collected, they are processed by NEMEA modules, which extract valuable insights for security analysts and network administrators. Instead of just recording raw communication, NEMEA filters relevant data, enriches it with domain knowledge, and transforms it into actionable insights about network devices.
This processed information is stored in ADiCT (Asset Discovery, Classification, and Tagging), a system that maintains long-term profiles of detected devices. ADiCT runs on the open DP³ platform and supports various modules for enhanced network visibility.
All collected data is stored in ADiCT, allowing users to track historical device activity. The system is designed for future expansion, supporting additional modules to further enhance network security and device monitoring.
The PANDDA infrastructure includes a user interface for the ADiCT system. The PANDDA GUI displays the stored data and allows filtering and querying. For security reasons, access to the interface is restricted to authorized users, who log in with a login name and password set by the installation tool. While other components of the PANDDA infrastructure are based on pre-existing software, the GUI was developed specifically for the PANDDA project.
Clicking on any IP address in the table displays its details. The IP address details (picture below) contain current data, as well as a complete history of data according to the configuration. The page's header contains a time selector. The time can be given as a simple relative value, for example -7 days or -24 hours, or entered as an exact date and time. The displayed history always corresponds to the time window between the selected time and 24 hours before that.
The displayed data contains a list of open ports, including the level of trust (confidence), banners of SSH and SMTP services from the Recog module, and a graph of IP address activity: the number of bytes transferred, the number of packets, and the number of flows on the network.