Frequently Asked Questions
- What is the ATLAS Initiative?
- How does ATLAS work?
- How does ATLAS determine something is an attack?
- What does "Attacks per subnet" mean?
- What information is available via the ATLAS public portal?
- Is any private or other personally identifiable information shared?
- Data from my organization's AS(s) or prefixes appears within ATLAS, can it be removed?
- Can I contribute information to better ATLAS?
- How can I get a sensor deployed in my network?
- Can I copy and use the information obtained from ATLAS?
- How do I contact the people behind ATLAS?

What is the ATLAS Initiative?

The Active Threat Level Analysis System (ATLAS) Initiative is the world's first globally scoped threat analysis network.
As a trusted partner to the service provider community, Arbor is leveraging these relationships to advance threat analysis and security intelligence to an entirely new level. This visibility and insight is transforming static data into actionable business intelligence for service providers and enterprises through a subscription-based service.

How does ATLAS work?

Data is captured by using a distributed network of sensors running a number of data capture and analysis tools. These sensors can:
- Interact with attackers to discover what activity they are attempting
- Capture full payloads and classify them
- Characterize scan traffic
All of this data is sent back to a central location for storage and further analysis and presentation to the ATLAS user. ATLAS brings together a number of data sources, including:
- Honeypot-captured payloads
- IDS logs
- Scan logs
- Internet DoS statistics
- News & vulnerability reports
- Captured malware samples
- Phishing infrastructure data
- Botnet command & control data
ASERT then brings its knowledge to bear in analyzing this globally collected data. This analysis is shared with Arbor customers in the form of reports, briefs and incident follow-up.

How does ATLAS determine something is an attack?

ATLAS classifies traffic into several different types, including random packets, scans and attacks. Scans are distilled using a host scan algorithm that is similar to that employed in Peakflow NSI, our flagship enterprise security platform. Attacks are classified using payload signatures of known attacks and known attack characteristics. If ATLAS cannot classify a packet into one of these types, it does not say that the packet was part of an attack.

What does "Attacks per subnet" mean?

ATLAS scan and attack data is normalized to the number of subnet equivalents the system is monitoring, where a subnet is defined as a /24 (commonly called a "Class C") netblock of 256 addresses. This scaling is done to minimize the artificial increases or decreases in global scan prevalence when ATLAS sensors are added or deleted. You can think of this value as the number of scans and attacks an arbitrary class C netblock would receive.
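
The per-subnet normalization described above, as an added example that is not part of the original FAQ and is not Arbor's code. The function names, the sample prefixes and counts, and the choice to collapse overlapping prefixes before counting are assumptions made for illustration.

```python
import ipaddress


def subnet_equivalents(prefixes):
    """Number of /24-equivalents covered by the monitored IPv4 prefixes.

    Overlapping prefixes are collapsed first so address space watched by
    two sensors is counted once (an assumption of this example).
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total / 256  # a /24 netblock holds 256 addresses


def events_per_subnet(event_count, prefixes):
    """Scale a raw scan/attack count to events per monitored /24."""
    equivalents = subnet_equivalents(prefixes)
    if equivalents == 0:
        raise ValueError("no monitored address space")
    return event_count / equivalents


# Constructed sample data: (monitored prefix, attacks seen in one window).
BEFORE = [("192.0.2.0/24", 120), ("198.51.100.0/25", 60)]
# A sensor covering a /22 is added and sees the same per-/24 density.
AFTER = BEFORE + [("198.18.0.0/22", 480)]


def summarize(sensors):
    """Return (raw count, /24-equivalents, normalized rate) for a sensor set."""
    prefixes = [prefix for prefix, _ in sensors]
    raw = sum(count for _, count in sensors)
    return raw, subnet_equivalents(prefixes), events_per_subnet(raw, prefixes)


if __name__ == "__main__":
    for label, sensors in (("before", BEFORE), ("after", AFTER)):
        raw, eq, rate = summarize(sensors)
        print(f"{label}: raw={raw} /24-equivalents={eq} per-subnet={rate:.1f}")
```

The raw count more than triples when the new sensor comes online, while the per-subnet value stays the same, which is the artifact the scaling is meant to suppress.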

What information is available via the ATLAS public portal?

The ATLAS portal today is a public resource that delivers a subset of the intelligence derived from the ATLAS sensor network on host/port scanning activity, zero-day exploits and worm propagation, security events, vulnerability disclosures and dynamic botnet and phishing infrastructures. It includes:
- Global Threat Map: Real-time visibility into globally propagating threats
- Threat Briefs: Summarizing the most significant security events that have taken place over the past 24 hours
- Top Threat Sources: Multi-dimensional visualization of originating attack activity
- Threat Index: Summarizing Internet malicious activity by offering detailed threat ratings
- Top Internet Attacks: 24-hour snapshot of the most prevalent exploits being used to launch attacks globally
- Vulnerability Risk Index: Determines the most dangerous vulnerabilities being exploited on the Internet today

Is any private or other personally identifiable information shared?

ATLAS does not screen arbitrary e-mail messages, instant messaging conversations, or anything else that would contain personal, sensitive information. ATLAS does capture payloads, which, more often than not, originate from attacking hosts.

Data from my organization's AS(s) or prefixes appears within ATLAS, can it be removed?

No, ATLAS data is not manipulated to remove references to a specific organization.
ATLAS data is composed of a number of sources, including attacks and scans that may contain spoofed packets.
The source IP addresses within the ATLAS UI appear exactly as recorded by the ATLAS sensors. As a result of spoofing, packets and other data may appear to have originated from, and be attributed to, a source other than the actual source IP address, country code, or AS number.

Can I contribute information to better ATLAS?

At this time, ATLAS does not employ data from non-Arbor devices. We are exploring opportunities to import data from third-party devices, such as IDS sensors, firewall logs, and related data sources, but those remain TBD items.

How can I get a sensor deployed in my network?

We are very much interested in having ATLAS sensors deployed pervasively around the world. While we will be working with our service provider customers to roll out more sensors, it is always nice when a provider comes to us! If you are a service provider interested in working with Arbor to have an ATLAS sensor deployed in your network, please contact us.

Can I copy and use the information obtained from ATLAS?

You may use the data obtained from ATLAS, provided that you give the following notice and attribution:
This information was obtained from Arbor Networks' ATLAS Initiative on (date) and permission to republish has been obtained. ATLAS initiative data is dynamic and therefore, the information may have changed since the date of publication of the data. © Arbor Networks, Inc. ALL RIGHTS RESERVED. Atlas is a trademark of Arbor Networks, Inc.

How do I contact the people behind ATLAS?

If you have data analysis, malware samples to be reviewed, or feedback about the portal regarding its content or features you'd like to see added, feel free to contact us, and don't forget to use the included PGP key for encrypted submissions!