About NoAH


NoAH is a three-year project to gather and analyse information about the nature of Internet cyberattacks. It will also develop an infrastructure to detect and provide early warning of such attacks, so that appropriate countermeasures may be taken to combat them.

The last few years have witnessed an increasing number of cyberattacks such as viruses, worms, trojans and spyware on the Internet. These are discouraging effective use of the Internet, are crippling IT infrastructures, and can take over large parts of networks within minutes. This often happens too quickly for humans to respond in time, which means that an automated structure is necessary to detect and contain them.

The NoAH project will design and develop a infrastructure for security monitoring based on honeypot technology. Honeypots are computer systems that do not provide production services, but are instead are intentionally made vulnerable and closely monitored to analyse attacksdirected at them. NoAH will use geographically-dispersed honeypots as an early-warning system, and will correlate the data received from them to generate automated warnings and possibly trigger appropriate containment measures. The aim is to help NRENs and ISPs limit damage to their networks, allow information security organisations to better assess threats, and provide researchers with a wealth of attack-related data to improve detection techniques.

NoAH involves eight partners from the academic, research and commercial sectors and represents a total investment of EUR 2,429,374; 60% of which is funded from the Research Infrastructures Programme of the European Union. The project started on 1 April 2005 and runs until 31 March 2008.


  • Design a state-of-the-art infrastructure of honeypots which will gather and correlate data on cyberattacks.
  • Develop techniques for the automatic identification of attacks, and for the automatic generation of their signatures. Mechanisms to distribute these signatures to firewalls and other containment systems will also be investigated.
  • Install and operate a pilot honeypot infrastructure to demonstrate the usefulness and effectiveness of distributed security monitoring systems. This will be operated for at least one year, with the eventual aim of rolling out a full-scale infrastructure across Europe.
  • Collect information on attacks to examine trends, refine security models, and support Internet-related research efforts in general.
  • Disseminate the results of the project, including open-source software and anonymised traffic data to NRENs, ISPs, CSIRTs and network security analysts.

Work Packages

WP0: Requirements Analysis and State-of-the-Art

This work package will review existing technology and identify the requirements of the NoAH infrastructure.
Lead Partner: FORTHnet

WP1: Design of System Architecture

This work package will define the NoAH infrastructure, including methods for attack detection and signature generation.
Lead Partner: FORTH

WP2: Implementation

This work package will implement the NoAH infrastructure by developing the necessary components and optimising the complete system.
Lead Partner: VU

WP3: Demonstration and Pilot Operation

This work package will operate the pilot infrastructure in conjunction with a number of participating sites.
Lead Partner: DFN

WP4: Management and Dissemination

This work package is responsible for the administrative and financial aspects of the project. It will also maintain the NoAH web server and organise two workshops.
Lead Partner: FORTH