ABSTRACT
If an outbound flow is observed at the boundary of a protected network, destined to an IP address within a few addresses of a known malicious IP address, should it be considered a suspicious flow? Conventional blacklisting is not going to cut it in this situation, and the established fact that malicious IP addresses tend to be highly clustered in certain portions of IP address space should indeed raise suspicions. We present a new approach for perimeter defense that addresses this concern. At the heart of our approach, we attempt to infer internal, hidden boundaries in IP address space that lie within the publicly known boundaries of registered IP netblocks. Our hypothesis is that, given a known bad IP address, other IP addresses in the same internal contiguous block are likely to share similar security properties, and may therefore be vulnerable to being similarly hacked and used by attackers in the future. In this paper, we describe how we infer hidden internal boundaries in IPv4 netblocks, and what effect this has on being able to predict malicious IP addresses.
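A defender-side illustration of the question the abstract opens with, written for this page and not taken from the paper: a small neighbourhood check that groups known-bad addresses into inferred contiguous blocks (using a simple gap heuristic assumed here, not the paper's inference method), clips each block to the registered netblock that contains it, and flags outbound destinations that fall inside one. All addresses and netblocks are constructed documentation ranges.

```python
import ipaddress

# Constructed sample data (not from the paper): registered netblocks as they would
# appear in public WHOIS records, plus a small blacklist. Three bad addresses
# cluster inside 203.0.113.0/24; one is isolated in 198.51.100.0/24.
REGISTERED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
KNOWN_BAD = ["203.0.113.17", "203.0.113.23", "203.0.113.29", "198.51.100.200"]

def infer_blocks(bad_ips, max_gap=16, registered=REGISTERED):
    """Return inferred contiguous blocks as (first, last) address integers.

    Heuristic assumed here for illustration (not the paper's inference method):
    consecutive bad addresses at most max_gap apart are taken to share one hidden
    block, which is padded by max_gap on each side and then clipped to the
    registered netblock containing it, since an inferred boundary should never
    cross a published one.
    """
    ints = sorted({int(ipaddress.IPv4Address(ip)) for ip in bad_ips})
    clusters, cur = [], [ints[0]]
    for prev, nxt in zip(ints, ints[1:]):
        if nxt - prev <= max_gap:
            cur.append(nxt)
        else:
            clusters.append(cur)
            cur = [nxt]
    clusters.append(cur)
    blocks = []
    for c in clusters:
        lo, hi = c[0] - max_gap, c[-1] + max_gap
        for net in registered:
            first, last = int(net.network_address), int(net.broadcast_address)
            if first <= c[0] <= last:  # clip to the containing netblock
                lo, hi = max(lo, first), min(hi, last)
                break
        blocks.append((lo, hi))
    return blocks

def classify_flow(dst_ip, bad_ips=KNOWN_BAD, blocks=None):
    """'listed' for an exact blacklist hit, 'neighbour' when the destination falls
    inside an inferred block around listed addresses, otherwise 'unlisted'."""
    if blocks is None:
        blocks = infer_blocks(bad_ips)
    if dst_ip in bad_ips:
        return "listed"
    dst = int(ipaddress.IPv4Address(dst_ip))
    if any(lo <= dst <= hi for lo, hi in blocks):
        return "neighbour"
    return "unlisted"
```

With the sample data, `classify_flow("203.0.113.40")` returns `"neighbour"` although that address is on no list, while `classify_flow("203.0.113.200")` in the same /24 returns `"unlisted"`.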
Index Terms
- Detecting hidden enemy lines in IP address space