research-article

Identifying dynamic IP address blocks serendipitously through background scanning traffic

Authors:

Yu Jin,

Esam Sharafuddin,

Zhi Li ZhangAuthors Info & Claims

CoNEXT '07: Proceedings of the 2007 ACM CoNEXT conference

Article No.: 4, Pages 1 - 12

https://doi.org/10.1145/1364654.1364659

Published: 10 December 2007 Publication History

Get Access

Abstract

Today's Internet contains a large portion of "dynamic" IP addresses, which are assigned to clients upon request. A significant amount of malicious activities have been reported from dynamic IP space, such as spamming, botnets, etc. Accurate identification of dynamic IP addresses will help build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using a month-long data collected from our campus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experiment results demonstrate a high classification rate with low false positive rate. As an on-going work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real-time.

References

[1]

Y. Xie, F. Yu, K. Achan, E. Gillum, M. Goldszmidt and T. Wobber. How Dynamic are IP Addresses. In Proc. of ACM SIGCOMM, 2007.

Digital Library

Google Scholar

[2]

A. V. Ramachandran, N. Feamster. Understanding the Network-level Behavior of Spammers. In Proc. of ACM SIGCOMM, September 2006.

Digital Library

Google Scholar

[3]

M. Casado and M. Freedman. Peering Through the Shroud: The Effect of Edge Opacity on IP-Based Client Identification. In Proc. of ACM/USENIX NSDI, 2007.

Digital Library

Google Scholar

[4]

K. Xu, Z.-L. Zhang and S. Bhattacharyya. Profiling Internet Backbone Traffic: Behavior Models and Applications. In Proc. of ACM SIGCOMM, August 2005.

Digital Library

Google Scholar

[5]

T. Karagiannis, K. Papagiannaki and M. Faloutsos. BLINC: Multilevel Traffic Classification in the Dark. In Proc. of ACM SIGCOMM, August 2005.

Digital Library

Google Scholar

[6]

Y. Jin, G. Simon, K. Xu, Z.-L. Zhang and V. Kumar. Gray's Anatomy: Dissecting Scanning Activities Using IP Gray Space Analysis. In SysML07, 2007.

Digital Library

Google Scholar

[7]

Whois.net-Domain Research Tools. http://www.whois.net/.

Google Scholar

[8]

M. Freedman, M. Vutukuru, N. Feamster, and H. Balakrishnan. Geographic Locality of IP Prefixes. In Proc. of ACM IMC, 2005.

Digital Library

Google Scholar

[9]

Y. Xie, F. Yu, K. Achan, E. Gillum, M. Goldszmidt, and T. Wobber. How Dynamic are IP Addresses? In Proc. of ACM SIGCOMM, 2007.

Digital Library

Google Scholar

[10]

S. Venkataraman, S. Sen, O. Spatscheck, P. Haffner, and D. Song. Exploiting Network Structure for Proactive Spam Mitigation. In 16th USENIX Security Symposium, 2007.

Digital Library

Google Scholar

[11]

Know your Enemy: Tracking Botnets. http://honeynet.org.

Google Scholar

[12]

R. Johnson, and D. Wichern. Applied Multivariate Statistical Analysis. Prentice Hall, 2007.

Digital Library

Google Scholar

Cited By

View all

Cardoso GOliveira LCunha Í(2024)Identificação de Endereços IP Dinâmicos com Dados PúblicosAnais do XXIV Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2024)10.5753/sbseg.2024.241681(822-828)Online publication date: 16-Sep-2024
https://doi.org/10.5753/sbseg.2024.241681
KANEI FCHIBA DHATO KYOSHIOKA KMATSUMOTO TAKIYAMA M(2020)Detecting and Understanding Online Advertising Fraud in the WildIEICE Transactions on Information and Systems10.1587/transinf.2019ICP0008E103.D:7(1512-1523)Online publication date: 1-Jul-2020
https://doi.org/10.1587/transinf.2019ICP0008
Kanei FChiba DHato KAkiyama M(2019)Precise and Robust Detection of Advertising Fraud2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)10.1109/COMPSAC.2019.00115(776-785)Online publication date: Jul-2019
https://doi.org/10.1109/COMPSAC.2019.00115
Show More Cited By

Recommendations

Identifying botnets by capturing group activities in DNS traffic

Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, ...
Detecting Intra-enterprise Scanning Worms based on Address Resolution
ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference

Signature-based schemes for detecting Internet worms often fail on zero-day worms, and their ability to rapidly react to new threats is typically limited by the requirement of some form of human involvement to formulate updated attack signatures. We ...
IP routing on logical address group
IC3N '97: Proceedings of the 6th International Conference on Computer Communications and Networks

In principle, more than one routers are intervened between different IP subnets. IETF RFC1577 "Classical IP and ARP over ATM", which is specified to provide IP services on an ATM network, also requires that the router be used between different logical ...

Comments

Information & Contributors

Information

Published In

CoNEXT '07: Proceedings of the 2007 ACM CoNEXT conference

December 2007

448 pages

ISBN:9781595937704

DOI:10.1145/1364654

General Chairs:
Jim Kurose
University of Massachusetts
,
Henning Schulzrinne
Columbia University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 December 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

Division of Computer and Network Systems

Acceptance Rates

Overall Acceptance Rate 198 of 789 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
325
Total Downloads

Downloads (Last 12 months)25
Downloads (Last 6 weeks)3

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Cardoso GOliveira LCunha Í(2024)Identificação de Endereços IP Dinâmicos com Dados PúblicosAnais do XXIV Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2024)10.5753/sbseg.2024.241681(822-828)Online publication date: 16-Sep-2024
https://doi.org/10.5753/sbseg.2024.241681
KANEI FCHIBA DHATO KYOSHIOKA KMATSUMOTO TAKIYAMA M(2020)Detecting and Understanding Online Advertising Fraud in the WildIEICE Transactions on Information and Systems10.1587/transinf.2019ICP0008E103.D:7(1512-1523)Online publication date: 1-Jul-2020
https://doi.org/10.1587/transinf.2019ICP0008
Kanei FChiba DHato KAkiyama M(2019)Precise and Robust Detection of Advertising Fraud2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)10.1109/COMPSAC.2019.00115(776-785)Online publication date: Jul-2019
https://doi.org/10.1109/COMPSAC.2019.00115
Du FBao XZhang YWang Y(2019)GeoBLR: Dynamic IP Geolocation Method Based on Bayesian Linear RegressionCollaborative Computing: Networking, Applications and Worksharing10.1007/978-3-030-12981-1_22(310-328)Online publication date: 7-Feb-2019
https://doi.org/10.1007/978-3-030-12981-1_22
Richter PSmaragdakis GPlonka DBerger AGill PHeidemann JByers JGovindan R(2016)Beyond CountingProceedings of the 2016 Internet Measurement Conference10.1145/2987443.2987473(135-149)Online publication date: 14-Nov-2016
https://dl.acm.org/doi/10.1145/2987443.2987473
Sharafuddin EJiang NJin YZhang Z(2010)HOSPITAL: Host and network system profiler and Internet traffic analyzer2010 IEEE Globecom Workshops10.1109/GLOCOMW.2010.5700354(420-424)Online publication date: Dec-2010
https://doi.org/10.1109/GLOCOMW.2010.5700354
Sharafuddin EJiang NJin YZhang Z(2010)Know Your Enemy, Know Yourself: Block-Level Network Behavior Profiling and Tracking2010 IEEE Global Telecommunications Conference GLOBECOM 201010.1109/GLOCOM.2010.5684140(1-6)Online publication date: Dec-2010
https://doi.org/10.1109/GLOCOM.2010.5684140

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Recommendations

Identifying botnets by capturing group activities in DNS traffic

Detecting Intra-enterprise Scanning Worms based on Address Resolution

IP routing on logical address group

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Funding Sources

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations