Identifying dynamic IP address blocks serendipitously through background scanning traffic

Yu Jin, Esam Sharafuddin, Zhi-Li Zhang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Scopus citations

Abstract

Today's Internet contains a large portion of "dynamic" IP addresses, which are assigned to clients upon request. A significant amount of malicious activity has been reported from dynamic IP space, such as spamming, botnets, etc. Accurate identification of dynamic IP addresses will help build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using month-long data collected from our campus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experiment results demonstrate a high classification rate with a low false positive rate. As ongoing work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real time.

Original language: English (US)
Title of host publication: Proceedings of 2007 ACM CoNEXT Conference - 3rd International Conference on Emerging Networking EXperiments and Technologies, CoNEXT
State: Published - 2007
Event: 2007 ACM CoNEXT Conference - 3rd International Conference on Emerging Networking EXperiments and Technologies, CoNEXT - New York, NY, United States
Duration: Dec 10 2007 to Dec 13 2007
