TY - GEN
T1 - Identifying dynamic IP address blocks serendipitously through background scanning traffic
AU - Jin, Yu
AU - Sharafuddin, Esam
AU - Zhang, Zhi-Li
PY - 2007
Y1 - 2007
N2 - Today's Internet contains a large portion of "dynamic" IP addresses, which are assigned to clients upon request. A significant amount of malicious activities have been reported from dynamic IP space, such as spamming, botnets, etc.. Accurate identification of dynamic IP addresses will help build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using a month-long data collected from our campus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experiment results demonstrate a high classification rate with low false positive rate. As an on-going work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real-time.
AB - Today's Internet contains a large portion of "dynamic" IP addresses, which are assigned to clients upon request. A significant amount of malicious activities have been reported from dynamic IP space, such as spamming, botnets, etc.. Accurate identification of dynamic IP addresses will help build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using a month-long data collected from our campus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experiment results demonstrate a high classification rate with low false positive rate. As an on-going work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real-time.
UR - http://www.scopus.com/inward/record.url?scp=56749159227&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=56749159227&partnerID=8YFLogxK
U2 - 10.1145/1364654.1364659
DO - 10.1145/1364654.1364659
M3 - Conference contribution
AN - SCOPUS:56749159227
SN - 9781595937704
T3 - Proceedings of 2007 ACM CoNEXT Conference - 3rd International Conference on Emerging Networking EXperiments and Technologies, CoNEXT
BT - Proceedings of 2007 ACM CoNEXT Conference - 3rd International Conference on Emerging Networking EXperiments and Technologies, CoNEXT
T2 - 2007 ACM CoNEXT Conference - 3rd International Conference on Emerging Networking EXperiments and Technologies, CoNEXT
Y2 - 10 December 2007 through 13 December 2007
ER -