Today's Internet contains a large portion of "dynamic" IP addresses, which are assigned to clients upon request. A significant amount of malicious activity, such as spamming and botnets, has been reported from dynamic IP space. Accurate identification of dynamic IP addresses will help build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using a month of data collected from our campus network; instead of scanning our own network, we utilize identified outside scanning traffic. The experimental results demonstrate a high classification rate with a low false positive rate. As ongoing work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real time.