Identifying dynamic IP address blocks serendipitously through background scanning traffic

  • Authors: Yu Jin; Esam Sharafuddin; Zhi Li Zhang
  • Affiliations: University of Minnesota; University of Minnesota; University of Minnesota
  • Venue: CoNEXT '07 Proceedings of the 2007 ACM CoNEXT conference
  • Year: 2007

Abstract

Today's Internet contains a large portion of "dynamic" IP addresses, which are assigned to clients upon request. A significant amount of malicious activity has been reported from dynamic IP space, such as spamming, botnets, etc. Accurate identification of dynamic IP addresses will help build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using month-long data collected from our campus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experimental results demonstrate a high classification rate with a low false positive rate. As ongoing work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real time.