Abstract
Malicious hosts tend to be concentrated in certain areas of the IP addressing space, forming the so-called Bad Neighborhoods. Knowledge about this concentration is valuable in predicting attacks from unseen IP addresses. This observation has been employed in previous works to filter out spam. In this paper, we focus on the temporal behavior of bad neighborhoods. The goal is to determine if bad neighborhoods strike multiple times over a certain period of time, and if so, when do the attacks occur. Among other findings, we show that even though bad neighborhoods do not exhibit a favorite combination of days to carry out attacks, 85% of the recurrent bad neighborhoods do carry out a second attack within the first 5 days from the first attack. These and the other findings here presented lead to several considerations on how attack prediction models can be more effective i.e., generating both predictive and short neighborhood blacklists.
| Original language | Undefined |
|---|---|
| Title of host publication | Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS 2014) |
| Place of Publication | USA |
| Publisher | IEEE |
| Pages | - |
| Number of pages | 9 |
| ISBN (Print) | 978-1-4799-0913-1 |
| DOIs | |
| Publication status | Published - 5 May 2014 |
| Event | 14th IEEE/IFIP Network Operations and Management Symposium, NOMS 2014 - Radisson Park Inn, Krakow, Poland Duration: 5 May 2014 → 9 May 2014 Conference number: 14 http://noms2014.ieee-noms.org/ |
Publication series
| Name | |
|---|---|
| Publisher | IEEE Communications Society |
Conference
| Conference | 14th IEEE/IFIP Network Operations and Management Symposium, NOMS 2014 |
|---|---|
| Abbreviated title | NOMS 2014 |
| Country/Territory | Poland |
| City | Krakow |
| Period | 5/05/14 → 9/05/14 |
| Internet address |
Keywords
- EWI-25863
- METIS-310012
- IR-95236