Internet Bad Neighborhoods temporal behavior

Giovane Moreira Moura, R. Sadre, Aiko Pras

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    5 Citations (Scopus)
    55 Downloads (Pure)


    Malicious hosts tend to be concentrated in certain areas of the IP addressing space, forming the so-called Bad Neighborhoods. Knowledge about this concentration is valuable in predicting attacks from unseen IP addresses. This observation has been employed in previous works to filter out spam. In this paper, we focus on the temporal behavior of bad neighborhoods. The goal is to determine if bad neighborhoods strike multiple times over a certain period of time, and if so, when do the attacks occur. Among other findings, we show that even though bad neighborhoods do not exhibit a favorite combination of days to carry out attacks, 85% of the recurrent bad neighborhoods do carry out a second attack within the first 5 days from the first attack. These and the other findings here presented lead to several considerations on how attack prediction models can be more effective i.e., generating both predictive and short neighborhood blacklists.
    Original languageUndefined
    Title of host publicationProceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS 2014)
    Place of PublicationUSA
    Number of pages9
    ISBN (Print)978-1-4799-0913-1
    Publication statusPublished - 5 May 2014
    Event14th IEEE/IFIP Network Operations and Management Symposium, NOMS 2014 - Radisson Park Inn, Krakow, Poland
    Duration: 5 May 20149 May 2014
    Conference number: 14

    Publication series

    PublisherIEEE Communications Society


    Conference14th IEEE/IFIP Network Operations and Management Symposium, NOMS 2014
    Abbreviated titleNOMS 2014
    Internet address


    • EWI-25863
    • METIS-310012
    • IR-95236

    Cite this