Book: Identifying Dynamic IP Address Blocks Serendipitously through Background Scanning Traffic (Engineering and Technology Books)


Identifying Dynamic IP Address Blocks Serendipitously through Background Scanning Traffic
Yu Jin, Esam Sharafuddin, Zhi-Li Zhang
University of Minnesota

ABSTRACT
Today’s Internet contains a large portion of “dynamic” IP addresses, which are assigned to clients upon request. A significant amount of malicious activity has been reported from dynamic IP space, such as spamming, botnets, etc. Accurate identification of dynamic IP addresses will help us build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when encountering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using one month of data collected from our campus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experimental results demonstrate a high classification rate with a low false positive rate. As on-going work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real time.
1. INTRODUCTION
Knowledge of IP address assignments, e.g., whether IP addresses within an address block are dynamically or statically assigned, can provide valuable information and hints for managing and securing one’s network. For instance, on the Internet at large, a significant amount of malicious activity has been reported (see, e.g., [1–5]) from dynamic IP addresses, such as spamming, botnets, and so forth. Information regarding the source IP addresses of suspected malicious activities (e.g., email spam) not only provides us with more confidence in classifying such malicious activities, but also allows us to associate multiple instances of such activities from the same dynamic address block over time to better track the origins of attackers. Within a campus or enterprise network, dynamic addresses are typically assigned to mobile devices (e.g., laptops) which tend to roam and be used in unprotected networks (e.g., the wireless hotspot in a coffee shop or at home), and thus are more likely to get infected with malware. Hence, knowledge of such address blocks can assist network operators and security analysts of a campus or enterprise network in focusing additional scrutiny on suspicious activities in these blocks, detecting and preventing attacks from inside (compromised) hosts. For the purpose of profiling the activities and behavior of hosts within a network [6, 7], knowledge of dynamic and static addresses is also important in building behavior models and associating them with the appropriate hosts for anomaly detection and behavior tracking.
Information regarding whether an IP address is dynamic or not may not be readily available, even for addresses within one’s own network. This is particularly true for large networks with decentralized management, where large blocks of addresses are allocated and delegated to sub-organizations which control and manage how these addresses are assigned and utilized. While it is possible to infer whether an IP address is dynamic or static from its DNS name, such an approach may not always be feasible or accurate, for a variety of reasons. Not all IP addresses have DNS names assigned or registered. Furthermore, from the DNS name alone it may not be completely clear whether an IP address is dynamic or static. In addition, DNS records are not always kept up to date. Hence, alternative methods for accurately classifying IP addresses, in particular for identifying dynamic IP addresses, are needed.
In this paper, we investigate the feasibility of classifying IP addresses based on “usage patterns” or “traffic activities” on a large campus network. More specifically, we consider the following problem setting. Suppose that at a certain vantage point (e.g., a border router of a campus network), we can passively observe, and if necessary inject active probes into, traffic coming into or going out of a particular address block (of an appropriate size, say, /24 or /28). Is it possible to infer and classify the said address block as dynamic or static based solely on such observations? Here, in accordance with common practice, we assume that the addresses within the whole contiguous block, typically of size 2^k for some (relatively) small k, e.g., k = 3, 4, ..., 8, are all assigned as dynamic (i.e., allocated to hosts via DHCP with a limited lease time) or all as static (i.e., allocated to hosts “permanently”). To answer this question, we extract and analyze the traffic activities of dynamic and static address blocks of a large campus network with a diversified user population and usage patterns, utilizing month-long NetFlow data collected at the campus border router.
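To make the problem setting concrete, the following is an added Python example, not code from the paper: it takes border-router flow records, groups inside addresses into aligned 2^k blocks, and measures, per block, how much the set of addresses active on one day overlaps with the next. The overlap ("persistence") feature, the 0.5 decision threshold, the assumed campus prefix 192.0.2.0/24 and the flow records in constructed_flows() are all this example's own assumptions; the scanning-based characteristics the paper proposes are not reproduced in this excerpt.

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Assumed campus prefix (documentation range); anything outside it is an "outside" peer.
INSIDE = ipaddress.ip_network("192.0.2.0/24")


def block_of(ip, k):
    """Aligned 2^k-address block containing ip, as a string (k=4 -> /28, k=8 -> /24)."""
    return str(ipaddress.ip_network(f"{ip}/{32 - k}", strict=False))


def active_sets(flows, k):
    """Per block and per day, the inside addresses that sent at least one outbound flow.

    flows is an iterable of (day, src_ip, dst_ip) as seen at the border. An inbound
    probe that gets no reply never appears as a source, so it does not count.
    """
    active = defaultdict(lambda: defaultdict(set))
    for day, src, dst in flows:
        if ipaddress.ip_address(src) in INSIDE and ipaddress.ip_address(dst) not in INSIDE:
            active[block_of(src, k)][day].add(src)
    return active


def jaccard(a, b):
    """Overlap of two address sets; two empty sets count as fully overlapping."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def block_features(flows, k=4):
    """Per block: mean overlap of consecutive days' active sets, mean occupancy, days seen."""
    feats = {}
    for blk, by_day in active_sets(flows, k).items():
        days = sorted(by_day)
        overlaps = [jaccard(by_day[d1], by_day[d2]) for d1, d2 in zip(days, days[1:])]
        feats[blk] = {
            "persistence": round(mean(overlaps), 3) if overlaps else 1.0,
            "occupancy": round(mean(len(by_day[d]) / 2 ** k for d in days), 3),
            "days": len(days),
        }
    return feats


def label_block(feat, persistence_threshold=0.5):
    """Illustrative rule (assumed, not the paper's): churning active addresses suggest a lease pool."""
    return "Dynamic" if feat["persistence"] < persistence_threshold else "Static"


def constructed_flows():
    """Five days of constructed border flows (day, src, dst); not real NetFlow data."""
    flows = []
    for day in range(1, 6):
        # Static block 192.0.2.16/28: the same four servers talk to an outside peer every day.
        for h in (16, 17, 18, 19):
            flows.append((day, f"192.0.2.{h}", "198.51.100.7"))
        # Dynamic block 192.0.2.0/28: four lease holders per day, rotating through the pool.
        for i in range(4):
            flows.append((day, f"192.0.2.{(3 * day + i) % 16}", "198.51.100.8"))
        # Outside scanner probing 192.0.2.32/28; nothing answers, so no activity is recorded.
        flows.append((day, "203.0.113.9", "192.0.2.40"))
    return flows


if __name__ == "__main__":
    for blk, feat in sorted(block_features(constructed_flows()).items()):
        print(blk, feat, label_block(feat))
```

With the constructed input, the server block keeps the same four active addresses every day (persistence 1.0), while the lease pool shares only one address between consecutive days (about 0.14), and the block that is merely probed from outside never appears, since only traffic leaving the network counts as activity. A classifier working from real data would need a longer window than five days and a threshold calibrated against blocks of known type.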
As the basis for our study, we first perform an exhaustive DNS look-up to extract the registered DNS name, if available, of each IP address of a class B address block within the campus network. We develop a simple name-based heuristic to classify individual IP addresses into four groups: Dynamic and Static, as well as NoName, which contains IP addresses with no registered DNS names, and Undecided, which contains those IP addresses we cannot classify with high confidence as static or dynamic based on their
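One way to implement the name-based labelling described in this paragraph and roll it up to the block level, as an added Python example rather than the paper's own heuristic (the excerpt does not give its rules): the substrings treated as dynamic hints, the treatment of address-templated names as Undecided, the majority vote with a 50% voting-fraction threshold, and the reverse-DNS records in SAMPLE_PTRS are all assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# The four per-address groups used in the paper.
DYNAMIC, STATIC, NONAME, UNDECIDED = "Dynamic", "Static", "NoName", "Undecided"

# Assumed name patterns; the paper's actual heuristic is not reproduced on this page.
DYNAMIC_HINTS = re.compile(
    r"(^|[.-])(dhcp|dyn|dynamic|pool|ppp|wireless|wlan)([.-]|\d|$)", re.IGNORECASE)
# Names that merely spell out the address (host-192-0-2-77.example.edu) carry no hint.
ADDRESS_TEMPLATE = re.compile(
    r"^(host|ip)?[-.]?\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}", re.IGNORECASE)


def classify_name(ptr):
    """Map one reverse-DNS name (None if the address has no PTR) to a group."""
    if not ptr:
        return NONAME
    if DYNAMIC_HINTS.search(ptr):
        return DYNAMIC
    if ADDRESS_TEMPLATE.match(ptr):
        return UNDECIDED
    return STATIC  # descriptive, non-templated host name such as mail.cs.example.edu


def block_of(ip, k):
    """Aligned 2^k-address block containing ip, as a string (k=4 -> /28, k=8 -> /24)."""
    return str(ipaddress.ip_network(f"{ip}/{32 - k}", strict=False))


def classify_blocks(ptr_records, k=4, min_decided=0.5):
    """Aggregate per-address labels into one label per 2^k block.

    ptr_records maps every looked-up address to its PTR name or None.
    Dynamic and Static addresses vote; NoName and Undecided abstain. A block
    with no votes is NoName (if nothing in it is named) or Undecided; a block
    whose voting fraction is below min_decided is Undecided. Thresholds are assumed.
    """
    counts = {}
    for ip, ptr in ptr_records.items():
        counts.setdefault(block_of(ip, k), Counter())[classify_name(ptr)] += 1
    labels = {}
    for blk, c in counts.items():
        votes = c[DYNAMIC] + c[STATIC]
        if votes == 0:
            labels[blk] = NONAME if c[UNDECIDED] == 0 else UNDECIDED
        elif votes / sum(c.values()) < min_decided:
            labels[blk] = UNDECIDED
        else:
            labels[blk] = DYNAMIC if c[DYNAMIC] >= c[STATIC] else STATIC
    return labels


# Constructed reverse-DNS records (documentation prefix 192.0.2.0/24, not real data):
# a /28 DHCP pool, a /28 of servers with unnamed spare addresses, and an unnamed /28.
SAMPLE_PTRS = {}
for _i in range(16):
    SAMPLE_PTRS[f"192.0.2.{_i}"] = f"dhcp-192-0-2-{_i}.campus.example.edu"
for _i, _name in enumerate(["mail", "www", "ns1", "ns2", "vpn", "ldap", "git", "wiki"]):
    SAMPLE_PTRS[f"192.0.2.{16 + _i}"] = f"{_name}.cs.example.edu"
for _i in range(24, 32):
    SAMPLE_PTRS[f"192.0.2.{_i}"] = None
for _i in range(32, 48):
    SAMPLE_PTRS[f"192.0.2.{_i}"] = None

if __name__ == "__main__":
    for blk, label in sorted(classify_blocks(SAMPLE_PTRS, k=4).items()):
        print(blk, label)
```

The block-level vote matters because, as the text notes, not every address has a PTR record and many names are ambiguous: the server block above is only half named, yet the eight descriptive names are enough to label the whole /28 Static, while the wholly unnamed /28 stays NoName rather than being guessed. Any real deployment would have to tune the hint list to the naming conventions of the network being classified.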

Downloads: 4083.
Added on: Wednesday, 10 October 2018.
File size: 480.7 KB.


File type: PDF.