Predicting zero-day malicious IP addresses

Amirreza Niakanlahiji; Mir Mehedi Pritom; Bei Tseng Chu; Ehab Al-Shaer

doi:10.1145/3140368.3140369

Predicting zero-day malicious IP addresses

Amirreza Niakanlahiji
, Mir Mehedi Pritom
, Bei Tseng Chu
, Ehab Al-Shaer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

7 Scopus citations

Abstract

Blacklisting IP addresses is an important part of enterprise security today. Malware infections and Advanced Persistent Threats can be detected when blacklisted IP addresses are contacted. It can also thwart phishing attacks by blocking suspicious websites. An unknown binary file may be executed in a sandbox by a modern firewall. It is blocked if it attempts to contact a blacklisted IP address. However, today's providers of IP blacklists are based on observed malicious activities, collected from multiple sources around the world. Attackers can evade those reactive IP blacklist defense by using IP addresses that have not been recently engaged in malicious activities. In this paper, we report an approach that can predict IP addresses that are likely to be used in malicious activities in the near future. Our evaluation shows that this approach can detect 88% of zero-day malware instances missed by top five antivirus products. It can also block 68% of phishing websites before reported by Phishtank.

Original language	English
Title of host publication	SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017
Publisher	Association for Computing Machinery, Inc
Pages	1-6
Number of pages	6
ISBN (Electronic)	9781450352031
DOIs	https://doi.org/10.1145/3140368.3140369
State	Published - 3 Nov 2017
Externally published	Yes
Event	10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017 - Dallas, United States Duration: 3 Nov 2017 → …

Publication series

Name	SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017

Conference

Conference	10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017
Country/Territory	United States
City	Dallas
Period	3/11/17 → …

Bibliographical note

Publisher Copyright:
© 2017 Association for Computing Machinery.

Keywords

Malicious IP Prediction
Zero Day Malware Prediction

ASJC Scopus subject areas

Artificial Intelligence
Computational Theory and Mathematics
Computer Science Applications

Access to Document

10.1145/3140368.3140369

Cite this

Niakanlahiji, A., Pritom, M. M., Chu, B. T., & Al-Shaer, E. (2017). Predicting zero-day malicious IP addresses. In SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017 (pp. 1-6). (SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017). Association for Computing Machinery, Inc. https://doi.org/10.1145/3140368.3140369

Niakanlahiji, Amirreza ; Pritom, Mir Mehedi ; Chu, Bei Tseng et al. / Predicting zero-day malicious IP addresses. SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017. Association for Computing Machinery, Inc, 2017. pp. 1-6 (SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017).

@inproceedings{754c3f995f5e49b0a9d1721e0597e51a,

title = "Predicting zero-day malicious IP addresses",

abstract = "Blacklisting IP addresses is an important part of enterprise security today. Malware infections and Advanced Persistent Threats can be detected when blacklisted IP addresses are contacted. It can also thwart phishing attacks by blocking suspicious websites. An unknown binary file may be executed in a sandbox by a modern firewall. It is blocked if it attempts to contact a blacklisted IP address. However, today's providers of IP blacklists are based on observed malicious activities, collected from multiple sources around the world. Attackers can evade those reactive IP blacklist defense by using IP addresses that have not been recently engaged in malicious activities. In this paper, we report an approach that can predict IP addresses that are likely to be used in malicious activities in the near future. Our evaluation shows that this approach can detect 88\% of zero-day malware instances missed by top five antivirus products. It can also block 68\% of phishing websites before reported by Phishtank.",

keywords = "Malicious IP Prediction, Zero Day Malware Prediction",

author = "Amirreza Niakanlahiji and Pritom, \{Mir Mehedi\} and Chu, \{Bei Tseng\} and Ehab Al-Shaer",

note = "Publisher Copyright: {\textcopyright} 2017 Association for Computing Machinery.; 10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017 ; Conference date: 03-11-2017",

year = "2017",

month = nov,

day = "3",

doi = "10.1145/3140368.3140369",

language = "English",

series = "SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017",

publisher = "Association for Computing Machinery, Inc",

pages = "1--6",

booktitle = "SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017",

}

Niakanlahiji, A, Pritom, MM, Chu, BT & Al-Shaer, E 2017, Predicting zero-day malicious IP addresses. in SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017. SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017, Association for Computing Machinery, Inc, pp. 1-6, 10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017, Dallas, United States, 3/11/17. https://doi.org/10.1145/3140368.3140369

Predicting zero-day malicious IP addresses. / Niakanlahiji, Amirreza; Pritom, Mir Mehedi; Chu, Bei Tseng et al.
SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017. Association for Computing Machinery, Inc, 2017. p. 1-6 (SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Predicting zero-day malicious IP addresses

AU - Niakanlahiji, Amirreza

AU - Pritom, Mir Mehedi

AU - Chu, Bei Tseng

AU - Al-Shaer, Ehab

PY - 2017/11/3

Y1 - 2017/11/3

N2 - Blacklisting IP addresses is an important part of enterprise security today. Malware infections and Advanced Persistent Threats can be detected when blacklisted IP addresses are contacted. It can also thwart phishing attacks by blocking suspicious websites. An unknown binary file may be executed in a sandbox by a modern firewall. It is blocked if it attempts to contact a blacklisted IP address. However, today's providers of IP blacklists are based on observed malicious activities, collected from multiple sources around the world. Attackers can evade those reactive IP blacklist defense by using IP addresses that have not been recently engaged in malicious activities. In this paper, we report an approach that can predict IP addresses that are likely to be used in malicious activities in the near future. Our evaluation shows that this approach can detect 88% of zero-day malware instances missed by top five antivirus products. It can also block 68% of phishing websites before reported by Phishtank.

AB - Blacklisting IP addresses is an important part of enterprise security today. Malware infections and Advanced Persistent Threats can be detected when blacklisted IP addresses are contacted. It can also thwart phishing attacks by blocking suspicious websites. An unknown binary file may be executed in a sandbox by a modern firewall. It is blocked if it attempts to contact a blacklisted IP address. However, today's providers of IP blacklists are based on observed malicious activities, collected from multiple sources around the world. Attackers can evade those reactive IP blacklist defense by using IP addresses that have not been recently engaged in malicious activities. In this paper, we report an approach that can predict IP addresses that are likely to be used in malicious activities in the near future. Our evaluation shows that this approach can detect 88% of zero-day malware instances missed by top five antivirus products. It can also block 68% of phishing websites before reported by Phishtank.

KW - Malicious IP Prediction

KW - Zero Day Malware Prediction

UR - https://www.scopus.com/pages/publications/85037141364

U2 - 10.1145/3140368.3140369

DO - 10.1145/3140368.3140369

M3 - Conference contribution

AN - SCOPUS:85037141364

T3 - SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017

SP - 1

EP - 6

BT - SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017

PB - Association for Computing Machinery, Inc

T2 - 10th Workshop on Automated Decision Making for Active Cyber Defense, SafeConfig 2017

Y2 - 3 November 2017

ER -

Niakanlahiji A, Pritom MM, Chu BT, Al-Shaer E. Predicting zero-day malicious IP addresses. In SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017. Association for Computing Machinery, Inc. 2017. p. 1-6. (SafeConfig 2017 - Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense, co-located with CCS 2017). doi: 10.1145/3140368.3140369

Predicting zero-day malicious IP addresses

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this