Detection of Malicious or Black IP Addresses Via Analysis of Daily Darknet Traffic
The world has recently begun to recognize the significance and dangerous impact of network vulnerabilities in their many forms. Cybercriminals exploit these vulnerabilities to phish sensitive and private information from the machines of vulnerable web users, and researchers have accordingly begun to study in depth how countermeasures against them can be built. A recently published paper proposed using the darknet (an unused but routable address block that receives no legitimate traffic, so every packet arriving there is unsolicited) to detect black IP addresses, that is, IP addresses used by attackers to spread spam and malware. The researchers monitored a darknet of 8,192 IP addresses and the traffic arriving at it for a period of one month. In this article we look at the method proposed by the authors of the paper and how it can help minimize the threats affecting vulnerable networks.
The Proposed Process for Detection of Black IPs:
Before digging into the proposed process, we need to understand the kinds of darknet packets that were collected during the experiment. They fall into three groups: real attack packets, scanning packets and misconfiguration packets. Scanning packets are the reconnaissance that precedes a real attack. Misconfiguration packets arise from errors in data management that occur during ordinary communication in a network.
A darknet record is made up of many fields, including source IP address and port, destination IP address and port, payload and event time. The method proposed by the authors of the paper focuses on the source IP addresses of the collected darknet packets: for each day, the researchers selected the top 10 source IP addresses by number of packets sent into the darknet. The more inbound packets can be linked to a single source IP address, the more likely that address is engaged in malicious activity, since no legitimate traffic should reach the darknet at all. The figure below illustrates the proposed process for detection of black IP addresses, which depends on a service named “VirusTotal”.
VirusTotal aggregates the verdicts of many antivirus engines and URL scanners, so a single query returns verification results from almost every major antivirus solution. The top 10 source IP addresses of each day are submitted to VirusTotal to determine whether they are malicious or safe. The next step compares the date on which the darknet first observed a source IP address with the date on which VirusTotal first reported it as malicious. If the darknet observation predates the VirusTotal detection, the darknet identified the malicious IP address early, before the antivirus community did. The figure below summarizes the main idea of the black IP detection process.
Results of the Experiment:
The experiment collected the darknet traffic arriving at 8,192 destination IP addresses (the size of a /19 block) during August 2016. This yielded 277,002,257 darknet packets from 8,392,962 source IP addresses. The figure below shows the overall number of malicious IP addresses compared with the number of monthly duplicate IP addresses.
Over the month the experiment recorded 142 daily duplicate IP addresses and 34 monthly duplicate IP addresses. The results therefore depend on the length of the monitoring period and on the number of source IP addresses examined.
VirusTotal flagged IP addresses as malicious on the basis of the latest URLs observed on them, the latest files downloaded from them, the latest files that communicated with them, and similar indicators. Daily duplicate IP addresses made up 72.17% of all daily IP addresses, and monthly duplicate IP addresses made up 52.94% of all monthly IP addresses.
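The process described in the previous section (daily top-N source IPs, then comparison against VirusTotal) and the duplicate statistics reported above, as an added worked example in Python that is not the paper's code. The packet records, the TOP_N of 3 (the paper uses 10), the VirusTotal first-detection dates and the definitions of "daily" and "monthly" duplicate are all constructed assumptions; a real deployment would read captures from the darknet sensor and query VirusTotal's IP-address report with an API key instead of the lookup table used here.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

TOP_N = 3  # the paper uses the top 10 per day; 3 keeps the constructed sample small

# Constructed sample, not data from the paper: five days of a darknet sensor.
# Each row is packets-per-day for one source IP. 203.0.113.7 and
# 198.51.100.42 are persistent scanners; the others are one-day bursts or
# low-volume background noise that should never reach the top-N.
DAYS = [date(2016, 8, 1) + timedelta(days=i) for i in range(5)]
_CONSTRUCTED_COUNTS = {
    "203.0.113.7":   [900, 870, 910, 880, 950],
    "198.51.100.42": [400, 420, 380, 410, 430],
    "192.0.2.99":    [300, 0, 0, 0, 0],
    "192.0.2.100":   [0, 250, 0, 0, 0],
    "203.0.113.200": [0, 0, 350, 0, 0],
    "198.51.100.9":  [0, 0, 0, 200, 0],
    "192.0.2.5":     [0, 0, 0, 0, 180],
    "203.0.113.44":  [5, 4, 6, 3, 7],
}
_PORTS = [22, 23, 445, 3389, 8080]


def build_sample_packets():
    """Expand the per-day counts into (event_date, src_ip, dst_port) records,
    the fields of a darknet capture that matter for this analysis."""
    packets = []
    for src, per_day in _CONSTRUCTED_COUNTS.items():
        for day, n in zip(DAYS, per_day):
            packets.extend((day, src, _PORTS[i % len(_PORTS)]) for i in range(n))
    return packets


def daily_top_sources(packets, top_n=TOP_N):
    """Step 1 of the process: per day, rank source IPs by inbound darknet
    packets and keep the top_n. Ties are broken by IP string for determinism."""
    per_day = defaultdict(Counter)
    for day, src, _port in packets:
        per_day[day][src] += 1
    return {
        day: [ip for ip, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]]
        for day, counts in sorted(per_day.items())
    }


def duplicate_stats(daily_top):
    """Recurrence statistics. Interpretation (an assumption; the paper does not
    define the terms): a daily duplicate is a top-N slot whose IP was already in
    an earlier day's top-N; a monthly duplicate is a distinct IP that made the
    top-N on at least two days."""
    seen_days = Counter()
    daily_dups = 0
    total_slots = 0
    for day in sorted(daily_top):
        for ip in daily_top[day]:
            total_slots += 1
            if seen_days[ip]:
                daily_dups += 1
            seen_days[ip] += 1
    monthly_dups = sum(1 for c in seen_days.values() if c >= 2)
    return {
        "daily_duplicates": daily_dups,
        "daily_duplicate_pct": round(100.0 * daily_dups / total_slots, 2),
        "monthly_duplicates": monthly_dups,
        "monthly_duplicate_pct": round(100.0 * monthly_dups / len(seen_days), 2),
    }


# Constructed stand-in for VirusTotal: ip -> date VirusTotal first reported it
# malicious, or None when it has no detections. A real deployment would fetch
# the IP-address report for each top-N IP with an API key instead.
CONSTRUCTED_VT_FIRST_FLAGGED = {
    "203.0.113.7":   date(2016, 8, 4),   # darknet ranked it 3 days before VirusTotal flagged it
    "198.51.100.42": date(2016, 7, 20),  # already known before the capture window
    "203.0.113.200": date(2016, 8, 3),   # flagged the same day it peaked
    "192.0.2.99":    None,
    "192.0.2.100":   None,
    "198.51.100.9":  None,
    "192.0.2.5":     None,
}


def early_detection(daily_top, vt_first_flagged):
    """Steps 2-3: for each top-N IP, compare the day the darknet first ranked
    it against the day VirusTotal first flagged it. lead_days > 0 means the
    darknet surfaced the address before VirusTotal did."""
    first_seen = {}
    for day in sorted(daily_top):
        for ip in daily_top[day]:
            first_seen.setdefault(ip, day)
    report = {}
    for ip, seen in first_seen.items():
        flagged = vt_first_flagged.get(ip)
        lead = (flagged - seen).days if flagged else None
        report[ip] = {
            "darknet_first_seen": seen,
            "vt_first_flagged": flagged,
            "lead_days": lead,
            "early": lead is not None and lead > 0,
        }
    return report


if __name__ == "__main__":
    top = daily_top_sources(build_sample_packets())
    for day, ips in top.items():
        print(day, ips)
    print(duplicate_stats(top))
    for ip, row in early_detection(top, CONSTRUCTED_VT_FIRST_FLAGGED).items():
        print(ip, row)
```

On the constructed sample the two persistent scanners occupy two of the three slots every day, so 8 of 15 daily slots are duplicates and 2 of 7 distinct top-N addresses recur within the window; 203.0.113.7 is the one address the darknet surfaces before VirusTotal, with a lead of three days. Note that a negative lead (198.51.100.42) means VirusTotal already knew the address, and a missing VirusTotal verdict is not evidence that a heavy darknet talker is benign.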
The paper presents a practical analysis and classification based on darknet data, even though darknet packets are a difficult source to analyze. The proposed process relies on the top source IP addresses by traffic volume to detect black, or malicious, IP addresses. The experiment indicated that a longer analysis period yields more accurate results, so the researchers recommended repeating it over longer windows (a week, a month, and so on) to improve the efficiency and accuracy of the results and to support the construction of more advanced security controls.