A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists
This paper focuses on reporting of Internet malicious activity (or mal-activity in short) by public blacklists with the objective of providing a systematic characterization of what has been reported over the years, and more importantly, the evolution of reported activities. Using an initial seed of...
Gespeichert in:
| Veröffentlicht in: | arXiv.org 2019-04 |
|---|---|
| Hauptverfasser: | , , , , , |
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | arXiv.org |
| container_volume | |
| creator | Benjamin Zi Hao Zhao Ikram, Muhammad Hassan Jameel Asghar Mohamed Ali Kaafar Chaabane, Abdelberi Thilakarathna, Kanchana |
| description | This paper focuses on reporting of Internet malicious activity (or mal-activity in short) by public blacklists with the objective of providing a systematic characterization of what has been reported over the years, and more importantly, the evolution of reported activities. Using an initial seed of 22 blacklists, covering the period from January 2007 to June 2017, we collect more than 51 million mal-activity reports involving 662K unique IP addresses worldwide. Leveraging the Wayback Machine, antivirus (AV) tool reports and several additional public datasets (e.g., BGP Route Views and Internet registries) we enrich the data with historical meta-information including geo-locations (countries), autonomous system (AS) numbers and types of mal-activity. Furthermore, we use the initially labelled dataset of approx 1.57 million mal-activities (obtained from public blacklists) to train a machine learning classifier to classify the remaining unlabeled dataset of approx 44 million mal-activities obtained through additional sources. We make our unique collected dataset (and scripts used) publicly available for further research. The main contributions of the paper are a novel means of report collection, with a machine learning approach to classify reported activities, characterization of the dataset and, most importantly, temporal analysis of mal-activity reporting behavior. Inspired by P2P behavior modeling, our analysis shows that some classes of mal-activities (e.g., phishing) and a small number of mal-activity sources are persistent, suggesting that either blacklist-based prevention systems are ineffective or have unreasonably long update periods. Our analysis also indicates that resources can be better utilized by focusing on heavy mal-activity contributors, which constitute the bulk of mal-activities. |
| format | Article |
| fullrecord | <record><control><sourceid>proquest</sourceid><recordid>TN_cdi_proquest_journals_2214607948</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2214607948</sourcerecordid><originalsourceid>FETCH-proquest_journals_22146079483</originalsourceid><addsrcrecordid>eNqNjMsKwjAURIMgWLT_EHBdSJO-dFdf6MKNuC-h3kpqSGpuKvTvtSCuXQ3DzDkTEnAh4qhIOJ-RELFljPEs52kqAtKUdAe1vAG1DT1LHZW1Vy_lB3qBzjqvzH1Ny0_xzmIH4wi0NFIPqHBkTsaDM-BHWNXK9kh_io2W9UMr9Lgg00ZqhPCbc7I87K_bY9Q5--wBfdXa3n20WHEeJxnLV0kh_nu9AT0VRqY</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2214607948</pqid></control><display><type>article</type><title>A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists</title><source>Free E- Journals</source><creator>Benjamin Zi Hao Zhao ; Ikram, Muhammad ; Hassan Jameel Asghar ; Mohamed Ali Kaafar ; Chaabane, Abdelberi ; Thilakarathna, Kanchana</creator><creatorcontrib>Benjamin Zi Hao Zhao ; Ikram, Muhammad ; Hassan Jameel Asghar ; Mohamed Ali Kaafar ; Chaabane, Abdelberi ; Thilakarathna, Kanchana</creatorcontrib><description>This paper focuses on reporting of Internet malicious activity (or mal-activity in short) by public blacklists with the objective of providing a systematic characterization of what has been reported over the years, and more importantly, the evolution of reported activities. Using an initial seed of 22 blacklists, covering the period from January 2007 to June 2017, we collect more than 51 million mal-activity reports involving 662K unique IP addresses worldwide. Leveraging the Wayback Machine, antivirus (AV) tool reports and several additional public datasets (e.g., BGP Route Views and Internet registries) we enrich the data with historical meta-information including geo-locations (countries), autonomous system (AS) numbers and types of mal-activity. Furthermore, we use the initially labelled dataset of approx 1.57 million mal-activities (obtained from public blacklists) to train a machine learning classifier to classify the remaining unlabeled dataset of approx 44 million mal-activities obtained through additional sources. We make our unique collected dataset (and scripts used) publicly available for further research. The main contributions of the paper are a novel means of report collection, with a machine learning approach to classify reported activities, characterization of the dataset and, most importantly, temporal analysis of mal-activity reporting behavior. Inspired by P2P behavior modeling, our analysis shows that some classes of mal-activities (e.g., phishing) and a small number of mal-activity sources are persistent, suggesting that either blacklist-based prevention systems are ineffective or have unreasonably long update periods. Our analysis also indicates that resources can be better utilized by focusing on heavy mal-activity contributors, which constitute the bulk of mal-activities.</description><identifier>EISSN: 2331-8422</identifier><language>eng</language><publisher>Ithaca: Cornell University Library, arXiv.org</publisher><subject>Artificial intelligence ; Blacklisting ; Classification ; Datasets ; Internet ; IP (Internet Protocol) ; Machine learning ; Phishing</subject><ispartof>arXiv.org, 2019-04</ispartof><rights>2019. This work is published under http://creativecommons.org/publicdomain/zero/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>776,780</link.rule.ids></links><search><creatorcontrib>Benjamin Zi Hao Zhao</creatorcontrib><creatorcontrib>Ikram, Muhammad</creatorcontrib><creatorcontrib>Hassan Jameel Asghar</creatorcontrib><creatorcontrib>Mohamed Ali Kaafar</creatorcontrib><creatorcontrib>Chaabane, Abdelberi</creatorcontrib><creatorcontrib>Thilakarathna, Kanchana</creatorcontrib><title>A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists</title><title>arXiv.org</title><description>This paper focuses on reporting of Internet malicious activity (or mal-activity in short) by public blacklists with the objective of providing a systematic characterization of what has been reported over the years, and more importantly, the evolution of reported activities. Using an initial seed of 22 blacklists, covering the period from January 2007 to June 2017, we collect more than 51 million mal-activity reports involving 662K unique IP addresses worldwide. Leveraging the Wayback Machine, antivirus (AV) tool reports and several additional public datasets (e.g., BGP Route Views and Internet registries) we enrich the data with historical meta-information including geo-locations (countries), autonomous system (AS) numbers and types of mal-activity. Furthermore, we use the initially labelled dataset of approx 1.57 million mal-activities (obtained from public blacklists) to train a machine learning classifier to classify the remaining unlabeled dataset of approx 44 million mal-activities obtained through additional sources. We make our unique collected dataset (and scripts used) publicly available for further research. The main contributions of the paper are a novel means of report collection, with a machine learning approach to classify reported activities, characterization of the dataset and, most importantly, temporal analysis of mal-activity reporting behavior. Inspired by P2P behavior modeling, our analysis shows that some classes of mal-activities (e.g., phishing) and a small number of mal-activity sources are persistent, suggesting that either blacklist-based prevention systems are ineffective or have unreasonably long update periods. Our analysis also indicates that resources can be better utilized by focusing on heavy mal-activity contributors, which constitute the bulk of mal-activities.</description><subject>Artificial intelligence</subject><subject>Blacklisting</subject><subject>Classification</subject><subject>Datasets</subject><subject>Internet</subject><subject>IP (Internet Protocol)</subject><subject>Machine learning</subject><subject>Phishing</subject><issn>2331-8422</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2019</creationdate><recordtype>article</recordtype><sourceid>BENPR</sourceid><recordid>eNqNjMsKwjAURIMgWLT_EHBdSJO-dFdf6MKNuC-h3kpqSGpuKvTvtSCuXQ3DzDkTEnAh4qhIOJ-RELFljPEs52kqAtKUdAe1vAG1DT1LHZW1Vy_lB3qBzjqvzH1Ny0_xzmIH4wi0NFIPqHBkTsaDM-BHWNXK9kh_io2W9UMr9Lgg00ZqhPCbc7I87K_bY9Q5--wBfdXa3n20WHEeJxnLV0kh_nu9AT0VRqY</recordid><startdate>20190424</startdate><enddate>20190424</enddate><creator>Benjamin Zi Hao Zhao</creator><creator>Ikram, Muhammad</creator><creator>Hassan Jameel Asghar</creator><creator>Mohamed Ali Kaafar</creator><creator>Chaabane, Abdelberi</creator><creator>Thilakarathna, Kanchana</creator><general>Cornell University Library, arXiv.org</general><scope>8FE</scope><scope>8FG</scope><scope>ABJCF</scope><scope>ABUWG</scope><scope>AFKRA</scope><scope>AZQEC</scope><scope>BENPR</scope><scope>BGLVJ</scope><scope>CCPQU</scope><scope>DWQXO</scope><scope>HCIFZ</scope><scope>L6V</scope><scope>M7S</scope><scope>PIMPY</scope><scope>PQEST</scope><scope>PQQKQ</scope><scope>PQUKI</scope><scope>PRINS</scope><scope>PTHSS</scope></search><sort><creationdate>20190424</creationdate><title>A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists</title><author>Benjamin Zi Hao Zhao ; Ikram, Muhammad ; Hassan Jameel Asghar ; Mohamed Ali Kaafar ; Chaabane, Abdelberi ; Thilakarathna, Kanchana</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-proquest_journals_22146079483</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2019</creationdate><topic>Artificial intelligence</topic><topic>Blacklisting</topic><topic>Classification</topic><topic>Datasets</topic><topic>Internet</topic><topic>IP (Internet Protocol)</topic><topic>Machine learning</topic><topic>Phishing</topic><toplevel>online_resources</toplevel><creatorcontrib>Benjamin Zi Hao Zhao</creatorcontrib><creatorcontrib>Ikram, Muhammad</creatorcontrib><creatorcontrib>Hassan Jameel Asghar</creatorcontrib><creatorcontrib>Mohamed Ali Kaafar</creatorcontrib><creatorcontrib>Chaabane, Abdelberi</creatorcontrib><creatorcontrib>Thilakarathna, Kanchana</creatorcontrib><collection>ProQuest SciTech Collection</collection><collection>ProQuest Technology Collection</collection><collection>Materials Science & Engineering Collection</collection><collection>ProQuest Central (Alumni Edition)</collection><collection>ProQuest Central UK/Ireland</collection><collection>ProQuest Central Essentials</collection><collection>ProQuest Central</collection><collection>Technology Collection</collection><collection>ProQuest One Community College</collection><collection>ProQuest Central Korea</collection><collection>SciTech Premium Collection</collection><collection>ProQuest Engineering Collection</collection><collection>Engineering Database</collection><collection>Publicly Available Content Database</collection><collection>ProQuest One Academic Eastern Edition (DO NOT USE)</collection><collection>ProQuest One Academic</collection><collection>ProQuest One Academic UKI Edition</collection><collection>ProQuest Central China</collection><collection>Engineering Collection</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Benjamin Zi Hao Zhao</au><au>Ikram, Muhammad</au><au>Hassan Jameel Asghar</au><au>Mohamed Ali Kaafar</au><au>Chaabane, Abdelberi</au><au>Thilakarathna, Kanchana</au><format>book</format><genre>document</genre><ristype>GEN</ristype><atitle>A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists</atitle><jtitle>arXiv.org</jtitle><date>2019-04-24</date><risdate>2019</risdate><eissn>2331-8422</eissn><abstract>This paper focuses on reporting of Internet malicious activity (or mal-activity in short) by public blacklists with the objective of providing a systematic characterization of what has been reported over the years, and more importantly, the evolution of reported activities. Using an initial seed of 22 blacklists, covering the period from January 2007 to June 2017, we collect more than 51 million mal-activity reports involving 662K unique IP addresses worldwide. Leveraging the Wayback Machine, antivirus (AV) tool reports and several additional public datasets (e.g., BGP Route Views and Internet registries) we enrich the data with historical meta-information including geo-locations (countries), autonomous system (AS) numbers and types of mal-activity. Furthermore, we use the initially labelled dataset of approx 1.57 million mal-activities (obtained from public blacklists) to train a machine learning classifier to classify the remaining unlabeled dataset of approx 44 million mal-activities obtained through additional sources. We make our unique collected dataset (and scripts used) publicly available for further research. The main contributions of the paper are a novel means of report collection, with a machine learning approach to classify reported activities, characterization of the dataset and, most importantly, temporal analysis of mal-activity reporting behavior. Inspired by P2P behavior modeling, our analysis shows that some classes of mal-activities (e.g., phishing) and a small number of mal-activity sources are persistent, suggesting that either blacklist-based prevention systems are ineffective or have unreasonably long update periods. Our analysis also indicates that resources can be better utilized by focusing on heavy mal-activity contributors, which constitute the bulk of mal-activities.</abstract><cop>Ithaca</cop><pub>Cornell University Library, arXiv.org</pub><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext |
| identifier | EISSN: 2331-8422 |
| ispartof | arXiv.org, 2019-04 |
| issn | 2331-8422 |
| language | eng |
| recordid | cdi_proquest_journals_2214607948 |
| source | Free E- Journals |
| subjects | Artificial intelligence Blacklisting Classification Datasets Internet IP (Internet Protocol) Machine learning Phishing |
| title | A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-27T17%3A04%3A26IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=A%20Decade%20of%20Mal-Activity%20Reporting:%20A%20Retrospective%20Analysis%20of%20Internet%20Malicious%20Activity%20Blacklists&rft.jtitle=arXiv.org&rft.au=Benjamin%20Zi%20Hao%20Zhao&rft.date=2019-04-24&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2214607948%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2214607948&rft_id=info:pmid/&rfr_iscdi=true |