Predicting Zero-Day Malicious IP Addresses
| Field | Value |
| --- | --- |
| Title | Predicting Zero-Day Malicious IP Addresses |
| Publication Type | Conference Paper |
| Year of Publication | 2017 |
| Authors | Niakanlahiji, Amirreza; Pritom, Mir Mehedi; Chu, Bei-Tseng; Al-Shaer, Ehab |
| Conference Name | Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-5203-1 |
| Keywords | composability, defense, malicious ip prediction, Metrics, pubcrawl, Resiliency, Sandboxing, Zero day attacks, zero day malware prediction |
| Abstract | Blacklisting IP addresses is an important part of enterprise security today. Malware infections and Advanced Persistent Threats can be detected when blacklisted IP addresses are contacted. Blacklists can also thwart phishing attacks by blocking suspicious websites. A modern firewall may execute an unknown binary file in a sandbox and block it if it attempts to contact a blacklisted IP address. However, today's IP blacklist providers base their lists on observed malicious activities, collected from multiple sources around the world. Attackers can evade such reactive IP blacklist defenses by using IP addresses that have not recently been engaged in malicious activities. In this paper, we report an approach that can predict IP addresses that are likely to be used in malicious activities in the near future. Our evaluation shows that this approach can detect 88% of zero-day malware instances missed by the top five antivirus products. It can also block 68% of phishing websites before they are reported by PhishTank. |
| URL | https://dl.acm.org/citation.cfm?doid=3140368.3140369 |
| DOI | 10.1145/3140368.3140369 |
| Citation Key | niakanlahiji_predicting_2017 |