Abstract image of a woman sitting on books and studying on a laptop

Malicious Topologies of IPv4

Bob Rudis, profile picture
Bob Rudis

The document discusses the use of internet-scale data science in cybersecurity, emphasizing the importance of improved security data and machine learning for effective threat detection. It covers the tools and methodologies being used, such as Rapid7's Sonar for internet-wide surveys and various data types like SSL certificates and IP address information. Additionally, it addresses the patterns of malicious activity in IPv4 hierarchies and presents strategies for enhancing security through better data practices.

Internet
1 of 42
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Malicious Topologies of IPv4 and Other Adventures in Internet-Scale Data Science Suchin Gururangan Bob Rudis
 Rapid7 Data Science
Quick Bios Suchin Gururangan @ssgrn suchin.co Data Scientist Bob Rudis @hrbrmstr rud.is [Master]Chief Data Scientist

 Delivering Security Data & Analytics 
 that revolutionize the practice of cyber security 37%
 Fortune 1000 5,100+
 Customers 800+
 Employees 99
 Countries Threat Exposure Management Incident Detection and Response Security Advisory Services Rapid7
R7 Data Science + Labs We have an incredible team of Red teamers Data Scientists Developers
WIRED IBM Watson Brings AI Wonders to Cybersecurity Why Machine Learning Is Our Last Hope for Cybersecurity Fortune Datanami MIT builds AI system that can detect 85% of cyberattacks Business Insider Machine learning is fueling a cyber arms race
Machine learning algorithms are only as good as the data they are trained on.
Location Identification Facial Recognition Object Recognition
ModelPixels
URLs SSL Certs Webshells malicious/benign? anomalous?
URLs SSL Certs Webshells Feature Engineering ? Model
Most security data is inconsistent short-lived adversarial biased lacking ground truth
Let's get better security data.
Data science is not just machine learning.
The place for security data science? Separate signal from noise Finding and visualizing trends Cluster hosts into groups filtering visualization organization
Internet-Scale
Internet-Scale is big
Internet-Scale is generalizable
Internet-Scale is structured
Malicious Topologies of IPv4
Malicious Topologies of IPv4
Malicious Topologies of IPv4
Malicious Topologies of IPv4
See trends and develop context for micro-scale attacks More data! Why Internet-Scale Data Science?
Internet-Scale Tools
Sonar Internet-wide surveys across entire public IPV4 and a wide variety of services and protocols. Started in Nov 2013 by HD Moore
Sonar Data 443/TCP SSL Certificates 80/TCP HTTP Get/IP vhosts Reverse DNS Forward DNS UDP Probes (uPnP, IPMI, NetBIOS, etc.) POP, IMAP, SMTP
443/TCP SSL Certs (weekly scans) ~25M SSL Certs, ~ 55GB in < 4 hours 80/TCP HTTP Get Requests (bi-weekly scans) Reverse DNS (bi-weekly scans) ~60-65M Web servers, ~1.7 TB in < 10 hours ~1.1B Records, ~50 GB < 24 hours What's out there?
Heisenberg Low-interaction, cloud-based RDP honeypots deployed across the world Over 334 days, recorded: 221203 different password attempts from 5076 distinct IP addresses across 119 different countries
Malicious Topologies of IPv4
Other data • BGP Archives • Blacklists: CleanMX, phishtank, malwaredomains
Malicious Topology of IPV4 • How to apply Internet-scale structure to phishing attacks? • How can this structure help us identify malicious areas of the Internet?
IPV4 Hierarchy IP Subnet AS 127.0.0.1 127.0.0/24 AS10
source: xkcd
Malicious Topologies of IPv4
Malicious Topologies of IPv4
Malicious Autonomous Systems
AS Fragmentation 20.1.0/23 20.1.0/2320.1.2/23 20.1.2/24 20.1.2/24 20.1.0/2420.1.0/24 Tree Depth Fragmentation = 1 - Tree Depth / # Nodes Subnet Tree
Malicious AS Topology Size 80-95th percentile in IPv4 Fragmentation 10-20% higher Malicious Topology Benign Topology - subnet Composition 50-60% XX-small subnets
Subnet Category ARIN Fee Subnet Prefix XX-Small $500.00 < /22 X-Small $1,000.00 /22 - /20 Small $2,000.00 /20 - /18 Medium $4,000.00 /18 - /16 Large $8,000.00 /16 - /14 X-Large $16,000.00 /14 - /12 XX-Large $32,000.00 > /12
• Very few ASes host a disproportionate amount of malicious activity • Smaller subnets and ASes are becoming more ubiquitous in IPv4 • Malicious ASes are likely large and deeply fragmented Recap
With Internet-Scale security data... • We develop more informed context and bounds on local malicious activity • We make effective security ML more of a future possibility
How can I get started? • sonar.labs.rapid7.com and scans.io • blacklists: CleanMX, Phishtank, Malwaredomains • BGP archives - routeviews project • Heisenberg data coming soon

More Related Content

PDF
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Josh Sokol
 
PDF
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
IBMGovernmentCA
 
PDF
CSF18 - Incident Response in the Cloud - Yuri Diogenes
NCCOMMS
 
PDF
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
NCCOMMS
 
PDF
CSF18 - Guarding Against the Unknown - Rafael Narezzi
NCCOMMS
 
PPTX
Base Metal Forensics
Napier University
 
PPTX
Futuristic data mining technologies for cyber security
Pankaj Choudhary
 
PDF
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
NCCOMMS
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Josh Sokol
 
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
IBMGovernmentCA
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
NCCOMMS
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
NCCOMMS
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
NCCOMMS
 
Base Metal Forensics
Napier University
 
Futuristic data mining technologies for cyber security
Pankaj Choudhary
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
NCCOMMS
 

What's hot (20)

PDF
JAKU Botnet Analysis
Napier University
 
PDF
Confusion and deception new tools for data protection
Priyanka Aash
 
PPTX
Past, Present & Future of Credentials Theft
Lavi Lazarovitz
 
PPTX
Presentation1
Abhishek Malhotra
 
PPTX
tatget attack
Imrana Yari
 
PDF
CSF18 - For Your Ears Only - Sasha Kranjac
NCCOMMS
 
PDF
Disrupt Hackers With Robust User Authentication
Intel IT Center
 
PPTX
GDPR: Protecting Your Data
Ulf Mattsson
 
PPTX
Cybersecurity is the Future of Computing
David Fry
 
PPTX
Don't Rely on Software Alone. Protect Endpoints with Hardware-Enhanced Security.
Intel IT Center
 
PPTX
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
PDF
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE - ATT&CKcon
 
PDF
End-To-End Asymmetric Encryption of Biomedical Data In-Transit and At-Rest
Ryan M Harrison
 
PDF
Enterprise security: ransomware in enterprise and corporate entities
Quick Heal Technologies Ltd.
 
PPTX
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
PPTX
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
PPTX
Insider theft detection
SumanthKommineni
 
PDF
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
Priyanka Aash
 
DOCX
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
PPTX
News Bytes - December 2015
n|u - The Open Security Community
 
JAKU Botnet Analysis
Napier University
 
Confusion and deception new tools for data protection
Priyanka Aash
 
Past, Present & Future of Credentials Theft
Lavi Lazarovitz
 
Presentation1
Abhishek Malhotra
 
tatget attack
Imrana Yari
 
CSF18 - For Your Ears Only - Sasha Kranjac
NCCOMMS
 
Disrupt Hackers With Robust User Authentication
Intel IT Center
 
GDPR: Protecting Your Data
Ulf Mattsson
 
Cybersecurity is the Future of Computing
David Fry
 
Don't Rely on Software Alone. Protect Endpoints with Hardware-Enhanced Security.
Intel IT Center
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE - ATT&CKcon
 
End-To-End Asymmetric Encryption of Biomedical Data In-Transit and At-Rest
Ryan M Harrison
 
Enterprise security: ransomware in enterprise and corporate entities
Quick Heal Technologies Ltd.
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
Insider theft detection
SumanthKommineni
 
(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon
Priyanka Aash
 
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
News Bytes - December 2015
n|u - The Open Security Community
 
Ad

Similar to Malicious Topologies of IPv4 (20)

PDF
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
Tiago Henriques
 
PDF
BSides Lisbon - Data science, machine learning and cybersecurity
Tiago Henriques
 
PDF
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Alex Pinto
 
PPTX
Hunting Botnets with Zmap
HeadlessZeke
 
PPTX
Hadoop / Spark on Malware Expression
MapR Technologies
 
PPTX
The Background Noise of the Internet
Andrew Morris
 
PPTX
Recon like a pro
Nirmalthapa24
 
PDF
Securerank ping-opendns
Ping Yan
 
PPTX
DNS Security, is it enough?
Zscaler
 
PDF
Big Data Approaches to Cloud Security
Paul Morse
 
PDF
Uncovering and Visualizing Malicious Infrastructure
Andrea Scarfo
 
PDF
CNIT 40: 4: Monitoring and detecting security breaches
Sam Bowne
 
PDF
Hitbkl 2012
F _
 
PDF
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
Deft Association
 
PDF
Reliability & Scale in AWS while letting you sleep through the night
Jos Boumans
 
PPTX
What's new in​ CEHv11?
EC-Council
 
PDF
OSINT for Attack and Defense
Andrew McNicol
 
PDF
The Internet - By the numbers, presented at npNOG 11
APNIC
 
PPTX
Blue Teaming on a Budget of Zero
Kyle Bubp
 
PDF
CERT Data Science in Cybersecurity Symposium
Bob Rudis
 
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
Tiago Henriques
 
BSides Lisbon - Data science, machine learning and cybersecurity
Tiago Henriques
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Alex Pinto
 
Hunting Botnets with Zmap
HeadlessZeke
 
Hadoop / Spark on Malware Expression
MapR Technologies
 
The Background Noise of the Internet
Andrew Morris
 
Recon like a pro
Nirmalthapa24
 
Securerank ping-opendns
Ping Yan
 
DNS Security, is it enough?
Zscaler
 
Big Data Approaches to Cloud Security
Paul Morse
 
Uncovering and Visualizing Malicious Infrastructure
Andrea Scarfo
 
CNIT 40: 4: Monitoring and detecting security breaches
Sam Bowne
 
Hitbkl 2012
F _
 
deftcon 2015 - Dave Piscitello - DNS Traffic Monitoring
Deft Association
 
Reliability & Scale in AWS while letting you sleep through the night
Jos Boumans
 
What's new in​ CEHv11?
EC-Council
 
OSINT for Attack and Defense
Andrew McNicol
 
The Internet - By the numbers, presented at npNOG 11
APNIC
 
Blue Teaming on a Budget of Zero
Kyle Bubp
 
CERT Data Science in Cybersecurity Symposium
Bob Rudis
 
Ad

Recently uploaded (20)

PDF
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
PDF
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 
PPTX
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
mwnorman1
 
PDF
Containerization lab dddddddddddddddmanual.pdf
muler161921
 
PPTX
Cyber Hygine IN organizations in MSME or
paramkiet
 
PPTX
The-Importance-of-School-Sanitation.pptx
shinjanmandal111
 
PDF
Top 8 Trusted Sources to Buy Verified Cash App Accounts.pdf
How To Buy Verified Cash App Accounts
 
PPTX
TITLE DEFENSE entitle the impact of social media on education
AgustoJerizMarfil
 
PDF
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
PDF
BIOCHEM CH2 OVERVIEW OF MICROBIOLOGY.pdf
tbasharababneh
 
PPTX
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
PPT
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 
PDF
Exploring The Internet Of Things(IOT).ppt
rakeshk19831911
 
PDF
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
PPTX
module 1-Part 1.pptxdddddddddddddddddddddddddddddddddddd
KevinSeelu
 
PPTX
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
Cashmir Pangandaman
 
PPTX
Top Website Bugs That Hurt User Experience – And How Expert Web Design Fixes
e-Definers Technology
 
PDF
si manuel quezon at mga nagawa sa bansang pilipinas
LizaDeVeraFloresLaya
 
PPTX
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
PPT
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
mwnorman1
 
Containerization lab dddddddddddddddmanual.pdf
muler161921
 
Cyber Hygine IN organizations in MSME or
paramkiet
 
The-Importance-of-School-Sanitation.pptx
shinjanmandal111
 
Top 8 Trusted Sources to Buy Verified Cash App Accounts.pdf
How To Buy Verified Cash App Accounts
 
TITLE DEFENSE entitle the impact of social media on education
AgustoJerizMarfil
 
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
BIOCHEM CH2 OVERVIEW OF MICROBIOLOGY.pdf
tbasharababneh
 
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 
Exploring The Internet Of Things(IOT).ppt
rakeshk19831911
 
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
module 1-Part 1.pptxdddddddddddddddddddddddddddddddddddd
KevinSeelu
 
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
Cashmir Pangandaman
 
Top Website Bugs That Hurt User Experience – And How Expert Web Design Fixes
e-Definers Technology
 
si manuel quezon at mga nagawa sa bansang pilipinas
LizaDeVeraFloresLaya
 
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 

Malicious Topologies of IPv4