Detecting malicious IP addresses is essential to defend against a range of malicious activities, including phishing attacks, cloud computing abuse, and fraudulent transactions. Doing so requires analyzing user event logs and deriving information about malicious hosts from them. This knowledge is also useful for remediation strategies.
What is IP reputation filtering?
Using user activity logs, the present specification describes techniques for deriving customized IP-address properties. These properties can be used to train a model that detects malicious IP addresses. The model can also be derived from features supplied by other systems, and its output fed back into the system to further analyze malicious events.
To identify users, the system examines the history of an individual's IP address and determines the number of days on which that IP address has been used. This allows the system to identify correlated groups of users, which are likely controlled by the same attacker.
If a group is suspicious, the system can take action on the entire group, for example by blocking all malicious activity from the dedicated malicious hosts. The system can also analyze users that log in together on the same IP, which increases confidence in the analysis.
If a large number of users share the same IP, it is harder to track an attacker and to know what activities are taking place on that IP.
For example, if a group of users attends a conference, each user is likely to perform a variety of actions. A typical user might post a single comment or several posts on a forum, while registration and login counts differ from user to user.
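The feature derivation described above, as an added example that is not part of the original specification: it parses a constructed activity log (the line format, the sample entries and the thresholds in `suspicious_groups` are assumptions) and computes per-IP features such as distinct active days, distinct users and registration/login counts, then flags IPs where a burst of users registered and logged in together.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log; hypothetical format: "<ISO timestamp> <user> <ip> <event>".
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice 203.0.113.10 login
2024-03-01T08:05:00 alice 203.0.113.10 post
2024-03-02T09:00:00 alice 203.0.113.10 login
2024-03-03T09:00:00 alice 203.0.113.10 login
2024-03-01T10:00:00 bob 198.51.100.7 register
2024-03-01T10:01:00 bob 198.51.100.7 login
2024-03-01T10:02:00 carol 198.51.100.7 register
2024-03-01T10:03:00 carol 198.51.100.7 login
2024-03-01T10:04:00 dave 198.51.100.7 register
2024-03-01T10:05:00 dave 198.51.100.7 login
"""


def parse_log(text):
    """Turn log lines into (timestamp, user, ip, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, event = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, event))
    return events


def ip_features(events):
    """Per-IP features: days the IP was active, users seen on it, event counts."""
    days, users = defaultdict(set), defaultdict(set)
    registrations, logins = defaultdict(int), defaultdict(int)
    for ts, user, ip, event in events:
        days[ip].add(ts.date())
        users[ip].add(user)
        if event == "register":
            registrations[ip] += 1
        elif event == "login":
            logins[ip] += 1
    return {ip: {"active_days": len(days[ip]), "distinct_users": len(users[ip]),
                 "users": users[ip], "registrations": registrations[ip],
                 "logins": logins[ip]} for ip in users}


def suspicious_groups(features, min_users=3, max_days=1):
    """Correlated user groups: many users on one IP within few days, each of them
    freshly registered. Thresholds are assumed values. Returns {ip: users}."""
    return {ip: f["users"] for ip, f in features.items()
            if f["distinct_users"] >= min_users and f["active_days"] <= max_days
            and f["registrations"] >= f["distinct_users"]}
```

The returned groups are what the text proposes acting on as a whole; the per-IP feature dictionaries are the inputs a model could be trained on.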