14 May 2015 ASN reputation system model
Network security monitoring is currently challenged by its reliance on human analysts and the inability of tools to generate indications and warnings for previously unknown attacks. We propose a reputation system based on IP address set membership within the Autonomous System Number (ASN) system. Essentially, a metric generated from the historic behavior, or misbehavior, of nodes within a given ASN can be used to predict future behavior and provide a mechanism to locate network activity requiring inspection. This will reinforce notifications and warnings and lead to inspection for ASNs known to be problematic, even if initial inspection leads to interpretation of the event as innocuous. We developed proof-of-concept capabilities to generate the IP address to ASN set membership and analyze the impact of the results. These results clearly show that while some ASNs are one-offs with individual or small numbers of misbehaving IP addresses, there are definitive ASNs with a history of long-term and widespread misbehaving IP addresses. These ASNs with long histories are what we are especially interested in; they will provide an additional correlation metric for the human analyst and lead to new tools to aid remediation of these IP address blocks.
© (2015) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Steve Hutchinson, Robert F. Erbacher, "ASN reputation system model", Proc. SPIE 9458, Cyber Sensing 2015, 94580A (14 May 2015); doi: 10.1117/12.2177464; https://doi.org/10.1117/12.2177464
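
The abstract's idea of grouping misbehaving IP addresses by ASN and separating one-off ASNs from those with a long, widespread history can be sketched as follows. This is an added example, not the authors' proof of concept: the prefix table, observations, the `ips`/`days`/`span_days` counters and the classification thresholds are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed prefix-to-ASN table (documentation prefixes and documentation ASNs).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,  # more-specific prefix inside the /24 above
}

# Constructed observations: (day an IP was flagged as misbehaving, source IP).
OBSERVATIONS = [
    (date(2015, 1, 5), "192.0.2.10"),
    (date(2015, 1, 20), "192.0.2.11"),
    (date(2015, 2, 14), "192.0.2.12"),
    (date(2015, 3, 1), "192.0.2.10"),
    (date(2015, 2, 2), "198.51.100.7"),
    (date(2015, 2, 2), "198.51.100.200"),
    (date(2015, 2, 3), "10.1.2.3"),  # no covering prefix, so it is skipped
]

def ip_to_asn(ip, table=PREFIX_TO_ASN):
    """Return the ASN of the longest matching prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def asn_history(observations):
    """Per ASN: distinct misbehaving IPs, distinct days, first-to-last span in days."""
    ips, days = defaultdict(set), defaultdict(set)
    for day, ip in observations:
        asn = ip_to_asn(ip)
        if asn is not None:
            ips[asn].add(ip)
            days[asn].add(day)
    return {asn: {"ips": len(ips[asn]), "days": len(days[asn]),
                  "span_days": (max(days[asn]) - min(days[asn])).days}
            for asn in ips}

def classify(history, min_ips=3, min_days=3):
    """Assumed thresholds: many IPs over many days marks a persistent ASN."""
    return {asn: "persistent" if h["ips"] >= min_ips and h["days"] >= min_days
            else "one-off" for asn, h in history.items()}

if __name__ == "__main__":
    hist = asn_history(OBSERVATIONS)
    for asn, label in sorted(classify(hist).items()):
        print(asn, label, hist[asn])
```

An analyst-facing tool would use the resulting label as an extra correlation signal on alerts from that ASN rather than as a verdict on any single address.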