AIP Algorithm
Attacker IP Prioritizer of the Aposemat Project
The Goal
With the advent of 5G just around the corner, the need for security specifically for Internet of Things(IoT) devices is greater than ever. Many IoT devices are exposed directly to the internet currently, but when 5G arrives, this number is going to skyrocket. With this in mind, the team at the Aposemat IoT lab started the Attacker IP Prioritizer(AIP) project. This project is focused on developing an algorithm that outputs a resource-friendly IP blacklist, designed to be used to protect IoT devices. It updates every 24 hours using data collected from the honeypots in our IoT lab, and uses the collected traffic to assign scores to each IP. The IPs with the highest scores, meaning the IPs with the most malicious activity, are put on the blacklist. Thus we ensure that the malicious IPs targeting IoT are blacklisted, while also making sure that the list stays small, thus making it IoT friendly.
Our Published Blacklist
The Attacker IP Prioritization Blacklist, or AIP Blacklist, is the blacklist of IP addresses generated from the attacks made on the honeypots in our IoT lab using the AIP algorithm. This blacklist forgets inactive IPs, and is updated with new data every 24 hours. It is designed to be smaller and easier to process, making it especially fit for use in IoT devices that have small CPU’s and not much storage space. There are three blacklists currently in our public data sets. Each one looks at the same data in a slightly different way, therefore prioritizing certain IPs over others.
Image 1
AIP_historical_blacklist_prioritized_by_repeated_attackers: Shown in Image 1, this blacklist is designed to prioritize the consistent and aggressive IPs from the data we collect over time. The file highlighted above is today’s copy of this blacklist. We have a file that is updated every day with the data from the last 24 hours. We use the AIP algorithm software to rate the IPs in that file prioritizing the IPs that have been historically attacking out honeypots on a regular basis. In order for an IP to be blacklisted, it must achieve a score higher than a certain threshold, a threshold which we decided upon through data analysis.
Image 11
AIP_blacklist_for_IPs_seen_last_24_hours: Shown in image 11, this blacklist is designed to look at only the new IPs that are seen in the last 24 hours, and rate them according to how much traffic they produce. The file highlighted above is today’s copy of this blacklist.
Image 111
AIP_historical_blacklist_prioritized_by_newest_attackers: Shown in image 111, this blacklist is run on the same large data set that the first blacklist is run on, but with one key difference. This blacklist prioritizes new and aggressive IPs over consistent ones. In the case of the first blacklist, as long as an IP attacks every day, its score will increase over time, and it will remain on the list. With this blacklist, the older an IP gets, the more its score will decrease in order to make room for the more recently seen IPs that are attacking our honeypots.
All three blacklists that is generated by this program are available in the Stratosphere Labs public data-sets.
We have also published a blog which gets deeper into how to the program works. The blog can can be found here.
The algorithm itself is published as a tool here.
For information about recent updates to the tool, see the following blog-post[1].
[1] https://www.stratosphereips.org/blog/2020/7/31/the-new-and-improved-attacker-ip-prioritizer