BlackEye: automatic IP blacklisting using machine learning from security logs

Dooyong Jeon, Byungchul Tak

Research output: Contribution to journal › Article › peer-review

5 Scopus citations

Abstract

Blacklisting of malicious IP addresses is a primary technique for safeguarding mission-critical IT systems. The decision to blacklist an IP address requires careful examination of various aspects of the packet traffic data as well as the address's behavioral history. Most current security monitoring for IP blacklisting relies heavily on the domain expertise of experienced specialists. Although there have been efforts to apply machine-learning (ML) techniques to this problem, a mature solution has yet to emerge. To mitigate these challenges and to gain a better understanding of the problem, we designed the BlackEye framework, in which we can apply various ML techniques and produce models for accurate blacklisting. From our analysis we learn that a multi-stage method combining data cleansing with classification via logistic regression or random forest produces the best results. Our evaluation on real-world data shows that it reduces incorrect blacklisting by nearly 90% compared to the performance of experts. Moreover, the proposed model performs well in terms of time-to-blacklist, shortening the period during which a malicious IP address remains active by 27 days on average.
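The pipeline shape the abstract describes (cleanse the security logs, build per-IP behavioral features, classify with logistic regression, then measure how early the decision fires) as an added, runnable example. This is illustration code written for this page, not the BlackEye authors' code: the log format, the two features, the training labels, the internal-range list and every log line are constructed assumptions, and a fixed "10 failed logins" rule stands in for the expert baseline the paper compares against.

```python
"""Multi-stage IP blacklisting over security logs: cleanse -> featurize -> classify.

Added example, not the BlackEye authors' code. Log format, features, labels and
the sample log are constructed for illustration.
"""
import ipaddress
import math
import re
from collections import defaultdict

# Constructed log format: "<unix_ts> <src_ip> <event> [dport=<n>]"
LOG_RE = re.compile(r"^(\d+) (\S+) (failed_login|port_scan|conn)(?: dport=(\d+))?$")
# Assumed organisation-internal ranges: internal hosts never go on a perimeter blacklist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLE_LOG = """\
100 203.0.113.5 failed_login
101 203.0.113.5 failed_login
101 203.0.113.5 failed_login
102 203.0.113.5 port_scan dport=22
103 203.0.113.5 port_scan dport=23
104 203.0.113.5 port_scan dport=445
105 203.0.113.5 port_scan dport=3389
106 203.0.113.5 failed_login
107 203.0.113.5 failed_login
108 203.0.113.5 failed_login
109 203.0.113.5 failed_login
110 203.0.113.5 failed_login
111 203.0.113.5 failed_login
112 203.0.113.5 failed_login
113 203.0.113.5 failed_login
100 198.51.100.7 conn dport=443
200 198.51.100.7 conn dport=443
300 198.51.100.7 failed_login
400 198.51.100.7 conn dport=443
100 10.0.0.4 failed_login
101 10.0.0.4 failed_login
this line is not a log record
103 not-an-ip conn dport=80
"""

def cleanse(text):
    """Stage 1: drop malformed lines, unparsable/internal sources and duplicate records."""
    seen, records = set(), []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, event, dport = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            continue
        rec = (int(ts), ip, event, int(dport) if dport else None)
        if rec not in seen:            # same event forwarded twice -> keep one copy
            seen.add(rec)
            records.append(rec)
    records.sort(key=lambda r: r[0])
    return records

def profile(records):
    """Stage 2: per-IP raw counts (failed_logins, distinct destination ports)."""
    failed, ports = defaultdict(int), defaultdict(set)
    for _, ip, event, dport in records:
        failed[ip] += 1 if event == "failed_login" else 0
        if dport is not None:
            ports[ip].add(dport)
    return {ip: (failed[ip], len(ports[ip])) for ip in failed}

def vector(failed, ports):
    """Log-compress counts so a burst of events does not swamp the model."""
    return (math.log1p(failed), math.log1p(ports))

# Stage 3: logistic regression on labelled per-IP profiles (constructed labels;
# in practice these would be verified analyst verdicts on historical data).
TRAIN = [  # (failed_logins, distinct_ports, label)
    (50, 20, 1), (30, 8, 1), (12, 6, 1), (80, 1, 1), (20, 15, 1), (8, 10, 1),
    (0, 1, 0), (1, 1, 0), (2, 2, 0), (0, 3, 0), (3, 1, 0), (1, 2, 0),
]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(min(z, 500.0), -500.0)))

def train(rows, lr=0.5, epochs=3000):
    """Plain batch gradient descent on the mean log-loss; returns (weights, bias)."""
    xs = [vector(f, p) for f, p, _ in rows]
    ys = [y for _, _, y in rows]
    w, b, n = [0.0, 0.0], 0.0, len(rows)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            gw[0] += err * x[0]; gw[1] += err * x[1]; gb += err
        w = [w[0] - lr * gw[0] / n, w[1] - lr * gw[1] / n]
        b -= lr * gb / n
    return w, b

def score(model, x):
    w, b = model
    return sigmoid(w[0] * x[0] + w[1] * x[1] + b)

def blacklist(records, model, threshold=0.5):
    """IPs the model would blacklist given their full history."""
    return {ip for ip, (f, p) in profile(records).items()
            if score(model, vector(f, p)) >= threshold}

def time_to_blacklist(records, ip, model, threshold=0.5):
    """Replay one IP's events in order; timestamp at which the decision first fires."""
    own = [r for r in records if r[1] == ip]
    for i in range(1, len(own) + 1):
        f, p = profile(own[:i])[ip]
        if score(model, vector(f, p)) >= threshold:
            return own[i - 1][0]
    return None

def rule_time_to_blacklist(records, ip, max_failed=10):
    """Stand-in for an analyst rule: blacklist on the 10th failed login."""
    n = 0
    for ts, rip, event, _ in records:
        if rip == ip and event == "failed_login":
            n += 1
            if n >= max_failed:
                return ts
    return None

if __name__ == "__main__":
    recs = cleanse(SAMPLE_LOG)
    model = train(TRAIN)
    print("blacklisted:", sorted(blacklist(recs, model)))
    for ip in ("203.0.113.5", "198.51.100.7"):
        print(ip, "model:", time_to_blacklist(recs, ip, model),
              "rule:", rule_time_to_blacklist(recs, ip))
```

The cleansing stage is where the paper's "incorrect blacklisting" reduction is won or lost: an internal address, a duplicated collector feed or a malformed line can inflate an IP's counts enough to tip a classifier, so those records are removed before any feature is computed. Replaying the events through `time_to_blacklist` is the per-IP version of the time-to-blacklist metric: the scanning-then-brute-forcing address is caught no later than the fixed rule fires, while the single failed login from the otherwise quiet address never crosses the threshold.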

Original language: English
Pages (from-to): 937-948
Number of pages: 12
Journal: Wireless Networks
Volume: 28
Issue number: 2
DOIs
State: Published - Feb 2022

Keywords

  • Blacklisting
  • Linear regression
  • Machine learning
  • Security logs
