
Enriching Intrusion Detection and Prevention Systems with IP and Domain Intelligence

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), collectively called "intrusion detection and prevention systems (IDPSs)," monitor network traffic for signs of unauthorized access. Roughly speaking, an IDS observes traffic (often from a tap or mirror port) and reports suspected malicious activity, while an IPS sits inline and can also stop that traffic before it reaches its target.

To do this, IDPSs inspect each packet, or the reassembled flow it belongs to, and raise an alert for security administrators when a rule matches. Depending on how it is configured, an IPS can also stop an attack by dropping the offending packet, resetting the connection, or blocking further traffic from the source.

As with any other security control, the value of an IDPS lies in detecting malicious activity promptly and correctly. IP and domain intelligence can supply additional data points on which IDPSs can base their detection decisions.

IP- and Domain-Based Detection

One technique IDPSs use is signature-based detection: matching traffic against patterns (byte sequences, exploit payloads, protocol quirks) extracted from previously identified attacks. It catches only what has been seen and encoded before, which is why the breadth of the signature set matters.

Attackers, however, reuse not only their code but also their IP and domain infrastructure across different targets, which makes that infrastructure usable as a signature in its own right. To illustrate, we obtained the top 10 most widely reported IP addresses on 5 January 2021 from AbuseIPDB. We then tabulated the number of unique reports and unique reporting users for each IP address since the first time it was reported.

IP Address               Number of Unique Reports   Number of Unique Users
45[.]155[.]205[.]86                         9,977                      402
45[.]155[.]205[.]87                         9,665                      382
221[.]181[.]185[.]135                      17,732                      341
221[.]181[.]185[.]29                       17,661                      348
221[.]181[.]185[.]136                      15,921                      336
221[.]181[.]185[.]143                      13,768                      315
221[.]181[.]185[.]18                       17,603                      346
221[.]181[.]185[.]148                      13,780                      313
221[.]181[.]185[.]19                       17,405                      341
221[.]181[.]185[.]199                      17,335                      338

Since IDPSs already parse packet headers, they can also examine the source IP address of each packet and consult IP intelligence sources for associations with known-malicious addresses. The IP addresses in the table above, for instance, fall into just two IP netblocks according to IP Netblocks API. The first two belong to 45[.]155[.]205[.]0 to 45[.]155[.]205[.]255 (a /24), while all the others belong to 221[.]181[.]184[.]0 to 221[.]181[.]191[.]255 (a /21).

As such, IDPSs could be configured to flag or drop packets whose source address falls within netblocks associated with malicious activity, not just the individual addresses that have been reported. Matching on a whole netblock trades precision for coverage: unless the range is known to be dedicated to the attacker, such rules are safer in alert mode than in block mode.

What's more, an IP address found in the packet header may be associated with malicious domains even when the address itself has never been reported, and such traffic should be blocked or, at the very least, reported to security administrators. One way to find out is to use Reverse IP/DNS Lookup. For instance, the IP address 156[.]254[.]105[.]3 would not raise any alert on its own, as it has not been reported on blacklist sites such as AbuseIPDB and VirusTotal.

However, Reverse IP/DNS Lookup revealed that it is associated with five domain names, including tisone360[.]com, which is related to the Darkhotel APT group. IDPSs could better protect networks by blocking or flagging packets containing such IP addresses. One caveat: an address that hosts several domains may be shared hosting, so the other four names are not necessarily malicious, and a block on the IP alone would cut them off too. Where that is a concern, alert on the IP and let a domain-aware rule (on the TLS SNI or HTTP Host header) do the blocking.
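The netblock check and the reverse-IP check described above, combined into one triage function, as an added example that is not part of the original post and not WhoisXML API's own code. The two netblocks and the three IP addresses come from the text; the four extra domain names on 156[.]254[.]105[.]3, the domain watchlist, and the Suricata rule message and SID are assumptions. The defanged "[.]" notation from the table is undone before parsing.

```python
import ipaddress


def refang(text):
    """Undo the "[.]" defanging used in the tables above."""
    return text.replace("[.]", ".")


# First and last address of each netblock the text attributes to the reported IPs.
REPORTED_RANGES = [
    ("45[.]155[.]205[.]0", "45[.]155[.]205[.]255"),
    ("221[.]181[.]184[.]0", "221[.]181[.]191[.]255"),
]

# Constructed stand-in for a Reverse IP/DNS Lookup result. The text says
# 156[.]254[.]105[.]3 hosts five domains including tisone360[.]com; the other
# four names are placeholders (hypothetical, not from the page).
REVERSE_IP = {
    "156.254.105.3": [
        "tisone360.com",
        "placeholder-1.example", "placeholder-2.example",
        "placeholder-3.example", "placeholder-4.example",
    ],
}

# Constructed domain watchlist; only tisone360[.]com comes from the text.
DOMAIN_WATCHLIST = {"tisone360.com"}


def netblocks(ranges):
    """Turn (first, last) address pairs into the CIDR networks that cover them."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(refang(first)),
            ipaddress.ip_address(refang(last))))
    return nets


def classify(src_ip, nets, reverse_ip=REVERSE_IP, watchlist=DOMAIN_WATCHLIST):
    """Return (verdict, reason) for a packet's source address.

    Order matters: a reported netblock is the strongest signal, then reverse-IP
    association with a watchlisted domain, then nothing.
    """
    ip = ipaddress.ip_address(refang(src_ip))
    for net in nets:
        if ip in net:
            return "block", f"source {ip} is inside reported netblock {net}"
    domains = reverse_ip.get(str(ip), [])
    hits = sorted(set(domains) & watchlist)
    if hits:
        if len(domains) > len(hits):
            # Shared hosting: other names on this IP are not watchlisted, so a
            # block on the IP alone would also cut off unrelated sites. Alert
            # here and leave blocking to a domain-aware (SNI/Host) rule.
            return "alert", (f"source {ip} hosts watchlisted {', '.join(hits)} "
                             f"among {len(domains)} domains")
        return "block", f"every domain on {ip} is watchlisted: {', '.join(hits)}"
    return "allow", f"no netblock or reverse-IP match for {ip}"


def suricata_rule(nets, sid, msg="Source in reported netblock"):
    """Render the netblocks as one Suricata/Snort-style IP rule toward $HOME_NET.

    SIDs from 1000000 upward are conventionally reserved for local rules.
    """
    srcs = ",".join(str(n) for n in nets)
    return f'alert ip [{srcs}] any -> $HOME_NET any (msg:"{msg}"; sid:{sid}; rev:1;)'


if __name__ == "__main__":
    nets = netblocks(REPORTED_RANGES)
    print(suricata_rule(nets, 1000001))
    for src in ("221[.]181[.]185[.]135", "156[.]254[.]105[.]3", "198[.]51[.]100[.]7"):
        print(src, *classify(src, nets))
```

The rule string is only as good as the ranges fed into it; regenerate it when the intelligence source updates rather than hand-editing the SID and ranges in place.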

Anomaly-Based Detection

Another technique most IDPSs use is anomaly-based detection, which flags deviations from a learned baseline of normal network behaviour. The IP geolocation of the source address in the packet header adds one more dimension to that baseline. Is the source located in a region the company has no dealings with? Or can it be traced to a high-risk location?

If the packet's IP geolocation lies in a region not previously seen on the network, the IDPS can alert security administrators so the traffic can be further scrutinized. If the source instead geolocates to a region the organisation has decided is high risk, blocking the traffic may be wise. Geolocation is coarse, though: VPN exits, cloud providers and proxies put legitimate users behind addresses that geolocate far from where they are, so region-level blocks are a policy decision, and regions the business legitimately serves must be excluded from them.
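A geolocation baseline of the kind described above, as an added example that is not part of the original post and not WhoisXML API's own code. The IP-to-country table stands in for a geolocation lookup and is entirely constructed (the addresses come from the documentation ranges so that no real network is implicated; the log format, the country assignments and the "ZZ" high-risk placeholder, a user-assigned ISO 3166-1 code, are assumptions). It also handles the two cases a real feed forces you to decide on: internal addresses that have no geolocation, and global addresses the lookup does not know.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for an IP geolocation lookup (hypothetical data).
GEO = {
    "203.0.113.10": "DE",
    "203.0.113.11": "DE",
    "198.51.100.25": "US",
    "192.0.2.44": "BR",
    "203.0.113.200": "ZZ",   # placeholder for a region the operator treats as high risk
}

# Regions the operator has decided to block outright (placeholder value).
HIGH_RISK = {"ZZ"}

# Address space that never has a meaningful geolocation.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumed connection-log format: one line per flow with a src=<ip> field.
LOG_RE = re.compile(r"src=(?P<src>[0-9.]+)")

# Constructed log lines from a "normal" period, used to learn the baseline.
BASELINE_LOG = """\
2021-01-04T09:12:03Z src=203.0.113.10 dst=10.0.0.8 proto=tcp dport=443
2021-01-04T09:15:41Z src=198.51.100.25 dst=10.0.0.8 proto=tcp dport=443
2021-01-04T11:02:17Z src=203.0.113.11 dst=10.0.0.9 proto=tcp dport=22
"""

# Constructed log lines from the period being triaged.
NEW_LOG = """\
2021-01-05T08:00:01Z src=203.0.113.10 dst=10.0.0.8 proto=tcp dport=443
2021-01-05T08:00:09Z src=192.0.2.44 dst=10.0.0.8 proto=tcp dport=443
2021-01-05T08:01:30Z src=203.0.113.200 dst=10.0.0.9 proto=tcp dport=22
2021-01-05T08:02:12Z src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=445
2021-01-05T08:03:45Z src=192.0.2.99 dst=10.0.0.8 proto=tcp dport=443
"""


def country_of(ip_str):
    """None for internal addresses, "??" for global addresses the table lacks."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL):
        return None
    return GEO.get(ip_str, "??")


def learn_baseline(log_text):
    """Count how often each known country appeared as a source in the baseline."""
    seen = Counter()
    for m in LOG_RE.finditer(log_text):
        country = country_of(m.group("src"))
        if country and country != "??":
            seen[country] += 1
    return seen


def classify(src_ip, baseline, high_risk=HIGH_RISK):
    """Return (verdict, reason) for one source address against the baseline."""
    country = country_of(src_ip)
    if country is None:
        return "skip", "internal address, no geolocation"
    if country == "??":
        return "alert", "no geolocation record for source"
    if country in high_risk:
        return "block", f"source geolocates to high-risk region {country}"
    if country not in baseline:
        return "alert", f"source geolocates to {country}, never seen in baseline"
    return "allow", f"source geolocates to {country}, seen {baseline[country]}x in baseline"


def triage(log_text, baseline, high_risk=HIGH_RISK):
    """Apply classify() to every source address in a batch of new log lines."""
    return [(m.group("src"), *classify(m.group("src"), baseline, high_risk))
            for m in LOG_RE.finditer(log_text)]


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for src, verdict, reason in triage(NEW_LOG, baseline):
        print(f"{src:16} {verdict:6} {reason}")
```

The baseline here is a plain country set; in practice it should be built per service or per peer group (the countries that talk to the VPN gateway differ from those that talk to the public web tier) and rebuilt on a schedule so that a region the business starts serving stops generating alerts.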


Cybersecurity solutions, which include IDSs and IPSs, continue to evolve to adapt to the increasing sophistication of cyber attacks. Adding more sources, such as IP intelligence tools, can widen the scope of detection.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
