Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), collectively called “intrusion detection and prevention systems (IDPSs),” monitor network traffic to stave off unauthorized access. Roughly speaking, an IDS detects possible malicious network activities, while an IPS stops malicious traffic from entering and possibly damaging a network.

To successfully provide protection, IDPSs inspect and analyze each data packet. If necessary, the systems would then alert security administrators. Depending on how they are configured, IDPSs can stop an attack by dropping the malicious packet, resetting the connection, or blocking network traffic.

Like any other cybersecurity solution, IDPSs’ effectiveness lies in the prompt and correct detection of possible malicious activities. IP and domain intelligence can provide additional data points for IDPSs to base their detection techniques.

IP- and Domain-Based Detection

One technique IDPSs use is to look for known exploits or activities that are similar or associated with an already-identified attack. This detection technique is signature-based since it looks for previously identified signatures or codes used by attackers.

However, attackers are not only known to reuse their codes, they also use the same IP and domain infrastructure on different targets. To illustrate, we obtained the top 10 most widely reported IP addresses on 5 January 2021 from AbuseIPDB. We then tabulated the number of unique reports and unique users for each IP address since the first time it was reported.

Since IDPSs inspect network packets, they could also examine the IP address within each packet and use IP intelligence sources to check for associations with malicious IP addresses. The IP addresses in the table above, for instance, belong to two IP netblocks according to IP Netblocks API. The first two IP addresses belong to IP netblock 45[.]155[.]205[.]0—45[.]155[.]205[.]255, while all the others belong to 221[.]181[.]184[.]0—221[.]181[.]191[.]255.

As such, IDPSs could be configured to analyze packets that contain IP addresses belonging to the IP netblocks associated with malicious activity.

What’s more, an IP address found in the packet header could also be associated with malicious domains and should be blocked or, at the very least, reported to security administrators. One way to find out is to use Reverse IP/DNS Lookup. For instance, the IP address 156[.]254[.]105[.]3 may not raise any alert, as it hasn’t been reported in blacklist sites, such as AbuseIPDB and VirusTotal.

However, Reverse IP/DNS Lookup revealed that it is associated with five domain names, including tisone360[.]com, which is related to the Darkhotel APT group. IDPSs could better protect networks by blocking packets containing such IP addresses.

Anomaly-Based Detection

Another technique most IDPSs use is anomaly detection, which aims to capture abnormal network activities. An additional criterion would be to look at the IP geolocation of the packet header. Is the source IP address located in a region the company has no dealings with? Or can it be traced to a high-risk location?

If the packet’s IP geolocation lies in a region not previously seen in the network, the IDPS can alert security administrators so the packet can be further scrutinized. On the other hand, if the network activity is located in a region where cyber attackers abound, blocking the traffic may be wise.

Cybersecurity solutions, which include IDSs and IPSs, continue to evolve to adapt to the increasing sophistication of cyber attacks. Adding more sources, such as IP intelligence tools, can widen the scope of detection.