IP Geolocation through Reverse DNS

IP Geolocation databases are widely used in online services to map end-user IP addresses to their geographical location. However, they use proprietary geolocation methods, and in some cases they have poor accuracy. We propose a systematic approach to use reverse DNS hostnames for geolocating IP addresses, with a focus on end-user IP addresses as opposed to router IPs. Our method is designed to be combined with other geolocation data sources. We cast the task as a machine learning problem where, for a given hostname, we first generate a list of potential location candidates, and then we classify each hostname and candidate pair using a binary classifier to determine which location candidates are plausible. Finally, we rank the remaining candidates by confidence (class probability) and break ties by population count. We evaluate our approach against three state-of-the-art academic baselines and two state-of-the-art commercial IP geolocation databases. We show that our work significantly outperforms the academic baselines and is complementary and competitive with commercial databases. To aid reproducibility, we open source our entire approach and make it available to the academic community.

Identifying the Use of Anonymising Proxies to Conceal Source IP Addresses

The detection of unauthorised users can be problematic for techniques that are available at present if the nefarious actors are using identity hiding tools such as anonymising proxies or Virtual Private Networks (VPNs). This work presents computational models to address the limitations currently experienced in detecting VPN traffic. The experiments conducted to classify OpenVPN usage found that the Neural Network was able to correctly identify the VPN traffic with an overall accuracy of 93.71%. These results demonstrate a significant advancement in the detection of unauthorised user access with evidence showing that there could be further advances for research in this field particularly in the application of business security where the detection of VPN usage is important to an organization.

Cyber-attack detection via non-linear prediction of IP addresses: an innovative big data analytics approach

Computer network systems are often subject to several types of attacks. For example, an excessive traffic load sent to a web server for making it unusable is the main technique introduced by the Distributed Denial of Service (DDoS) attack. A well-known method for detecting attacks consists in analyzing the sequence of source IP addresses for detecting possible anomalies. With the aim of predicting the next IP address, the Probability Density Function of the IP address sequence is estimated. Anomalous requests are detected via predicting source’s IP addresses in future accesses to the server. Thus, when an access to the server occurs, the server accepts only the requests from the predicted IP addresses and it blocks all the others. The approaches used to estimate the Probability Density Function of IP addresses range from the sequence of IP addresses seen previously and stored in a database to address clustering, for instance via the K-Means algorithm. Instead, the sequence of IP addresses is considered as a numerical sequence in this paper, and non-linear analysis of this numerical sequence is applied. In particular, we exploited non-linear analysis based on Volterra Kernels and Hammerstein models. The experiments carried out with datasets of source IP address sequences show that the prediction errors obtained with Hammerstein models are smaller than those obtained both with the Volterra Kernels and with the sequence clustering based on the K-Means algorithm.

Towards Enhancing the Endpoint Security using Moving Target Defense (Shuffle-based Approach) in Software Defined Networking

Static IP addresses make the network vulnerable to different attacks and once the machines are compromised, any sensitive information within the network can be spoofed. Moving Target Defense (MTD) provides an efficient mechanism for proactive security by constantly changing different system attributes. Software Defined Networks (SDNs) provide greater flexibility in designing security solutions due to their centralized management and programming capabilities. In this paper, a mechanism for the protection of endpoint security is developed using IP address host shuffling. In the proposed approach, the real IP address of the host is masked and a virtual IP address is assigned. The virtual IPs are mined from the pool of unassigned IP addresses. The address pool is created using a pseudo-random number generator to guarantee high randomness. This approach helps in invalidating the intelligence gathered by the adversaries through the changes in the network configuration that will disturb attack execution, eventually leading to attack failure. Transparency is attained via preserving the actual IP intact and mapping a virtual IP to it. The proposed solution is implemented using the RYU Controller and Mininet. The efficient results obtained from the experiments substantiate the effectiveness of the MTD approach for enhancing endpoint security.

Pengembangan Metode Autentikasi pada Sistem Presensi Berbasis Aplikasi Mobile

Research has been carried out on a mobile-based presence system authentication method using MAC addresses, BSSID and IP addresses for (Wi-Fi) networks. This study aims to develop an authentication method on the attendance system that meets two authentication requirements, namely the suitability of employee identity and location suitability, so that the attendance process becomes easy, effective, fast, and can reduce fraud. The employee's identity can be obtained from the MAC address of the smartphone that has been previously registered, while the employee's location during the attendance process can be confirmed to be in the company environment by checking the BSSID data and IP of the Wi-Fi network connected to the smartphone. The data is then compared with MAC address data from all Wi-Fi networks installed in the company area. RAD is used as a development model because it is simple and fast. Overall, employee identification and site checking as authentication of the developed system went well. Other than that, every function on the system works well. Furthermore, the results of the user experience evaluation using the UEQ questionnaire received an average score above 0.8 on 6 scales. This shows that the system has attractiveness, perspicuity, efficiency, dependability, stimulation and novelty.

Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

The Internet’s Domain Name System (DNS) responds to client hostname queries with corresponding IP addresses and records. Traditional DNS is unencrypted and leaks user information to on-lookers. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting DNS messages from third parties. However, the small number of available public large-scale DoT and DoH resolvers has reinforced DNS privacy concerns, specifically that DNS operators could use query contents and client IP addresses to link activities with identities. Oblivious DNS over HTTPS (ODoH) safeguards against these problems. In this paper we implement and deploy interoperable instantiations of the protocol, construct a corresponding formal model and analysis, and evaluate the protocols’ performance with wide-scale measurements. Results suggest that ODoH is a practical privacy-enhancing replacement for DNS.

Retrospective IP Address Geolocation for Geography-Aware Internet Services

The paper deals with the locations of IP addresses that were used in the past. This retrospective geolocation suffers from continuous changes in the Internet space and a limited availability of past IP location databases. I analyse the retrospective geolocation of IPv4 and IPv6 addresses over five years. An approach is also introduced to handle missing past IP geolocation databases. The results show that it is safe to retrospectively locate IP addresses by a couple of years, but there are differences between IPv4 and IPv6. The described parametric model of location lifetime allows us to estimate the time when the address location changed in the past. The retrospective geolocation of IP addresses has a broad range of applications, including social studies, system analyses, and security investigations. Two longitudinal use cases with the applied results are discussed. The first deals with geotargeted online content. The second deals with identity theft prevention in e-commerce.