Research uncovers ‘bad neighbourhoods’ on the internet

Research into so-called ‘bad neighbourhoods on the internet could provide a foundation for tackling e-crime and establishing a solid global security strategy for governments and industry.

Mar 28, 2013
By Paul Jacques
Picture: Police Scotland

Research into so-called ‘bad neighbourhoods on the internet could provide a foundation for tackling e-crime and establishing a solid global security strategy for governments and industry.

A study by the University of Twente’s Centre for Telematics and Information Technology (CTIT) found that of the 42,000 internet service providers (ISPs) analysed, just 20 were found to be responsible for nearly half of all the internet addresses that send spam.

Researcher Giovane César Moreira Moura, an internet security specialist, focused on the cluster of malicious hosts on the internet – ‘bad neighborhoods’ – to determine emerging patterns. The aim was to employ these patterns to advance state-of-the-art network security and intrusion detection.

In his PhD thesis, Mr Moura explained that these bad neighbourhoods, which often correspond to certain geographical areas, are the source of a great deal of spam, phishing or other ‘undesirable activity’.

“Just like in the real world, the internet has bad neighbourhoods whose streets are not safe and where crime rates are higher than in other districts,” he said.

He carried out the first systematic investigation of malicious hosts by monitoring and analysing network data. His main conclusion is that malicious activity is indeed concentrated in limited zones – areas in which the IP addresses show strong similarities per ISP, or even per country.

For instance, he found that 62 per cent of the addresses at one ISP were related to spam.

“This knowledge can be used to link security measures to specific ISPs,” he said.

He added: “It is also interesting to note that different types of activities are associated with different parts of the world. For instance, spam comes mainly from southern Asian countries, while phishing occurs primarily in the US and other developed countries. The reason for the latter is that these countries are home to most data centres and cloud-computing providers.

“It is also important to distinguish between individual IP addresses that launch one-off attacks and a whole ‘bad neighbourhood’ that almost always launches repeated attacks. This information is very useful in terms of establishing a security strategy.”

Related News

Copyright © 2021 Police Professional