Skip to content
/ AIP Public

The Attacker IP Prioritizer(AIP) dynamically generates resource-friendly IPv4 blocklists from Zeek network flows.

www.stratosphereips.org

License

GPL-3.0 license
32 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stratosphereips/AIP

BranchesTags

Repository files navigation

Attacker IP Prioritization (AIP) Tool

Python CI Tests CodeQL Docker Hub CI Docker GHCR CI

Docker Pulls GitHub issues GitHub issues-closed GitHub open-pull-requests GitHub pull-requests closed

The Attacker IP Prioritization (AIP) is a tool to generate efficient and economic IP blocklists based on network traffic captured from honeypot networks.

With the advent of 5G, IoT devices are directly connected often without firewall protection. Therefore we need blocklists that are small, efficient and economic. The AIP structure is shown below.

Description of the AIP pipeline

AIP Models

Each AIP model generates its own blocklist based on a specific criteria. The main models are:

  1. Prioritize New (PN)
    • Focuses on IPs that are new or have not been seen frequently in previous data.
    • Useful to identify emerging attackers that are starting to target a network.
  2. Prioritize Consistent (PC)
    • Focuses on IPs that have consistently attacked over time in previous data.
    • Useful to identify persistent attackers that continuously target a network.
  3. Alpha
    • Provides a baseline identifying all attackers seen in the last 24 hours.
    • Useful to compare the effectiveness of other models.
  4. Alpha7
    • Provides a baseline identifying all attackers seen in the last 7 days.
    • Useful to further compare the effectiveness of other models.
  5. Random Forest
    • Focuses on IPs that are more likely to attack in the future.
    • A more experimental approach to increase blocklist efficiency.

AIP Docker

The best way to run AIP right now is using Docker.

Usage

AIP will automatically attempt to run all the models using the available data. Assuming the Zeek data is located in its usual location:

:~$ cd AIP
:~$ docker run --rm -v /opt/zeek/logs/:/home/aip/AIP/data/raw:ro -v ${PWD}/data/:/home/aip/AIP/data/:rw --name aip stratosphereips/aip:latest bin/aip

To run AIP for a specific day:

:~$ cd AIP
:~$ docker run --rm -v /opt/zeek/logs/:/home/aip/AIP/data/raw:ro -v ${PWD}/data/:/home/aip/AIP/data/:rw --name aip stratosphereips/aip:latest bin/aip YYYY-MM-DD

License

The Stratosphere AIP tool is licensed under GNU General Public License v3.0.

About

This tool was developed at the Stratosphere Laboratory at the Czech Technical University in Prague. This is part of the Stratosphere blocklist generation project.

This tool was originally born from the bachelor thesis of Thomas O'Hara, The Attacker IP Prioritizer: An IoT Optimized Blacklisting Algorithm (2021).

About

The Attacker IP Prioritizer(AIP) dynamically generates resource-friendly IPv4 blocklists from Zeek network flows.

www.stratosphereips.org

Topics

blocklist blocklists threat-intelligence honeypots network-attacks network-traffic-analysis network-flows netflows

Resources

Readme

License

GPL-3.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

32 stars

Watchers

4 watching

Forks

9 forks
Report repository

Releases 2

v3.0.0 Latest
Oct 30, 2024
+ 1 release

Packages

 
 
 

Contributors 6

Languages