A new machine learning system has been developed by MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) that can detect IP hijackers.
MIT trained the system to identify about 800 suspicious networks associated with IP hijacking, in which attackers take over IP addresses and use them to send malware or spam, harvest people's identities, or steal data and even cryptocurrency. The team found that some of those networks had been hijacking IP addresses for years.
“Network operators normally have to handle such incidents reactively and on a case-by-case basis, making it easy for cybercriminals to continue to thrive,” said Cecilia Testart, an MIT graduate student. “This is a key first step in being able to shed light on serial hijackers’ behavior and proactively defend against their attacks.”
The system flags networks using key characteristics such as volatile activity, in which announced IP addresses appear and then seem to disappear; the use of multiple blocks of IP addresses; and the use of IP addresses from multiple countries.
To better pinpoint serial attacks, the group pulled data from years of network operator mailing lists and from snapshots of the global routing table taken every five minutes. From this they identified particular qualities of malicious actors and then trained a machine learning model to recognize such behaviors automatically.
Developing the system was challenging because IP hijacks are often the result of human error, and because network operators can legitimately exhibit these same characteristics when fending off distributed denial-of-service (DDoS) attacks, in which huge amounts of traffic are directed at their network.
As a result, the team had to step in manually to identify false positives, which accounted for about 20% of the cases the system flagged.
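As an added illustration (not MIT's model or code), the following computes the three characteristics described above from periodic routing-table snapshots and applies a simple rule in place of the trained classifier; the snapshots, AS numbers (documentation range) and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed five-minute snapshots of a tiny "global routing table" (not real BGP data).
# Each snapshot maps an origin AS to the (prefix, country) pairs it announces.
SNAPSHOTS = [
    {64500: {("203.0.113.0/24", "US")},
     64501: {("198.51.100.0/25", "DE"), ("192.0.2.0/24", "BR")}},
    {64500: {("203.0.113.0/24", "US")},
     64501: {("198.51.100.0/25", "DE")}},
    {64500: {("203.0.113.0/24", "US")},
     64501: {("192.0.2.0/24", "BR"), ("198.51.100.128/25", "JP")}},
    {64500: {("203.0.113.0/24", "US")},
     64501: {("198.51.100.128/25", "JP")}},
]


def extract_features(snapshots):
    """Per-AS features: volatility (prefixes appearing or disappearing between
    consecutive snapshots), distinct address blocks, and distinct countries."""
    prefixes, countries, changes = defaultdict(set), defaultdict(set), defaultdict(int)
    all_asns = {asn for snap in snapshots for asn in snap}
    for i, snap in enumerate(snapshots):
        for asn in all_asns:
            current = {p for p, _ in snap.get(asn, ())}
            for p, c in snap.get(asn, ()):
                prefixes[asn].add(p)
                countries[asn].add(c)
            if i > 0:
                previous = {p for p, _ in snapshots[i - 1].get(asn, ())}
                changes[asn] += len(current ^ previous)  # appeared + disappeared
    intervals = max(len(snapshots) - 1, 1)
    return {asn: {"blocks": len(prefixes[asn]),
                  "countries": len(countries[asn]),
                  "volatility": changes[asn] / intervals}
            for asn in all_asns}


def flag_suspicious(features, min_volatility=1.0, min_blocks=3, min_countries=2):
    """Hypothetical rule standing in for the trained model: volatile origins that
    spread across many blocks or many countries. An operator withdrawing a prefix
    under DDoS also looks volatile, which is the false-positive case noted above."""
    return sorted(asn for asn, f in features.items()
                  if f["volatility"] >= min_volatility
                  and (f["blocks"] >= min_blocks or f["countries"] >= min_countries))


if __name__ == "__main__":
    feats = extract_features(SNAPSHOTS)
    print(feats, flag_suspicious(feats))  # AS64501 is flagged, AS64500 is not
```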
Moving forward, researchers want the system to require minimal human supervision and eventually be deployed into production environments.
Testart said as businesses and people continue to rely on the internet for critical transactions, IP hijacking will only get worse. New security measures could help prevent or reduce the damage caused by these attacks.