Evaluating Reputation of Internet Entities

  • Václav Bartoš
  • Jan Kořenek
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9701)


Security monitoring tools, such as honeypots, IDS, behavioral analysis or anomaly detection systems, generate large amounts of security events or alerts. These alerts are often shared within some communities using various alert sharing systems. Our research is focused on analysis of the huge amount of data present in these systems. In this work we focus on summarizing all alerts and other information known about a network entity into a measure called reputation score expressing the level of threat the entity poses. Computation of the reputation score is based on estimating probability of future attacks caused by the entity.


Anomaly Detection Malicious Activity Reputation Score Network Entity Security Event 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This research was supported by Security Research grant no. VI20162019029 in project Shaing and analysis of security events in Czech republic granted by Ministry of the Interior of the Czech republic. It was also partially supported from IT4Innovations excellence in science project (IT4I XS – LQ1602) and by Brno University of Technology grant no. FIT-S-14-2297.


  1. 1.
    Bartoš, V.: Analysis of alerts reported to Warden. Technical report 1/2016, CESNET, February 2016Google Scholar
  2. 2.
    Bartoš, V., Žádník, M.: An analysis of correlations of intrusion alerts in anNREN. In: 19th International Workshop on Computer-Aided Modeling Analysis and Design of Communication Links and Networks (CAMAD), pp. 305–309. IEEE, December 2014Google Scholar
  3. 3.
    Shue, C.A., et al.: Abnormally malicious autonomous systems and their internet connectivity. IEEE/ACM Trans. Netw. 20(1), 220–230 (2012)CrossRefGoogle Scholar
  4. 4.
    Cambridge English Dictionary: reputation. Accessed January 14, 2016
  5. 5.
    CESNET: Warden – alert sharing system.
  6. 6.
    ENISA: Standards and tools for exchange and processing of actionable information, November 2014Google Scholar
  7. 7.
    Gokcen, Y., Foroushani, V., Heywood, A.: Can we identify NAT behavior by analyzing traffic flows? In: Security and Privacy Workshops (SPW), pp. 132–139. IEEE, May 2014Google Scholar
  8. 8.
    Merriam-Webster Dictionary: Reputation. Accessed on January 14, 2016
  9. 9.
    Moreira Moura, G.C., Sadre, R., Pras, A.: Internet bad neighborhoods temporal behavior. In: Network Operations and Management Symposium (NOMS), pp. 1–9. IEEE, May 2014Google Scholar
  10. 10.
    Moreira Moura, G.C.: Internet bad neighborhoods. Ph.D. thesis, University of Twente, Enschede.
  11. 11.
    Moreira Moura, G.C., et al.: How dynamic is the ISPs address space? Towards internet-wide DHCP churn estimation. In: 14th International Conference on Networking. IFIP, May 2015Google Scholar
  12. 12.
    Vu, L., Turaga, D., Parthasarathy, S.: Impact of DHCP churn on network characterization. SIGMETRICS Perform. Eval. Rev. 42(1), 587–588 (2014)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. 1.Faculty of Information TechnologyBrno University of TechnologyBrnoCzech Republic
  2. 2.CESNET a.l.e.PragueCzech Republic

Personalised recommendations