Aposemat Attacker IP Prioritization Blacklist

The Attacker IP Prioritization Blacklist, or AIP Blacklist, is a blacklist of IP addresses generated from the attacks made on the honeypots in our IoT lab.

The AIP project was created because in our investigation of botnets we needed a way to look at the thousands of IPs attacking our honeypots and decide quickly which ones are the most active and therefore the most interesting to our different research paths. We were trying to investigate the relationship between organized cyber-crime groups (example: FancyBear) and the rise of the Internet of Things (IoT), and we needed a way to list the IPs we had from most active and likely to be connected to an organized group to least. The plan was to sort the IPs from a statistical point of view, and then compare the rated IPs to our more technical and in depth IP research, which involved using web investigation tools like VirusTotal, PassiveTotal, Shodan, Machinae, Reputation Authority and others. We had a large amount of data, and we wanted a simple way to prioritize which IPs seemed the most interesting.

This gradually grew into a much more ambitious project that aimed at designing a program that could generate this type of list in a more continuous fashion by being constantly fed new data from some source. Now the AIP program is much more advanced, and we will continue to work on modules on updates in the future.

The blacklist that is generated by this program is available here.

There will be a blog posted to this page about how it works for those who may want more information.