Article code | Journal code | Publication year | English article | Full-text version
429810 | 687684 | 2014 | 18-page PDF | Free download
English title of the ISI article
Estimating the number of hosts corresponding to an intrusion alert while preserving privacy
Related topics
Engineering and basic sciences; Computer engineering; Computational theory and mathematics
English abstract


• We develop a probabilistic model of host-to-address bindings.
• We apply this model to intrusion alerts and ping responses.
• We estimate that more than 80% of malicious addresses are dynamic.
• We conclude that such aliasing renders static blacklisting ineffective.

An inherent feature of IP addresses is the aliasing that arises due to dynamic address allocation. This creates a significant barrier to the estimation of the malicious host population from a set of intrusion alerts. In this paper, we propose a method for estimating the number of malicious hosts that may have bound to an alerted address, based on the correlation of different data sets that were collected independently and a probabilistic model of host-to-address bindings. We analysed a two-week trace of real-world intrusion alerts along with a global survey of ping responses, and inferred that over 80% of malicious addresses were bound to multiple hosts. Such aliasing effects highlight the inaccuracy of assuming static bindings between hosts and addresses when exact host identification is not possible due to privacy protection. However, our method demonstrates that reliable inferences can still be made when a sufficient overlap exists between the correlated data sets.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Computer and System Sciences - Volume 80, Issue 3, May 2014, Pages 502–519