Beneath the Facade of IP Leasing: Graph-Based Approach for Identifying Malicious IP Blocks

With the depletion of IPv4 address resources, the prevalence of IPv4 address leasing services by hosting providers has surged. These services allow users to rent IP blocks, offering an affordable and flexible solution compared to traditional IP address allocation. Unfortunately, this convenience has led to an increase in abuse, with illegal users renting IP blocks to host malicious content such as phishing sites and spam services. To mitigate the issue of IP abuse, some research focuses on individual IP identification for point-wise blacklisting. However, this approach leads to a game of whack-a-mole, where blacklisted IPs become transient due to content migration within the IP block. Other studies take a block perspective, recognizing and classifying IP blocks. This enables the discovery of potentially malicious IPs within the block, effectively countering service migration issues. However, existing IP block identification methods face challenges as they rely on specific WHOIS fields, which are sometimes not updated in real-time, leading to inaccuracies. In terms of classification, methods rely on limited statistical features, overlooking vital relationships between IP blocks, making them susceptible to evasion. To address these challenges, we propose BlockFinder, a two-stage framework. The first stage leverages the temporal and spatial stability of services to identify blocks of varying sizes. In the second stage, we introduce an innovative IP block classification model that integrates global node and local subgraph representations to comprehensively learn the graph structure, thereby enhancing evasion difficulty. Experimental results show that our approach achieves state-of-the-art performance.