TK researchers, in collaboration with partners from the University of Maryland, Hasso Plattner Institute and CAIDA, had their paper accepted at this year's NDSS Symposium. It is a known problem that IP addresses are a poor long-term identifier, as they are frequently reassigned by ISPs. Consequently, counting bot infections based on IP addresses, which are often the only available identifier, can be highly inaccurate. To address this, the high-level idea of our paper is to leverage knowledge about IP assignment durations, e.g., IPs are reassigned every 24h, to estimate the number of bots. In this oversimplified scenario, this allows us to determine that seven IP addresses observed over seven days are likely just one bot. For more details and how it works in practice, check out our paper or reach out to us.
Leon Böck, Dave Levin, Ramakrishna Padmanabhan, Christian Doerr, and Max Mühlhäuser. 2023. How to Count Bots in Longitudinal Datasets of IP Addresses. In 30th Annual Network and Distributed System Security Symposium (NDSS) 2023 [to appear].
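The oversimplified 24h scenario above can be worked through in code. The following is an added illustration, not the paper's method or code: it assumes every IP is reassigned at fixed, aligned 24h boundaries and that bots persist over the whole observation period, and all function names and sample sightings are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

START = datetime(2023, 1, 1, tzinfo=timezone.utc)  # constructed start of the dataset
DAY = timedelta(hours=24)  # assumed assignment duration, from the 24h example

def naive_count(observations):
    """Baseline: treat every distinct IP as a separate bot."""
    return len({ip for _, ip in observations})

def distinct_ips_per_window(observations, duration, start):
    """Bucket (timestamp, ip) sightings into assignment windows of length
    `duration` beginning at `start`; returns {window index: set of IPs}."""
    windows = defaultdict(set)
    for seen_at, ip in observations:
        if seen_at < start:
            raise ValueError("observation precedes the first window")
        windows[(seen_at - start) // duration].add(ip)
    return dict(windows)

def estimate_bots(observations, duration, start):
    """Assumption: a bot holds exactly one IP per window, so the distinct
    IPs in one window equal the bots active in it. With persistent bots,
    the busiest window gives the population estimate."""
    windows = distinct_ips_per_window(observations, duration, start)
    return max((len(ips) for ips in windows.values()), default=0)

def sample_observations():
    """Constructed sightings: bot A is seen twice a day for seven days,
    bot B once a day for the first five; both get a new IP every 24h."""
    obs = []
    for day in range(7):
        ip_a = f"198.51.100.{10 + day}"  # documentation range, constructed
        obs.append((START + day * DAY + timedelta(hours=3), ip_a))
        obs.append((START + day * DAY + timedelta(hours=20), ip_a))
        if day < 5:
            ip_b = f"203.0.113.{50 + day}"  # documentation range, constructed
            obs.append((START + day * DAY + timedelta(hours=11), ip_b))
    return obs

if __name__ == "__main__":
    obs = sample_observations()
    print("naive IP count:", naive_count(obs))
    print("duration-aware estimate:", estimate_bots(obs, DAY, START))
```

Real assignment durations vary by ISP and are not aligned to a common boundary, which is why this only matches the oversimplified scenario.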