aip
The Attacker IP Prioritizer(AIP) dynamically generates resource-friendly IPv4 blocklists from Zeek network flows.
Science Score: 44.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
✓CITATION.cff file
Found CITATION.cff file -
✓codemeta.json file
Found codemeta.json file -
✓.zenodo.json file
Found .zenodo.json file -
○DOI references
-
○Academic publication links
-
○Academic email domains
-
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (8.5%) to scientific vocabulary
Keywords
Repository
The Attacker IP Prioritizer(AIP) dynamically generates resource-friendly IPv4 blocklists from Zeek network flows.
Basic Info
- Host: GitHub
- Owner: stratosphereips
- License: gpl-3.0
- Language: Python
- Default Branch: main
- Homepage: https://www.stratosphereips.org
- Size: 121 MB
Statistics
- Stars: 30
- Watchers: 4
- Forks: 9
- Open Issues: 17
- Releases: 2
Topics
Metadata Files
README.md
Attacker IP Prioritization (AIP) Tool
The Attacker IP Prioritization (AIP) is a tool to generate efficient and economic IP blocklists based on network traffic captured from honeypot networks.
With the advent of 5G, IoT devices are directly connected often without firewall protection. Therefore we need blocklists that are small, efficient and economic. The AIP structure is shown below.

AIP Models
Each AIP model generates its own blocklist based on a specific criteria. The main models are:
- Prioritize New (PN)
- Focuses on IPs that are new or have not been seen frequently in previous data.
- Useful to identify emerging attackers that are starting to target a network.
- Prioritize Consistent (PC)
- Focuses on IPs that have consistently attacked over time in previous data.
- Useful to identify persistent attackers that continuously target a network.
- Alpha
- Provides a baseline identifying all attackers seen in the last 24 hours.
- Useful to compare the effectiveness of other models.
- Alpha7
- Provides a baseline identifying all attackers seen in the last 7 days.
- Useful to further compare the effectiveness of other models.
- Random Forest
- Focuses on IPs that are more likely to attack in the future.
- A more experimental approach to increase blocklist efficiency.
AIP Docker
The best way to run AIP right now is using Docker.
Usage
AIP will automatically attempt to run all the models using the available data. Assuming the Zeek data is located in its usual location:
bash
:~$ cd AIP
:~$ docker run --rm -v /opt/zeek/logs/:/home/aip/AIP/data/raw:ro -v ${PWD}/data/:/home/aip/AIP/data/:rw --name aip stratosphereips/aip:latest bin/aip
To run AIP for a specific day:
bash
:~$ cd AIP
:~$ docker run --rm -v /opt/zeek/logs/:/home/aip/AIP/data/raw:ro -v ${PWD}/data/:/home/aip/AIP/data/:rw --name aip stratosphereips/aip:latest bin/aip YYYY-MM-DD
License
The Stratosphere AIP tool is licensed under GNU General Public License v3.0.
About
This tool was developed at the Stratosphere Laboratory at the Czech Technical University in Prague. This is part of the Stratosphere blocklist generation project.
This tool was originally born from the bachelor thesis of Thomas O'Hara, The Attacker IP Prioritizer: An IoT Optimized Blacklisting Algorithm (2021).
Owner
- Name: Stratosphere IPS
- Login: stratosphereips
- Kind: organization
- Location: Prague
- Website: https://www.stratosphereips.org
- Twitter: StratosphereIPS
- Repositories: 25
- Profile: https://github.com/stratosphereips
Cybersecurity Research Laboratory at the Czech Technical University in Prague. Creators of Slips, a free software machine learning-based behavioral IDS/IPS.
Citation (CITATION.cff)
cff-version: 1.2.0
title: "Stratosphere AIP: Attacker IP Prioritizer"
message: 'If you use this software, please cite it as specified below.'
url: "https://github.com/stratosphereips/AIP"
type: software
authors:
- given-names: Thomas
family-names: O'Hara
- given-names: Joaquin
family-names: Bogado
orcid: 'https://orcid.org/0000-0001-9491-5698'
- given-names: Veronica
family-names: Valeros
email: valerver@fel.cvut.cz
affiliation: >-
Stratosphere Laboratory, AIC, FEL, Czech
Technical University in Prague
orcid: 'https://orcid.org/0000-0003-2554-3231'
- given-names: Sebastian
family-names: Garcia
email: garciseb@fel.cvut.cz
affiliation: >-
Stratosphere Laboratory, AIC, FEL, Czech
Technical University in Prague
orcid: 'https://orcid.org/0000-0001-6238-9910'
GitHub Events
Total
- Create event: 21
- Release event: 2
- Issues event: 41
- Watch event: 4
- Delete event: 29
- Issue comment event: 27
- Push event: 46
- Pull request event: 39
Last Year
- Create event: 21
- Release event: 2
- Issues event: 41
- Watch event: 4
- Delete event: 29
- Issue comment event: 27
- Push event: 46
- Pull request event: 39
Dependencies
- click
- git
- joblib
- matplotlib
- pandas
- pathlib
- pip
- pytest
- python
- python-dotenv
- maxminddb ==2.2.0
- netaddr ==0.8.0
- maxminddb ==2.2.0
- netaddr ==0.8.0
- ipython *
- maxminddb ==2.2.0
- netaddr ==0.8.0
- sklearn *
- maxminddb *
- netaddr *
- ubuntu focal build