Detecting VPNs/proxies by analyzing their attack patterns over time
10-16, 11:30–11:50 (Europe/Luxembourg), Salle Europe

At Crowdsec we receive a lot of signals of users detecting attacks using our open source intrusion prevention system. We used these signals to detect whether attackers are behind anonymization services such as proxies or VPNs. We show that by monitoring changes in attack behavior over time we can reliably detect proxies and VPNs and use this data to improve our threat intelligence.

Crowdsec is an open source intrusion detection system which uses a crowdsourcing approach to collect threat intelligence from the community and to return a distilled version of the resulting data as an ip blocklist that is relevant and up to date to the community.
Recently, we have started improving our threat intelligence by enriching it with various additional information on malicious ips. One of these projects involved setting up a machine learning system that detects whether a given attacker is using an anonymization service such as a proxy or a vpn. In this talk we show:
* How we define attack patterns for each ip
* How we monitor the evolution of attack patterns over time and how we can use this to detect anonymization.

We also present other findings that we discovered on the way and hope that our results could help threat researchers even if they don't have access to data as exhaustive as the crowdsec CTI.

My name is Emanuel Seemann and I have been working as a Data Scientist at Crowdsec since 2022.
I have a degree in pure mathematics from ETH Zürich and got into programming by writing minecraft mods as a kid. Since then I have been hacking away at various coding projects in a variety of different languages. When I'm not behind my computer you can sometimes find me on the lake in a sailing boat.

This speaker also appears in: