Visual-Interactive Identification of Anomalous IP-Block Behavior Using Geo-IP Data

Routing of network packets from one computer to another is the backbone of the internet and impacts the everyday life of many people. Although, this is a fully automated process it has many security issues. IP hijacks and misconfigurations occur very often and are difficult to detect. In the past visual analytics approaches aimed at detecting these phenomenons but only a few of these integrated geographical references. Geo-IP data is being used mostly as a lookup table which is an undervaluation of its capabilities. In this paper we present a visual-interactive system which only relies on Geo-IP data to create more awareness for this data source. We show that looking at Geo-IP data over time in combination with owner and location information of IP blocks already reveals suspicious cases. Together with our design study we also contribute a pre-processing algorithm for the Maxmind GeoIP2 City and ISP databases, to motivate the community to integrate this data source in future approaches.