Understanding Abusix Classifications
For each IP address in the Guardian Intel data set, a classification key is included in the Abusix Visualizer and the Abusix APIs. The following explains how Abusix classifies IPs within the Internet Scanner Intelligence data set.
Classification Criteria
Malicious
An IP address earns a malicious classification based on its assigned tags, which reflect observed behaviors detected by Abusix. These tags capture real-world activity, highlighting whether an IP has engaged in suspicious or harmful actions. Certain Abusix tags indicate “malicious” intent, flagging behaviors linked to cyber threats. If an IP address isn’t classified as benign and carries at least one malicious tag, it is officially categorized as malicious, ensuring proactive threat detection and network security.
Suspicious
Traffic flagged as suspicious by Abusix falls in the gray area between benign and outright malicious activity. Unlike random internet background noise, this type of traffic involves systematic probing, scanning, or enumeration, signaling potential reconnaissance efforts. While not an immediate threat, this classification provides valuable contextual intelligence, helping security teams stay ahead of emerging risks without triggering unnecessary alarms.
Characteristics of Suspicious Traffic
Suspicious traffic indicates reconnaissance activity that may precede an attack. Common behaviors include:
- Targeted scanning for vulnerabilities without active exploitation, such as port scans
- Unsolicited connection attempts from unidentified sources
- Service enumeration using debug parameters
- Attempts to discover remote access points
- Traffic from unknown IPs not associated with legitimate scanning services
**Abusix Additionally Scrutinize These Behaviors **
- The abuse contact associated with the IP is not valid/usable
- A couple of misconfigurations that signal potential for spam (newly observed IPs, invalid return-path, hitting “recycled” spamtraps)
Investigation Context
When Abusix labels traffic as suspicious, it signals potential reconnaissance rather than an immediate threat. This classification is useful for:
• Correlating with other security incidents
• Identifying patterns of behavior over time
• Assessing potential targeted threats
Usage Guidelines for Security Teams
To effectively leverage suspicious traffic data, security teams should:
• Incorporate it into existing investigations
• Analyze it alongside other threat intelligence sources
• Monitor for escalating behavior that may indicate an impending attack
• Cross-reference with targeted traffic reports to identify coordinated efforts
By tracking and contextualizing suspicious activity, organizations can enhance their security posture and proactively mitigate risks.
Unknown
IPs that don’t meet the strict criteria for Malicious or Suspicious classifications are labeled as Unknown. Since the first three categories undergo rigorous vetting, any IP engaged in internet scanning or probing but lacking clear intent falls into this Unknown classification. This ensures a balanced approach to threat intelligence, capturing unclassified activity without prematurely categorizing it as harmful.