For each IP address in the Guardian Intel data set, a classification key is included in the Abusix Visualizer and the Abusix APIs. The following explains how Abusix classifies IPs within the Internet Scanner Intelligence data set.
An IP address earns a malicious classification based on its assigned tags, which reflect observed behaviors detected by Abusix. These tags capture real-world activity, highlighting whether an IP has engaged in suspicious or harmful actions. Certain Abusix tags indicate “malicious” intent, flagging behaviors linked to cyber threats. If an IP address isn’t classified as benign and carries at least one malicious tag, it is officially categorized as malicious, ensuring proactive threat detection and network security.
Traffic flagged as suspicious by Abusix falls in the gray area between benign and outright malicious activity. Unlike random internet background noise, this type of traffic involves systematic probing, scanning, or enumeration, signaling potential reconnaissance efforts. While not an immediate threat, this classification provides valuable contextual intelligence, helping security teams stay ahead of emerging risks without triggering unnecessary alarms.
When Abusix labels traffic as suspicious, it signals potential reconnaissance rather than an immediate threat. This classification is useful for:
• Correlating with other security incidents
• Identifying patterns of behavior over time
• Assessing potential targeted threats
To effectively leverage suspicious traffic data, security teams should:
• Incorporate it into existing investigations
• Analyze it alongside other threat intelligence sources
• Monitor for escalating behavior that may indicate an impending attack
• Cross-reference with targeted traffic reports to identify coordinated efforts
By tracking and contextualizing suspicious activity, organizations can enhance their security posture and proactively mitigate risks.
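The following is an added example, not Abusix code: it applies the classification precedence described above (benign overrides everything, then any malicious tag, then probing activity, else unknown) to constructed per-IP records, and then uses those verdicts to triage a constructed firewall log and surface suspicious sources whose hits keep recurring. The tag names, the record shape and the log format are all assumptions; the page does not publish the real Abusix tag vocabulary.

```python
from collections import defaultdict

# Assumed tag names: the page does not list the real Abusix tag vocabulary.
MALICIOUS_TAGS = {"ssh-bruteforce", "exploit-attempt", "malware-c2"}
SUSPICIOUS_TAGS = {"port-scan", "web-enumeration", "service-probe"}

def classify(record):
    """Apply the stated precedence: benign, then malicious, then suspicious."""
    if record.get("benign"):
        return "benign"          # a benign verdict overrides any tag
    tags = set(record.get("tags", []))
    if tags & MALICIOUS_TAGS:
        return "malicious"       # not benign and at least one malicious tag
    if tags & SUSPICIOUS_TAGS:
        return "suspicious"      # systematic probing without clear intent
    return "unknown"             # scanning seen, no vetted category applies

# Constructed stand-in for per-IP lookups (assumed record shape).
INTEL = {
    "203.0.113.10": {"tags": ["port-scan"]},
    "203.0.113.11": {"tags": ["port-scan", "ssh-bruteforce"]},
    "203.0.113.12": {"tags": ["service-probe"], "benign": True},
}

# Constructed firewall events: (timestamp, source IP, action).
FIREWALL_LOG = [
    ("2024-05-01T10:00Z", "203.0.113.10", "deny"),
    ("2024-05-01T10:05Z", "203.0.113.10", "deny"),
    ("2024-05-01T10:09Z", "203.0.113.10", "deny"),
    ("2024-05-01T11:00Z", "203.0.113.11", "deny"),
    ("2024-05-01T11:30Z", "203.0.113.12", "allow"),
    ("2024-05-01T12:00Z", "198.51.100.7", "allow"),
]

def triage(events, intel=INTEL):
    """Attach the verdict to each non-benign source and count its hits."""
    out = defaultdict(lambda: {"class": "unknown", "hits": 0})
    for _ts, ip, _action in events:
        verdict = classify(intel.get(ip, {}))   # IP not in intel -> unknown
        if verdict == "benign":
            continue                            # vetted benign: drop from review
        out[ip]["class"] = verdict
        out[ip]["hits"] += 1
    return dict(out)

def escalating(summary, threshold=3):
    """Suspicious sources whose repeated hits warrant a closer look."""
    return sorted(ip for ip, s in summary.items()
                  if s["class"] == "suspicious" and s["hits"] >= threshold)
```

Malicious sources are worth acting on at the first hit; the threshold only governs when a merely suspicious source is promoted for review, which is the escalation pattern the guidance above asks teams to watch for.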
IPs that don’t meet the strict criteria for the Malicious or Suspicious classifications are labeled as Unknown. Since the Benign, Malicious, and Suspicious categories each undergo rigorous vetting, any IP engaged in internet scanning or probing but lacking clear intent falls into this Unknown classification. This ensures a balanced approach to threat intelligence, capturing unclassified activity without prematurely categorizing it as harmful.