Effective granularity in Internet badhood detection: Detection rate, Precision and Implementation performance

Author(s): Davanian, Ali (2017)

Abstract:
New malicious nodes appear on the Internet every day. Previous studies have shown that these nodes are not randomly distributed across the Internet; much like the high density of criminal activity in real-world bad neighborhoods, there exist Internet bad neighborhoods. Two common features used to draw local network boundaries within the Internet, and hence to identify bad neighborhoods, are the fixed /24 IP prefix and the dynamic Border Gateway Protocol (BGP) IP prefix. The main difference between these two features is the size of the underlying neighborhood and hence the granularity at which malicious activity is measured. In this study, by analyzing a dataset of Command and Control servers and botnets, we show that the BGP prefix is preferable for identifying bad neighborhoods because it offers an 8% better detection rate in identifying new malicious nodes.
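The abstract contrasts two aggregation keys for building a badhood list: the fixed /24 prefix and the announced BGP prefix. The following added example (not code from the thesis) makes that comparison concrete: known-bad IPs are aggregated under each key, and the resulting badhoods are scored on how many previously unseen bad IPs they catch (detection rate) and on how much address space they flag (a proxy for precision, since every flagged address is a potential false positive). The BGP table and all IP addresses are constructed sample values, and the numbers they produce illustrate the mechanics only; they are not the thesis's 8% result.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Set

# Constructed, assumed BGP-style routing table (not from the thesis). Note the
# /22 that is coarser than /24 and the two /25s that are finer than /24.
BGP_TABLE = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",
    "198.51.100.0/22",
    "192.0.2.0/25",
    "192.0.2.128/25",
    "10.10.0.0/16",
)]

# Constructed sample reputation data: IPs already known to be malicious, and
# IPs that only show up later and should ideally be caught by the badhoods.
KNOWN_BAD = ["198.51.100.7", "198.51.100.200", "203.0.113.9",
             "192.0.2.10", "10.10.5.5"]
NEW_BAD = ["198.51.100.250", "198.51.103.3", "203.0.113.77",
           "192.0.2.200", "10.10.9.1", "172.16.0.1"]

Network = ipaddress.IPv4Network
KeyFn = Callable[[str], Optional[Network]]


def slash24(ip: str) -> Network:
    """Fixed-granularity key: the /24 containing the address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def bgp_prefix(ip: str) -> Optional[Network]:
    """Dynamic-granularity key: longest matching prefix in the BGP table,
    or None when the address is not covered by any announced prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in BGP_TABLE:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def build_badhoods(known_bad: Iterable[str], key: KeyFn) -> Set[Network]:
    """Aggregate known-bad addresses into neighborhoods under the given key."""
    hoods = set()
    for ip in known_bad:
        net = key(ip)
        if net is not None:          # unrouted addresses form no neighborhood
            hoods.add(net)
    return hoods


def detection_rate(badhoods: Set[Network], new_bad: Iterable[str], key: KeyFn) -> float:
    """Fraction of previously unseen bad IPs that fall inside a flagged neighborhood."""
    new_bad = list(new_bad)
    hits = sum(1 for ip in new_bad if key(ip) in badhoods)
    return hits / len(new_bad)


def flagged_addresses(badhoods: Set[Network]) -> int:
    """Total address space flagged; a larger value means more room for false positives."""
    return sum(net.num_addresses for net in badhoods)


def compare(known_bad=KNOWN_BAD, new_bad=NEW_BAD) -> dict:
    """Score both aggregation features on the same data."""
    result = {}
    for name, key in (("/24", slash24), ("bgp", bgp_prefix)):
        hoods = build_badhoods(known_bad, key)
        result[name] = {
            "neighborhoods": len(hoods),
            "detection_rate": detection_rate(hoods, new_bad, key),
            "flagged_addresses": flagged_addresses(hoods),
        }
    return result


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:>4}: {stats}")
```

On the constructed data the BGP key catches more of the new bad IPs because the /22 absorbs a sibling /24, but it also flags far more address space through the /16, and the /25 split shows that BGP granularity can also be finer than /24. Both effects are what the detection-rate versus precision trade-off in the title refers to; the real dataset in the thesis is what decides which way it nets out.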

Document(s):

Comparison of IP reputation aggregation features.pdf