If you are a Criminal IP and Splunk user, here’s good news! The Criminal IP Splunk integrated app, which connects the dashboard of the log analysis platform Splunk with the Criminal IP FDS (Fraud Detection System) API, has been released.

You can now download Criminal IP FDS from Splunkbase and monitor real-time logs of fraudulent transactions and abusive users on your enterprise services from the Splunk dashboard.

Criminal IP Splunk Integrated App Released on Splunkbase

What is FDS (Fraud Detection System)?

FDS stands for Fraud Detection System, which is a security system that blocks malicious activity and identifies users who attempt fraudulent transactions based on abnormal payment patterns.

This means that the system is capable of identifying users who access services with malicious intent. FDS aims to protect services and users during everyday activities such as logging in, subscribing, or making financial transactions.

IP Intelligence Makes Criminal IP FDS Different

FDS needs to be able to detect malicious users and activities in real time. However, the existing FDS detection process has a number of issues.

Issues With the Existing FDS 

  1. Building FDS requires a vast number of logs.
  2. Many companies do not have a system for recording logs themselves.
  3. Log analysis and learning take a long time.

FDS That Applies IP Intelligence 

To compensate for the aforementioned FDS issues, Criminal IP FDS proposed a method that applies IP intelligence to the detection process. Malicious users connect and commit abuse through infected IP addresses or through IP addresses used to bypass restrictions, such as VPNs and proxies. Therefore, the maliciousness of a user attempting to pay or log in can be determined from the single source IP address of that attempt, without the complex log analysis required by traditional FDS. In fact, Criminal IP FDS makes the same or more detections than analyzing the entire activity log, in a much shorter period of time.

The Following Shows How Criminal IP Identifies Malicious Users

For example, suppose a user attempts to bypass network controls by connecting through a VPN IP address. When this user accesses a service with Criminal IP FDS integrated, the network security device automatically calls the Criminal IP API. If the API identifies the IP as a VPN IP, the result is returned to the network security device, where it can be used to block the user’s connection.
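The decision step in the walkthrough above (lookup result comes back, connection is blocked or allowed) can be written down as a small policy. The following is an added example, not the Criminal IP app’s own code: it assumes the API result has already been reduced to the two fields the article describes, `ip_score` (a label such as "Moderate", "Dangerous" or "Critical") and `tag_category` (a comma-separated list drawn from the tag list later in the article). The block/review/allow split, and sending an attempt to review when the lookup itself fails, are design choices made for this example.

```python
"""Gate a login or payment attempt on a Criminal IP FDS lookup result.

Added example, not the Criminal IP app's own code.  The field names
ip_score and tag_category and the tag values come from the article; the
policy below is a design choice for this example.
"""
from dataclasses import dataclass, field

# Tags that call for blocking in this example: the article's walkthrough blocks a
# VPN IP; Tor and proxy IPs hide their origin the same way, and "snort" marks an
# address Snort already judged malicious.
BLOCK_TAGS = {"vpn", "tor", "proxy", "snort"}
# Tags that point to infrastructure rather than a person: worth a second look
# before blocking, since hosting and scanner ranges also carry legitimate automation.
REVIEW_TAGS = {"scanner", "hosting"}
# Score labels the article counts as detections ("critical or dangerous score").
HIGH_RISK_SCORES = {"Critical", "Dangerous"}


@dataclass
class Decision:
    action: str                                  # "block", "review" or "allow"
    reasons: list = field(default_factory=list)


def parse_tags(tag_category):
    """Turn the tag_category string ("mobile, vpn") into a lowercase set."""
    return {t.strip().lower() for t in (tag_category or "").split(",") if t.strip()}


def decide(lookup):
    """Map one FDS lookup result to an action for the access attempt.

    `lookup` is None when the API could not be reached; the attempt then goes
    to review instead of being silently allowed or blocked.
    """
    if lookup is None:
        return Decision("review", ["lookup unavailable"])

    tags = parse_tags(lookup.get("tag_category"))
    score = lookup.get("ip_score", "")
    reasons = []

    if score in HIGH_RISK_SCORES:
        reasons.append(f"ip_score={score}")
    blocking = tags & BLOCK_TAGS
    if blocking:
        reasons.append("tags: " + ", ".join(sorted(blocking)))
    if reasons:
        return Decision("block", reasons)

    suspicious = tags & REVIEW_TAGS
    if suspicious:
        return Decision("review", ["infrastructure tags: " + ", ".join(sorted(suspicious))])

    # A bare "mobile" tag is a carrier address, not evidence of fraud by itself.
    return Decision("allow")


if __name__ == "__main__":
    # The article's own sample record first, then constructed variations
    # using RFC 5737 documentation addresses.
    samples = [
        {"IP": "223.38.40.211", "ip_score": "Moderate", "tag_category": "mobile, vpn"},
        {"IP": "198.51.100.7", "ip_score": "Critical", "tag_category": ""},
        {"IP": "203.0.113.25", "ip_score": "Moderate", "tag_category": "hosting"},
        {"IP": "192.0.2.44", "ip_score": "Moderate", "tag_category": "mobile"},
        None,
    ]
    for s in samples:
        d = decide(s)
        print((s or {}).get("IP", "n/a"), d.action, "; ".join(d.reasons))
```

The reasons list is what you would write to the Splunk log next to the action, so that a blocked login can later be traced back to the exact tag or score that triggered it.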

Criminal IP FDS Malicious User Identification Process

FDS Real-Time Monitoring Through Criminal IP, Splunk Integrated App

Splunk is software that searches, monitors, and analyzes big data through a web interface. The Criminal IP Splunk integrated app lets you see, immediately and in real time, the log status of malicious users detected on your services.

Number of Detected IP and Location Information Per Day

  • Today Query Count: Number of queries requested by users (the graph below shows how it changes over time)
  • Today Total Detection: Number of IPs detected as VPN, Tor, Scanner, Hosting or Proxy IPs, or given a critical or dangerous score
  • Country: Per-country statistics of detected IPs
  • Query IP World Map: Location information of detected IPs
Criminal IP FDS Monitoring Screen on the Splunk Dashboard, Showing the Number of Detected IPs and Their Location Information Per Day

Risks and Details of Connected and Malicious IPs

  • Score Table: Table showing the score, count, and percentage of detected IPs
  • IP Score: Pie chart of detected IPs by score
  • IP Status: Number and percentage of detected IP addresses that have been blacklisted
  • Top 10 AS_Name: Top 10 AS names of the IP addresses that accessed the system within a given period
  • Top 10 Dirty IP: List of the top 10 abnormal IP addresses that accessed the system at least three times in a given period
  • Dirty IP Detection: Complete list of details of IP addresses considered threats within a given period
Criminal IP FDS Monitoring Screen on the Splunk Dashboard, Showing the Risk of Connected IPs and Details of Malicious IPs

Filtered Information About Accessed IP

  • Search Table: Provides a complete list of details of all detected IP addresses over a set period, allowing filtered searches using category and keywords
Monitoring Screen of the Criminal IP Splunk Integrated App, Showing Filtered Information About Accessed IPs
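The panel definitions in the three dashboard sections above are plain aggregations over the app’s log records, so they can be reproduced outside Splunk for checking or alerting. The following is an added example, not the Criminal IP app’s own code: it recomputes the daily counts, the detection rule from Today Total Detection, the country and AS statistics, the Score Table, the Top 10 Dirty IP list with its minimum of three accesses, and a keyword filter in the spirit of the Search Table, over newline-delimited JSON records in the field layout the download steps show. The first record is the article’s own sample; the others are constructed, using RFC 5737 documentation addresses and placeholder country and AS names.

```python
"""Recompute the Criminal IP FDS dashboard panels from the app's JSON log lines.

Added example, not the Criminal IP app's own code.  Records use the field
layout shown in the article (datetime, ip_score, IP, country, as_name, mobile,
tag_category, ip_category).  All records after the first are constructed.
"""
import json
from collections import Counter

# Today Total Detection rule from the article: a VPN, Tor, Scanner, Hosting or
# Proxy IP, or an IP given a critical or dangerous score.
DETECTION_TAGS = {"vpn", "tor", "scanner", "hosting", "proxy"}
DETECTION_SCORES = {"Critical", "Dangerous"}

# One JSON object per line.  Line 1 is the article's sample record; the rest are
# constructed (RFC 5737 addresses, placeholder country and AS names).
SAMPLE_LOG = """\
{"datetime": "2022-09-28 13:46:34", "ip_score": "Moderate", "IP": "223.38.40.211", "country": "Korea", "as_name": "SK Telecom", "mobile": true, "tag_category": "mobile, vpn", "ip_category": "ddos (Medium), tor"}
{"datetime": "2022-09-28 09:00:01", "ip_score": "Critical", "IP": "198.51.100.7", "country": "Example Country A", "as_name": "Example Hosting AS", "mobile": false, "tag_category": "hosting, scanner", "ip_category": ""}
{"datetime": "2022-09-28 09:00:05", "ip_score": "Critical", "IP": "198.51.100.7", "country": "Example Country A", "as_name": "Example Hosting AS", "mobile": false, "tag_category": "hosting, scanner", "ip_category": ""}
{"datetime": "2022-09-28 09:00:09", "ip_score": "Critical", "IP": "198.51.100.7", "country": "Example Country A", "as_name": "Example Hosting AS", "mobile": false, "tag_category": "hosting, scanner", "ip_category": ""}
{"datetime": "2022-09-28 10:15:00", "ip_score": "Moderate", "IP": "203.0.113.25", "country": "Example Country B", "as_name": "Example ISP AS", "mobile": false, "tag_category": "", "ip_category": ""}
{"datetime": "2022-09-28 11:30:00", "ip_score": "Dangerous", "IP": "192.0.2.44", "country": "Example Country A", "as_name": "Example Proxy AS", "mobile": false, "tag_category": "proxy", "ip_category": ""}
{"datetime": "2022-09-28 12:00:00", "ip_score": "Moderate", "IP": "203.0.113.25", "country": "Example Country B", "as_name": "Example ISP AS", "mobile": false, "tag_category": "", "ip_category": ""}
{"datetime": "2022-09-27 23:59:00", "ip_score": "Dangerous", "IP": "192.0.2.44", "country": "Example Country A", "as_name": "Example Proxy AS", "mobile": false, "tag_category": "proxy", "ip_category": ""}
"""


def load_records(ndjson_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def tags_of(record):
    """Split the comma-separated tag_category field into a lowercase set."""
    return {t.strip().lower() for t in record.get("tag_category", "").split(",") if t.strip()}


def is_detection(record):
    """Apply the Today Total Detection rule to one record."""
    return bool(tags_of(record) & DETECTION_TAGS) or record.get("ip_score") in DETECTION_SCORES


def records_for_day(records, day):
    """Keep the records whose datetime field starts with the YYYY-MM-DD day."""
    return [r for r in records if r["datetime"].startswith(day)]


def today_query_count(day_records):
    """Today Query Count: every lookup logged on the day."""
    return len(day_records)


def today_total_detection(day_records):
    """Today Total Detection: distinct IPs that matched the detection rule."""
    return len({r["IP"] for r in day_records if is_detection(r)})


def country_stats(day_records):
    """Country panel: distinct detected IPs per country."""
    seen = {(r["country"], r["IP"]) for r in day_records if is_detection(r)}
    return Counter(country for country, _ in seen)


def score_table(day_records):
    """Score Table: score -> (count, percentage of the day's queries, 1 decimal)."""
    counts = Counter(r["ip_score"] for r in day_records)
    total = sum(counts.values()) or 1
    return {score: (n, round(100.0 * n / total, 1)) for score, n in counts.items()}


def top_as_names(day_records, n=10):
    """Top 10 AS_Name: most frequent AS names across all accesses."""
    return Counter(r["as_name"] for r in day_records).most_common(n)


def top_dirty_ips(day_records, n=10, min_hits=3):
    """Top 10 Dirty IP: detected IPs seen at least min_hits times, most frequent first."""
    hits = Counter(r["IP"] for r in day_records if is_detection(r))
    return [(ip, c) for ip, c in hits.most_common() if c >= min_hits][:n]


def search_table(day_records, field_name, keyword):
    """Search Table filter: records whose field contains the keyword (case-insensitive)."""
    needle = keyword.lower()
    return [r for r in day_records if needle in str(r.get(field_name, "")).lower()]


if __name__ == "__main__":
    day = records_for_day(load_records(SAMPLE_LOG), "2022-09-28")
    print("queries:", today_query_count(day), "detections:", today_total_detection(day))
    print("countries:", dict(country_stats(day)))
    print("scores:", score_table(day))
    print("top AS:", top_as_names(day))
    print("dirty IPs:", top_dirty_ips(day))
```

Note that Today Total Detection counts distinct IPs while Today Query Count counts lookups, so a single abusive address hitting the service repeatedly raises the first number by one and the second by the number of attempts; the Top 10 Dirty IP panel is where that repetition becomes visible.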

Splunk Dashboard and Criminal IP Search Engine Interconnected

Clicking a detected IP address in the Criminal IP Splunk integrated app opens the details of that IP address on Criminal IP’s page. In addition, each IP address is assigned tags based on Criminal IP’s IP intelligence database; clicking a tag takes you to the corresponding keyword search on Criminal IP.

List of Tags Provided:

  • mobile: Mobile IP address
  • snort: IP address determined to be malicious by Snort
  • vpn: VPN IP address
  • tor: Tor IP address
  • scanner: Scanner IP address
  • hosting: Hosting IP address
  • proxy: Proxy IP address

How to Download Criminal IP, Splunk Integrated App

  1. Download Criminal IP FDS from Splunkbase.
  2. Restart Splunk when the ‘Restart’ message comes up.
  3. Create an ‘idx_cip_fds’ index.
  4. Go to https://www.criminalip.io/, create an account, and create an API key.
  5. Call the Criminal IP API and write the results to a log file in JSON format, for example:
    • {"datetime": "2022-09-28 13:46:34", "ip_score": "Moderate", "IP": "223.38.40.211", "country": "Korea", "as_name": "SK Telecom", "mobile": true, "tag_category": "mobile, vpn", "ip_category": "ddos (Medium), tor"}
    • Detailed User Guide: Criminal IP FDS Usage Guide.pdf
    • GitHub link: https://github.com/criminalip/CIP-FDS
  6. Check Criminal IP FDS on the dashboard.
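Step 5 is the part you implement yourself, and the record layout it shows is what the dashboard panels depend on. The following is an added example of producing that log file, not the CIP-FDS project’s own code: `lookup` stands for the values you have already extracted from a Criminal IP API response, and its keys (`score_label`, `country`, `as_name`, `is_mobile`, `tags`, `categories`) are names chosen for this example, not the API’s field names. Only the output field names, their order, and the timestamp format are taken from the sample record above; the constructed `SAMPLE_LOOKUP` reproduces that record. The validation step rejects the two mistakes that most often break ingestion into an index like idx_cip_fds: `mobile` written as the string "true" instead of a JSON boolean, and a timestamp in a different format.

```python
"""Produce Criminal IP FDS log records in the JSON layout shown in step 5.

Added example, not the CIP-FDS project's own code.  The lookup keys
(score_label, country, as_name, is_mobile, tags, categories) are names
chosen for this example, not the API's field names.  Only the output field
names, their order and the timestamp format come from the article.
"""
import json
import tempfile
from datetime import datetime
from pathlib import Path

# Output fields, in the order used by the article's sample record.
LOG_FIELDS = ("datetime", "ip_score", "IP", "country", "as_name",
              "mobile", "tag_category", "ip_category")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed lookup that reproduces the article's sample record.
SAMPLE_LOOKUP = {
    "score_label": "Moderate", "country": "Korea", "as_name": "SK Telecom",
    "is_mobile": True, "tags": ["mobile", "vpn"], "categories": ["ddos (Medium)", "tor"],
}


def build_fds_record(ip, lookup, when=None):
    """Assemble one log record; `when` defaults to the current local time."""
    when = when or datetime.now()
    return {
        "datetime": when.strftime(TIME_FORMAT),
        "ip_score": lookup["score_label"],
        "IP": ip,
        "country": lookup.get("country", ""),
        "as_name": lookup.get("as_name", ""),
        "mobile": bool(lookup.get("is_mobile", False)),   # JSON true/false, not a string
        "tag_category": ", ".join(lookup.get("tags", [])),
        "ip_category": ", ".join(lookup.get("categories", [])),
    }


def validate_record(record):
    """Raise ValueError for a record that deviates from the expected layout."""
    missing = [k for k in LOG_FIELDS if k not in record]
    extra = sorted(set(record) - set(LOG_FIELDS))
    if missing or extra:
        raise ValueError(f"missing={missing} extra={extra}")
    if not isinstance(record["mobile"], bool):
        raise ValueError("mobile must be a JSON boolean")
    datetime.strptime(record["datetime"], TIME_FORMAT)  # raises ValueError on a bad timestamp
    return record


def is_valid_record(record):
    """True when validate_record accepts the record."""
    try:
        validate_record(record)
        return True
    except ValueError:
        return False


def append_record(log_path, record):
    """Append the record as exactly one JSON line and return that line."""
    line = json.dumps(validate_record(record), ensure_ascii=False)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def sample_record():
    """The article's sample record, rebuilt from SAMPLE_LOOKUP."""
    return build_fds_record("223.38.40.211", SAMPLE_LOOKUP,
                            datetime(2022, 9, 28, 13, 46, 34))


def demo(log_path=None):
    """Write the sample record to a log file and read it back one line at a time."""
    log_path = Path(log_path) if log_path else Path(tempfile.mkdtemp()) / "cip_fds.json"
    line = append_record(log_path, sample_record())
    loaded = [json.loads(l) for l in log_path.read_text(encoding="utf-8").splitlines()]
    return line, loaded


if __name__ == "__main__":
    print(demo()[0])
```

Point a Splunk file monitor at the resulting file with the idx_cip_fds index; because every record is a single line, a partially written line at the end of the file is the only state a reader can be left in, and appending with a newline terminator keeps the next record intact.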

If you have any questions about how to use or download the Criminal IP FDS Splunk app, please do not hesitate to contact us at support@aispera.com.
To find out more about detecting malicious users and network intruders with the Criminal IP API, please refer to our article VPN Detection: Finding Unwelcomed Guests on Your Network.


Source: Criminal IP (https://www.criminalip.io)
