Scott Register
VP, Product Management

Security through Visibility: The Rap Sheet Database

June 2, 2016 by Scott Register

Adversaries to enterprise IT security continue to pose real and increasingly sophisticated hidden threats. To help customers win this battle, Ixia has maintained a security research team, the Application and Threat Intelligence (ATI) Research Center, for over a decade. We supply security test gear to the world’s leading firewall and IPS vendors. The ATI Research Center conducts analysis of tens of thousands of malware types, communication techniques, and obfuscation methods. But this security research has until recently been available only to equipment manufacturers, but has now been made available to production enterprise networks in the ThreatARMOR product and its Rap Sheet database.

Ixia’s ThreatARMOR, a security performance enhancer which automatically eliminates known bad IP addresses and unwanted geo-location traffic, relies on a database built and maintained by the ATI Research Center. Data is collected from a variety of sources, analyzed, validated, and inserted into the database where it is used to block communications to and from malicious sites. By blocking all communications involving known-bad IP addresses and untrusted countries, ThreatARMOR allows network security tools and operations teams to be much more efficient, enabling them to detect active breaches by screening out the background security noise.

A large number of different raw data feeds of candidate IP addresses are fed into the ATI Research Center’s analytics system, and IP addresses are added to the blocking database only after they have been individually validated by Ixia and found to host malicious activity. These feeds include:

  • Open-source and commercial Threat Intelligence feeds
  • Scanning results
  • Honeypots
  • SPAM
  • Binary analysis
  • Sandboxing

Malicious Activity Documented on “Rap Sheets”

All of the potentially bad IP addresses from these data sources are fed into an analysis engine which finds proof of malicious activity, documents it in the form of Rap Sheets, and continually re-scans the sites to determine if they’ve been cleaned up. Rap Sheets are provided for many different types of malicious site. These currently include:

  • Malware/Virus – a site which is found to be distributing binaries which are found to be malicious by the ATI Research Center
  • Phishing – a site which masquerades as a valid or trusted site, tricking a user into supplying sensitive information or downloading malicious code
  • Botnet – a botnet is an orchestrated army of infected hosts, under the direction of a botnet controller, which leak sensitive data and attack other sites. ThreatARMOR blocks the instructions sent by the botnet controller and outbound data leakage.
  • Exploit – to find companies vulnerable to attack, hackers conduct automated reconnaissance, looking for unpatched or insecure services reachable from the Internet. ThreatARMOR blocks these reconnaissance connections.
  • Hijacked – hijacked IP ranges are stolen from their legitimate owners and used for nefarious purposes.


A Sample Rap Sheet is depicted here.

The Rap Sheets are available for every single IP address in the ThreatARMOR blocking database. This provides 100% assurance that a site is blocked for a valid reason and alleviates any concerns about false positives. By blocking these known-bad sites, ThreatARMOR can significantly reduce the number of attacks confronting next-gen firewalls and IPS/IDS devices, and are responsible for the “alert fatigue” from SIEMs which overwhelms security operations teams and prevents detection of active breaches.

A white paper is available here to learn more about the ATI Research Center and the Rap Sheets.