543 research outputs found

    Internet Protocol Geolocation: Development of a Delay-Based Hybrid Methodology for Locating the Geographic Location of a Network Node

    Internet Protocol Geolocation (IP Geolocation), the process of determining the approximate geographic location of an IP addressable node, has proven useful in a wide variety of commercial applications. Commercial applications of IP Geolocation include market research, redirection for performance enhancement, restricting content, and combating fraud. Potential military applications include securing remote access via geographic authentication, intelligence collection, and cyber attack attribution. IP Geolocation methods can be divided into three basic categories based upon what information is used to determine the geographic location of the given IP address: 1) information contained in databases, 2) information that is leaked during connections with the IP of interest, and 3) network-based routing and timing information. This thesis focuses upon an analysis in the third category: delay-based methods. Specifically, a comparative analysis of the three existing delay-based IP Geolocation methods, Upperbound Multilateration (UBM), Constraint Based Geolocation (CBG), and Time to Location Heuristic (TTLH), is conducted. Based upon analysis of the results, a new hybrid methodology is proposed that combines the three existing methods to improve the accuracy when conducting IP Geolocation. Simulation results showed that the new hybrid methodology TTLH method improved the success rate from 80.15% to 91.66% when compared to the shotgun TTLH method.

    IP Geolocation in Metropolitan Areas

    In this thesis, we propose a robust methodology to geolocate a target IP address in a metropolitan area. We model the problem as a Pattern Recognition problem and present algorithms that can extract patterns and match them for inferring the geographic location of the target's IP address. The first algorithm is a relatively non-invasive method called Pattern Based Geolocation (PBG), which models the distribution of Round Trip Times (RTTs) to a target and matches them to that of the nearby landmarks to deduce the target's location. PBG builds Probability Mass Functions (PMFs) to model the distribution of RTTs. For comparing PMFs, we propose a novel 'Shifted Symmetrized Divergence' distance metric, which is a modified form of Kullback-Leibler divergence. It is symmetric as well as invariant to shifts. The PBG algorithm works in almost stealth mode and leaves an almost undetectable signature in network traffic. The second algorithm, Perturbation Augmented PBG (PAPBG), gives a higher resolution in the location estimate using additional perturbation traffic. The goal of this algorithm is to induce a stronger signature of background traffic in the vicinity of the target, and then detect it in the RTT sequences collected. At the cost of being intrusive, this algorithm improves the resolution of PBG by approximately 20-40%. We evaluate the performance of PBG and PAPBG on real data collected from 20 machines distributed over the 700-square-mile Washington-Baltimore metropolitan area. We compare the performance of the proposed algorithms with existing measurement-based geolocation techniques. Our experiments show that PBG shows marked improvements over current techniques and can geolocate a target IP address to within 2-4 miles of its actual location. By sending additional traffic in the network, PAPBG improves the resolution to within 1-3 miles.

    Smartphone-based geolocation of Internet hosts

    The location of Internet hosts is frequently used in distributed applications and networking services. Examples include customized advertising, distribution of content, and position-based security. Unfortunately, the relationship between an IP address and its position is in general very weak. This motivates the study of measurement-based IP geolocation techniques, where the position of the target host is actively estimated using the delays between a number of landmarks and the target itself. This paper discusses an IP geolocation method based on crowdsourcing where the smartphones of users operate as landmarks. Since smartphones rely on wireless connections, a specific delay-distance model was derived to capture the characteristics of this novel operating scenario.

    METROPOLITAN AREA NETWORK IP GEOLOCATION THROUGH WAVELET TECHNIQUES

    IP geolocation is the process of finding the geographic locations of Internet hosts. We will focus on Internet hosts in a metropolitan area network (MAN). The Internet hosts will be under the same Internet service provider (ISP). Machines in close geographic distance will share almost identical network infrastructure due to having the same ISP. We propose two MAN IP geolocation techniques that are based on wavelets, i.e. wavelet density estimation and wavelet time-frequency analysis. Wavelet density estimation looks for similarity among RTT distributions of nearby machines. To achieve this, wavelet density estimation utilizes wavelets as an orthonormal basis in L2(R) to construct estimated probability density functions (pdfs) of RTT distributions. A symmetrized version of Kullback-Leibler divergence is devised to measure the similarity between two estimated pdfs. The second technique, wavelet time-frequency analysis, explores a common pattern in frequency content evolutions over time of the RTT sequences of nearby machines. Wavelet time-frequency analysis employs wavelets to analyze frequency contents of RTT sequences over short time intervals. Sudden rises of frequency content in RTT sequences can then be detected. We evaluate the performance of these two MAN IP geolocation techniques with data sets collected from our testbed. With these data sets, we analyze the effects of RTT sample size, RTT probing rate and landmark distribution on the performance of the techniques.

    Longitudinal Study of an IP Geolocation Database

    IP geolocation - the process of mapping network identifiers to physical locations - has myriad applications. We examine a large collection of snapshots from a popular geolocation database and take a first look at its longitudinal properties. We define metrics of IP geo-persistence, prevalence, coverage, and movement, and analyse 10 years of geolocation data at different location granularities. Across different classes of IP addresses, we find that significant location differences can exist even between successive instances of the database - a previously underappreciated source of potential error when using geolocation data: 47% of end users' IP addresses move by more than 40 km in 2019. To assess the sensitivity of research results to the instance of the geo database, we reproduce prior research that depended on geolocation lookups. In this case study, which analyses geolocation database performance on routers, we demonstrate the impact of these temporal effects: median distance from ground truth shifted from 167 km to 40 km when using a snapshot two months apart. Based on our findings, we make recommendations for best practices when using geolocation databases in order to best encourage reproducibility and sound measurement.
    Comment: Technical Report related to a paper that appeared in the Network Traffic Measurement and Analysis Conference (TMA 2021)