Janeja, Vandana; Sainani, Henanksha
2021-01-29
2021-01-29
2018-01-01
11871
http://hdl.handle.net/11603/20743

We propose a novel approach to assess the reputation of an IP address in network usage data by augmenting the network features with meta-features such as geospatial knowledge. While there is abundant literature on geospatial data mining, limited attention is given to geolocation in the realm of cybersecurity applications. We present experimental results that highlight the importance of geospatial knowledge in augmenting network anomalies and compare several traditional clustering methods with a clustering technique called unified clustering, which overcomes the problems of using both continuous and categorical attributes in clustering. Thus, the contributions of this paper are threefold. First, we show that combining traditional network observables with geospatial observables yields a more robust and unique IP reputation scoring model. Second, this study provides an empirical validation of applying the unified clustering approach to data with heterogeneous attributes in the cybersecurity domain to obtain better, well-formed clusters. Third, we have devised a reputation scoring model for an IP address by applying unified clustering to a combined dataset that encompasses network and geospatial information. This research study has implications for anomaly detection in cybersecurity applications, especially when there is limited information about the network session or a lack of historical data for the network observables.

application:pdf
clustering; cybersecurity; geographical context; IP address score; IP reputation; situational awareness
IP REPUTATION SCORING - A PERSPECTIVE ON CLUSTERING WITH META-FEATURES AUGMENTATION
Text