Data and methodology

Multiple viewpoints, one analyst-ready picture.

IPContext combines observed activity, network metadata and historical changes to help explain what has been seen from an IP address and how that behaviour compares with nearby infrastructure.

H

Honeypots

A distributed honeypot network across universities, ISPs, hosting providers and data centres is planned to show where activity is being observed and whether it correlates across environments.

B

BGP and location

Routing and location data can provide ownership, network, ASN and change context. Where changes are seen, the platform aims to make them visible rather than hiding them behind a static label.

S

Subnet context

Analysts often need to know whether one IP is unusual or part of a wider range of similar activity. Subnet-level grouping helps answer that question.

Residential pooling model

Residential IP addressing can make attribution and location difficult. The research goal is to provide better context than a single city-level geolocation lookup by monitoring hostnames and grouping stable patterns over time.

The model is expected to group observations into /24 networks, measure how long hostnames remain in consistent bands, and expose confidence rather than pretending the answer is perfect.

Research note

Methods will evolve

Different ISPs and countries assign residential IPs in different ways. Some allocations are stable, some rotate frequently, and some vary by product. IPContext will document methodology and update it as testing improves.

What the event trail should show

The snapshot is only useful when the underlying evidence is visible.

Observation time

When the activity was seen, including enough detail to separate current behaviour from stale history.

Activity type

Scanning, authentication attempts, DHT participation, service probing or other event categories.

Sensor context

Whether observations came from data centre, ISP, university or other sensor environments.

Correlation

Whether activity was isolated to one viewpoint or present across multiple honeypots and networks.

Provide data to IPContext.io

If you operate a honeypot, data centre, ISP network, research sensor or other useful source of IP activity, IPContext would like to hear from you. The aim is to make useful context available to as many defenders and researchers as possible while preserving source clarity and data quality.