IP Mapping with ggplot2

Here’s a quick way to plot AlienVault’s geolocated reputation data on a map.

This bit gets the data:

library(tidyr)
library(dplyr)
library(scales)
library(ggplot2)
library(ggthemes)
library(maps)
library(mapproj)
library(rgdal)

url <- "http://reputation.alienvault.com/reputation.data"
fil <- "reputation.data"

if (!file.exists(fil)) download.file(url, fil)

This bit reads it in and cleans it up a bit:

geo <- read.table("reputation.data", sep="#", 
                  col.names=c("ip", "risk", "rep", "type", "cc", "region", "coords", "n"),
                  stringsAsFactors=FALSE, comment.char="")

geo <- separate(geo, coords, into=c("lat", "lon"), sep=",", convert=TRUE) 

You can see what it looks like:

head(geo)

##                ip risk rep           type cc  region     lat      lon n
## 1  203.121.165.16    6   5            C&C TH         15.0000 100.0000 2
## 2     46.4.123.15    4   2 Malicious Host DE         51.0000   9.0000 3
## 3   61.67.129.145    6   5            C&C TW  Taipei 25.0392 121.5250 2
## 4 222.124.202.178    9   5            C&C ID Jakarta -6.1744 106.8294 2
## 5  62.209.195.186    6   5            C&C CZ Karvina 49.8568  18.5469 2
## 6 210.253.108.243    6   4            C&C JP         35.6900 139.6900 2

This bit aggregates the geolcated data (which shows the imprecision of geolocating IP addresses):

bulk <- count(geo, lon, lat)

This bit reads in the map data and gets it ready to use:

url <- "http://naciscdn.org/naturalearth/110m/cultural/ne_110m_admin_0_countries.zip"
fil <- "ne110.zip"
if (!file.exists(fil)) download.file(url, fil)
unzip(fil, exdir="nearth")

ogrListLayers("nearth/ne_110m_admin_0_countries.shp")

## [1] "ne_110m_admin_0_countries"
## attr(,"driver")
## [1] "ESRI Shapefile"
## attr(,"nlayers")
## [1] 1

world <- readOGR("nearth/ne_110m_admin_0_countries.shp", "ne_110m_admin_0_countries", verbose=FALSE)
world <- subset(world, admin != "Antarctica")

world_map <- fortify(world, region="admin")

This bit makes the map. The circles are click-able and will show the # of IPs that were mapped to that address

gg <- ggplot()
gg <- gg + geom_map(data=world_map, map=world_map,
                    aes(x=long, y=lat, map_id=id),
                    color="#7f7f7f", fill="#eeeeee", size=0.25)
gg <- gg + geom_point(data=bulk, aes(x=lon, y=lat, size=n),
                      color="steelblue", fill="#FFFFFF00", shape=21, alpha=0.75)
gg <- gg + coord_map("gall", lat0=0)
gg <- gg + ggthemes::theme_map()
gg