Internet background radiation (IBR) is a type of unproductive traffic which has been used for years in the network security and management fields. Traditionally, IBR can be obtained by darknets. Nevertheless, the deployment of darknets typically requires large dark address blocks which are hard to acquire and also potentially detectable and avoidable. To address the issue, this article proposes an algorithm to extract IBR from raw traffic in live networks. The algorithm is based on the notions of grey spaces, one-way flows and behavior learning and has a better performance than previous work. On one hand, the algorithm obtains IBR destined to both inactive addresses and active addresses, resulting a lower missing rate compared with algorithms based on inactive addresses. On the other hand, the algorithm employs a behavior learning mechanism. Although the metric "recall" decreases slightly, "precision" increases from about 93% to above 99% in contrast to algorithms based on one-way flows. After applying the algorithm to a live network consisting of about 1.28 million IP addresses, the study analyzes the extracted IBR from several aspects. Results show that more than 70% of the inbound flows are IBR flows in the past two years' data samples and this should draw enough attention from related research. Finally, several cases suggest the important role the live networks' IBR traffic plays in the network security and management fields.