Researchers reveal new blacklisting method

Marcia Savage

Researchers unveiled a new approach to Internet blacklisting that promises to protect corporate networks from malicious attackers better than traditional blacklist methods.

The service, called highly predictive blacklisting (HPB), was introduced at the USENIX Security Symposium in San Jose by Jian Zhang, Phillip Porras, program director at SRI International, and Johannes Ullrich, chief research officer at the SANS Institute.

Blacklisting is a long-time Internet defensive practice to protect networks, but the researchers said their system uses a novel technique to fortify firewalls with more relevant attack data. "Our intent is to yield individualized blacklists that not only produce significantly higher hit rates, but that also incorporate source addresses that pose the greatest potential threat," the researchers wrote.

At USENIX the researchers discussed the results of testing the system last year, using more than 700 million log entries produced by the DShield data center, a large-scale security log sharing project operated by the SANS Institute's Internet Storm Center.

Traditional blacklists fall into two categories, Porras said in a phone interview. There are blacklists generated from large-scale alert repositories, which consist of the top Internet offenders, while a local blacklist is based solely on an individual network's activity. Local blacklists don't give organizations the ability to be proactive because they only capture attackers that have pounded the local network. Global lists give a company the ability to spot a potential attack source, but sometimes the company doesn't encounter those sources, said Porras.

"In reality, those lists have a fairly low probability of success. They won't provide you with proactive protection in practice," Porras said. "We want a system that can recognize attackers before they can saturate the Internet. We want to give you the ability to incorporate bad actors even if you've never seen them before."

Highly predictive blacklists use a link analysis algorithm similar to Google's PageRank system to produce customized blacklists for DShield contributors. By comparing contributors' firewall logs and searching for overlap, HPBs rank each attacker based on an estimation of the probability that the attacker will hit the contributor's network in the future.

"We call networks that share significant attacker overlap correlated victims," Zhang, a developer of the algorithm, said in a prepared statement. "We have demonstrated that we can exploit the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future."

HPBs incorporate automated log pre-filtering to remove unreliable alert data and a severity analysis phase that examines the degree to which an attacker's alerts match those of common malware propagation patterns.
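A simplified illustration of the correlated-victim ranking described above, added here and not the researchers' code: it builds a correlation graph from how many attacker sources pairs of contributors share, runs a personalized PageRank-style propagation seeded at one contributor, and scores sources that contributor has not yet seen by the relevance of the victims that did. The contributor names, log pairs and damping value are constructed assumptions, and the pre-filtering and severity stages are not modelled.

```python
from collections import defaultdict

# Constructed sample (contributor network, attacker source) pairs: made-up values, not DShield data.
SAMPLE_LOGS = [
    ("netA", "10.0.0.1"), ("netA", "10.0.0.2"), ("netA", "10.0.0.3"),
    ("netB", "10.0.0.1"), ("netB", "10.0.0.2"), ("netB", "10.0.0.9"),
    ("netC", "10.0.0.1"), ("netC", "10.0.0.7"),
    ("netD", "10.0.0.5"), ("netD", "10.0.0.6"),
]

def build_victim_sets(logs):
    """Map each contributor to the set of attacker sources it reported."""
    seen = defaultdict(set)
    for contributor, source in logs:
        seen[contributor].add(source)
    return dict(seen)

def victim_correlation(victim_sets):
    """Edge weight between two contributors = number of attacker sources both reported."""
    corr = {n: {} for n in victim_sets}
    nets = list(victim_sets)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            overlap = len(victim_sets[a] & victim_sets[b])
            if overlap:
                corr[a][b] = corr[b][a] = overlap
    return corr

def relevance_scores(target, victim_sets, damping=0.85, iterations=50):
    """Personalized PageRank seeded at the target: mass flows along correlation edges by weight,
    and a (1 - damping) share restarts at the target each round."""
    corr = victim_correlation(victim_sets)
    rank = {n: float(n == target) for n in victim_sets}
    for _ in range(iterations):
        new = {n: (1 - damping) * float(n == target) for n in victim_sets}
        for n, r in rank.items():
            total = sum(corr[n].values())
            if total == 0:  # victim correlated with nobody: hand its mass back to the target
                new[target] += damping * r
            for m, w in corr[n].items():
                new[m] += damping * r * w / total
        rank = new
    return rank

def predictive_blacklist(target, logs, size=10):
    """Rank sources the target has not seen yet by the relevance of the victims that did."""
    victim_sets = build_victim_sets(logs)
    rank = relevance_scores(target, victim_sets)
    scores = defaultdict(float)
    for net, sources in victim_sets.items():
        for src in sources - victim_sets[target]:
            scores[src] += rank[net]
    return sorted((s for s in scores if scores[s] > 0), key=lambda s: (-scores[s], s))[:size]
```

For netA, the source reported only by netB (which shares two attackers with netA) outranks the one reported only by netC (one shared attacker), and netD's sources are dropped because it shares nothing with anyone.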

Testing results showed that for more than 80% of DShield contributors, HPBs produced higher hit counts (attack sources that were actually encountered during a multi-day testing window) than global and local blacklists, the researchers wrote in their paper.

