Researchers unveiled a new approach to Internet blacklisting that promises to protect corporate networks from malicious
attackers better than traditional blacklist methods.
The service, called highly predictive blacklisting (HPB), was introduced at the USENIX Security Symposium in San Jose by Jian Zhang, Phillip Porras, program director at SRI International, and Johannes Ullrich, chief research officer at the SANS Institute.
Blacklisting is a long-time Internet defensive practice to protect networks, but the researchers said their system uses a novel technique to fortify firewalls with more relevant attack data. "Our intent is to yield individualized blacklists that not only produce significantly higher hit rates, but that also incorporate source addresses that pose the greatest potential threat," the researchers wrote.
At USENIX the researchers discussed the results of testing the system last year, using more than 700 million log entries produced by the DShield data center, a large-scale security log sharing project operated by the SANS Institute's Internet Storm Center.
Traditional blacklists fall into two categories, Porras said in a phone interview. There are blacklists generated from large-scale alert repositories, which consist of the top Internet offenders, while a local blacklist is based solely on an individual network's activity. Local blacklists don't give organizations the ability to be proactive because they only capture attackers that have pounded the local network. Global lists give a company the ability to spot a potential attack source, but sometimes the company doesn't encounter those sources, said Porras.
"In reality, those lists have a fairly low probability of success. They won't provide you with proactive protection in practice," Porras said. "We want a system that can recognize attackers before they can saturate the Internet. We want to give you the ability to incorporate bad actors even if you've never seen them before."
Highly predictive blacklists use a link analysis algorithm similar to Google's PageRank system to produce customized blacklists for DShield contributors. By comparing contributors' firewall logs and searching for overlap, HPBs rank each attacker based on an estimation of the probability that the attacker will hit the contributor's network in the future.
"We call networks that share significant attacker overlap correlated victims," Zhang, a developer of the algorithm, said in a prepared statement. "We have demonstrated that we can exploit the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future."
HPBs incorporate automated log pre-filtering to remove unreliable alert data and a severity analysis phase that examines the degree to which an attacker's alerts match those of common malware propagation patterns.
Testing results showed that for more than 80 %of DShield contributors, HPBs showed higher hit counts, or attack sources that were actually encountered during a multiday testing window compared to global and local blacklists, the researchers wrote in their paper.