Highly Predictive Blacklisting

;login:(2008)

Citations: 237

Abstract
The notion of blacklisting communication sources has been a well-established defensive measure since the origins of the Internet community. In particular, the practice of compiling and sharing lists of the worst offenders of unwanted traffic is a blacklisting strategy that has remained virtually unquestioned over many years. But do the individuals who incorporate such blacklists into their perimeter defenses benefit from the blacklisting contents as much as they could from other list-generation strategies? In this paper, we will argue that there exist better alternative blacklist generation strategies that can produce higher-quality results for an individual network. In particular, we introduce a blacklisting system based on a relevance ranking scheme borrowed from the link-analysis community. The system produces customized blacklists for individuals who choose to contribute data to a centralized log-sharing infrastructure. The ranking scheme measures how closely related an attack source is to a contributor, using that attacker's history and the contributor's recent log production patterns. The blacklisting system also integrates substantive log prefiltering and a severity metric that captures the degree to which an attacker's alert patterns match those of common malware-propagation behavior. Our intent is to yield individualized blacklists that not only produce significantly higher hit rates, but that also incorporate source addresses that pose the greatest potential threat. We tested our scheme on a corpus of over 700 million log entries produced from the DShield data center, and the result shows that our blacklists not only enhance hit counts but also can proactively incorporate attacker addresses in a timely fashion. An early form of our system has been fielded to DShield contributors over the last year.
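To make the contrast between a global "worst offender" list and a relevance-ranked, per-contributor list concrete, here is an added Python example. It is not code from the paper or from DShield: the abstract only says the ranking is borrowed from link analysis and relates an attacker to a contributor through that attacker's history and the contributor's recent logs, so the scoring below (Jaccard similarity between contributors' attacker sets, then a one-hop sum of similarities for each unseen source) is an assumed simplification. The log entries, contributor names `c1`..`c7` and the `10.0.0.0/8` addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample (not DShield data): (contributor, source address) pairs,
# one per alert the contributor logged in the recent window. Addresses are
# placeholders from the 10.0.0.0/8 range.
SAMPLE_LOGS = [
    ("c1", "10.0.0.1"), ("c1", "10.0.0.2"), ("c1", "10.0.0.3"),
    ("c2", "10.0.0.1"), ("c2", "10.0.0.2"), ("c2", "10.0.0.4"),
    ("c3", "10.0.0.5"), ("c3", "10.0.0.6"), ("c3", "10.0.0.7"),
    ("c4", "10.0.0.5"), ("c4", "10.0.0.6"), ("c4", "10.0.0.8"),
    # A scanner seen by three contributors that share nothing with c1/c2.
    ("c5", "10.0.0.9"), ("c6", "10.0.0.9"), ("c7", "10.0.0.9"),
]


def build_index(logs):
    """Return (contributor -> set of sources, source -> set of contributors)."""
    seen_by = defaultdict(set)
    reporters = defaultdict(set)
    for contributor, source in logs:
        seen_by[contributor].add(source)
        reporters[source].add(contributor)
    return seen_by, reporters


def jaccard(a, b):
    """Overlap of two attacker sets; 0.0 when either set is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def global_ranking(logs, top_n=5):
    """Baseline 'worst offender' list: sources ordered by how many
    contributors reported them, regardless of who is asking."""
    _, reporters = build_index(logs)
    ranked = sorted(reporters.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(who)) for src, who in ranked[:top_n]]


def relevance_ranking(logs, target, top_n=5):
    """Customised list for `target`: each source the target has not yet seen
    is scored by the summed similarity of the contributors who did see it.
    This is an assumed one-hop simplification of a link-analysis relevance
    score, not the paper's algorithm."""
    seen_by, reporters = build_index(logs)
    own = seen_by.get(target, set())
    similarity = {
        other: jaccard(own, sources)
        for other, sources in seen_by.items() if other != target
    }
    scores = {}
    for source, who in reporters.items():
        if source in own:
            continue  # already on the target's own radar
        score = sum(similarity[c] for c in who if c in similarity)
        if score > 0:
            scores[source] = score
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


if __name__ == "__main__":
    print("global :", global_ranking(SAMPLE_LOGS))
    print("for c1 :", relevance_ranking(SAMPLE_LOGS, "c1"))
```

On this data the global list puts `10.0.0.9` first because three contributors reported it, yet that source never touched anyone resembling `c1`; the relevance list for `c1` instead surfaces `10.0.0.4`, which only its closest peer `c2` has seen. That is the hit-rate argument the abstract makes: a list built from a contributor's own neighbourhood predicts what will reach that contributor better than a list of the loudest sources overall.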
Keywords
blacklisting content, ranking scheme measure, substantive log prefiltering, attacker address, blacklisting system, predictive blacklisting, blacklisting strategy, recent log production pattern, relevance ranking scheme, blacklisting communication source, million log entry, pattern matching, data center, link analysis