Attacks/Breaches
8/28/2009
03:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Filtering Network Attacks With A 'Netflix' Method

University of California at Irvine researchers devise new model for blacklisting network attackers

Researchers have come up with a new method of blacklisting spam, distributed denial-of-service (DDoS) attacks, worms, and other network attacks that, in part, was inspired by Netflix's movie ratings recommendation system.

The so-called predictive blacklisting method proposed by University of California-Irvine researchers employs a combination of factors to improve blacklisting, such as trends in the times of attacks, geographical locations and IP address blocks, and any "connections" between the attacker and the victim, such as if an attacker had hit a victim's network before.

The blacklisting method "formalizes the blacklisting problem" when it comes to predicting the sources of attacks, says Athina Markopoulou, an assistant professor at UC-Irvine and a member of the research team.

Markopoulou and her team found that their method improves predictive blacklisting, accurately predicting up to 70 percent of attacks. "The hit-count of our combined method improves the hit-count of the state of the art for every single day," she says. "The improvement, depending on the day, is up to 70 percent, and 57 percent on average."

The method draws from Netflix's prediction system for unknown movie ratings, which uses known movie ratings to draw conclusions. "Our prediction system predicts future attackers based on past security logs," Markopoulou says.

Security experts say this new blacklisting method is mainly theoretical at this point -- there's no code or prototype -- but it could ultimately provide a way to minimize spam and other network-borne malicious traffic.

It's unlikely a mathematical algorithm can consistently predict a hacker's activity, says Robert Graham, CEO of Errata Security.

"[The UC-Irvine researchers] are trying to figure out how to find desktops sending out spam and to blacklist them. This is a filtering technique to cut down the noise," Graham says. "The thing is, they're trying to solve, with math, an issue of how people decide to attack the Net...But, ultimately, hackers do weird stuff. They will constantly do things outside the powers of [a mathematical prediction]. It has value in that it could cut down the noise. But you could never eliminate the noise."

Carey Nachenberg, a Symantec fellow for the security technology and response group, says the method basically sends a subset of blacklists to the potential victim versus a universal blacklist. "This is more academic," he says. "We already have blacklists we distribute to customers...it's not a big problem to have a universal blacklist [for anti-spam or IPS]," he contends.

Markopoulou says the method could be applied to security logs gathered by firewalls and IDSes, for instance, and an enterprise could better defend against attacks using this method. "An accurate blacklist predicts the attack sources that will attack the enterprise in the future. The enterprise can use this blacklist to proactively block these sources or to inspect in more detail traffic coming from those sources," she says.

In their paper (PDF), the researchers provide details about their test methodology and the algorithms they deployed. They tested their algorithms using hundreds of millions of logs from hundreds of networks gathered from a one-month period.

Markopoulou says the next step is for the research team to improve the prediction rate of the blacklisting approach. "Second, we want to understand what an attacker could do to evade our prediction method," she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.