Attacks/Breaches
8/28/2009
03:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Filtering Network Attacks With A 'Netflix' Method

University of California at Irvine researchers devise new model for blacklisting network attackers

Researchers have come up with a new method of blacklisting spam, distributed denial-of-service (DDoS) attacks, worms, and other network attacks that, in part, was inspired by Netflix's movie ratings recommendation system.

The so-called predictive blacklisting method proposed by University of California-Irvine researchers employs a combination of factors to improve blacklisting, such as trends in the times of attacks, geographical locations and IP address blocks, and any "connections" between the attacker and the victim, such as if an attacker had hit a victim's network before.

The blacklisting method "formalizes the blacklisting problem" when it comes to predicting the sources of attacks, says Athina Markopoulou, an assistant professor at UC-Irvine and a member of the research team.

Markopoulou and her team found that their method improves predictive blacklisting, accurately predicting up to 70 percent of attacks. "The hit-count of our combined method improves the hit-count of the state of the art for every single day," she says. "The improvement, depending on the day, is up to 70 percent, and 57 percent on average."

The method draws from Netflix's prediction system for unknown movie ratings, which uses known movie ratings to draw conclusions. "Our prediction system predicts future attackers based on past security logs," Markopoulou says.

Security experts say this new blacklisting method is mainly theoretical at this point -- there's no code or prototype -- but it could ultimately provide a way to minimize spam and other network-borne malicious traffic.

It's unlikely a mathematical algorithm can consistently predict a hacker's activity, says Robert Graham, CEO of Errata Security.

"[The UC-Irvine researchers] are trying to figure out how to find desktops sending out spam and to blacklist them. This is a filtering technique to cut down the noise," Graham says. "The thing is, they're trying to solve, with math, an issue of how people decide to attack the Net...But, ultimately, hackers do weird stuff. They will constantly do things outside the powers of [a mathematical prediction]. It has value in that it could cut down the noise. But you could never eliminate the noise."

Carey Nachenberg, a Symantec fellow for the security technology and response group, says the method basically sends a subset of blacklists to the potential victim versus a universal blacklist. "This is more academic," he says. "We already have blacklists we distribute to customers...it's not a big problem to have a universal blacklist [for anti-spam or IPS]," he contends.

Markopoulou says the method could be applied to security logs gathered by firewalls and IDSes, for instance, and an enterprise could better defend against attacks using this method. "An accurate blacklist predicts the attack sources that will attack the enterprise in the future. The enterprise can use this blacklist to proactively block these sources or to inspect in more detail traffic coming from those sources," she says.

In their paper (PDF), the researchers provide details about their test methodology and the algorithms they deployed. They tested their algorithms using hundreds of millions of logs from hundreds of networks gathered from a one-month period.

Markopoulou says the next step is for the research team to improve the prediction rate of the blacklisting approach. "Second, we want to understand what an attacker could do to evade our prediction method," she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web