Attacks/Breaches
8/28/2009
03:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Filtering Network Attacks With A 'Netflix' Method

University of California at Irvine researchers devise new model for blacklisting network attackers

Researchers have come up with a new method of blacklisting spam, distributed denial-of-service (DDoS) attacks, worms, and other network attacks that, in part, was inspired by Netflix's movie ratings recommendation system.

The so-called predictive blacklisting method proposed by University of California-Irvine researchers employs a combination of factors to improve blacklisting, such as trends in the times of attacks, geographical locations and IP address blocks, and any "connections" between the attacker and the victim, such as if an attacker had hit a victim's network before.

The blacklisting method "formalizes the blacklisting problem" when it comes to predicting the sources of attacks, says Athina Markopoulou, an assistant professor at UC-Irvine and a member of the research team.

Markopoulou and her team found that their method improves predictive blacklisting, accurately predicting up to 70 percent of attacks. "The hit-count of our combined method improves the hit-count of the state of the art for every single day," she says. "The improvement, depending on the day, is up to 70 percent, and 57 percent on average."

The method draws from Netflix's prediction system for unknown movie ratings, which uses known movie ratings to draw conclusions. "Our prediction system predicts future attackers based on past security logs," Markopoulou says.

Security experts say this new blacklisting method is mainly theoretical at this point -- there's no code or prototype -- but it could ultimately provide a way to minimize spam and other network-borne malicious traffic.

It's unlikely a mathematical algorithm can consistently predict a hacker's activity, says Robert Graham, CEO of Errata Security.

"[The UC-Irvine researchers] are trying to figure out how to find desktops sending out spam and to blacklist them. This is a filtering technique to cut down the noise," Graham says. "The thing is, they're trying to solve, with math, an issue of how people decide to attack the Net...But, ultimately, hackers do weird stuff. They will constantly do things outside the powers of [a mathematical prediction]. It has value in that it could cut down the noise. But you could never eliminate the noise."

Carey Nachenberg, a Symantec fellow for the security technology and response group, says the method basically sends a subset of blacklists to the potential victim versus a universal blacklist. "This is more academic," he says. "We already have blacklists we distribute to customers...it's not a big problem to have a universal blacklist [for anti-spam or IPS]," he contends.

Markopoulou says the method could be applied to security logs gathered by firewalls and IDSes, for instance, and an enterprise could better defend against attacks using this method. "An accurate blacklist predicts the attack sources that will attack the enterprise in the future. The enterprise can use this blacklist to proactively block these sources or to inspect in more detail traffic coming from those sources," she says.

In their paper (PDF), the researchers provide details about their test methodology and the algorithms they deployed. They tested their algorithms using hundreds of millions of logs from hundreds of networks gathered from a one-month period.

Markopoulou says the next step is for the research team to improve the prediction rate of the blacklisting approach. "Second, we want to understand what an attacker could do to evade our prediction method," she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

CVE-2014-9197
Published: 2015-01-27
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

CVE-2014-9198
Published: 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

CVE-2014-9646
Published: 2015-01-27
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.