Dark Reading

Researchers have come up with a new method of blacklisting spam, distributed denial-of-service (DDoS) attacks, worms, and other network attacks that, in part, was inspired by Netflix's movie ratings recommendation system.

The so-called predictive blacklisting method proposed by University of California-Irvine researchers employs a combination of factors to improve blacklisting, such as trends in the times of attacks, geographical locations and IP address blocks, and any "connections" between the attacker and the victim, such as if an attacker had hit a victim's network before.

The blacklisting method "formalizes the blacklisting problem" when it comes to predicting the sources of attacks, says Athina Markopoulou, an assistant professor at UC-Irvine and a member of the research team.

Markopoulou and her team found that their method improves predictive blacklisting, accurately predicting up to 70 percent of attacks. "The hit-count of our combined method improves the hit-count of the state of the art for every single day," she says. "The improvement, depending on the day, is up to 70 percent, and 57 percent on average."

The method draws from Netflix's prediction system for unknown movie ratings, which uses known movie ratings to draw conclusions. "Our prediction system predicts future attackers based on past security logs," Markopoulou says.

Security experts say this new blacklisting method is mainly theoretical at this point -- there's no code or prototype -- but it could ultimately provide a way to minimize spam and other network-borne malicious traffic.

It's unlikely a mathematical algorithm can consistently predict a hacker's activity, says Robert Graham, CEO of Errata Security.

"[The UC-Irvine researchers] are trying to figure out how to find desktops sending out spam and to blacklist them. This is a filtering technique to cut down the noise," Graham says. "The thing is, they're trying to solve, with math, an issue of how people decide to attack the Net...But, ultimately, hackers do weird stuff. They will constantly do things outside the powers of [a mathematical prediction]. It has value in that it could cut down the noise. But you could never eliminate the noise."

Carey Nachenberg, a Symantec fellow for the security technology and response group, says the method basically sends a subset of blacklists to the potential victim versus a universal blacklist. "This is more academic," he says. "We already have blacklists we distribute to customers...it's not a big problem to have a universal blacklist [for anti-spam or IPS]," he contends.

Markopoulou says the method could be applied to security logs gathered by firewalls and IDSes, for instance, and an enterprise could better defend against attacks using this method. "An accurate blacklist predicts the attack sources that will attack the enterprise in the future. The enterprise can use this blacklist to proactively block these sources or to inspect in more detail traffic coming from those sources," she says.

In their paper (PDF), the researchers provide details about their test methodology and the algorithms they deployed. They tested their algorithms using hundreds of millions of logs from hundreds of networks gathered from a one-month period.

Markopoulou says the next step is for the research team to improve the prediction rate of the blacklisting approach. "Second, we want to understand what an attacker could do to evade our prediction method," she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.