Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/28/2009
03:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Filtering Network Attacks With A 'Netflix' Method

University of California at Irvine researchers devise new model for blacklisting network attackers

Researchers have come up with a new method of blacklisting spam, distributed denial-of-service (DDoS) attacks, worms, and other network attacks that, in part, was inspired by Netflix's movie ratings recommendation system.

The so-called predictive blacklisting method proposed by University of California-Irvine researchers employs a combination of factors to improve blacklisting, such as trends in the times of attacks, geographical locations and IP address blocks, and any "connections" between the attacker and the victim, such as if an attacker had hit a victim's network before.

The blacklisting method "formalizes the blacklisting problem" when it comes to predicting the sources of attacks, says Athina Markopoulou, an assistant professor at UC-Irvine and a member of the research team.

Markopoulou and her team found that their method improves predictive blacklisting, accurately predicting up to 70 percent of attacks. "The hit-count of our combined method improves the hit-count of the state of the art for every single day," she says. "The improvement, depending on the day, is up to 70 percent, and 57 percent on average."

The method draws from Netflix's prediction system for unknown movie ratings, which uses known movie ratings to draw conclusions. "Our prediction system predicts future attackers based on past security logs," Markopoulou says.

Security experts say this new blacklisting method is mainly theoretical at this point -- there's no code or prototype -- but it could ultimately provide a way to minimize spam and other network-borne malicious traffic.

It's unlikely a mathematical algorithm can consistently predict a hacker's activity, says Robert Graham, CEO of Errata Security.

"[The UC-Irvine researchers] are trying to figure out how to find desktops sending out spam and to blacklist them. This is a filtering technique to cut down the noise," Graham says. "The thing is, they're trying to solve, with math, an issue of how people decide to attack the Net...But, ultimately, hackers do weird stuff. They will constantly do things outside the powers of [a mathematical prediction]. It has value in that it could cut down the noise. But you could never eliminate the noise."

Carey Nachenberg, a Symantec fellow for the security technology and response group, says the method basically sends a subset of blacklists to the potential victim versus a universal blacklist. "This is more academic," he says. "We already have blacklists we distribute to customers...it's not a big problem to have a universal blacklist [for anti-spam or IPS]," he contends.

Markopoulou says the method could be applied to security logs gathered by firewalls and IDSes, for instance, and an enterprise could better defend against attacks using this method. "An accurate blacklist predicts the attack sources that will attack the enterprise in the future. The enterprise can use this blacklist to proactively block these sources or to inspect in more detail traffic coming from those sources," she says.

In their paper (PDF), the researchers provide details about their test methodology and the algorithms they deployed. They tested their algorithms using hundreds of millions of logs from hundreds of networks gathered from a one-month period.

Markopoulou says the next step is for the research team to improve the prediction rate of the blacklisting approach. "Second, we want to understand what an attacker could do to evade our prediction method," she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4306
PUBLISHED: 2020-05-29
IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 17...
CVE-2020-4352
PUBLISHED: 2020-05-29
IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when running in restricted mode. IBM X-Force ID: 178427.
CVE-2020-4490
PUBLISHED: 2020-05-29
IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a vitcim to a phishing site. IBM X-Force ID: 18...
CVE-2020-5572
PUBLISHED: 2020-05-29
Android App 'Mailwise for Android' 1.0.0 to 1.0.1 allows an attacker to obtain credential information registered in the product via unspecified vectors.
CVE-2020-5573
PUBLISHED: 2020-05-29
Android App 'kintone mobile for Android' 1.0.0 to 2.5 allows an attacker to obtain credential information registered in the product via unspecified vectors.