Slashdot Mirror


Researchers Create Highly Predictive Blacklists

Grablets writes "Using a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that rethinks the way network blacklists are formulated and distributed. The service, called Highly Predictive Blacklisting, exploits the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future. A free experimental version is currently available."

2 of 71 comments

  1. Not really that "predictive". by khasim · Score: 4, Informative

    They take X firewall logs ...

    Then they look for matches in attacking IP addresses between the logs ...

    And if any IP addresses appear in log A (which is very similar to log B) ... then those IP addresses are "predicted" as being possible to attack the firewall from which log B was obtained.

    Logical - yes.
    Predictive - no.

    1. Re:Not really that "predictive". by elnico · Score: 5, Informative

      Logical - yes.
      Predictive - no.

      So if this isn't predictive, what is? Would you rather they develop an algorithm that identifies blacklist-worthy addresses before they make their first attack?

      The application of this algorithm actually seems pretty clever. It captures the fact that "true" attackers mostly attack "true" (that is, weak or high-profile) targets, whereas those targets are mostly attacked by "true" attackers. Thus some isolated attack by a never-before-detected attacker on a never-before-attacked target has very little predictive potential in the eyes of the algorithm, whereas even just a few attacks by a never-before-seen attacker on several oft-attacked targets raises a huge red flag.
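A toy illustration of the idea the two comments argue about, added here and not code from SANS/SRI's service: victim networks are scored as "similar" by how many attacking IPs their logs share, and an attacker that several of a victim's similar peers have seen gets a high predicted-risk score for that victim even though it has not hit that victim yet. The firewall logs, network names and IPs are constructed sample data, and the single-step similarity weighting is an assumed simplification of the PageRank-style propagation the summary mentions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample firewall logs: victim network -> set of attacking source IPs.
# net_D has seen one attacker that nobody else has (the "isolated attack" case).
LOGS = {
    "net_A": {"198.51.100.7", "198.51.100.9", "203.0.113.20"},
    "net_B": {"198.51.100.7", "198.51.100.9", "203.0.113.21"},
    "net_C": {"198.51.100.7", "203.0.113.22"},
    "net_D": {"192.0.2.5"},
}


def jaccard(a, b):
    """Overlap of two attacker sets as a fraction of their union (0.0 .. 1.0)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def victim_similarity(logs):
    """Pairwise similarity between victims: how much of their attacker sets overlap."""
    sim = defaultdict(dict)
    for v1, v2 in combinations(logs, 2):
        s = jaccard(logs[v1], logs[v2])
        sim[v1][v2] = s
        sim[v2][v1] = s
    return sim


def predicted_blacklist(logs, victim, sim=None):
    """Score each attacker NOT yet seen by `victim` by the similarity-weighted
    number of other victims that did see it. Attackers whose only victims are
    unrelated to `victim` score 0 and are dropped, so an isolated attack on an
    isolated target predicts nothing for anyone else."""
    if sim is None:
        sim = victim_similarity(logs)
    scores = defaultdict(float)
    for other, attackers in logs.items():
        if other == victim:
            continue
        for ip in attackers - logs[victim]:
            scores[ip] += sim[victim].get(other, 0.0)
    ranked = [(ip, s) for ip, s in scores.items() if s > 0]
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for net in LOGS:
        print(net, predicted_blacklist(LOGS, net))
```

For net_A the list is 203.0.113.21 (seen by net_B, similarity 0.5) ahead of 203.0.113.22 (seen by net_C, similarity 0.25), while 192.0.2.5 never appears on anyone's predicted list.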