Slashdot Mirror


Researchers Create Highly Predictive Blacklists

Grablets writes "Using a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that rethinks the way network blacklists are formulated and distributed. The service, called Highly Predictive Blacklisting, exploits the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future. A free experimental version is currently available."
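The idea in the summary above, as an added sketch that is not part of the original post and is not the SANS/SRI service's code: networks whose logs share attack sources are treated as correlated, and each sighting is propagated along those correlations to score sources a network has not yet seen. The sample data, function names, normalisation, and the `alpha` and `rounds` parameters are assumptions made for illustration.

```python
# Constructed sample: contributor network -> attack sources in its logs
# (addresses taken from the RFC 5737 documentation ranges).
REPORTS = {
    "netA": {"192.0.2.1", "192.0.2.2", "192.0.2.3"},
    "netB": {"192.0.2.2", "192.0.2.3", "198.51.100.7"},
    "netC": {"203.0.113.9"},
    "netD": {"203.0.113.9", "203.0.113.10"},
}

def correlation(reports):
    """W[i][j]: share of j's attack sources that were also seen by i."""
    return {i: {j: (len(reports[i] & reports[j]) / len(reports[j])
                    if i != j and reports[j] else 0.0)
                for j in reports}
            for i in reports}

def relevance(reports, alpha=0.5, rounds=5):
    """scores[victim][source]: sightings propagated over W (assumed scheme)."""
    w = correlation(reports)
    victims = list(reports)
    scores = {v: {} for v in victims}
    for src in set().union(*reports.values()):
        # b marks which networks actually reported this source
        b = {v: float(src in reports[v]) for v in victims}
        r = dict.fromkeys(victims, 0.0)
        for _ in range(rounds):
            # Each round carries the sightings one hop further, damped by alpha
            r = {i: alpha * sum(w[i][j] * (b[j] + r[j]) for j in victims)
                 for i in victims}
        for v in victims:
            scores[v][src] = r[v]
    return scores

def predicted_blacklist(reports, victim, size=3):
    """Highest-scoring sources the victim has not reported itself."""
    scores = relevance(reports)[victim]
    unseen = [s for s in scores
              if s not in reports[victim] and scores[s] > 0]
    return sorted(unseen, key=lambda s: (-scores[s], s))[:size]

if __name__ == "__main__":
    for net in REPORTS:
        print(net, predicted_blacklist(REPORTS, net))
```

Sources reported only by uncorrelated networks score exactly zero, so netA's list never picks up what only netC and netD have seen.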

10 of 71 comments

  1. Re:Not really that "predictive". by twatter · · Score: 4, Insightful

    I agree, but the key here is to ensure that there are no false positives, which have been traditionally the biggest problem with blacklists.

    If they figure that out, I don't care what kind of statistical approach they are using, as long as it works.

    I think someone from MIT (maybe three or four years ago during the height of the problems with Spamhaus?) tried this before, but I don't remember if it got anywhere. Maybe this is an offshoot from that.

    In the meantime... SpamAssassin with whitelists, which is the best of worse worlds.

  2. Hmm... by FlyingSquidStudios · · Score: 3, Insightful

    This sounds ripe for abuse. For example, a heavy censorship nation like China could use this to block critical sites that they claim are 'attacking' them far more efficiently than their current human-based censoring.

    1. Re:Hmm... by tukang · · Score: 2, Insightful

      This sounds ripe for abuse. For example, a heavy censorship nation like China could use this to block critical sites that they claim are 'attacking' them far more efficiently than their current human-based censoring.

      How is it more efficient for China to tell this software that a particular site is 'attacking' them than to block the site at their great firewall and be done with it?

  3. Probably a bad idea. by Jane Q. Public · · Score: 4, Insightful

    The problem with ANY "predictive" statistics (like racial profiling, for one glaring example) is that even when they become accurate enough to produce useful information, they tend to produce too many false positives.

    And often (again using racial profiling as a good example), even a few false positives are too many.

    1. Re:Probably a bad idea. by caffeinemessiah · · Score: 2, Insightful

      The problem with ANY "predictive" statistics (like racial profiling, for one glaring example) is that even when they become accurate enough to produce useful information, they tend to produce too many false positives.

      That is an overly general statement. If that were the case, we wouldn't have any reliable spam filters. There are many statistical methodologies (including ensembles of methodologies) applied carefully to different types of domains that produce excellent and usable false positive rates. Indiscriminate use of statistical learning, and the subsequent failure at a given task, does not invalidate the method or its applicability for the task.

      --
      An old-timer with old-timey ideas.
  4. Babies out with the bath water. by LostCluster · · Score: 5, Insightful

    This isn't going to work in the real world. Too many users you want to hear from at an ISP won't like it when the virus-victim spammers get their whole network preventatively banned.

    Stop fixing the mail protocols we have today. It's time to replace them with some form of sender authentication.

    1. Re:Babies out with the bath water. by totally bogus dude · · Score: 2, Insightful

      I don't think it's privacy that needs to be sacrificed, but ease of access. All the popular instant messaging systems, forum and blog software etc. are subject to spam. If it was harder to obtain an address on these services, it would be much harder for spammers to abuse them.

      On the other hand, ease of access is one of their primary benefits. An additional hurdle for SMTP is the lack of centralised controls, which is an important thing for any de facto standard communication tool to have.

  5. Re:Not really that "predictive". by Mad Hughagi · · Score: 2, Insightful

    It's pretty easy to get false positives depending on how you configure SpamAssassin.

    --
    UBU
  6. Re:Not really that "predictive". by LostCluster · · Score: 4, Insightful

    That worked back in the day when you could say "Syracuse University's gotten hit with the latest worm. So, don't trust any mail that comes from 128.230.x.x." but these days mail comes from one address per organization or household. Most corporations expose only one mail server IP address to the world, and some smaller companies have hundred-user systems and only one IP to show for it. So, who you're next to doesn't hold much water in predicting whether the message is spam.

  7. Re:Not really that "predictive". by kamochan · · Score: 2, Insightful

    So if this isn't predictive, what is? Would you rather they develop an algorithm that identifies blacklist-worthy addresses before they make their first attack?

    I invented just such a thing. I blocked the entire comcast network and a couple of big Chinese ISPs in my DSL firewall. Reduced ssh login attempts and spam significantly.

    Predictive - very.
    Collateral victims - nobody I'd care about.