Predicting Malicious Web Attacks
KentuckyFC writes "Recommendation systems attempt to guess what books, movies, or news people are likely to be interested in. Companies such as Amazon, Google, and Netflix have developed algorithms to mine vast databases looking for correlations that they then use to recommend new items. Now a team of computer scientists has used some of the same filtering techniques to predict the origin of malicious Web attacks so that they can be blacklisted in advance. The team mined a database of hundreds of millions of security logs looking for correlations between victims. The correlations were then used to produce a predictive blacklist of potential attackers. The team says its algorithm is up to 70 per cent more successful at predicting the origin of attacks than current state-of-the-art predictive blacklisting."
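To make the "correlations between victims" idea concrete, here is an added example (not the researchers' algorithm or code) of a neighbourhood-style predictive blacklist: each victim network is described by how often each source address hit it, victims are compared with cosine similarity, and sources seen by similar victims but not yet by the target are ranked as candidates for its blacklist. The log lines, victim names and RFC 5737 documentation addresses are constructed for the example.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed sample security log lines: "<timestamp> <victim-network> <source-ip>".
# Source addresses come from the RFC 5737 documentation ranges, not from real attackers.
SAMPLE_LOGS = [
    "2009-03-01T00:01 v1 192.0.2.10", "2009-03-01T00:02 v1 192.0.2.10",
    "2009-03-01T00:03 v1 192.0.2.11",
    "2009-03-01T00:04 v2 192.0.2.10", "2009-03-01T00:05 v2 192.0.2.10",
    "2009-03-01T00:06 v2 192.0.2.11", "2009-03-01T00:07 v2 198.51.100.7",
    "2009-03-01T00:08 v2 198.51.100.7",
    "2009-03-01T00:09 v3 192.0.2.10", "2009-03-01T00:10 v3 192.0.2.11",
    "2009-03-01T00:11 v3 192.0.2.11", "2009-03-01T00:12 v3 203.0.113.5",
    "2009-03-01T00:13 v4 203.0.113.9",
]

def build_profiles(lines):
    """victim -> Counter(source -> number of logged events) from '<ts> <victim> <src>' lines."""
    profiles = defaultdict(Counter)
    for line in lines:
        _ts, victim, src = line.split()
        profiles[victim][src] += 1
    return profiles

def cosine(a, b):
    """Cosine similarity of two victims' event-count vectors (0.0 if either is empty)."""
    dot = sum(n * b[src] for src, n in a.items())
    norm = sqrt(sum(n * n for n in a.values())) * sqrt(sum(n * n for n in b.values()))
    return dot / norm if norm else 0.0

def predict_blacklist(profiles, victim, k=10):
    """Rank sources `victim` has not yet seen; each neighbour's counts are weighted by similarity."""
    me = profiles[victim]
    scores = Counter()
    for other, counts in profiles.items():
        if other == victim:
            continue
        sim = cosine(me, counts)           # how alike the two victims' attacker histories are
        for src, n in counts.items():
            if src not in me:              # only recommend sources not already observed locally
                scores[src] += sim * n
    return [src for src, score in scores.most_common(k) if score > 0]

def hit_rate(blacklist, observed):
    """Fraction of the predicted list that actually showed up in the next period's logs."""
    return sum(src in observed for src in blacklist) / len(blacklist) if blacklist else 0.0

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_LOGS)
    print(predict_blacklist(profiles, "v1", k=5))   # 198.51.100.7 ranks above 203.0.113.5
```

Checking `hit_rate` against the following day's logs is how a predicted list would be scored against a plain "block what hit me yesterday" baseline; a source that scores zero (shared with no similar victim) is deliberately left off the list.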
Wonderful. It's Minority Report for the internet.
What about false positives? Can they be held responsible for blacklisting an innocent site?
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
recommendation systems may soon be providing you not only with books and movie tips but a happier surfing experience too
I am a little wary of making my surfing experience happier by allowing the system to do my thinking for me. Just think, "Clippy" for the browser.
What is "true security" against the main threat of the modern era: social engineering?
Social engineering will always be a problem, but there is a simple fix. Restrict the damage a user can do on their own given worst-case circumstances, and you will end up with the same prevention of malware in the process.
Speaking of which... Why does a web page ever need to communicate with the OS to make file changes to the OS? Why?! Why I ask?!
This is a flawed premise and will solve 99% of the problems we face with internet security.
The OS must sandbox the browser and its add-ons between it and the OS.
In fact... Why stop there... The OS must be sandboxed between it and the user.
Basically, true security is giving the users an OS like the iPhone, patting them on the back and saying "have a nice day".
"But I want to use my legacy apps?" they say...
"Well, I want a pony!" you reply. "But you'll just have to deal with a limited OS, because we can't have nice things when they keep installing viruses on their machines!"
How do you protect a user that will click on the user account control pop-up as many times as is required to install that cool "weather forecasting" program that sits in his task tray?
Require the "weather forecasting" app to submit an approval to a central repository like the iPhone.
See where I am leading you...
Seriously... In the future the average user will put up with an OS like the iPhone and they'll be happy because it just works or appears to and the admins of the world will be happy because people aren't screwing things up with bot nets.
Win7 and IE8 might be a big step in that direction but we'll have to see.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
And if you just take the PCs away from the silly users and lock them away in safes they'll be 100% secure! Seriously, sandboxing is a bandaid on a bullet wound, and is as much bullshit as "as long as they can't get root it's okay". Well, no it's not. If I have control over your network connection, why would I give a shit if it is sandboxed or not? As long as I can get the user to visit my site and load up my malware I can spew spam, I can DDoS, etc. Just like if you get hold of the local user account you can infect all their files (which is all they give a shit about anyway) and it doesn't matter if you have root or not. If the user can do it, then so can you if you have the same privileges.
Which brings me to your other point: education. Allow me to say, as someone who has been selling, building, and repairing machines for home users and SOHO and SMB customers for nearly 15 years, what I think of that... BWA HA HA HA HA HA HA! It will NEVER ever work! Do you know why? Because the malware guy is smarter than your user. He will ALWAYS be smarter than your user, and will win in a battle of wits every single time. I have seen time and time again where a user has boned his system doing something dodgy where they KNEW it was dodgy, but the carrot was just too good to resist!
Pretty much the only way to stop malware is to take away all rights and privileges the user has, basically giving them a locked down thin client. Because for every user you have that you might be able to educate you have 1000+ that will never understand and just get a glassed over look on their face when you try to explain. I also believe that JavaScript and the way sites are more and more using it instead of actually designing their websites correctly, as well as the same problem with sites being entirely flash based, will come back to bite us in the ass like ActiveX did. I believe that third party code running on websites will eventually either need to be banned, or a way to sanitize the code before it ever runs will have to be built into browsers.
But even with all that, the "Velmas" of this world, who will click on anything if you wave the right carrot (in her case anything that said "screensaver" or "cute"), will bite you in the ass. All we can do is try to minimize the damage they can cause and clean up the messes afterward. To quote Forrest Gump, "Stupid is as stupid does", and with nearly every job and multiple home machines in the average household you just can't eliminate stupid.
ACs don't waste your time replying, your posts are never seen by me.