Slashdot Mirror


Predicting Malicious Web Attacks

KentuckyFC writes "Recommendation systems attempt to guess what books, movies, or news people are likely to be interested in. Companies such as Amazon, Google, and Netflix have developed algorithms to mine vast databases looking for correlations that they then use to recommend new items. Now a team of computer scientists has used some of the same filtering techniques to predict the origin of malicious Web attacks so that they can be blacklisted in advance. The team mined a database of hundreds of millions of security logs looking for correlations between victims. The correlations were then used to produce a predictive blacklist of potential attackers. The team says its algorithm is up to 70 per cent more successful at predicting the origin of attacks than current state-of-the-art predictive blacklisting."

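The summary describes the technique only in outline: treat each victim network's history of reported source addresses like a user's purchase history, find victims whose histories correlate, and pre-emptively blacklist the sources that similar victims have already reported. The block below is an added illustration of that idea, not code from the paper or from anyone in this thread. It assumes cosine similarity as the victim-correlation measure (the summary does not say which measure the team used), and the log entries, victim names and RFC 5737 documentation addresses are all constructed for the example. It also compares the result against a plain popularity blacklist, which is the natural baseline.

```python
"""Victim-similarity predictive blacklist on constructed firewall log entries.

Added example, not the paper's code or anything posted in the thread.
Each entry is (victim, attacker_ip); addresses are RFC 5737 documentation
ranges and the whole data set is constructed for the demonstration.
"""
from collections import Counter, defaultdict
import math

# Constructed training log: one entry per (victim network, reported source IP).
TRAINING_LOG = [
    ("victimA", "192.0.2.10"), ("victimA", "192.0.2.11"), ("victimA", "198.51.100.5"),
    ("victimB", "192.0.2.10"), ("victimB", "192.0.2.11"), ("victimB", "198.51.100.5"),
    ("victimB", "203.0.113.7"),
    ("victimC", "192.0.2.10"), ("victimC", "203.0.113.7"), ("victimC", "203.0.113.8"),
    ("victimD", "198.51.100.9"), ("victimD", "198.51.100.10"),
    ("victimE", "198.51.100.9"), ("victimE", "198.51.100.10"), ("victimE", "198.51.100.11"),
]

# Constructed held-out period used to score the blacklists for victimA.
FUTURE_LOG = [
    ("victimA", "203.0.113.7"), ("victimA", "203.0.113.8"), ("victimA", "192.0.2.10"),
]


def build_profiles(log):
    """victim -> Counter of how often each source IP was reported by that victim."""
    profiles = defaultdict(Counter)
    for victim, attacker in log:
        profiles[victim][attacker] += 1
    return profiles


def cosine(a, b):
    """Cosine similarity between two attacker-count vectors (0.0 if either is empty)."""
    shared = set(a) & set(b)
    dot = sum(a[k] * b[k] for k in shared)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def predict_blacklist(profiles, target, size):
    """Collaborative filtering: rank sources the target has NOT seen yet, weighting
    each one by how similar the victims that did see it are to the target."""
    me = profiles[target]
    scores = Counter()
    for other, prof in profiles.items():
        if other == target:
            continue
        sim = cosine(me, prof)
        if sim <= 0:
            continue  # uncorrelated victims contribute nothing
        for attacker, hits in prof.items():
            if attacker not in me:
                scores[attacker] += sim * hits
    return [ip for ip, _ in scores.most_common(size)]


def popularity_blacklist(profiles, target, size):
    """Baseline: the most-reported sources overall, ignoring who reported them."""
    total = Counter()
    for victim, prof in profiles.items():
        if victim != target:
            total.update(prof)
    me = profiles[target]
    return [ip for ip, _ in total.most_common() if ip not in me][:size]


def hit_rate(blacklist, future_attackers):
    """Fraction of blacklist entries that really did attack in the held-out period;
    1 - hit_rate is the false-positive share, which is what an operator cares about."""
    if not blacklist:
        return 0.0
    return sum(1 for ip in blacklist if ip in future_attackers) / len(blacklist)


def evaluate(target, size):
    """Hit rate of the predictive list versus the popularity baseline for one victim."""
    profiles = build_profiles(TRAINING_LOG)
    future = {ip for victim, ip in FUTURE_LOG if victim == target}
    return {
        "predictive": hit_rate(predict_blacklist(profiles, target, size), future),
        "popularity": hit_rate(popularity_blacklist(profiles, target, size), future),
    }


if __name__ == "__main__":
    profiles = build_profiles(TRAINING_LOG)
    print("predicted for victimA:", predict_blacklist(profiles, "victimA", 2))
    print("hit rates:", evaluate("victimA", 2))
```

On the constructed data, victimA's history matches victimB's almost exactly and overlaps victimC's, so the sources those two have reported but victimA has not (the 203.0.113.x pair) rank first, while the popularity baseline pulls in 198.51.100.9 from the unrelated victims D and E. The `hit_rate` function is the check to keep: a list like this should feed an analyst's view or a rate limit, and its false-positive share should be measured against the next period's logs before any automatic block is considered.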
19 of 82 comments

  1. No doubt useful by Enderandrew · · Score: 3, Insightful

    But this is still treating the symptom as opposed to the core problem, which is poor security in OS and app design.

    Microsoft is starting to come around on this to an extent (not running as administrator), but shouldn't we be more concerned about true security?

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:No doubt useful by dyingtolive · · Score: 3, Insightful

      Why do both have to be mutually exclusive? Why can't the problem be approached from both sides by different groups whose skillsets are appropriate for what they're doing?

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    2. Re:No doubt useful by Shakrai · · Score: 4, Insightful

      but shouldn't we be more concerned about true security?

      What is "true security" against the main threat of the modern era: social engineering? How does your operating system protect you from responding to that e-mail you've just received from your long lost uncle in Nigeria? How do you protect a user that will click on the user account control pop-up as many times as is required to install that cool "weather forecasting" program that sits in his task tray?

      Or were you referring to "true security" in the context of firearms, expendable redshirts and moats filled with laser wielding sharks? ;)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:No doubt useful by vertinox · · Score: 2, Interesting

      What is "true security" against the main threat of the modern era: social engineering?

      Social engineering will always be a problem but there is a simple fix. Restrict the user on the damage they can do on their own given the worst-case circumstances and you will also end up with the same prevention of malware in the process.

      Speaking of which... Why does a web page ever need to communicate with the OS to make file changes to the OS? Why?! Why I ask?!

      This is a flawed premise and will solve 99% of the problems we face with internet security.

      The OS must sandbox the browser and its add-ons between it and the OS.

      In fact... Why stop there... The OS must be sandboxed between it and the user.

      Basically, true security is giving the users an OS like the iPhone, patting them on the back and saying "have a nice day".

      "But I want to use my legacy apps?" they say...

      "Well I want a pony!" you reply "But you'll just have to deal with a limited OS because we can't have nice things because they keep installing viruses on their machine!"

      How do you protect a user that will click on the user account control pop-up as many times as is required to install that cool "weather forecasting" program that sits in his task tray?

      Require the "weather forecasting" app to submit an approval to a central repository like the iPhone.

      See where I am leading you...

      Seriously... In the future the average user will put up with an OS like the iPhone and they'll be happy because it just works or appears to and the admins of the world will be happy because people aren't screwing things up with bot nets.

      Win7 and IE8 might be a big step in that direction but we'll have to see.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    4. Re:No doubt useful by Lord+Ender · · Score: 3, Insightful

      "True security" is a fantasy. No such thing exists, nor will it ever.

      We should be concerned with balancing risk reduction with its cost. We should not be concerned with your silly fantasy.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    5. Re:No doubt useful by dave562 · · Score: 2, Insightful

      I think the underlying issue has come from the fact that people have been more focused on making computers do what they want them to do, and not focused on making them do it securely. It's great to sit on the sidelines and talk about how it should have been done better/smarter/more securely in the first place. That perspective does not take into account the reality that computers are relatively new and new functionality comes out almost every day. To consider another aspect of security, we've been living in buildings for over two thousand years and we're still finding ways to make buildings more secure, and dealing with robberies and other similar breaches of security. If, as a species, we haven't perfected securing our living spaces in over two millennia, how can we expect ourselves to secure our computer systems in the space of a couple of decades?

    6. Re:No doubt useful by hairyfeet · · Score: 2, Interesting

      And if you just take the PCs away from the silly users and lock them away in safes they'll be 100% secure! Seriously, sandboxing is a band-aid on a bullet wound, and is as much bullshit as "as long as they can't get root it's okay". Well, no it's not. If I have control over your network connection why would I give a shit if it is sandboxed or not? As long as I can get the user to visit my site and load up my malware I can spew spam, I can DDOS, etc. Just like if you get a hold of the local user account you can infect all their files (which is all they give a shit about anyway) and it doesn't matter if you have root or not. If the user can do it then so can you if you have the same privileges.

      Which brings me to your other point: education. Allow me to say, as someone who has been selling, building, and repairing machines for home users and SOHO and SMB customers for nearly 15 years, what I think of that...BWA HA HA HA HA HA HA! It will NEVER ever work! Do you know why? Because the malware guy is smarter than your user. He will ALWAYS be smarter than your user, and will win in a battle of wits every single time. Because I have seen time and time again where a user has boned his system doing something dodgy where they KNEW it was dodgy, but the carrot was just too good to resist!

      Pretty much the only way to stop malware is to take away all rights and privileges the user has, basically giving them a locked down thin client. Because for every user you have that you might be able to educate you have 1000+ that will never understand and just get a glassed over look on their face when you try to explain. I also believe that JavaScript and the way sites are more and more using it instead of actually designing their websites correctly, as well as the same problem with sites being entirely flash based, will come back to bite us in the ass like ActiveX did. I believe that third party code running on websites will eventually either need to be banned, or a way to sanitize the code before it ever runs will have to be built into browsers.

      But even with all that the "Velmas" of this world, who will click on anything if you wave the right carrot, in her case anything that said "screensaver" or "cute", will bite you in the ass. All we can do is try to minimize the damage they can cause and clean up the messes afterward. To quote Forrest Gump, "Stupid is as stupid does", and with nearly every job and multiple home machines in the average household you just can't eliminate stupid.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Minority Report by SilverHatHacker · · Score: 2, Interesting

    Wonderful. It's Minority Report for the internet.
    What about false positives? Can they be held responsible for blacklisting an innocent site?

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
  3. Finally a use for this technology by kabloom · · Score: 2, Funny

    There's finally a use for this collaborative filtering technology.

  4. Did I read this right... by bigredradio · · Score: 4, Interesting

    recommendation systems may soon be providing you not only with books and movie tips but a happier surfing experience too

    I am a little wary of making my surfing experience happier by allowing the system to do my thinking for me. Just think, "clippy" for the browser.

  5. Umm... by johanwanderer · · Score: 2, Funny

    ... wouldn't blocking people's access in advance be considered an attack in and of itself? So the service should simply block itself off and be done with it.

  6. the new 404 by FudRucker · · Score: 2, Funny

    We're sorry, but you have been labeled an Internet Terrorist; your search for "PC + Game + Cheats" is a flagged keyword.

    --
    Politics is Treachery, Religion is Brainwashing
  7. "People..." by natehoy · · Score: 5, Funny

    "People who attacked this site ALSO attacked..."

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    1. Re:"People..." by operator_error · · Score: 2, Funny

      "Was this review helpful? Yes or no"

    2. Re:"People..." by megamerican · · Score: 2, Informative

      Amazon should patent "1-click attacking"

      Ptech already has it patented!

      --
      If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place -Eric Schmidt
  8. The Article is obviously a fake by Tekfactory · · Score: 3, Insightful

    Or greatly exaggerated...

    "The team mined a database of hundreds of millions of security logs"

    Nobody actually keeps security logs, certainly not hundreds of millions of somebodies.

    The kind of people that DO keep security logs probably wouldn't hand them over either.

    I call shenanigans

    1. Re:The Article is obviously a fake by Red+Flayer · · Score: 2, Insightful

      Yes, they worded that poorly.

      Fixed:

      The team mined a database of hundreds of millions of security log entries

      Now it makes more sense, and is quite believable, no?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  9. Meatware needed by pheared · · Score: 4, Insightful

    This sounds great, but only if it requires human intervention to implement the block. I used to work in a NOC, and we would have loved to throw up a warning on the big screens that an attack is 80% likely from the following netblocks in the next N hours. That way we would have a strategy developed for defending before it even started and would be able to minimize downtime.

    On the other hand, if you make this automatic you're going to piss off a lot of people very quickly because it's going to be wrong more often than you want.

    1. Re:Meatware needed by twisteddk · · Score: 2, Insightful

      Exactly. Because even if it's true, and it's 70% more accurate... I've yet to see a predictive system that's even remotely accurate. It may predict say... 50% of the sources of an ongoing attack (assuming a collaborative effort to determine when attacks are happening, and that you're not the first one hit), but that's far from enough to prevent a DDoS attack. And if you "accidentally" block... Say Canada (which I've seen before), then that's a LOT of customers you just pissed off, but hey... Doesn't matter, that DDoS attack would have blocked access anyway, so how would they notice ;)

      --
      --- To err is human... Am I more human than most ?