Using a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that completely revamps the way network blacklists are formulated and distributed.
The service, called Highly Predictive Blacklisting, will be unveiled next week at the 17th Usenix Security Symposium. An experimental version is currently available for free to all DShield contributors.
Highly Predictive Blacklists (HPBs) represent a radically different approach to blacklist formulation. HPBs are derived uniquely per DShield contributor, and rank each attacker in the blacklist based on an estimation of the probability that the attacker will visit the contributor’s network in the future. The HPB algorithm exploits a correlation relationship observed when compiling firewall logs from thousands of Internet contributors.
The idea is to exploit the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future.
Much like Google PageRank, which is used to increase the relevance of search results, researchers say the new HPB service will employ a link analysis algorithm to cross-compare firewall logs of DShield contributors with one another in search of overlaps among the attackers they report. The attacker addresses included within an HPB are selected by favoring the inclusion of those attackers who have been encountered by other contributors who share degrees of overlap with the HPB owner.
DShield is the data collection engine behind the SANS Internet Storm Center (ISC).
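The overlap-based ranking described above can be sketched as follows. This is an added, simplified illustration, not the HPB service's own code or the researchers' exact formulation. The Jaccard overlap metric, the damping factor, the number of propagation rounds, the contributor names and the sample addresses are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: contributor -> source addresses from its firewall logs
# (RFC 5737 documentation ranges; contributor names are hypothetical).
REPORTS = {
    "net_a": {"192.0.2.1", "192.0.2.2", "192.0.2.3"},
    "net_b": {"192.0.2.2", "192.0.2.3", "198.51.100.7"},
    "net_c": {"203.0.113.9", "203.0.113.10"},
    "net_d": {"192.0.2.3", "198.51.100.7", "198.51.100.8"},
}

def overlap(a, b):
    """Jaccard overlap between two contributors' attacker sets (assumed metric)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def contributor_relevance(reports, owner, damping=0.5, rounds=3):
    """Spread relevance outward from `owner` along overlap edges, so that
    contributors who overlap with the owner's neighbours also count a little."""
    relevance = defaultdict(float)
    relevance[owner] = 1.0
    frontier = {owner: 1.0}
    for _ in range(rounds):
        nxt = defaultdict(float)
        for src, score in frontier.items():
            for dst in reports:
                if dst != src:
                    nxt[dst] += damping * score * overlap(reports[src], reports[dst])
        for dst, score in nxt.items():
            relevance[dst] += score
        frontier = nxt
    return dict(relevance)

def predictive_blacklist(reports, owner, top_n=10):
    """Rank every reported source by the summed relevance of its reporters."""
    relevance = contributor_relevance(reports, owner)
    scores = defaultdict(float)
    for contributor, sources in reports.items():
        for src in sources:
            scores[src] += relevance.get(contributor, 0.0)
    ranked = sorted(((s, ip) for ip, s in scores.items() if s > 0),
                    key=lambda t: (-t[0], t[1]))
    return [(ip, round(s, 4)) for s, ip in ranked[:top_n]]

if __name__ == "__main__":
    for owner in REPORTS:
        print(owner, predictive_blacklist(REPORTS, owner))
```

For `net_a`, the list includes two sources it has never logged itself, ranked by how strongly their reporters overlap with it, while sources seen only by the unrelated `net_c` are left out.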