blag improving the accuracy of blacklists
play

BLAG: Improving the Accuracy of Blacklists Sivaram Ramanathan 1 , - PowerPoint PPT Presentation

Mar 04, 2023 •366 likes •1.18k views

BLAG: Improving the Accuracy of Blacklists Sivaram Ramanathan 1 , Jelena Mirkovic 1 and Minlan Yu 2 1 University of Southern California/Information Sciences Institute 2 Harvard University IP Blacklists IP Blacklists contain a list of known

  1. BLAG: Improving the Accuracy of Blacklists Sivaram Ramanathan 1 , Jelena Mirkovic 1 and Minlan Yu 2 1 University of Southern California/Information Sciences Institute 2 Harvard University

  2. IP Blacklists • IP Blacklists contain a list of known malicious IP addresses. • IP Blacklists are commonly used to aid more sophisticated defenses such as spam filters, IDS, etc. • IP blacklists can be used as an emergency response under a novel or large volumetric attack • Easy to implement as only IP addresses are checked and can be done at line rate. 2

  3. Problems with IP Blacklists Problems Fragmented information • Focus only on specific attack types with limited vantage points. 3

  4. Problems with IP Blacklists Problems Fragmented Snapshots in information time • Focus only on specific attack types with limited vantage points. • Historical blacklist data can capture reoffending malicious addresses. 4

  5. Problems with IP Blacklists Problems Fragmented Snapshots in Reactive information time • Focus only on specific attack types with limited vantage points. • Historical blacklist data can capture reoffending malicious addresses. • Addresses are added only after a malicious event is observed. 5

  6. Problems with IP Blacklists Problems Can we aggregate blacklists in a smart way to address these problems? Fragemented Snapshots in Reactive information time • Focus only on specific attack types with limited vantage points • Historical blacklist data can capture reoffending malicious addresses • Addresses are added only after a malicious event is observed 6

  7. Fragmented Information - offenders in one given attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Blacklists miss many attacks 1,2 and may monitor only specific a type of attack. [1] Kührer, Marc, Christian Rossow, and Thorsten Holz. "Paint it black: Evaluating the effectiveness of malware blacklists." International Workshop on Recent Advances in Intrusion Detection. Springer, Cham, 2014. [2] Pitsillidis, Andreas, et al. "Taster's choice: a comparative analysis of spam feeds." Proceedings of the 2012 Internet Measurement Conference . ACM, 2012. 7

  8. Fragmented Information - offenders in one given attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Blacklists miss many attacks 1,2 and may monitor only specific a type of attack. [1] Kührer, Marc, Christian Rossow, and Thorsten Holz. "Paint it black: Evaluating the effectiveness of malware blacklists." International Workshop on Recent Advances in Intrusion Detection. Springer, Cham, 2014. [2] Pitsillidis, Andreas, et al. "Taster's choice: a comparative analysis of spam feeds." Proceedings of the 2012 Internet Measurement Conference . ACM, 2012. 8

  9. Fragmented Information - offenders in one given attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Compromised machines are constantly re-used for initiating different types of attacks over time. 9

  10. Fragmented Information - offenders in one given attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Compromised machines are constantly re-used for initiating different types of attacks over time. A Possible solution: Combining different types of blacklists can improve attack coverage. 10

  11. Snapshots in Time - offenders in one given attack 1 Day 1 Month 3 Months 6 Months Historical blacklist data (union of all offenders over time) can further be useful to improve offender detection. 11

  12. Snapshots in Time - offenders in one given attack 1 Day 1 Month 3 Months 6 Months Historical blacklist data (union of all offenders over time) can further be useful to improve offender detection. 12

  13. Snapshots in Time - offenders in one given attack 1 Day 1 Month 3 Months 6 Months Historical blacklist data (union of all offenders over time) can further be useful to improve offender detection. 13

  14. - offenders in one given attack Careful Aggregation - legitimate clients of a given network during the same attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Blacklists accuracy varies spatially • Blacklists are maintained by individuals or organizations that use proprietary algorithms to include or exclude an address. • Blacklists could list some legitimate addresses 14

  15. - offenders in one given attack Careful Aggregation - legitimate clients of a given network during the same attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Combining blacklists can potentially amplify the number of misclassifications. 15

  16. - offenders in one given attack Careful Aggregation - legitimate clients of a given network during the same attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist l l l a a a c c c i i i r r r o o o t t t s s s i i i H H H Combining blacklists can further potentially amplify the number of misclassifications. 16

  17. - offenders in one given attack Careful Aggregation - legitimate clients of a given network during the same attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist l l l a a a c c c i i i r r r o o o Goal: Aggregate historical blacklists and reduce Many t t t s s s i i i H H H misclassifications misclassifications. across different testing scenarios! Combining historical blacklists can further potentially amplify the number of false positives 17

  18. Blacklists are Reactive - offenders in one given attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Addresses are usually listed after an attack takes place, cannot be used for prevention. 18

  19. Blacklists are Reactive - offenders in one given attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist Addresses are usually listed after an attack takes place, cannot be used for prevention. Possible solution: we could list groups of addresses in the same subnet (IP prefixes), hoping to capture future attackers - expansion 1. 19 [1] Zhang, Jing, et al. "On the Mismanagement and Maliciousness of Networks." NDSS. 2014.

  20. - offenders in one given attack Careful Expansion - legitimate clients of a given network during the same attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist l l l a a a c c c i i i r r r o o o t t t s s s i i i H H H Expansion can further amplify misclassifications! 20

  21. - offenders in one given attack Careful Expansion - legitimate clients of a given network during the same attack Spam DDoS Malware Combined Blacklist Blacklist Blacklist Blacklist l l l a a a c c c i i i r r r o o o Goal: Expand some addresses into prefixes that do not cause t t t s s s i i i H H H more misclassifications. Expansion can further amplify misclassifications We need a better technique to combine blacklists efficiently and select some addresses to be expanded into prefixes. 21

  22. Outline • Introduction • Quantifying problems faced by blacklists • BLAG • Datasets • Evaluation • Summary 22

  23. How BLAG Works Aggregation .... 23

  24. How BLAG Works Aggregation .... 157 Blacklists 24

  25. How BLAG Works Estimate Aggregation misclassification .... 157 Blacklists 25

  26. How BLAG Works Estimate Aggregation misclassification .... Sample inbound traffic for a network 157 Blacklists 26

  27. How BLAG Works Estimate Aggregation misclassification .... Sample inbound traffic for a network 157 Blacklists Recommendation System 27

  28. How BLAG Works Estimate Selective Aggregation misclassification Expansion .... Sample inbound traffic for a network 157 Blacklists Recommendation System 28

  29. Aggregation of Blacklists • Historical blacklist data can be useful. • However, including addresses reported way back in the past can increase the misclassifications. • PRESTA 1 showed that recently listed addresses have a higher tendency to be malicious than older ones. • BLAG uses the same metric as that of PRESTA to assign a relevance score, based on when the address was listed in a blacklist • Recently listed addresses have a higher score. [1] West, Andrew G., et al. "Spam mitigation using spatio-temporal reputations from blacklist history." Proceedings of the 26th Annual Computer Security 29 Applications Conference. ACM, 2010.

  30. Aggregation of Blacklists: Relevance Scores • For address a listed in blacklist b , ' ()* +' ! ",$ = 2 , 30

  31. Aggregation of Blacklists: Relevance Scores • For address a listed in blacklist b , ' ()* +' ! ",$ = 2 , Where, • t is the current time 31

  32. Aggregation of Blacklists: Relevance Scores • For address a listed in blacklist b , ' ()* +' ! ",$ = 2 , Where, • t is the current time • t out is the last time when an address a was listed in blacklist b 32

  33. Aggregation of Blacklists: Relevance Scores • For address a listed in blacklist b , ' ()* +' ! ",$ = 2 , Where, • t is the current time • t out is the last time when an address a was listed in blacklist b • l is constant, which ensures that the score decays over time 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BroCon 17 Lightning Talks Blacklists Revisited Aashish Sharma asharma@lbl.gov Blacklists

BroCon 17 Lightning Talks Blacklists Revisited Aashish Sharma asharma@lbl.gov Blacklists

BroCon 17 Lightning Talks Blacklists Revisited Aashish Sharma asharma@lbl.gov Blacklists Revisited Lightening Talk BroCon, 2017 Problem Problem: Blocking Bad Badness keeps increasing on the internet How to manage blocking and more so

1.32k views • 70 slides
Improving on the Accuracy of a Genome Assembly Lecture 6:

Improving on the Accuracy of a Genome Assembly Lecture 6:

Improving on the Accuracy of a Genome Assembly Lecture 6: September 6, 2012 Review from Last Lecture Sample PreparaCon Fragments Sequencing Reads

1.06k views • 61 slides
ANALYTICAL N-BPM METHOD ANALYTICAL N-BPM METHOD IMPROVING ACCURACY AND ROBUSTNESS OF LINEAR

ANALYTICAL N-BPM METHOD ANALYTICAL N-BPM METHOD IMPROVING ACCURACY AND ROBUSTNESS OF LINEAR

ANALYTICAL N-BPM METHOD ANALYTICAL N-BPM METHOD IMPROVING ACCURACY AND ROBUSTNESS OF LINEAR OPTICS IMPROVING ACCURACY AND ROBUSTNESS OF LINEAR OPTICS MEASUREMENTS MEASUREMENTS PhD student at CERN and Andreas Wegscheider Hamburg University

357 views • 33 slides
Improving the accuracy of estimates for complex sampling in auditing 1 . Y. G. Berger 1 P. M.

Improving the accuracy of estimates for complex sampling in auditing 1 . Y. G. Berger 1 P. M.

Improving the accuracy of estimates for complex sampling in auditing 1 . Y. G. Berger 1 P. M. Chiodini 2 M. Zenga 2 1 University of Southampton (UK) 2 University of Milano-Bicocca (Italy) 14-06-2017 1The research leading to these results has

581 views • 26 slides
Improving the Accuracy of System Performance Estimation by Using Shards Nicola Ferro &

Improving the Accuracy of System Performance Estimation by Using Shards Nicola Ferro &

Improving the Accuracy of System Performance Estimation by Using Shards Nicola Ferro & Mark Sanderson 1 IR evaluation is noisy 1.00 0.80 0.60 0.40 0.20 0.00 1.00 0.80 0.60 0.40 0.20 0.00 2 ANOVA Data = Model + Error

560 views • 26 slides
Improving predictive accuracy using Smart-Data rather than Big-Data : A case study of soccer

Improving predictive accuracy using Smart-Data rather than Big-Data : A case study of soccer

Improving predictive accuracy using Smart-Data rather than Big-Data : A case study of soccer teams evolving performance Anthony Constantinou 1 and Norman Fenton 2 1. Post-Doctoral Researcher, School of EECS, Queen Mary University of London,

937 views • 54 slides
Improving Trace Accuracy through Data-Driven Configuration and Composition of Tracing Features

Improving Trace Accuracy through Data-Driven Configuration and Composition of Tracing Features

Improving Trace Accuracy through Data-Driven Configuration and Composition of Tracing Features Barleen Kaur COMP 762 What is traceability? Traces are navigable links between data held in software artifacts (like requirement document, design

757 views • 17 slides
Improving Bug Prediction Accuracy by Regularization and Hyperparameter Optimization Haidar Osman

Improving Bug Prediction Accuracy by Regularization and Hyperparameter Optimization Haidar Osman

Improving Bug Prediction Accuracy by Regularization and Hyperparameter Optimization Haidar Osman Mohammad Ghafari Oscar Nierstrasz 1 Improving Bug Prediction Accuracy by Regularization and Hyperparameter Optimization Haidar Osman Mohammad

348 views • 19 slides
Improving Accuracy in End-to-end Packet Loss Measurement * Joel Sommers, Paul Barford, Nick

Improving Accuracy in End-to-end Packet Loss Measurement * Joel Sommers, Paul Barford, Nick

Improving Accuracy in End-to-end Packet Loss Measurement * Joel Sommers, Paul Barford, Nick Duffield, Amos Ron University of Wisconsin-Madison * AT&T Labs-Research Background Understanding its basic characteristics is important

344 views • 22 slides
Characteriza*on of Blacklists and Tainted Network Traffic Jing Zhang

Characteriza*on of Blacklists and Tainted Network Traffic Jing Zhang

Characteriza*on of Blacklists and Tainted Network Traffic Jing Zhang 1 , Ari Chivukula 1 , Michael Bailey 1 , Manish Karir 2 , and Mingyan Liu 1 1 University of Michigan 2 Cyber Security Division, Department of

497 views • 24 slides
Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A.

Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A.

Background A Poll Results Overview A Peek Into Manipulation of Stable Matchings the Depths Summary using Minimal Blacklists Yannai A. Gonczarowski The Hebrew University of Jerusalem Microsoft Research July 29, 2014 Proc. of the 15 th ACM

1.42k views • 129 slides
Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman:

Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman:

Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman: Prof. Dr. Martin Wenz General Reporter: Andrs Bez Blacklisting Aim Protection of national tax base and tax revenue against Distortions

439 views • 14 slides
What companies unabridged keyword blacklists say about Chinese censorship of realtime chat

What companies unabridged keyword blacklists say about Chinese censorship of realtime chat

What companies unabridged keyword blacklists say about Chinese censorship of realtime chat Jeffrey Knockel, Dissertation Defense, December 2017 Committee Jedidiah Crandall (chair) Ronald Deibert Stephanie Forrest Jared Saia 1989

635 views • 45 slides
Clinical Data and Public Health Surveillance: Improving Accuracy Using a Statewide Master Patient

Clinical Data and Public Health Surveillance: Improving Accuracy Using a Statewide Master Patient

Clinical Data and Public Health Surveillance: Improving Accuracy Using a Statewide Master Patient Index Rachel Zucker, MPH September 13, 2016 What is CHORDS? The Colorado Health Observation Regional Data Service Facilitates

449 views • 22 slides
Duet Benchmarking Improving Measurement Accuracy in the Cloud Lubomr Bulej Franois Farquet

Duet Benchmarking Improving Measurement Accuracy in the Cloud Lubomr Bulej Franois Farquet

Duet Benchmarking Improving Measurement Accuracy in the Cloud Lubomr Bulej Franois Farquet Vojtch Hork Aleksandar Prokopec Petr Tma Software Regression Testing of Performance Common Testing Pipeline Write Check Write

357 views • 15 slides
Sisterhood Polygamy, Blacklists, and Mismatched in the Gale-Shapley Matching Algorithm Quotas

Sisterhood Polygamy, Blacklists, and Mismatched in the Gale-Shapley Matching Algorithm Quotas

Background Monogamous Case Sisterhood Polygamy, Blacklists, and Mismatched in the Gale-Shapley Matching Algorithm Quotas Yannai A. Gonczarowski Einstein Institute of Mathematics and Center for the Study of Rationality The Hebrew

709 views • 54 slides
Quite Simple Approaches for Authorship Attribution, Intrinsic Plagiarism Detection and Sexual

Quite Simple Approaches for Authorship Attribution, Intrinsic Plagiarism Detection and Sexual

Quite Simple Approaches for Authorship Attribution, Intrinsic Plagiarism Detection and Sexual Predator Identification Notebook for PAN at CLEF 2012 Anna Vartapetiance Dr. Lee Gillam Oh what a tangled web we weave, When first we practice to

307 views • 17 slides
FlowCAP2 Results: Challenges 1, 2, and 3 Nima Aghaeepour CIHR/MSFHR Strategic Training Program in

FlowCAP2 Results: Challenges 1, 2, and 3 Nima Aghaeepour CIHR/MSFHR Strategic Training Program in

FlowCAP2 Results: Challenges 1, 2, and 3 Nima Aghaeepour CIHR/MSFHR Strategic Training Program in Bioinformatics for Health Research, University of British Columbia Sep.22.2011 1 / 27 Problem Statement Binary Classification Goal: evaluate

2.49k views • 27 slides
Perkins V Comprehensive Local Needs Assessment Programs of Study Lee Chipps-Walton and Cathy

Perkins V Comprehensive Local Needs Assessment Programs of Study Lee Chipps-Walton and Cathy

Perkins V Comprehensive Local Needs Assessment Programs of Study Lee Chipps-Walton and Cathy Hammond Division of Career and Adult Education January 29, 2020 , 1 www.FLDOE.org In This Webinar We will cover Programs of Study:

597 views • 37 slides
Modeling Server-side Components with UML Junichi Suzuki, Ph.D. jxs@computer.org

Modeling Server-side Components with UML Junichi Suzuki, Ph.D. jxs@computer.org

Modeling Server-side Components with UML Junichi Suzuki, Ph.D. jxs@computer.org http://www.jks.la/jxs/ School of Information and Computer Science University of California, Irvine 1 Who am I? Research fellow, UC Irvine (2000-)

519 views • 21 slides
TheScienceofComputingand theEngineeringofSoftware TonyHoare

TheScienceofComputingand theEngineeringofSoftware TonyHoare

TheScienceofComputingand theEngineeringofSoftware TonyHoare QconConference 11March2009 1 Science Engineering purescientist engineeringscientist .......... scientificengineer

364 views • 22 slides
A tool for Bottleneck analysis and Performance Prediction for GPU-accelerated Applications S.

A tool for Bottleneck analysis and Performance Prediction for GPU-accelerated Applications S.

Motivation A Statistical Approach: BlackForest Implementation and Case Studies Conclusion A tool for Bottleneck analysis and Performance Prediction for GPU-accelerated Applications S. Madougou, A. Varbanescu, C. de Laat and R. van Nieuwpoort

810 views • 31 slides
Data Analytics A (Short) Tour Venkatesh-Prasad Ranganath http://about.me/rvprasad Click to edit

Data Analytics A (Short) Tour Venkatesh-Prasad Ranganath http://about.me/rvprasad Click to edit

Data Analytics A (Short) Tour Venkatesh-Prasad Ranganath http://about.me/rvprasad Click to edit Master title style Is it Analytics or Analysis? Analytics uses analysis to recommend actions or make decisions. Why Data Analysis? Confirm a

915 views • 55 slides
The Failure Trace Archive: Enabling Comparative Analysis of Diverse Distributed Systems Derrick

The Failure Trace Archive: Enabling Comparative Analysis of Diverse Distributed Systems Derrick

The Failure Trace Archive: Enabling Comparative Analysis of Diverse Distributed Systems Derrick Kondo 1 , Bahman Javadi 1 , Alexandru Iosup 2 , Dick Epema 2 2 TU Delft, The Netherlands 1 INRIA, France Motivation Push toward experimental

867 views • 75 slides

More recommend