research-article

On collaborative predictive blacklisting

Authors:

Luca Melis,

Apostolos Pyrgelis,

Emiliano De CristofaroAuthors Info & Claims

ACM SIGCOMM Computer Communication Review, Volume 48, Issue 5

Pages 9 - 20

https://doi.org/10.1145/3310165.3310168

Published: 28 January 2019 Publication History

Get Access

Abstract

Collaborative predictive blacklisting (CPB) allows to forecast future attack sources based on logs and alerts contributed by multiple organizations. Unfortunately, however, research on CPB has only focused on increasing the number of predicted attacks but has not considered the impact on false positives and false negatives. Moreover, sharing alerts is often hindered by confidentiality, trust, and liability issues, which motivates the need for privacy-preserving approaches to the problem. In this paper, we present a measurement study of state-of-the-art CPB techniques, aiming to shed light on the actual impact of collaboration. To this end, we reproduce and measure two systems: a non privacy-friendly one that uses a trusted coordinating party with access to all alerts [12] and a peer-to-peer one using privacy-preserving data sharing [8]. We show that, while collaboration boosts the number of predicted attacks, it also yields high false positives, ultimately leading to poor accuracy. This motivates us to present a hybrid approach, using a semi-trusted central entity, aiming to increase utility from collaboration while, at the same time, limiting information disclosure and false positives. This leads to a better trade-off of true and false positive rates, while at the same time addressing privacy concerns.

References

[1]

Symantec DeepSight. https://symc.ly/2rXxB1w.

Google Scholar

[2]

U.S. Anti-Bot Code of Conduct for Internet service providers: Barriers and Metrics Considerations {PDF}. https://is.gd/OgTCOG, 2013.

Google Scholar

[3]

Facebook ThreatExchange. https://threatexchange.fb.com, 2015.

Google Scholar

[4]

D. Chakrabarti, S. Papadimitriou, D. S. Modha, and C. Faloutsos. Fully automatic cross-associations. In ACM KDD, 2004.

Digital Library

Google Scholar

[5]

E. De Cristofaro, P. Gasti, and G. Tsudik. Fast and Private Computation of Cardinality of Set Intersection and Union. In CANS, 2012.

Crossref

Google Scholar

[6]

E. De Cristofaro and G. Tsudik. Practical private set intersection protocols with linear complexity. In Financial Cryptography and Data Security, 2010.

Digital Library

Google Scholar

[7]

E. De Cristofaro and G. Tsudik. Experimenting with fast private set intersection. In TRUST, 2012.

Digital Library

Google Scholar

[8]

J. Freudiger, E. De Cristofaro, and A. Brito. Controlled Data Sharing for Collaborative Predictive Blacklisting. In DIMVA, 2015.

Digital Library

Google Scholar

[9]

S. Kamara, P. Mohassel, M. Raykova, and S. Sadeghian. Scaling private set intersection to billion-element sets. In FC. 2014.

Google Scholar

[10]

S. Katti, B. Krishnamurthy, and D. Katabi. Collaborating against common enemies. In ACM IMC, 2005.

Digital Library

Google Scholar

[11]

L. Melis, G. Danezis, and E. De Cristofaro. Efficient Private Statistics with Succinct Sketches. In NDSS, 2016.

Crossref

Google Scholar

[12]

F. Soldo, A. Le, and A. Markopoulou. Predictive blacklisting as an implicit recommendation system. In INFOCOM, 2010.

Digital Library

Google Scholar

[13]

The White House. Executive order promoting private sector cybersecurity information sharing. http://1.usa.gov/1vISfBO, 2015.

Google Scholar

[14]

J. Zhang, P. A. Porras, and J. Ullrich. Highly predictive blacklisting. In USENIX, 2008.

Digital Library

Google Scholar

Cited By

View all

van Baarsen AStevens M(2024)Amortizing Circuit-PSI in the Multiple Sender/Receiver SettingIACR Communications in Cryptology10.62056/a0fhsgvtwOnline publication date: 7-Oct-2024
https://doi.org/10.62056/a0fhsgvtw
Chen XFeng WChen YGe NHe Y(2024)Access-Side DDoS Defense for Space-Air-Ground Integrated 6G V2X NetworksIEEE Open Journal of the Communications Society10.1109/OJCOMS.2024.33937525(2847-2868)Online publication date: 2024
https://doi.org/10.1109/OJCOMS.2024.3393752
Chakraborti AFanti GReiter MCalandrino JTroncoso C(2023)Distance-aware private set intersectionProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620256(319-336)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620256
Show More Cited By

Index Terms

On collaborative predictive blacklisting
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Intrusion detection systems
  2. Security services
    1. Privacy-preserving protocols

Recommendations

Highly predictive blacklisting
SS'08: Proceedings of the 17th conference on Security symposium

The notion of blacklisting communication sources has been a well-established defensive measure since the origins of the Internet community. In particular, the practice of compiling and sharing lists of the worst offenders of unwanted traffic is a ...
Formalizing Anonymous Blacklisting Systems
SP '11: Proceedings of the 2011 IEEE Symposium on Security and Privacy

Anonymous communications networks, such as Tor, help to solve the real and important problem of enabling users to communicate privately over the Internet. However, in doing so, anonymous communications networks introduce an entirely new problem for the ...
Controlled Data Sharing for Collaborative Predictive Blacklisting
DIMVA 2015: Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9148

Although data sharing across organizations is often advocated as a promising way to enhance cybersecurity, collaborative initiatives are rarely put into practice owing to confidentiality, trust, and liability challenges. We investigate whether ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGCOMM Computer Communication Review

ACM SIGCOMM Computer Communication Review Volume 48, Issue 5

October 2018

83 pages

ISSN:0146-4833

DOI:10.1145/3310165

Editor:
Olivier Bonaventure

Issue’s Table of Contents

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 January 2019

Published in SIGCOMM-CCR Volume 48, Issue 5

Check for updates

Badges

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
167
Total Downloads

Downloads (Last 12 months)33
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

van Baarsen AStevens M(2024)Amortizing Circuit-PSI in the Multiple Sender/Receiver SettingIACR Communications in Cryptology10.62056/a0fhsgvtwOnline publication date: 7-Oct-2024
https://doi.org/10.62056/a0fhsgvtw
Chen XFeng WChen YGe NHe Y(2024)Access-Side DDoS Defense for Space-Air-Ground Integrated 6G V2X NetworksIEEE Open Journal of the Communications Society10.1109/OJCOMS.2024.33937525(2847-2868)Online publication date: 2024
https://doi.org/10.1109/OJCOMS.2024.3393752
Chakraborti AFanti GReiter MCalandrino JTroncoso C(2023)Distance-aware private set intersectionProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620256(319-336)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620256
Šuľan SHusák M(2022)Limiting the Size of a Predictive Blacklist While Maintaining Sufficient AccuracyProceedings of the 17th International Conference on Availability, Reliability and Security10.1145/3538969.3539007(1-6)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3538969.3539007
Jeon DTak B(2022)BlackEye: automatic IP blacklisting using machine learning from security logsWireless Networks10.1007/s11276-019-02201-528:2(937-948)Online publication date: 1-Feb-2022
https://dl.acm.org/doi/10.1007/s11276-019-02201-5
Husák MBajtoš TKašpar JBou-Harb EČeleda P(2020)Predictive Cyber Situational Awareness and Personalized BlacklistingACM Transactions on Management Information Systems10.1145/338625011:4(1-16)Online publication date: 23-Sep-2020
https://dl.acm.org/doi/10.1145/3386250
Thang N(2020)Improving Efficiency of Web Application Firewall to Detect Code Injection Attacks with Random Forest Method and Analysis Attributes HTTP RequestProgramming and Computing Software10.1134/S036176882005007246:5(351-361)Online publication date: 1-Sep-2020
https://dl.acm.org/doi/10.1134/S0361768820050072
Saucez DIannone LBonaventure O(2019)Evaluating the artifacts of SIGCOMM papersACM SIGCOMM Computer Communication Review10.1145/3336937.333694449:2(44-47)Online publication date: 21-May-2019
https://dl.acm.org/doi/10.1145/3336937.3336944

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Highly predictive blacklisting

Formalizing Anonymous Blacklisting Systems

Controlled Data Sharing for Collaborative Predictive Blacklisting