1 / 14

Highly Predictive Blacklisting

This document explores the concept of Highly Predictive Blacklisting (HPB) as detailed in the work by Jian Zhang, Phillip Porras, and Johannes Ullrich. It discusses the GWOL (Global Worst Offender List) and LWOL (Local Worst Offender List) and how the proposed system can filter logs, remove invalid IP addresses, and leverage whitelists to improve security. It highlights the relevance ranking process for blacklisting and analyzes attack patterns and severities. The findings showcase superior prediction capabilities for identifying new attackers, ultimately contributing to more effective cybersecurity measures.

robert
Télécharger la présentation

Highly Predictive Blacklisting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Highly Predictive Blacklisting 5/10 黃瀚嶙

  2. Introduction • GWOL-global worst offender list • LWOL-local worst offender list • HPB -highly predictive blacklisting

  3. References • Highly Predictive Blacklisting Jian Zhang, Phillip Porras, and Johannes Ullrich. Highly predictive blacklisting. In Usenix Security Symposium, 2008.

  4. Blacklisting System-flow chart

  5. Blacklisting System -Prefiltering Logs • remove invalid or unassigned IP address space -like 10.x.x.x or 192.168.x.x • use the whitelist • exclude specific port -TCP 53 (DNS), 25 (SMTP), 80 (HTTP)…etc

  6. Blacklisting System -Relevance Ranking

  7. Blacklisting System -Relevance Ranking

  8. Blacklisting System -Relevance Ranking • relevance vector • Thers is a fast solution like • the rank of a source with respect to different contributors is different

  9. Blacklisting System -Attack Pattern Severity • cm:total num of attack port, cu :total num of unique port • wm, wu : the weight of Cm Cu • TC(s):unique target IP addresses connected to by attacker s. • malware severity score

  10. Blacklisting System -Blacklist Production • final blacklist for each contributor -k :relevance rank of the attacker -L:final list length

  11. Experiment Results-Hit Count Improvement • 1

  12. Experiment Results-Prediction of New Attacks • 1

  13. Experiment Results-Blacklist Length

  14. Conclusion • new attacker prediction quality • new system to generate blacklists

More Related