Highly predictive blacklisting
PowerPoint PPT presentation by 黃瀚嶙, 5/10.

Presentation Transcript

Introduction

  • GWOL - global worst offender list: the attackers reported most often across all contributors, so every contributor receives the same list

  • LWOL - local worst offender list: the attackers that hit a given contributor's own network most often

  • HPB - highly predictive blacklisting: a per-contributor list that ranks attackers by how likely they are to hit that contributor next, using what correlated contributors have reported


References

  • Jian Zhang, Phillip Porras, and Johannes Ullrich. Highly Predictive Blacklisting. In Proceedings of the USENIX Security Symposium, 2008.



Blacklisting System - Prefiltering Logs

  • remove log entries whose source lies in invalid or unassigned IP address space

    - e.g. private ranges such as 10.x.x.x or 192.168.x.x, which cannot be real Internet attackers and usually indicate spoofing or misconfiguration

  • apply the whitelist: drop sources the contributor has explicitly marked as trusted

  • exclude specific ports whose log entries are dominated by legitimate or misconfigured servers rather than attackers

    - TCP 53 (DNS), 25 (SMTP), 80 (HTTP), etc.


Blacklisting System - Relevance Ranking

  • contributors are correlated by the attackers they have in common; an attacker reported by contributors strongly correlated with v is relevant to v even if v has not seen it yet

  • relevance vector: for each attacker, one entry per contributor giving how relevant that attacker is to that contributor

  • there is a fast solution for computing the relevance vector

  • the rank of a source with respect to different contributors is different, so each contributor gets its own ordering


Blacklisting System - Attack Pattern Severity

  • c_m: total number of connections to malware-associated ports; c_u: number of unique malware-associated ports targeted

  • w_m, w_u: the weights of c_m and c_u

  • TC(s): the set of unique target IP addresses connected to by attacker s

  • malware severity score: combines the weighted port counts with TC(s) to score how dangerous an attacker's pattern looks


Blacklisting System - Blacklist Production

  • final blacklist for each contributor: attackers ordered by relevance rank, adjusted by severity, and cut to the list length

    - k: relevance rank of the attacker for this contributor

    - L: final list length
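
The four slides above (Prefiltering Logs, Relevance Ranking, Attack Pattern Severity, Blacklist Production) describe one pipeline, so here is a single worked example of it in Python. This is an added example written for this page, not code from the paper or the slides, and it runs on constructed log records embedded inline. Everything not stated on the slides is an assumption of this example: contributor correlation is the row-normalised count of common attackers; the relevance vector is r = b + aWb + a^2 W^2 b + ... (b marks which contributors reported the attacker) and is computed by fixed-point iteration with a = 0.5; the malware port set, the weights w_m = 1 and w_u = 2, the use of log(1 + |TC(s)|) in the severity score, and the final score k / (1 + severity) are illustrative choices, not the paper's exact formulas.

```python
"""Toy HPB-style blacklist pipeline (added example; not the paper's or the slides' code).
prefilter -> contributor correlation -> relevance ranking -> severity -> list of length L."""
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (contributor, source_ip, dst_port, target_ip).
SAMPLE_LOGS = [
    ("A", "203.0.113.5", 445, "198.51.100.10"),
    ("A", "203.0.113.5", 139, "198.51.100.11"),
    ("A", "203.0.113.7", 22, "198.51.100.10"),
    ("A", "10.1.2.3", 445, "198.51.100.10"),        # private source: dropped
    ("A", "203.0.113.9", 80, "198.51.100.10"),      # HTTP: dropped
    ("B", "203.0.113.5", 445, "198.51.100.20"),
    ("B", "203.0.113.7", 22, "198.51.100.20"),
    ("B", "203.0.113.8", 3389, "198.51.100.21"),
    ("C", "203.0.113.5", 445, "198.51.100.30"),
    ("C", "203.0.113.8", 3389, "198.51.100.31"),
    ("C", "192.0.2.44", 25, "198.51.100.30"),       # SMTP: dropped
    ("D", "203.0.113.8", 3389, "198.51.100.40"),
    ("D", "203.0.113.12", 1433, "198.51.100.40"),
    ("D", "203.0.113.12", 1433, "198.51.100.41"),
]
WHITELIST = {"203.0.113.99"}                      # assumed contributor whitelist
EXCLUDED_PORTS = {53, 25, 80}                     # DNS, SMTP, HTTP (as on the slide)
MALWARE_PORTS = {135, 139, 445, 1433, 3389}       # assumed malware-associated ports
UNROUTED = [ip_network(p) for p in (              # private/unassigned space (partial list)
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def prefilter(records, whitelist=WHITELIST, excluded_ports=EXCLUDED_PORTS):
    """Prefiltering: drop unroutable or whitelisted sources and excluded ports."""
    kept = []
    for contributor, src, port, dst in records:
        if any(ip_address(src) in net for net in UNROUTED):
            continue
        if src in whitelist or port in excluded_ports:
            continue
        kept.append((contributor, src, port, dst))
    return kept


def correlation_matrix(records):
    """W[u][v]: common-attacker count between u and v, row-normalised (assumed form)."""
    seen = defaultdict(set)
    for contributor, src, _port, _dst in records:
        seen[contributor].add(src)
    contributors = sorted(seen)
    W = {}
    for u in contributors:
        raw = {v: len(seen[u] & seen[v]) for v in contributors if v != u}
        total = sum(raw.values())
        W[u] = {v: (n / total if total else 0.0) for v, n in raw.items()}
    return contributors, seen, W


def relevance(contributors, seen, W, attacker, alpha=0.5, iters=200):
    """Relevance vector r = b + aWb + a^2W^2b + ... via fixed-point iteration r <- b + aWr."""
    b = {v: 1.0 if attacker in seen[v] else 0.0 for v in contributors}
    r = dict(b)
    for _ in range(iters):
        nxt = {v: b[v] + alpha * sum(W[v][u] * r[u] for u in W[v]) for v in contributors}
        done = max(abs(nxt[v] - r[v]) for v in contributors) < 1e-12
        r = nxt
        if done:
            break
    return r


def relevance_ranks(records, alpha=0.5):
    """ranks[v][s] = k: rank of attacker s for contributor v (1 = most relevant)."""
    contributors, seen, W = correlation_matrix(records)
    attackers = sorted({src for _c, src, _p, _d in records})
    rel = {s: relevance(contributors, seen, W, s, alpha) for s in attackers}
    ranks = {}
    for v in contributors:
        order = sorted(attackers, key=lambda s: (-rel[s][v], s))
        ranks[v] = {s: k for k, s in enumerate(order, start=1)}
    return ranks, rel


def severity(records, w_m=1.0, w_u=2.0):
    """Attack-pattern severity from c_m, c_u and TC(s); weights and combination are assumed."""
    c_m, c_u, tc = defaultdict(int), defaultdict(set), defaultdict(set)
    for _c, src, port, dst in records:
        tc[src].add(dst)                          # TC(s): unique targets of s
        if port in MALWARE_PORTS:
            c_m[src] += 1                         # c_m: connections to malware ports
            c_u[src].add(port)                    # c_u: distinct malware ports
    return {s: (w_m * c_m[s] + w_u * len(c_u[s])) * math.log1p(len(tc[s])) for s in tc}


def blacklist(records, contributor, L, alpha=0.5):
    """Final list for one contributor: rank k promoted by severity, truncated to L entries."""
    clean = prefilter(records)
    ranks, _rel = relevance_ranks(clean, alpha)
    sev = severity(clean)
    # Assumed final score k / (1 + sev): lower is better; high severity pulls an attacker up.
    k = ranks[contributor]
    return sorted(k, key=lambda s: (k[s] / (1.0 + sev[s]), s))[:L]


if __name__ == "__main__":
    for v in "ABCD":
        print(v, blacklist(SAMPLE_LOGS, v, L=2))
```

The point to notice is in contributor A's list: A has only ever seen 203.0.113.5 and 203.0.113.7, yet 203.0.113.8 enters its list because B and C, the contributors A shares attackers with, both reported it, and its malware-port pattern gives it a higher severity than the SSH scanner A already knows about. An attacker seen only by D, which shares nothing with A, receives a small but non-zero relevance for A via the B and C hops. The 200-iteration cap and a = 0.5 keep the iteration a contraction since W is row-normalised.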


Experiment Results - Hit Count Improvement

  (figure not recoverable from the page)


Experiment Results - Prediction of New Attacks

  (figure not recoverable from the page)


Experiment Results - Blacklist Length


Conclusion

  • better quality in predicting new attackers, i.e. sources a contributor has not yet seen

  • a new system that generates a separate blacklist for each contributor

