Luca Melis
Emiliano De Cristofaro
Abstract
Collaborative predictive blacklisting (CPB) allows to forecast future attack sources based on logs and alerts contributed by multiple organizations. Unfortunately, however, research on CPB has only focused on increasing the number of predicted attacks but has not considered the impact on false positives and false negatives. Moreover, sharing alerts is often hindered by confidentiality, trust, and liability issues, which motivates the need for privacy-preserving approaches to the problem. In this paper, we present a measurement study of state-of-the-art CPB techniques, aiming to shed light on the actual impact of collaboration. To this end, we reproduce and measure two systems: a non privacy-friendly one that uses a trusted coordinating party with access to all alerts [12] and a peer-to-peer one using privacy-preserving data sharing [8]. We show that, while collaboration boosts the number of predicted attacks, it also yields high false positives, ultimately leading to poor accuracy. This motivates us to present a hybrid approach, using a semi-trusted central entity, aiming to increase utility from collaboration while, at the same time, limiting information disclosure and false positives. This leads to a better trade-off of true and false positive rates, while at the same time addressing privacy concerns.
- Symantec DeepSight. https://symc.ly/2rXxB1w.Google Scholar
- U.S. Anti-Bot Code of Conduct for Internet service providers: Barriers and Metrics Considerations {PDF}. https://is.gd/OgTCOG, 2013.Google Scholar
- Facebook ThreatExchange. https://threatexchange.fb.com, 2015.Google Scholar
- D. Chakrabarti, S. Papadimitriou, D. S. Modha, and C. Faloutsos. Fully automatic cross-associations. In ACM KDD, 2004. Google ScholarDigital Library
- E. De Cristofaro, P. Gasti, and G. Tsudik. Fast and Private Computation of Cardinality of Set Intersection and Union. In CANS, 2012.Google ScholarCross Ref
- E. De Cristofaro and G. Tsudik. Practical private set intersection protocols with linear complexity. In Financial Cryptography and Data Security, 2010. Google ScholarDigital Library
- E. De Cristofaro and G. Tsudik. Experimenting with fast private set intersection. In TRUST, 2012. Google ScholarDigital Library
- J. Freudiger, E. De Cristofaro, and A. Brito. Controlled Data Sharing for Collaborative Predictive Blacklisting. In DIMVA, 2015. Google ScholarDigital Library
- S. Kamara, P. Mohassel, M. Raykova, and S. Sadeghian. Scaling private set intersection to billion-element sets. In FC. 2014.Google Scholar
- S. Katti, B. Krishnamurthy, and D. Katabi. Collaborating against common enemies. In ACM IMC, 2005. Google ScholarDigital Library
- L. Melis, G. Danezis, and E. De Cristofaro. Efficient Private Statistics with Succinct Sketches. In NDSS, 2016.Google ScholarCross Ref
- F. Soldo, A. Le, and A. Markopoulou. Predictive blacklisting as an implicit recommendation system. In INFOCOM, 2010. Google ScholarDigital Library
- The White House. Executive order promoting private sector cybersecurity information sharing. http://1.usa.gov/1vISfBO, 2015.Google Scholar
- J. Zhang, P. A. Porras, and J. Ullrich. Highly predictive blacklisting. In USENIX, 2008. Google ScholarDigital Library
Index Terms
- On collaborative predictive blacklisting
Recommendations
Highly predictive blacklisting
SS'08: Proceedings of the 17th conference on Security symposiumThe notion of blacklisting communication sources has been a well-established defensive measure since the origins of the Internet community. In particular, the practice of compiling and sharing lists of the worst offenders of unwanted traffic is a ...
Formalizing Anonymous Blacklisting Systems
SP '11: Proceedings of the 2011 IEEE Symposium on Security and PrivacyAnonymous communications networks, such as Tor, help to solve the real and important problem of enabling users to communicate privately over the Internet. However, in doing so, anonymous communications networks introduce an entirely new problem for the ...
Controlled Data Sharing for Collaborative Predictive Blacklisting
DIMVA 2015: Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9148Although data sharing across organizations is often advocated as a promising way to enhance cybersecurity, collaborative initiatives are rarely put into practice owing to confidentiality, trust, and liability challenges. We investigate whether ...
Comments