Highly Predictive Blacklisting
To shield computer networks from cyber-attacks, SRI’s Highly Predictive Blacklisting (HPB) software draws on millions of entries from worldwide volunteers participating in a firewall correlation system and uses them to analyze attack trends. HPB is available for complimentary experimental use.
Blacklists have been used since the Internet's earliest days. Network administrators use generic blacklists to fortify their network firewalls against malicious attacks. SRI's HPB algorithm takes a radically different approach from traditional methods: it provides individualized lists of the attackers most likely to penetrate a given network. This approach helps to fine-tune blacklists so network administrators can filter out the worst offenders.
HPB evaluates the overlaps in attacks at related network nodes through an analysis similar to calculations used to generate Internet search engine page rankings.
In more than 80 percent of cases, the HPB system has yielded a better hit rate in intercepting attack attempts than current blacklist approaches that are either more broadly global, or more reactive to repeated threats.
The Highly Predictive Blacklisting algorithm is a research prototype developed by SRI’s Computer Science Laboratory in collaboration with DShield.org: Jian Zhang (SRI), Phillip Porras (SRI), and Johannes Ullrich (DShield.org).
- Automated log prefiltering to screen out unreliable content
- Relevance ranking of attacks, reflecting the nature of the targets as well as the number of attack attempts
- Severity ranking based on comparing attack behavior to known malware propagation patterns
- A probability estimate for each contributor that fuses weighted relevance and severity scores
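
The sketch below is an added illustration of the overlap-based relevance ranking described above; it is not SRI's or DShield's code. It covers only that one step, without prefiltering or severity scoring. The function names, the damping factor `alpha`, the row-normalized weights and the sample reports are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample: contributor -> source addresses seen in its firewall logs
# (documentation ranges from RFC 5737, not real attackers).
REPORTS = {
    "net_a": {"192.0.2.1", "192.0.2.2", "192.0.2.3"},
    "net_b": {"192.0.2.2", "192.0.2.3", "198.51.100.7"},
    "net_c": {"203.0.113.5", "203.0.113.6"},
    "net_d": {"203.0.113.5", "203.0.113.6", "203.0.113.9"},
    "net_e": {"203.0.113.5", "198.51.100.7"},
}

def overlap_weights(reports):
    """W[i][j]: share of contributor i's attacker overlap that is with contributor j."""
    weights = {}
    for i, seen_i in reports.items():
        shared = {j: len(seen_i & seen_j) for j, seen_j in reports.items() if j != i}
        total = sum(shared.values())
        weights[i] = {j: n / total for j, n in shared.items() if n} if total else {}
    return weights

def relevance(reports, source, alpha=0.5, rounds=30):
    """Propagate 'who reported this source' across the overlap graph.

    Each round a contributor adds a damped (alpha, assumed value) share of its
    neighbours' scores, the same fixed-point style of iteration as page ranking.
    """
    weights = overlap_weights(reports)
    base = {i: 1.0 if source in seen else 0.0 for i, seen in reports.items()}
    score = dict(base)
    for _ in range(rounds):
        score = {i: base[i] + alpha * sum(w * score[j] for j, w in weights[i].items())
                 for i in reports}
    return score

def personal_blacklist(reports, contributor, size):
    """Sources ranked by relevance to one contributor (ties broken by address)."""
    sources = set().union(*reports.values())
    ranked = sorted(sources, key=lambda s: (-relevance(reports, s)[contributor], s))
    return ranked[:size]

def global_blacklist(reports, size):
    """Baseline: sources ranked by how many contributors reported them."""
    counts = Counter(s for seen in reports.values() for s in seen)
    return [s for s, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))][:size]

if __name__ == "__main__":
    print("global:", global_blacklist(REPORTS, 4))
    for net in REPORTS:
        print(net, personal_blacklist(REPORTS, net, 4))
```

In this constructed data, `net_a` ranks `198.51.100.7` (seen only by peers whose logs overlap with its own) above the globally most-reported source, which none of its correlated peers has reported.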