Shades of Grey: On the effectiveness of reputation-based blacklists

Sushant Sinha, Michael Bailey, Farnam Jahanian

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Malicious code, or malware, executed on compromised hosts provides a platform for a wide variety of attacks against the availability of the network and the privacy and confidentiality of its users. Unfortunately, the most popular techniques for detecting and preventing malware have been shown to be significantly flawed [11], and it is widely believed that a significant fraction of the Internet consists of malware infected machines [17]. In response, defenders have turned to coarse-grained, reputation-based techniques, such as real time blackhole lists, for blocking large numbers of potentially malicious hosts and network blocks. In this paper, we perform a preliminary study of a type of reputation-based blacklist, namely those used to block unsolicited email, or spam. We show that, for the network studied, these blacklists exhibit non-trivial false positives and false negatives. We investigate a number of possible causes for this low accuracy and discuss the implications for other types of reputation-based blacklists.

Original languageEnglish (US)
Title of host publication3rd International Conference on Malicious and Unwanted Software, MALWARE 2008
Pages57-64
Number of pages8
DOIs
StatePublished - Dec 1 2008
Externally publishedYes
Event3rd International Conference on Malicious and Unwanted Software, MALWARE 2008 - Alexandria, VA, United States
Duration: Oct 7 2008Oct 8 2008

Publication series

Name3rd International Conference on Malicious and Unwanted Software, MALWARE 2008

Other

Other3rd International Conference on Malicious and Unwanted Software, MALWARE 2008
CountryUnited States
CityAlexandria, VA
Period10/7/0810/8/08

ASJC Scopus subject areas

  • Software

Fingerprint Dive into the research topics of 'Shades of Grey: On the effectiveness of reputation-based blacklists'. Together they form a unique fingerprint.

Cite this