Shades of Grey: On the effectiveness of reputation-based blacklists

Sushant Sinha; Michael Bailey; Farnam Jahanian

doi:10.1109/MALWARE.2008.4690858

Shades of Grey: On the effectiveness of reputation-based blacklists

Sushant Sinha, Michael Bailey, Farnam Jahanian

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Malicious code, or malware, executed on compromised hosts provides a platform for a wide variety of attacks against the availability of the network and the privacy and confidentiality of its users. Unfortunately, the most popular techniques for detecting and preventing malware have been shown to be significantly flawed [11], and it is widely believed that a significant fraction of the Internet consists of malware infected machines [17]. In response, defenders have turned to coarse-grained, reputation-based techniques, such as real time blackhole lists, for blocking large numbers of potentially malicious hosts and network blocks. In this paper, we perform a preliminary study of a type of reputation-based blacklist, namely those used to block unsolicited email, or spam. We show that, for the network studied, these blacklists exhibit non-trivial false positives and false negatives. We investigate a number of possible causes for this low accuracy and discuss the implications for other types of reputation-based blacklists.

Original language	English (US)
Title of host publication	3rd International Conference on Malicious and Unwanted Software, MALWARE 2008
Pages	57-64
Number of pages	8
DOIs	https://doi.org/10.1109/MALWARE.2008.4690858
State	Published - 2008
Externally published	Yes
Event	3rd International Conference on Malicious and Unwanted Software, MALWARE 2008 - Alexandria, VA, United States Duration: Oct 7 2008 → Oct 8 2008

Publication series

Name	3rd International Conference on Malicious and Unwanted Software, MALWARE 2008

Other

Other	3rd International Conference on Malicious and Unwanted Software, MALWARE 2008
Country/Territory	United States
City	Alexandria, VA
Period	10/7/08 → 10/8/08

ASJC Scopus subject areas

Software

Online availability

10.1109/MALWARE.2008.4690858

Library availability

Discover UIUC Full Text

Cite this

Shades of Grey: On the effectiveness of reputation-based blacklists. / Sinha, Sushant; Bailey, Michael; Jahanian, Farnam.
3rd International Conference on Malicious and Unwanted Software, MALWARE 2008. 2008. p. 57-64 4690858 (3rd International Conference on Malicious and Unwanted Software, MALWARE 2008).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Sinha, S, Bailey, M & Jahanian, F 2008, Shades of Grey: On the effectiveness of reputation-based blacklists. in 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008., 4690858, 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, pp. 57-64, 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, Alexandria, VA, United States, 10/7/08. https://doi.org/10.1109/MALWARE.2008.4690858

@inproceedings{216b74965eae475fb53b387ec393d64e,

title = "Shades of Grey: On the effectiveness of reputation-based blacklists",

abstract = "Malicious code, or malware, executed on compromised hosts provides a platform for a wide variety of attacks against the availability of the network and the privacy and confidentiality of its users. Unfortunately, the most popular techniques for detecting and preventing malware have been shown to be significantly flawed [11], and it is widely believed that a significant fraction of the Internet consists of malware infected machines [17]. In response, defenders have turned to coarse-grained, reputation-based techniques, such as real time blackhole lists, for blocking large numbers of potentially malicious hosts and network blocks. In this paper, we perform a preliminary study of a type of reputation-based blacklist, namely those used to block unsolicited email, or spam. We show that, for the network studied, these blacklists exhibit non-trivial false positives and false negatives. We investigate a number of possible causes for this low accuracy and discuss the implications for other types of reputation-based blacklists.",

author = "Sushant Sinha and Michael Bailey and Farnam Jahanian",

year = "2008",

doi = "10.1109/MALWARE.2008.4690858",

language = "English (US)",

isbn = "9781424432899",

series = "3rd International Conference on Malicious and Unwanted Software, MALWARE 2008",

pages = "57--64",

booktitle = "3rd International Conference on Malicious and Unwanted Software, MALWARE 2008",

note = "3rd International Conference on Malicious and Unwanted Software, MALWARE 2008 ; Conference date: 07-10-2008 Through 08-10-2008",

}

TY - GEN

T1 - Shades of Grey

T2 - 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008

AU - Sinha, Sushant

AU - Bailey, Michael

AU - Jahanian, Farnam

PY - 2008

Y1 - 2008

N2 - Malicious code, or malware, executed on compromised hosts provides a platform for a wide variety of attacks against the availability of the network and the privacy and confidentiality of its users. Unfortunately, the most popular techniques for detecting and preventing malware have been shown to be significantly flawed [11], and it is widely believed that a significant fraction of the Internet consists of malware infected machines [17]. In response, defenders have turned to coarse-grained, reputation-based techniques, such as real time blackhole lists, for blocking large numbers of potentially malicious hosts and network blocks. In this paper, we perform a preliminary study of a type of reputation-based blacklist, namely those used to block unsolicited email, or spam. We show that, for the network studied, these blacklists exhibit non-trivial false positives and false negatives. We investigate a number of possible causes for this low accuracy and discuss the implications for other types of reputation-based blacklists.

AB - Malicious code, or malware, executed on compromised hosts provides a platform for a wide variety of attacks against the availability of the network and the privacy and confidentiality of its users. Unfortunately, the most popular techniques for detecting and preventing malware have been shown to be significantly flawed [11], and it is widely believed that a significant fraction of the Internet consists of malware infected machines [17]. In response, defenders have turned to coarse-grained, reputation-based techniques, such as real time blackhole lists, for blocking large numbers of potentially malicious hosts and network blocks. In this paper, we perform a preliminary study of a type of reputation-based blacklist, namely those used to block unsolicited email, or spam. We show that, for the network studied, these blacklists exhibit non-trivial false positives and false negatives. We investigate a number of possible causes for this low accuracy and discuss the implications for other types of reputation-based blacklists.

UR - http://www.scopus.com/inward/record.url?scp=58149096147&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=58149096147&partnerID=8YFLogxK

U2 - 10.1109/MALWARE.2008.4690858

DO - 10.1109/MALWARE.2008.4690858

M3 - Conference contribution

AN - SCOPUS:58149096147

SN - 9781424432899

T3 - 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008

SP - 57

EP - 64

BT - 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008

Y2 - 7 October 2008 through 8 October 2008

ER -

Shades of Grey: On the effectiveness of reputation-based blacklists

Abstract

Publication series

Other

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this