[Dshield] New DShield Feature: Highly Predictive Blacklists

Pete Cap peteoutside at yahoo.com
Tue Apr 17 23:19:39 GMT 2007

"Johannes B. Ullrich" <jullrich at sans.org> wrote: 
I am happy to announce an exciting new feature to DShield submitters.
Based on some research done by SRI International, we came up with an
algorithm to create better blacklists.

The short one paragraph summary: The algorithm compares your submissions
to others and finds groups of similar submitters. Next, it will generate
blacklists based on how close you are to these other submitters.

In other simulations, these blacklists have been far superior to regular
"global worst offender" or "local worst offender" lists.

For details, see http://www.dshield.org/hpbinfo.html

Johannes Ullrich                        http://isc.sans.org

Woohoo!  Sounds like an application of association rules mining.  There are lots of other, similar applications, like the noted Google PageRank, but also Amazon.com recommendations or market research data gathered by supermarkets (market basket analysis).  These algorithms can be highly predictive--if you are getting portscanned a lot on port 31337, then your blacklist should include as many other "known 31337 scanners" as possible.

I'm really glad to see security professionals take advantage of technology like this.

Best regards,

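A toy version of the contributor-similarity idea described in the announcement above, added here as an illustration; it is not DShield's or SRI's actual algorithm, and the contributor names, report sets and addresses are constructed sample data.

```python
from collections import Counter

# Constructed sample data: each contributor reports the set of source IPs that
# probed its sensors. A and B see overlapping attackers, C and D form a second
# cluster, and 203.0.113.99 is a noisy scanner seen by everyone. Addresses are
# from documentation ranges, not real indicators.
REPORTS = {
    "A": {"198.51.100.1", "198.51.100.2", "198.51.100.3", "203.0.113.99"},
    "B": {"198.51.100.1", "198.51.100.2", "198.51.100.4", "203.0.113.99"},
    "C": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "203.0.113.99"},
    "D": {"192.0.2.10", "192.0.2.11", "192.0.2.13", "203.0.113.99"},
}


def jaccard(a, b):
    """Similarity of two contributors: overlap of the attackers they reported."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def global_worst_offenders(reports, n):
    """Baseline list: sources reported by the most contributors, whoever they are."""
    counts = Counter(ip for seen in reports.values() for ip in seen)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:n]]


def predictive_blacklist(reports, me, n):
    """Rank sources `me` has not yet seen by how many *similar* contributors saw them.

    Each other contributor's vote is weighted by its Jaccard similarity to `me`,
    so attackers active against my cluster outrank globally noisy scanners that
    a plain worst-offender list would put first.
    """
    mine = reports[me]
    score = Counter()
    for other, seen in reports.items():
        if other == me:
            continue
        weight = jaccard(mine, seen)
        for ip in seen - mine:          # only predict what I have not yet blocked
            score[ip] += weight
    # ties broken on the address string so the output is deterministic
    ranked = sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:n]]


if __name__ == "__main__":
    print("global worst offenders:", global_worst_offenders(REPORTS, 3))
    print("A's predictive list:   ", predictive_blacklist(REPORTS, "A", 2))
```

For contributor A the predictive list leads with 198.51.100.4, which A has never seen but its closest peer B has, while the global list is topped by the scanner that hits everyone.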
