Collaborative approaches to network defense are increasingly used to predict attacks and to speed up their detection. In this paper, we focus on highly predictive blacklisting, i.e., forecasting attack sources based on alerts contributed by multiple organizations. While collaboration makes it possible to discover groups of correlated attacks targeting similar victims, it also raises important security and privacy challenges. We propose a scalable, privacy-friendly system featuring a semi-trusted authority that clusters organizations based on the similarity of their logs. Entities in the same cluster then securely share relevant logs and can build more accurate predictive blacklists. We present an extensive set of measurements using real-world alerts from DShield.org and show that the available centralized algorithms for predictive blacklisting actually achieve poor accuracy, as they increase the number of false positives and false negatives. We then demonstrate that minimizing and optimizing the information shared across organizations improves the quality of predictions, and that privacy protection does not limit this improvement. In fact, our methods markedly outperform non-privacy-preserving tools in terms of both precision and recall.
from cs.AI updates on arXiv.org http://ift.tt/1NtM7Aq
via IFTTT