Near-Optimal Blacklisting

TL;DR

This paper introduces HIPER, an efficient algorithm for optimally blacklisting malicious agents in shared resource systems, balancing the risks of false positives and malicious costs.

Contribution

The paper presents HIPER, a near-optimal blacklisting algorithm, and derives three additional algorithms via Markov decision process reduction, with theoretical and experimental validation.

Findings

HIPER performs close to the full MDP solution in experiments.

HIPER is theoretically near-optimal.

Algorithms effectively balance false positives and malicious costs.

Abstract

Many applications involve agents sharing a resource, such as networks or services. When agents are honest, the system functions well and there is a net profit. Unfortunately, some agents may be malicious, but it may be hard to detect them. We consider the intrusion response problem of how to permanently blacklist agents, in order to maximise expected profit. This is not trivial, as blacklisting may erroneously expel honest agents. Conversely, while we gain information by allowing an agent to remain, we may incur a cost due to malicious behaviour. We present an efficient algorithm (HIPER) for making near-optimal decisions for this problem. Additionally, we derive three algorithms by reducing the problem to a Markov decision process (MDP). Theoretically, we show that HIPER is near-optimal. Experimentally, its performance is close to that of the full MDP solution, when the (stronger) requirements of the latter are met.