Building and Measuring Privacy-Preserving Predictive Blacklists
Luca Melis, Apostolos Pyrgelis, Emiliano De Cristofaro

TL;DR
This paper analyzes collaborative predictive blacklisting systems, highlighting privacy issues and proposing a new privacy-preserving approach that improves prediction accuracy and scalability for multiple organizations.
Contribution
It provides a comprehensive measurement analysis of existing systems and introduces a novel privacy-preserving method that enhances prediction quality and scalability.
Findings
Collaboration impacts both false positives and false negatives.
The proposed approach reduces information disclosure.
The system scales effectively to many organizations.
Abstract
(Withdrawn) Collaborative security initiatives are increasingly often advocated to improve timeliness and effectiveness of threat mitigation. Among these, collaborative predictive blacklisting (CPB) aims to forecast attack sources based on alerts contributed by multiple organizations that might be targeted in similar ways. Alas, CPB proposals thus far have only focused on improving hit counts, but overlooked the impact of collaboration on false positives and false negatives. Moreover, sharing threat intelligence often prompts important privacy, confidentiality, and liability issues. In this paper, we first provide a comprehensive measurement analysis of two state-of-the-art CPB systems: one that uses a trusted central party to collect alerts [Soldo et al., Infocom'10] and a peer-to-peer one relying on controlled data sharing [Freudiger et al., DIMVA'15], studying the impact of…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting · Cryptography and Data Security
