On Collaborative Predictive Blacklisting
Luca Melis, Apostolos Pyrgelis, Emiliano De Cristofaro

TL;DR
This paper evaluates current collaborative predictive blacklisting techniques, showing that increased collaboration raises false positives, and proposes a hybrid privacy-preserving approach that better balances accuracy and privacy.
Contribution
The paper provides a measurement study of existing CPB systems and introduces a hybrid approach that balances collaboration benefits with privacy and accuracy considerations.
Findings
Collaboration increases predicted attacks but also false positives.
Current systems have poor accuracy due to high false positives.
The hybrid approach improves the trade-off between true and false positives.
Abstract
Collaborative predictive blacklisting (CPB) allows forecasting future attack sources based on logs and alerts contributed by multiple organizations. Unfortunately, however, research on CPB has only focused on increasing the number of predicted attacks but has not considered the impact on false positives and false negatives. Moreover, sharing alerts is often hindered by confidentiality, trust, and liability issues, which motivates the need for privacy-preserving approaches to the problem. In this paper, we present a measurement study of state-of-the-art CPB techniques, aiming to shed light on the actual impact of collaboration. To this end, we reproduce and measure two systems: a non-privacy-friendly one that uses a trusted coordinating party with access to all alerts (Soldo et al., 2010) and a peer-to-peer one using privacy-preserving data sharing (Freudiger et al., 2015). We show that,…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Blockchain Technology Applications and Security · Cloud Data Security Solutions
