A Robust Algorithm for Predicting Attacks Using Collaborative Security Logs

Abstract

As networks become ubiquitous in our daily lives, users rely more on networks for exchanging data and communication. However, numerous new and sophisticated attacks that endanger security of users have been reported. In practice, blacklisting illicit sources has been a fundamental defense strategy in recent years. In this paper, we propose a predictor that is based on the observations from a centralized log-sharing infrastructure. Our observations include the direct relation between attackers and victims, victim similarities, and attacker correlations. We compile a customized blacklist for each Dshield.org contributor using a weighted function of direct and indirect relations between victims and attackers. This list not only offers a significantly higher prediction ratio, but also includes source addresses with potentially higher threats. We evaluate our predictor using two months of malicious activities acquired from Dshield.org. The experimental results demonstrate a significant improvement over previous algorithms.