Assessing usefulness of blacklists without the ground truth

Egon Kidmose, Kristian Gausel, Søren Brandbyge, Jens Myrup Pedersen

Publication: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-reviewed

Abstract

Domain name blacklists are used to detect malicious activity on the Internet.
Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals.
The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth.
We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing accuracy and coverage against it.
Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without that dependency.
Another common approach is to implicitly sample blacklists, whereas our analysis covers all entries found in the blacklists.
To evaluate the proposed method, 31 blacklists were collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names.
The results show that blacklists differ greatly once their changes over time are taken into account.
We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.
Original language: English
Title: Image Processing and Communications Challenges 10
Number of pages: 8
Publisher: Springer
Publication date: 2018
Pages: 216-223
ISBN (Print): 978-3-030-03657-7
ISBN (Electronic): 978-3-030-03658-4
DOI: 10.1007/978-3-030-03658-4_26
Status: Published - 2018
Event: 10th International Conference on Image Processing & Communications - Bydgoszcz, Poland
Duration: 14 Nov 2018 to 16 Nov 2018

Conference

Conference: 10th International Conference on Image Processing & Communications
Country: Poland
City: Bydgoszcz
Period: 14/11/2018 to 16/11/2018
Series: Advances in Intelligent Systems and Computing
Volume: 892
ISSN: 2194-5357


Cite this

Kidmose, E., Gausel, K., Brandbyge, S., & Pedersen, J. M. (2018). Assessing usefulness of blacklists without the ground truth. In Image Processing and Communications Challenges 10 (pp. 216-223). Springer. Advances in Intelligent Systems and Computing, Vol. 892. https://doi.org/10.1007/978-3-030-03658-4_26
Kidmose, Egon ; Gausel, Kristian ; Brandbyge, Søren ; Pedersen, Jens Myrup. / Assessing usefulness of blacklists without the ground truth. Image Processing and Communications Challenges 10. Springer, 2018. pp. 216-223 (Advances in Intelligent Systems and Computing, Vol. 892).
@inproceedings{449d9f2a6c194153a542159db4cf87cd,
title = "Assessing usefulness of blacklists without the ground truth",
abstract = "Domain name blacklists are used to detect malicious activity on the Internet. Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals. The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth. We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage. Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency. Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists. To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names. The results show that blacklists are very different when considering changes over time. We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.",
keywords = "Domain names, blacklists, domain names system",
author = "Egon Kidmose and Kristian Gausel and S{\o}ren Brandbyge and Pedersen, {Jens Myrup}",
year = "2018",
doi = "10.1007/978-3-030-03658-4_26",
language = "English",
isbn = "978-3-030-03657-7",
pages = "216--223",
booktitle = "Image Processing and Communications Challenges 10",
series = "Advances in Intelligent Systems and Computing",
volume = "892",
publisher = "Springer",
address = "Germany",
}

Kidmose, E, Gausel, K, Brandbyge, S & Pedersen, JM 2018, Assessing usefulness of blacklists without the ground truth. in Image Processing and Communications Challenges 10. Springer, Advances in Intelligent Systems and Computing, vol. 892, pp. 216-223, Bydgoszcz, Poland, 14/11/2018. https://doi.org/10.1007/978-3-030-03658-4_26

Assessing usefulness of blacklists without the ground truth. / Kidmose, Egon; Gausel, Kristian; Brandbyge, Søren; Pedersen, Jens Myrup.

Image Processing and Communications Challenges 10. Springer, 2018. pp. 216-223 (Advances in Intelligent Systems and Computing, Vol. 892).

Publication: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-reviewed

TY  - GEN
T1  - Assessing usefulness of blacklists without the ground truth
AU  - Kidmose, Egon
AU  - Gausel, Kristian
AU  - Brandbyge, Søren
AU  - Pedersen, Jens Myrup
PY  - 2018
Y1  - 2018
N2  - Domain name blacklists are used to detect malicious activity on the Internet. Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals. The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth. We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage. Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency. Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists. To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names. The results show that blacklists are very different when considering changes over time. We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.
AB  - Domain name blacklists are used to detect malicious activity on the Internet. Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals. The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth. We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage. Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency. Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists. To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names. The results show that blacklists are very different when considering changes over time. We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.
KW  - Domain names
KW  - blacklists
KW  - domain names system
U2  - 10.1007/978-3-030-03658-4_26
DO  - 10.1007/978-3-030-03658-4_26
M3  - Article in proceeding
SN  - 978-3-030-03657-7
SP  - 216
EP  - 223
BT  - Image Processing and Communications Challenges 10
PB  - Springer
ER  -

Kidmose E, Gausel K, Brandbyge S, Pedersen JM. Assessing usefulness of blacklists without the ground truth. In Image Processing and Communications Challenges 10. Springer. 2018. pp. 216-223. (Advances in Intelligent Systems and Computing, Vol. 892). https://doi.org/10.1007/978-3-030-03658-4_26