Assessing usefulness of blacklists without the ground truth

Egon Kidmose, Kristian Gausel, Søren Brandbyge, Jens Myrup Pedersen

Research output: Contribution to book/anthology/report/conference proceedingArticle in proceedingResearchpeer-review

Abstract

Domain name blacklists are used to detect malicious activity on the Internet.
Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals.
The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth.
We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage.
Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency.
Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists.
To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names.
The results show that blacklists are very different when considering changes over time.
We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.
Original languageEnglish
Title of host publicationImage Processing and Communications Challenges 10
Number of pages8
PublisherSpringer
Publication date2018
Pages216-223
ISBN (Print)978-3-030-03657-7
ISBN (Electronic)978-3-030-03658-4
DOIs
Publication statusPublished - 2018
Event10th International Conference on Image Processing & Communications - Bydgoszcz, Poland
Duration: 14 Nov 201816 Nov 2018

Conference

Conference10th International Conference on Image Processing & Communications
CountryPoland
CityBydgoszcz
Period14/11/201816/11/2018
SeriesAdvances in Intelligent Systems and Computing
Volume892
ISSN2194-5357

Fingerprint

Internet

Keywords

  • Domain names
  • blacklists
  • domain names system

Cite this

Kidmose, E., Gausel, K., Brandbyge, S., & Pedersen, J. M. (2018). Assessing usefulness of blacklists without the ground truth. In Image Processing and Communications Challenges 10 (pp. 216-223). Springer. Advances in Intelligent Systems and Computing, Vol.. 892 https://doi.org/10.1007/978-3-030-03658-4_26
Kidmose, Egon ; Gausel, Kristian ; Brandbyge, Søren ; Pedersen, Jens Myrup. / Assessing usefulness of blacklists without the ground truth. Image Processing and Communications Challenges 10. Springer, 2018. pp. 216-223 (Advances in Intelligent Systems and Computing, Vol. 892).
@inproceedings{449d9f2a6c194153a542159db4cf87cd,
title = "Assessing usefulness of blacklists without the ground truth",
abstract = "Domain name blacklists are used to detect malicious activity on the Internet. Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals. The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth. We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage. Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency. Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists. To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names. The results show that blacklists are very different when considering changes over time. We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.",
keywords = "Domain names, blacklists, domain names system",
author = "Egon Kidmose and Kristian Gausel and S{\o}ren Brandbyge and Pedersen, {Jens Myrup}",
year = "2018",
doi = "10.1007/978-3-030-03658-4_26",
language = "English",
isbn = "978-3-030-03657-7",
pages = "216--223",
booktitle = "Image Processing and Communications Challenges 10",
publisher = "Springer",
address = "Germany",

}

Kidmose, E, Gausel, K, Brandbyge, S & Pedersen, JM 2018, Assessing usefulness of blacklists without the ground truth. in Image Processing and Communications Challenges 10. Springer, Advances in Intelligent Systems and Computing, vol. 892, pp. 216-223, 10th International Conference on Image Processing & Communications, Bydgoszcz, Poland, 14/11/2018. https://doi.org/10.1007/978-3-030-03658-4_26

Assessing usefulness of blacklists without the ground truth. / Kidmose, Egon; Gausel, Kristian; Brandbyge, Søren; Pedersen, Jens Myrup.

Image Processing and Communications Challenges 10. Springer, 2018. p. 216-223.

Research output: Contribution to book/anthology/report/conference proceedingArticle in proceedingResearchpeer-review

TY - GEN

T1 - Assessing usefulness of blacklists without the ground truth

AU - Kidmose, Egon

AU - Gausel, Kristian

AU - Brandbyge, Søren

AU - Pedersen, Jens Myrup

PY - 2018

Y1 - 2018

N2 - Domain name blacklists are used to detect malicious activity on the Internet. Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals. The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth. We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage. Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency. Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists. To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names. The results show that blacklists are very different when considering changes over time. We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.

AB - Domain name blacklists are used to detect malicious activity on the Internet. Unfortunately, no set of blacklists is known to encompass all malicious domains, reflecting an ongoing struggle for defenders to keep up with attackers, who are often motivated by either criminal financial gain or strategic goals. The result is that practitioners struggle to assess the value of using blacklists, and researchers introduce errors when using blacklists as ground truth. We define the ground truth for blacklists to be the set of all currently malicious domains and explore the problem of assessing the accuracy and coverage. Where existing work depends on an oracle or some ground truth, this work describes how blacklists can be analysed without this dependency. Another common approach is to implicitly sample blacklists, where our analysis covers all entries found in the blacklists. To evaluate the proposed method 31 blacklists have been collected every hour for 56 days, containing a total of 1,006,266 unique blacklisted domain names. The results show that blacklists are very different when considering changes over time. We conclude that it is important to consider the aspect of time when assessing the usefulness of a blacklist.

KW - Domain names

KW - blacklists

KW - domain names system

U2 - 10.1007/978-3-030-03658-4_26

DO - 10.1007/978-3-030-03658-4_26

M3 - Article in proceeding

SN - 978-3-030-03657-7

SP - 216

EP - 223

BT - Image Processing and Communications Challenges 10

PB - Springer

ER -

Kidmose E, Gausel K, Brandbyge S, Pedersen JM. Assessing usefulness of blacklists without the ground truth. In Image Processing and Communications Challenges 10. Springer. 2018. p. 216-223. (Advances in Intelligent Systems and Computing, Vol. 892). https://doi.org/10.1007/978-3-030-03658-4_26