Stanford Networking Seminar

12:15PM, Thursday May 20, 2010
Gates 104

Blacklisting and Filtering Sources of Malicious Traffic

Athina Markopoulou
UC Irvine

About the talk:
Dealing with malicious traffic on the Internet is a difficult problem that requires the synergy of several components. In this talk, we propose ways to improve two widely used defense mechanisms, namely blacklisting and filtering of malicious sources. In the first part of the talk, we study predictive blacklisting, i.e., the problem of using past security logs to construct lists of IP sources that are likely to generate malicious activity in the future. We formulate the problem as an implicit recommendation system and propose a multi-level prediction model that captures various patterns of malicious behavior, including the attacker-victim history (using time series) as well as attackers' and/or victims' similarity (using neighborhood models). Using logs, we demonstrate that our method improves prediction by 60-70% over state-of-the-art methods. In the second part of the talk, we consider source-based filtering of malicious traffic using access control lists (ACLs). Filters are a scarce resource because they are stored in expensive ternary content addressable memory (TCAM). Aggregation (filtering source prefixes instead of individual IP addresses) reduces the number of filters needed, but at the cost of also blocking legitimate traffic that shares those prefixes. We show how to optimally choose which filters to install under a variety of realistic attack scenarios and operator policies. We develop optimal, yet computationally efficient, algorithms and demonstrate that they bring significant benefit in practice.
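
The following is an added illustration of the filter-aggregation trade-off mentioned in the second part of the abstract; it is the editor's own toy formulation, not code from the speaker or the algorithms presented in the talk. It assumes a budget of TCAM entries, a labelled set of malicious and legitimate source addresses (constructed sample data below), and an operator policy expressed as a weight on collateral damage (`collateral_weight`, a hypothetical parameter). A dynamic program over the binary prefix trie then picks at most `budget` non-overlapping prefixes that maximise malicious sources blocked minus weighted legitimate sources blocked.

```python
"""Toy prefix-filter selection: choose at most `budget` source prefixes
(ACL/TCAM entries) so that blocked malicious sources minus weighted blocked
legitimate sources is maximised.  Editor's own illustration, not the talk's
algorithms."""
import ipaddress

# Constructed sample log data (not from the talk): sources labelled by an IDS.
MALICIOUS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.5", "10.0.0.6",
             "10.0.0.9", "10.0.1.7", "192.168.5.20", "192.168.5.21",
             "172.16.9.99"]
LEGITIMATE = ["10.0.0.4", "10.0.1.1", "10.0.1.2", "10.0.1.3",
              "192.168.5.22", "172.16.9.100"]


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


class PrefixTrie:
    """Counts malicious/legitimate sources under every prefix (lengths 0..32)."""

    def __init__(self, malicious, legitimate, collateral_weight):
        self.bad, self.good = {}, {}
        for a in malicious:
            self._add(self.bad, _ip(a))
        for a in legitimate:
            self._add(self.good, _ip(a))
        self.w = collateral_weight   # policy: cost of blocking one legitimate source
        self._memo = {}

    @staticmethod
    def _add(table, ip):
        # Register the address under each of its 33 enclosing prefixes.
        for plen in range(33):
            key = ((ip >> (32 - plen)) << (32 - plen), plen)
            table[key] = table.get(key, 0) + 1

    def best(self, node, k):
        """Max (score, prefixes) using at most k non-overlapping filters under node."""
        if k == 0 or node not in self.bad:   # nothing malicious here: install nothing
            return 0.0, []
        if (node, k) in self._memo:
            return self._memo[(node, k)]
        prefix, plen = node
        best_score, best_set = 0.0, []
        # Option 1: one filter on this whole prefix (gain minus weighted collateral).
        here = self.bad[node] - self.w * self.good.get(node, 0)
        if here > best_score:
            best_score, best_set = here, [node]
        # Option 2: finer filters in the two halves, splitting the budget between them.
        if plen < 32:
            left = (prefix, plen + 1)
            right = (prefix | (1 << (31 - plen)), plen + 1)
            for kl in range(k + 1):
                sl, fl = self.best(left, kl)
                sr, fr = self.best(right, k - kl)
                if sl + sr > best_score:
                    best_score, best_set = sl + sr, fl + fr
        self._memo[(node, k)] = (best_score, best_set)
        return best_score, best_set


def select_filters(malicious, legitimate, budget, collateral_weight=2.0):
    """Return (score, ["a.b.c.d/n", ...]) for the best filter set within budget."""
    trie = PrefixTrie(malicious, legitimate, collateral_weight)
    score, nodes = trie.best((0, 0), budget)
    return score, [str(ipaddress.IPv4Network(n)) for n in nodes]


def coverage(filters, malicious, legitimate):
    """How many malicious / legitimate sources the chosen filters actually block."""
    nets = [ipaddress.IPv4Network(f) for f in filters]

    def blocked(addr):
        return any(ipaddress.IPv4Address(addr) in n for n in nets)

    return (sum(blocked(a) for a in malicious), sum(blocked(a) for a in legitimate))


if __name__ == "__main__":
    for budget in (1, 2, 4, 7):
        score, filters = select_filters(MALICIOUS, LEGITIMATE, budget)
        print(budget, score, filters, coverage(filters, MALICIOUS, LEGITIMATE))
```

With one entry the best choice is a /24 that catches six of the ten malicious sources at the cost of one legitimate one; seven entries are needed before every malicious source can be blocked with zero collateral damage. Lowering `collateral_weight` models an operator under heavy attack who tolerates more collateral blocking: at 0.5 a single catch-all entry becomes the "optimal" answer, which is exactly why the policy weight has to be chosen deliberately rather than left at a default.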

About the speaker:
Athina Markopoulou is an assistant professor in EECS at the University of California, Irvine. She received the Diploma degree in Electrical and Computer Engineering from the National Technical University of Athens, Greece, in 1996, and the Master's and Ph.D. degrees in Electrical Engineering from Stanford University, in 1998 and 2003, respectively. Her research interests include network coding, Internet measurements and network security. She received the NSF CAREER award in 2008.