Blacklist Ecosystem Analysis Update: 2014
Abstract
This report compares the contents of 85 different Internet blacklists, also known as threat intelligence feeds or threat data feeds, to discover patterns in shared entries. Lists are compared directly and indirectly, based on data type. Direct intersection comparison is straightforward; the list contents are also compared temporally to determine whether any list consistently published shared indicators before another list. Indirect comparison analyzes, for example, whether the existing intersection is random or follows a pattern. These multiple methods indicate a range for how often a list provides an indicator with unique information and value to computer network defense (CND). Domain-name-based indicators are unique to one list between 96.16% and 97.37% of the time. IP-address-based indicators are unique to one list between 82.46% and 95.24% of the time. There is surprisingly little overlap between any two blacklists. When there is an intersection, in many cases there is no pattern as to which list came first. These results suggest that each blacklist describes a distinct sort of malicious activity. The lists do not appear to converge on one version of all the malicious indicators for the Internet. Network defenders should be advised, therefore, to obtain and evaluate as many lists as practical, since it does not appear that any new list can be rejected out of hand as redundant. The results also indicate that there is no global ground truth to be acquired, no matter how many lists are merged. Therefore, the study supports the assertion that blacklisting is not a sufficient defense; an organization needs other defensive measures to add depth, such as graylisting, behavior analysis, criminal penalties, speed bumps, and organization-specific whitelists. This analysis provides a collective view of the whole ecosystem of blocking network touch points and blacklists. Blacklist ecosystem analysis is one aspect of a larger body of work to quantify strategic cybersecurity issues.
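As an added example (not code from the report), the direct intersection and temporal comparisons described above, run over three small constructed feeds; the list names, indicators and first-seen dates are made up for illustration:

```python
from datetime import date
from itertools import combinations

# Constructed sample feeds (not from the report): indicator -> date first published.
FEEDS = {
    "list_a": {"evil.example": date(2014, 3, 1), "198.51.100.7": date(2014, 3, 2),
               "bad.example": date(2014, 3, 5)},
    "list_b": {"evil.example": date(2014, 3, 4), "203.0.113.9": date(2014, 3, 2),
               "other.example": date(2014, 3, 6)},
    "list_c": {"198.51.100.7": date(2014, 3, 1), "third.example": date(2014, 3, 7),
               "bad.example": date(2014, 3, 5)},
}

def _owners(feeds):
    """Map each indicator to the (first_seen, list_name) pairs that carry it."""
    owners = {}
    for name, entries in feeds.items():
        for ind, seen in entries.items():
            owners.setdefault(ind, []).append((seen, name))
    return owners

def unique_fraction(feeds):
    """Share of distinct indicators that appear on exactly one list."""
    owners = _owners(feeds)
    return sum(1 for seen_by in owners.values() if len(seen_by) == 1) / len(owners)

def pairwise_intersections(feeds):
    """Direct comparison: number of indicators shared by each pair of lists."""
    return {(a, b): len(feeds[a].keys() & feeds[b].keys())
            for a, b in combinations(sorted(feeds), 2)}

def first_publisher(feeds):
    """Temporal comparison: for each shared indicator, the list that published it
    first, or 'tie' when the two earliest lists published it on the same day."""
    result = {}
    for ind, seen_by in _owners(feeds).items():
        if len(seen_by) < 2:
            continue
        seen_by.sort()
        result[ind] = "tie" if seen_by[0][0] == seen_by[1][0] else seen_by[0][1]
    return result

def lead_counts(feeds):
    """How often each list leads on a shared indicator: a list that never leads
    only confirms others, one that always leads looks like the upstream source."""
    counts = {name: 0 for name in feeds}
    counts["tie"] = 0
    for winner in first_publisher(feeds).values():
        counts[winner] += 1
    return counts
```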
Document Details
- Document Type: Technical Report
- Publication Date: Dec 01, 2014
- Accession Number: AD1015453
Entities
People
- Jonathan M. Spring
- Leigh Metcalf
Organizations
- Carnegie Mellon University