The Attacker IP Prioritizer : An IoT Optimized Blacklisting Algorithm

dc.contributor.advisor García, Sebastián
dc.contributor.author O'Hara, Thomas
dc.contributor.referee Catania, Carlos
dc.date.accessioned 2021-08-25T22:52:24Z
dc.date.available 2021-08-25T22:52:24Z
dc.date.issued 2021-08-25
dc.description.abstract IP address-based blacklists are the most important part of firewalls, security systems and Threat Intelligence feeds. However, there is no comprehensive and verified evaluation of blacklists to determine if they are effective, how efficient they are, or how they forget data. Given the reliance on Threat Intelligence feeds, it is critical for blacklists to be optimally generated and evaluated. With the constant growth of 5G and IPv6 technologies, IoT devices have two unique problems: direct connection to the Internet and resource constraints. Therefore, traditional long blacklists may not fit in IoT devices, and may take time to process. Moreover, IP addresses attacking today may be associated with benign services later, marking a need to update blacklists. This thesis proposes an algorithm to optimize the creation of blacklists as well as an evaluation method targeted at better quantifying a blacklist's efficacy over time. Our Attacker IP Prioritizer, or AIP, framework is designed to optimize for certain performance metrics common in IoT scenarios. The AIP framework includes three models that generate prioritized blacklists using a threat score for each malicious IP. This score is then used to decide if that IP should be blocked or not. Two of these models were designed to produce a score by combining features with a time-based aging function that decreases or increases that score. A third model uses a Machine Learning (ML) model that predicts if each particular IP is going to attack in the future. The evaluation methodology of AIP consists of building each blacklist with data from the past and evaluating how accurate the protection is in the future. The training and evaluation were done in an iterative way, using each successive day to update the blacklists, and each 'tomorrow' date to evaluate them.
The performance metrics used were percentage of bytes blocked, total duration of attacks blocked in the future, percentage of flows blocked in the future, and total IP addresses blocked in the future. We compared AIP against four major blacklists that are provided for free as threat intelligence feeds on the Internet. For this we created an Index Metric that computes the effectiveness of each IP address in a blacklist at protecting from future threats. The best AIP model achieved an Index metric of 0.0068%, which is 22 times better than the rest of the threat intelligence feeds on the Internet. We conclude that the AIP models and the evaluation methodology can help improve the protection of memory-constrained devices by maximizing the impact of blacklists. cs
dc.identifier KOS-986690997805
dc.identifier.uri http://hdl.handle.net/10467/96722
dc.publisher České vysoké učení technické v Praze cs
dc.publisher Czech Technical University in Prague en
dc.rights A university thesis is a work protected by the Copyright Act of the Czech Republic. Extracts, copies and transcripts of the thesis are allowed for personal use only and at one's own expense. The use of the thesis should be in compliance with the Copyright Act. en
dc.rights A university final thesis is a work protected by the Copyright Act. Extracts, copies and reproductions may be made from it at one's own expense and for one's own personal use. Its use must comply with the Copyright Act as currently in force. cs
dc.subject IoT cs
dc.subject Honeypots cs
dc.subject Blacklists cs
dc.subject Threat Intelligence cs
dc.subject Random Forest cs
dc.subject Machine Learning cs
dc.subject Intrusion Prevention cs
dc.subject IoT en
dc.subject Honeypots en
dc.subject Blacklists en
dc.subject Threat Intelligence en
dc.subject Random Forest en
dc.subject Machine Learning en
dc.subject Intrusion Prevention en
dc.title The Attacker IP Prioritizer : An IoT Optimized Blacklisting Algorithm cs
dc.title The Attacker IP Prioritizer : An IoT Optimized Blacklisting Algorithm en
dc.type bachelor thesis en
dspace.entity.type Publication
relation.isAdvisorOfPublication aa9ca1ae-07d6-41b0-b3aa-d0831e1877b6
relation.isAdvisorOfPublication.latestForDiscovery aa9ca1ae-07d6-41b0-b3aa-d0831e1877b6
relation.isAuthorOfPublication 6599aa0c-177c-4b1c-989b-b84d62eecb77
relation.isAuthorOfPublication.latestForDiscovery 6599aa0c-177c-4b1c-989b-b84d62eecb77
theses.degree.grantor Department of Electrical Power Engineering cs
theses.degree.programme Electrical Engineering and Computer Science cs

Files

Original bundle

Name: F3-BP-2021-O'Hara-Thomas-Thomas_OHara_Bachelor_Thesis_unsigned.pdf; Size: 13.31 MB; Format: Adobe Portable Document Format; Description: PLNY_TEXT
Name: F3-BP-2021-posudek-Catania_Carlos.pdf; Size: 106.64 KB; Format: Adobe Portable Document Format; Description: POSUDEK
Name: F3-BP-2021-posudek-Garcia_Sebastian.pdf; Size: 107.29 KB; Format: Adobe Portable Document Format; Description: POSUDEK