Yesterday, some of my colleagues and I attended a talk at Harvard’s Center for Research on Computation and Society. The talk was given by Mike Collins, a network security researcher who currently works at RedJack, and it focused on the limitations of intrusion detection systems as a form of network defense. The primary content of the talk was rather technical and quantitative, but Mike ended with an interesting conclusion: it may be possible to significantly decrease network-based attack traffic (e.g., port scanning, worm spreading, etc.) by blocking incoming access from the IP addresses and subnets that have historically behaved badly. By limiting the blocking to only the top 20 bad IP addresses and relatively few and narrowly-defined subnets, he says, the risk of infection could plummet without causing too many false positives (i.e., blocking legitimate traffic). Even more interesting is a statement he made to the effect that networks with bad behavior often continue to exhibit bad behavior.
If this last statement is accurate, then developing systems to track subnet reputation and apply this information to decision-making could be a viable application of John Palfrey et al.’s theory about peer production Internet governance (PDF). What might this look like, and what are some of the issues that would have to be addressed? Here are a few thoughts:
- Does one type of bad behavior on a network (e.g., sending spam) correlate highly with other types of bad behavior (e.g., port scanning or propagating the SQL Slammer worm)? If not, reputations would have to be developed separately for each type of behavior. (Or, I suppose, a decision could be made to broadly punish any one bad behavior by blocking access across the board.)
- If we expect network providers to police their networks to reduce "bad" behavior, how do we balance a desire for hands-off network management (i.e., don’t decide what I can and can’t do online) with a desire for the provider to prevent badness?
- How does reputation change over time? What happens when the owner/operator of a network changes, and the new owner behaves differently than the old?
- What happens when a single IP address or subnet has a lot of bad activity but also a lot of legitimate activity, as in situations where an entire country’s Internet traffic filters out through a small IP space?
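As an added sketch of what such a tracker might look like (example code written for this post, not code from the talk or from StopBadware), here is a small Python reputation model that keeps one decayed counter per /24 subnet and per behavior type, and builds a short "top N" block list per behavior while leaving mixed-use subnets for manual review. The sample events, the 30-day half-life and the thresholds are all assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample observations (not real data): (time, source IP, kind).
# "kind" is a bad-behavior type (scan, spam) or "legit" for normal traffic.
NOW = datetime(2007, 3, 1)
EVENTS = [
    (NOW, "198.51.100.7", "scan"),
    (NOW - timedelta(days=30), "198.51.100.9", "scan"),   # one half-life old: weight 0.5
    (NOW, "203.0.113.5", "spam"),
    (NOW, "203.0.113.5", "scan"),
    (NOW, "203.0.113.20", "legit"),
    (NOW, "203.0.113.21", "legit"),
    (NOW - timedelta(days=120), "192.0.2.1", "scan"),     # four half-lives old: weight 0.0625
]
HALF_LIFE_DAYS = 30   # assumed decay rate; tune to how fast reputation should fade

def subnet_of(ip, prefix=24):
    """Aggregate an address into its covering /24 (narrow blocks, not whole ASNs)."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def decay_weight(event_time, now, half_life_days=HALF_LIFE_DAYS):
    """Exponential decay so old behavior (e.g. a previous network owner) fades out."""
    age_days = (now - event_time).total_seconds() / 86400
    return 0.5 ** (age_days / half_life_days)

def build_reputation(events, now=NOW):
    """Return {subnet: {kind: decayed weight}}, one counter per behavior type."""
    rep = defaultdict(lambda: defaultdict(float))
    for ts, ip, kind in events:
        rep[subnet_of(ip)][kind] += decay_weight(ts, now)
    return rep

def block_candidates(rep, behavior, top_n=20, min_bad=1.0, max_legit_share=0.2):
    """Top-N subnets by decayed weight for ONE behavior type. Subnets carrying a
    large share of legitimate traffic (many users behind a small IP space) are
    left off the list for manual review rather than blocked outright."""
    ranked = []
    for subnet, weights in rep.items():
        bad = weights.get(behavior, 0.0)
        total_bad = sum(w for k, w in weights.items() if k != "legit")
        legit = weights.get("legit", 0.0)
        if bad < min_bad or legit / (legit + total_bad) > max_legit_share:
            continue
        ranked.append((subnet, round(bad, 4)))
    return sorted(ranked, key=lambda item: -item[1])[:top_n]

if __name__ == "__main__":
    reputation = build_reputation(EVENTS)
    print("scan blocklist:", block_candidates(reputation, "scan"))
    print("spam blocklist:", block_candidates(reputation, "spam"))
```

With the sample data, only 198.51.100.0/24 makes the scan list; 203.0.113.0/24 is held back because half its decayed traffic is legitimate, and 192.0.2.0/24's single old scan has decayed below the threshold.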
This type of question is not new to StopBadware, of course. We and our partners deal with some similar issues in the work we do in publicizing badware websites. In fact, as we expand our Badware Website Clearinghouse, we expect that security researchers, law enforcement, and network providers will be able to use the data as a way to make their own judgments about the reputation of particular sites and network providers. If we ever decide to extend our work into, say, creating a "reputation score" for particular URLs, network blocks, or IP addresses, we’ll have to carefully consider all of these questions.
