SRI International Announces Availability of Highly Predictive Blacklisting Software for Network Attacks

Business Wire, April 26, 2007

Individualized Analysis Anticipates the Most Likely Internet Sources for Network Attacks

MENLO PARK, Calif. -- SRI International, an independent, nonprofit research and development organization, today announced the Internet release of its patent-pending Highly Predictive Blacklisting (HPB) software. HPB is now available for complimentary experimental use via DShield (www.dshield.org/hpbinfo.html), a community-based firewall log correlation system that receives logs from worldwide volunteers and uses them to analyze attack trends.

Blacklists have been used since the Internet's earliest days. Today, network administrators use generic blacklists to fortify their network firewalls against malicious attacks. SRI's HPB algorithm offers a radically different strategy than traditional network blacklisting methods by providing individualized lists of the most probable attackers that are likely to penetrate a network.

"SRI's experiments demonstrate that our Highly Predictive Blacklist algorithm consistently creates firewall filters that are exercised at much higher rates than those from conventional blacklist methods," said Phillip Porras, a program director in SRI's Computer Science Laboratory. "At SRI, we strive to develop security technologies that are proactive and anticipate hostile activity. Our HPB attack source prediction strategy has significant promise to fortify network firewall filters with more relevant threat information than traditional approaches."

Individualized Analysis Provides More Accurate Data

DShield's service uses SRI's HPB software to provide a list of malicious Internet addresses, formulated through analysis of the millions of firewall log entries contributed to DShield.org each day from across the Internet. As a result, each DShield contributor is provided a custom HPB that captures a set of attack source addresses deemed the most likely to attack the contributor's network.

The HPB algorithm employs a link analysis algorithm similar to Google's PageRank(TM) scheme used to find the most relevant web pages given a user's query. Similar to a web query, a DShield contributor's firewall logs are cross-compared in search of overlaps among the attackers they report. Each attacker address that is included in an HPB is selected by favoring those addresses encountered by other contributors that share degrees of overlap with the HPB owner.

Additional information about the HPB algorithm is available at: http://www.cyber-ta.org/releases/HPB/. An experimental HPB service is now available for complimentary use by DShield contributors at www.dshield.org/hpbinfo.html. Operating since 2000, DShield is the data collection engine behind the SANS Internet Storm Center (ISC). Development of the HPB service was funded in 2006 through the Cyber-Threat Analytics (Cyber-TA) research grant from the U.S. Army Research Office (http://www.cyber-ta.org).

About SRI International

Silicon Valley-based SRI International (www.sri.com) is one of the world's leading independent research and technology development organizations. Founded as Stanford Research Institute in 1946, SRI has been meeting the strategic needs of clients for more than 60 years. The nonprofit research institute performs client-sponsored research and development for government agencies, commercial businesses, and private foundations. In addition to conducting contract R&D, SRI licenses its technologies, forms strategic partnerships, and creates spin-off companies.

About SANS

SANS is the most trusted and by far the largest source for information security training and certification in the world. SANS also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security. It also operates the Internet's early warning system - Internet Storm Center.

SRI and SRI International are either trademarks or registered trademarks of SRI International. All other trademarks are the property of their respective owners.