The Attacker IP Prioritizer: An IoT Optimized Blacklisting Algorithm

Thomas O’Hara


Bachelor Thesis

IP address-based blacklists are an integral part of most firewalls, IDS and security systems for any kind of Internet-connected device. Even modern Threat Intelligence feeds are based on IP addresses, domains and URLs. Therefore, the majority of our protection systems, such as those in DNS servers and web browsers, depend on blacklists. However, there has not yet been a good evaluation of how effective these blacklists are, or of how they can be optimized for different environments.

With the constant growth of 5G and the bypassing of traditional firewalls by direct Internet connections, it is becoming more and more difficult to protect IoT devices using traditional blacklisting methods. Many blacklists in the community are created by adding the IP addresses of attackers to a general feed, with the IP addresses usually coming from data collected by one or many honeypots. This approach is assumed to work well, but it has two main drawbacks for IoT environments. First, although systems with greater storage and large computational resources may afford to store and parse an ever-growing blacklist, small Internet of Things (IoT) devices have limited computational resources and may not be able to hold large blacklists in memory. Second, IP addresses attacking today can be associated with normal services in the future, especially in cloud environments. Moreover, the nature of IoT malware shows that attacking IP addresses mostly attack for a short amount of time (a few hours or days), questioning the value of blocking IP addresses for extended periods without verification.
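As an added illustration of the constraints just described, and not the thesis's own AIP algorithm (whose details this abstract does not give), the following Python sketch ranks attacker IPs from constructed honeypot log lines by a recency-weighted attack count, ignores IPs that have not attacked within a window, and caps the result to a fixed number of entries that a small device could hold. The IP addresses, timestamps, window and half-life values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_events(lines):
    """Parse constructed honeypot lines of the form '<ISO timestamp> <source IP>'."""
    events = []
    for line in lines:
        ts, ip = line.split()
        events.append((datetime.fromisoformat(ts), ip))
    return events


def score_attackers(events, now, window, half_life):
    """Score each source IP by its attacks inside `window`, weighting recent
    attacks more (exponential decay with the given half-life). Attacks older
    than the window are ignored entirely, so an IP that stopped attacking
    ages out of the list instead of staying blocked indefinitely."""
    scores = defaultdict(float)
    for ts, ip in events:
        age = now - ts
        if age < timedelta(0) or age > window:
            continue
        scores[ip] += 0.5 ** (age / half_life)  # timedelta / timedelta -> float
    return dict(scores)


def build_blacklist(lines, now, max_entries,
                    window=timedelta(days=3), half_life=timedelta(hours=12)):
    """Return at most `max_entries` IPs, highest score first (ties by address)."""
    scores = score_attackers(parse_events(lines), now, window, half_life)
    ranked = sorted(scores, key=lambda ip: (-scores[ip], ip))
    return ranked[:max_entries]


# Constructed sample log (documentation address ranges, not real attackers).
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    "2021-06-01T11:50:00+00:00 192.0.2.10",   # repeated hits in the last hours
    "2021-06-01T11:20:00+00:00 192.0.2.10",
    "2021-06-01T09:00:00+00:00 192.0.2.10",
    "2021-05-31T13:00:00+00:00 203.0.113.5",  # two hits yesterday
    "2021-05-31T14:00:00+00:00 203.0.113.5",
    "2021-06-01T10:00:00+00:00 203.0.113.9",  # one hit this morning
] + [f"2021-05-22T08:{m:02d}:00+00:00 198.51.100.7" for m in range(20)]  # old burst

if __name__ == "__main__":
    print(build_blacklist(SAMPLE_LOG, NOW, max_entries=2))
```

The 20-hit burst from 198.51.100.7 never makes the list because it is outside the window, while the three recent hits from 192.0.2.10 rank first even though they are far fewer.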

In this thesis, I propose an algorithm that optimizes the creation of blacklists, together with an evaluation method that helps understand their issues. First, I design a new algorithm for creating blacklists that is optimized for the protection of IoT devices, called the Attacker IP Prioritizer (AIP). Second, I present an idea for a standardized methodology for evaluating the efficacy of blacklists.

URL: https://dspace.cvut.cz/handle/10467/96722