DOI: 10.5555/3361338.3361398

Reading the tea leaves: a comparative analysis of threat intelligence

Published: 14 August 2019

Abstract

The term "threat intelligence" has swiftly become a staple buzzword in the computer security industry. The entirely reasonable premise is that, by compiling up-to-date information about known threats (i.e., IP addresses, domain names, file hashes, etc.), recipients of such information may be able to better defend their systems from future attacks. Thus, today a wide array of public and commercial sources distribute threat intelligence data feeds to support this purpose. However, our understanding of this data, its characterization and the extent to which it can meaningfully support its intended uses, is still quite limited. In this paper, we address these gaps by formally defining a set of metrics for characterizing threat intelligence data feeds and using these measures to systematically characterize a broad range of public and commercial sources. Further, we ground our quantitative assessments using external measurements to qualitatively investigate issues of coverage and accuracy. Unfortunately, our measurement results suggest that there are significant limitations and challenges in using existing threat intelligence data for its purported goals.
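
The abstract speaks of metrics for characterizing feeds and of grounding them against external measurements of coverage and accuracy. The following Python is an added example by the editor, not code or metric definitions from the paper: it takes a handful of constructed indicator feeds (documentation-range IP addresses, all made up) plus a constructed reference set standing in for independent external measurement, and computes the kind of measures such a comparison needs. Which metrics to use, their names and their exact definitions (volume, pairwise overlap, exclusive contribution, coverage, accuracy, listing latency) are this editor's assumptions.

```python
"""Feed-comparison metrics over constructed sample feeds.

Added example, not code from the paper. The metric definitions below are
the editor's assumptions about what a feed comparison needs to measure.
"""
from __future__ import annotations

from datetime import date
from itertools import combinations
from statistics import median

# Constructed feeds: indicator -> date the feed first listed it.
# Addresses are from the RFC 5737 documentation ranges; none is a real threat.
FEEDS: dict[str, dict[str, date]] = {
    "feed_a": {
        "192.0.2.10": date(2019, 3, 2),
        "192.0.2.11": date(2019, 3, 5),
        "198.51.100.5": date(2019, 3, 3),
        "198.51.100.200": date(2019, 3, 6),
    },
    "feed_b": {
        "192.0.2.10": date(2019, 3, 1),
        "203.0.113.7": date(2019, 3, 6),
        "203.0.113.9": date(2019, 3, 2),
        "198.51.100.201": date(2019, 3, 2),
    },
    "feed_c": {
        "192.0.2.10": date(2019, 3, 4),
        "192.0.2.11": date(2019, 3, 3),
        "203.0.113.8": date(2019, 3, 5),
    },
}

# Constructed reference set (stands in for independent external measurement):
# indicator -> date of first independently confirmed malicious activity.
REFERENCE: dict[str, date] = {
    "192.0.2.10": date(2019, 3, 1),
    "192.0.2.11": date(2019, 3, 2),
    "198.51.100.5": date(2019, 3, 3),
    "203.0.113.7": date(2019, 3, 4),
    "203.0.113.8": date(2019, 3, 5),
}


def volume(feed: dict[str, date]) -> int:
    """Number of distinct indicators the feed lists."""
    return len(feed)


def pairwise_overlap(feeds: dict[str, dict[str, date]]) -> dict[tuple[str, str], int]:
    """Indicators shared by each pair of feeds; small values mean little redundancy."""
    return {(a, b): len(feeds[a].keys() & feeds[b].keys())
            for a, b in combinations(sorted(feeds), 2)}


def exclusive_contribution(name: str, feeds: dict[str, dict[str, date]]) -> float:
    """Fraction of one feed's indicators that no other feed in the set lists."""
    others = set().union(*(f.keys() for n, f in feeds.items() if n != name))
    return len(feeds[name].keys() - others) / len(feeds[name])


def coverage(feed: dict[str, date], reference: dict[str, date]) -> float:
    """Fraction of the reference set the feed catches (recall against it)."""
    return len(feed.keys() & reference.keys()) / len(reference)


def accuracy(feed: dict[str, date], reference: dict[str, date]) -> float:
    """Fraction of the feed confirmed by the reference (precision against it).

    Any reference set is incomplete, so an indicator absent from it is only
    'unconfirmed', not 'false': treat this as a lower bound on true precision.
    """
    return len(feed.keys() & reference.keys()) / len(feed)


def median_latency_days(feed: dict[str, date], reference: dict[str, date]) -> float:
    """Median days between confirmed activity and the feed listing the indicator.

    Negative values mean the feed was ahead of the reference; NaN means the
    feed and the reference share nothing, so latency is undefined.
    """
    shared = feed.keys() & reference.keys()
    if not shared:
        return float("nan")
    return median((feed[i] - reference[i]).days for i in shared)


def summarize(feeds: dict[str, dict[str, date]], reference: dict[str, date]) -> dict:
    """Per-feed table of all metrics, ready to print or compare across feeds."""
    return {name: {"volume": volume(feed),
                   "exclusive": exclusive_contribution(name, feeds),
                   "coverage": coverage(feed, reference),
                   "accuracy": accuracy(feed, reference),
                   "median_latency_days": median_latency_days(feed, reference)}
            for name, feed in feeds.items()}


if __name__ == "__main__":
    for name, row in summarize(FEEDS, REFERENCE).items():
        print(name, row)
    print(pairwise_overlap(FEEDS))
```

On these constructed inputs feed_c is the most accurate against the reference but contributes the fewest indicators no one else lists, while feed_b has the most exclusive indicators and the lowest confirmed precision: the kind of trade-off a buyer has to weigh, and one a single volume number hides. The accuracy figure deserves the caveat in its docstring: without a reference set that is itself broad and correct, "unconfirmed" cannot be read as "false positive".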


Cited By

  • (2021) The Ecosystem of Detection and Blocklisting of Domain Generation. Digital Threats: Research and Practice 2(3), 1-22. https://doi.org/10.1145/3423951 (online publication date: 8 June 2021)
      Published In

      SEC'19: Proceedings of the 28th USENIX Conference on Security Symposium
      August 2019, 2002 pages
      ISBN: 9781939133069

      Sponsors: Google Inc., IBM Research, Microsoft, Intel, Facebook

      Publisher: USENIX Association, United States
