Shades of Grey: On the effectiveness of reputation-based "blacklists"

Malicious code, or malware, executed on compromised hosts provides a platform for a wide variety of attacks against the availability of the network and the privacy and confidentiality of its users. Unfortunately, the most popular techniques for detecting and preventing malware ham been shown to be significantly, flawed [11], and it is widely believed that a significant fraction of the Internet consists of malware infected machines [17]. In response, defenders have turned to coarse-grained, reputation-based techniques, such as real time blackhole lists, for blocking large numbers of potentially malicious hosts and network blocks. hi this paper, we perform a preliminary study of a type of reputation-based blacklist, namely those used to block unsolicited email, or spam. We show that, for the network studied, these blacklists exhibit non-trivial false positives and false negatives. We investigate a number of possible causes for this low accuracy, and discuss the implications for other types of reputation-based blacklists.