Abstract

In this paper, we study the problem of forecasting attack sources based on past attack logs from several contributors. We formulate this problem as an implicit recommendation system, and we propose a multi-level prediction model to solve it. Our model evaluates and combines various factors, namely: (i) attacker-victim history using time series, (ii) interactions among attackers and/or victims using neighborhood models, and (iii) global patterns using singular value decomposition. We evaluate our combined method, referred to as Blacklisting Recommendation System (or BRS), on one month of logs from Dshield, and we demonstrate that it significantly improves the prediction rate over state-of-the-art methods, as well as the robustness against poisoning attacks. Along the way, we analyze the Dshield dataset, and we reveal dominant patterns of malicious traffic.

  • Publication date: 2011-8