Improving IP address blocklists

Jelena Mirkovic
Date and time: 
Thu, Apr 29 2021 - 12:15pm
Jelena Mirkovic
USC Information Sciences Institute
  • Jun Li

IP address blocklists are a useful source of information about repeat attackers. Such information can be used to prioritize which traffic to divert for deeper inspection (e.g., repeat offender traffic), or which traffic to serve first (e.g., traffic from sources that are not on the blocklist). But blocklists also suffer from overspecialization – each list is geared towards a specific purpose – and they may be inaccurate due to misclassification or stale information. This talk summarizes BLAG, a system that evaluates and aggregates multiple blocklist feeds, producing a more useful, accurate and timely master blocklist, tailored to the specific customer network. Our evaluation of 157 blocklists of various attack types and three ground-truth datasets shows that BLAG achieves high specificity up to 99%, improves recall by up to 114 times compared to competing approaches, and detects attacks up to 13.7 days faster, which makes it a promising approach for blocklist generation. This talk will also briefly touch upon our new work on quantifying impact of blocklists on reused IP addresses.


Jelena Mirkovic is Research Associate Professor at University of Southern California and she leads STEEL lab at USC Information Sciences Institute. Her group does research on network-based attacks, passwords, binary analysis and cybersecurity experimentation.