IP Reputation and Sharing

I want to feed these gigs of data I have and other projects have into my security devices and let them use that data to make smarter decisions. IP reputation isn't a new concept, but applying it in real time will be a challenge. But this also opens us up to the possibility of sharing reputation data between ourselves.

Imagine clouds of peer organizations sharing IP reputation between their security devices. Each benefits from the data gained and contributes back what they encounter. All organizations become safer.

Then imagine organizations that collect this data for a living. We have an avenue for this data to be more commercially viable. I want my border devices to know what Arbor Networks or Support Intelligence knows. This is possible.

Reputation should be something along the lines of a -100 to +100 score, with a strongly positive score being very good, to allow whitelisting. These scores should be kept in several categories, with an average across all of them also available. The default is 0. Categories could include web attack, spam, bot, CnC, phish site, policy violation, etc.

Added from Jeremy at sudosecure:

The more data that is shared and collaborated on in a scoring system like you mention further down in your post the better in my opinion. I would like to see a correlation engine (i.e. your scoring scheme) factor in shared DNS data, Domain Reputations, ASN Reputations, ISP Reputations, Port Statistics, Protocol Statistics, Threat Indexes/Activities and statistics, vulnerability probabilities and activities, Network/Application/OS awareness, and GEO type statistics. I know this is kind of a big dream to have widely dispersed geographical networks sharing statistical data in real time that could be correlated to ensure even the smallest networks obtained the intelligence level and threat visibilities/awareness levels of the largest networks in the cloud... Obviously this is no trivial task!

What I do see is if this idea/dream became reality, you would see AI implemented into IDS', Firewalls, Routers, Servers, Applications, and anything else that could listen for these correlated data statistics and adjust their configurations based off live data. Imagine an IDS/IPS that could automagically load and unload specific rules to meet the threats seen on other networks in anticipation of attacks to come that may not have reached them yet, or routers that could create null routes for troubled/bad IP subnets based off of data intelligence seen by this super cloud. Even web servers that could create mod_rewrite rules or ACLs to prevent exploit bots from delivering their drive-by badness, which I am sure we have all grown to love in the last six months... I see limitless possibilities, but reality may play a factor here ;)

From Rob Slade: Along with both of these (and addressing some of the issues raised in regard to them), user-settable levels of paranoia. (Not too easily user-settable, mind you.)

I had something in mind like there being categories for each IP, and an overall average.

The user could, if they like, weight certain categories higher in that average and then make decisions on either that average or on certain categories. Essentially a list of thresholds and the level of pain they find acceptable.

Similar again to SpamAssassin: warn at this level, block above this level. But in this case "warn" would be adding a few points to their alert threshold, sort of putting that IP on probation; the slightest wrong move and they're out. And vice versa, a spectacularly good reputation (predefined partners, Google, Yahoo, etc.) would have points reduced from their alert threshold, so they'd have to REALLY screw up to get blocked.
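As an added illustration of the scheme above (example code, not part of the original page or any Emerging Threats tool), here is a small Python model of per-category scores, a user-weighted average, decisions on the average or on chosen categories, and the probation / trusted-partner adjustments. Category names, policy keys and all numbers are assumptions.

```python
# Constructed model of the reputation scheme described above; nothing here is real data.
CATEGORIES = ("web_attack", "spam", "bot", "cnc", "phish", "policy_violation")

def clamp(score):
    """Keep a category score inside the -100..+100 range."""
    return max(-100, min(100, score))

def overall_score(rep, weights=None):
    """Weighted average across all categories; a missing category defaults to 0."""
    weights = weights or {}
    total = sum(weights.get(c, 1.0) for c in CATEGORIES)
    return sum(clamp(rep.get(c, 0)) * weights.get(c, 1.0) for c in CATEGORIES) / total

def effective_score(rep, policy):
    """Decide on the average, or on the worst of the categories the user singled out."""
    chosen = policy.get("decide_on")
    if chosen:
        return min(clamp(rep.get(c, 0)) for c in chosen)
    return overall_score(rep, policy.get("weights"))

def decide(rep, event_points, policy):
    """SpamAssassin-style levels: the warn level puts the IP on probation (a few
    points added toward the alert threshold), the block level blocks outright,
    and a trusted reputation removes points.  event_points are the alert points
    the device has already counted against this IP."""
    score = effective_score(rep, policy)
    if score <= policy["block_below"]:
        return "block"
    points = event_points
    if score <= policy["warn_below"]:
        points += policy["probation_points"]   # on probation: slightest wrong move
    elif score >= policy["trusted_above"]:
        points -= policy["trust_credit"]       # partner: must REALLY screw up
    return "block" if points >= policy["alert_threshold"] else "allow"

# Assumed policy: thresholds and the "level of pain" a user finds acceptable.
POLICY = {"warn_below": -20, "block_below": -60, "trusted_above": 60,
          "probation_points": 3, "trust_credit": 3, "alert_threshold": 5,
          "weights": {"cnc": 2.0}}          # user weights CnC hits double

if __name__ == "__main__":
    print(decide({"cnc": -90}, 2, POLICY))                      # block (weighted -> probation)
    print(decide({"cnc": -90}, 2, dict(POLICY, weights=None)))   # allow (unweighted average)
    print(decide({c: 80 for c in CATEGORIES}, 6, POLICY))       # allow (trusted partner)
```

Note how the same CnC score leads to a block only when the user has weighted that category up, and how a per-category decision (`decide_on`) can block on a bad spam score that the overall average would have hidden.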

-- MattJonkman - 17 Oct 2008

Topic revision: r2 - 2008-10-17 - MattJonkman