Navigating Internet Neighborhoods: Reputation, Its Impact on Security, and How to Crowd-source It

To address a myriad of threats ranging from the unintentional (misconfiguration and mismanagement) to intentional (SPAM, DDoS, botnets, etc.), network operators are increasingly relying on blacklisting/whitelisting of hosts and filtering accordingly. Commonly used host reputation lists focus on individual hosts, i.e., IP addresses, and while they reveal that certain parts of the Internet are consistently "bad" (blacklisted) or consistently "good" (not blacklisted), a large part is neither: these addresses come and go in a highly transient and dynamic fashion. This calls for a much more careful understanding of this "unknown" region and a more nuanced approach to evaluating their quality; a simple binary treatment of these addresses cannot be safely and consistently applied due to their dynamic nature. In this talk we advocate the idea of moving away from this microscopic/host-level view of the Internet, and stead focusing on the reputation of a larger entity (e.g., an address block) and across different applications/data types, which we believe leads to more stable and consistent behaviors captured by a set of aggregate reputation measures.

In this talk I present two research efforts within this context. I start with the question of how the availability of these reputation measures could incentivize selfish networks to increase their investment/effort in strengthening its health condition. I then examine whether it is possible to incentivize networks to participate in a collective effort to achieve accurate estimates of these reputation measures, by contributing local observations/assessments about each other.
======