The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventor, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
Networks are under constant security threats from various sources, including botnets, worms, spam, phishing and denial of service attacks. In response, network operators often adopt filtering and blocking policies at the application layer or the network layer that seek to minimize the impact of such threats. Filtering/blocking usually relies on host reputation systems or blacklists, which actively collect and distribute information about externally observed (malicious) activities associated with individual host internet protocol (IP) addresses. However, the highly dynamic nature of IP addresses limits the timeliness and accuracy of these largely reactive lists. Moreover, the large number of IP addresses on host reputation lists can significantly diminish their utility or lead to scalability issues.