The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventor, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
One of the primary challenges facing the network operations community is security. Proprietary networks with limited or no access to the Internet can provide a somewhat secure network. However, being disconnected from the Internet is not practical, as systems increasingly need to be interconnected to provide utility. And even attempts to control who gains access to a network are limited, in part by the sophistication of cyber thieves, but also in part by network mismanagement.
Misconfigured networks have long been attractive resources for hackers, and anecdotal evidence suggests that mismanaged networks are often taken advantage of for launching external attacks, posing a risk not only to themselves but to the Internet as a whole. One example of this can be seen in DNS amplification attacks, in which attackers utilize open DNS resolvers to flood target hosts with a large number of DNS responses. These amplification attacks have long been observed in the wild and continue to occur with increasing scale and impact. These attacks are innately dependent on both widely distributed misconfigured open DNS resolvers and the ability of attackers to forge request packets. In spite of calls by the Internet security community to address both of these issues by following standard deployment practices, serious attacks continue to occur. As a result, these events are frequently described in terms of economic externalities: a situation where a party could efficiently prevent harm to others—that is, a dollar's worth of harm could be prevented by spending less than a dollar on prevention—but the harm is not prevented because the party has little or no incentive to prevent harm to strangers.
To help assess networks and the likelihood of their susceptibility to attack, a number of reputation systems and lists have been developed. Spam sender lists, botnet command-and-control lists, malware-hosting domain lists, DNS open resolver lists and others have seen rapid adoption as an integral part of operational network security. These host reputation systems simply publish a list of IP addresses that have been identified as origins of malicious behavior. Historically and in general, such reputation systems have evolved in isolation and are often maintained by various organizations independently of each other. These lists can be used to identify infected hosts in a given network for cleanup, or in block lists to prevent traffic to and from such hosts. Malicious behavior of hosts is often a reflection of the general security posture of a given network. Network reputation (as opposed to host reputation) is a measure that aims to capture the overall security and health condition of a network. Such a measure, if established globally and uniformly, will allow the Internet community to easily interpret the relative security posture of a given network, and to adopt the appropriate local security policy that is consistent with the perceived risk when communicating with other networks. More importantly, this will provide the incentive for the administrators and operators of a network to enhance its security image by adopting better and more effective security measures. Ultimately the health of a global network relies on the due diligence of a large number of network administrators. Providing them with the right incentive is thus crucial in any effort to enhance network security on a global level.
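As an added illustration of the distinction drawn above between host reputation and network reputation (example code written for this page, not part of the disclosure or any existing reputation service), the block below aggregates several independently maintained host lists into one record per network prefix. The feeds are constructed from RFC 5737 documentation addresses, and the density-times-corroboration score is an assumed scoring rule chosen for illustration, not the measure the disclosure proposes.

```python
import ipaddress
from collections import defaultdict

# Constructed host-reputation feeds (documentation addresses from RFC 5737,
# not real indicators). Each feed independently names hosts observed as
# origins of one kind of malicious behaviour.
FEEDS = {
    "spam_senders":   {"192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5"},
    "botnet_c2":      {"192.0.2.10", "203.0.113.7"},
    "open_resolvers": {"192.0.2.12", "192.0.2.200", "198.51.100.5", "198.51.100.6"},
}


def network_reputation(feeds, prefix_len=24):
    """Aggregate host listings into one record per prefix of length prefix_len.

    Assumed scoring (not the disclosure's measure): the fraction of the
    prefix's addresses that appear on any feed, scaled by the fraction of
    feeds that corroborate the prefix, so a single noisy feed cannot by
    itself push a network to the top of the ranking.
    """
    hosts = defaultdict(set)    # prefix -> distinct listed host addresses
    sources = defaultdict(set)  # prefix -> names of feeds listing it
    for feed_name, addrs in feeds.items():
        for addr in addrs:
            net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
            hosts[net].add(ipaddress.ip_address(addr))
            sources[net].add(feed_name)
    report = {}
    for net, listed in hosts.items():
        density = len(listed) / net.num_addresses
        corroboration = len(sources[net]) / len(feeds)
        report[str(net)] = {
            "listed_hosts": len(listed),
            "feeds": sorted(sources[net]),
            "score": density * corroboration,
        }
    return report


def rank_networks(feeds, prefix_len=24):
    """Return prefixes ordered from worst to best reputation."""
    report = network_reputation(feeds, prefix_len)
    return sorted(report, key=lambda p: report[p]["score"], reverse=True)


if __name__ == "__main__":
    report = network_reputation(FEEDS)
    for prefix in rank_networks(FEEDS):
        print(prefix, report[prefix])
```

A network that appears on all three feeds with several listed hosts ranks above one that a single feed names once, which is the operator-level signal the text describes as absent from isolated host lists.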