West, A.G., Aviv, A.J., Chang, J., & Lee, I. (2010). Preventing Malicious
Behavior Using Spatio-Temporal Reputation. In submission to EuroSys 2010.


Abstract: In this paper we present Preventive Spatio-Temporal Aggregation
(PreSTA), a reputation model that combines spatial and temporal features to
produce values that are behavior predictive and are useful in partial-
knowledge situations where entity-specific data may be unknown or incomplete.
To evaluate its effectiveness, we applied PreSTA in the domain of spam
detection. Studying the temporal properties of IP blacklists, we found that
25% of IP addresses once listed on a blacklist were re-listed within 10 days,
and during our evaluation period, over 45% of IPs de-listed were re-listed.
By using the IP address assignment hierarchy to define spatial groupings and
leveraging these temporal statistics, PreSTA produces reputation values that
correctly classify up to 50% of spam email not identified by blacklists alone
while maintaining similarly low false-positive rates. When used in conjunction
with blacklists, 90% of spam emails are consistently identified. PreSTA spam
filtering can be employed as an intermediate filter (perhaps in-network) prior
to context-based analysis. Computation can occur in near real-time and over
500k emails can be scored an hour.