Social network analysis for cluster‐based IP spam reputation

IP reputation systems, which filter e‐mail based on the sender's IP address, are located at the perimeter – before the messages reach the mail server's anti‐spam filters. To increase IP reputation system efficacy and overcome the shortcomings of individual IP‐based filtering, recent studies have suggested exploiting the properties of IP clusters, such as those of Autonomous Systems (AS). Cluster‐based techniques can enhance accuracy and reduce false negative rates. However, clusters generally contain enormous amounts of IP addresses, which hinder cluster‐based systems from reaching their full spam filtering potential. The purpose of this paper is exploitation of social network metrics to obtain a more granular, i.e. sub‐divided, view of cluster‐based reputation, and thus enhance spam filtering accuracy.

The authors examined the performance of various social network metrics, including nodal degree, betweenness centrality, closeness centrality and valued graphs, to find an optimal element that enhances IP reputation prediction in AS clusters.

It was found that all measures contributed to prediction, yet the best predictor of spam reputation was the out‐degree metric, which showed a strong positive correlation with spam reputation prediction. This implies that more granular information can increase the accuracy of IP reputation prediction in AS clusters.

Used in conjunction with other technologies, the granular cluster‐based reputation system can be a valuable addition to commercial and open‐source spam filtering systems, or to standalone DNS‐based blacklists.

The authors' approach can promote mitigation of larger spam volumes at the perimeter, save bandwidth, and conserve valuable system resources.