Accession Number:



Blacklist Ecosystem Analysis Update: 2014

Descriptive Note:

[Technical Report, Final Report]

Corporate Author:

Carnegie Mellon University -Software Engineering Institute

Personal Author(s):

Report Date:


Pagination or Media Count:



This report compares the contents of 85 different Internet blacklists, also known as threat intelligence feeds or threat data feeds, to discover patterns in shared entries. Lists are compared directly and indirectly, based on data type. Direct intersection comparison is straightforward the list contents are compared temporally to determine if any list consistently published shared indicators before another list. Indirect comparison analyzes, for example, whether the existing intersection is random or has a pattern. These multiple methods indicate a range for how often a list provides an indicator with unique information and value to computer network defense CND. Domain-name-based indicators are unique to one list between 96.16 and 97.37 of the time. IP-address-based indicators are unique to one list between 82.46 and 95.24 of the time. There is surprisingly little overlap between any two blacklists. When there is an intersection, many times there is no pattern to which list came first. These results suggest that each blacklist describes a distinct sort of malicious activity. The lists do not appear to converge on one version of all the malicious indicators for the Internet. Network defenders should be advised, therefore, to obtain and evaluate as many lists as practical, since it does not appear that any new list can be rejected out-of-hand as redundant. The results also indicate that there is no global ground truth to be acquired, no matter how many lists are merged. Therefore, the study supports the assertion that blacklisting is not a sufficient defense an organization needs other defensive measures to add depth, such as gray listing, behavior analysis, criminal penalties, speed bumps, and organization specific white lists. This analysis provides a collective view of the whole ecosystem of blocking network touch points and blacklists. Blacklist ecosystem analysis is one aspect of a larger body of work to quantify strategic cybersecurity issues.


Subject Categories:

  • Computer Systems
  • Computer Systems Management and Standards

Distribution Statement:

[A, Approved For Public Release]