Mark Allman, Ethan Blanton, Vern Paxson, Scott Shenker. Fighting Coordinated Attackers with Cross-Organizational Information Sharing. ACM SIGCOMM HotNets, November 2006.
PDF | Ethan's Slides | Review
Abstract:
In this paper we propose an architecture for using
cross-organization information sharing to identify members of a
group of hosts enslaved for malicious purposes on the Internet.
We root our system in so-called "detectives", savvy network
monitors like sophisticated intrusion detection systems or
honeyfarms that have a deep understanding of malicious behavior.
We augment information from these detectives with observations
from a large array of "witnesses" that are already in-place at
many locations in the network. These witnesses are not savvy
enough to understand that a particular behavior is malicious, but
their simple factual observations can be shared with a detective
in order to form a broad picture of a group of bad actors. A key
aspect of the system is the design of a lightweight mechanism to
reliably share enough information between detectives and witnesses
to form an understanding of a group of bad actors without sharing
more information than necessary, in order to address privacy and
competitive concerns.
BibTeX:
@inproceedings{ABPS06,
author = "Mark Allman and Ethan Blanton and Vern Paxson and Scott Shenker",
title = "{Fighting Coordinated Attackers with Cross-Organizational Information Sharing}",
booktitle = "ACM SIGCOMM HotNets",
year = 2006,
month = nov,
}