Cooperative Forensics Sharing

Having timely and credible security information is becoming critical to network and security management. Most current sources of threat information and detection techniques suffer from having a limited view of the global threat scenario. In this paper, we present Foresight, an Internet-scale threat analysis, indication, early warning and response architecture. We describe the design of an incentive-based cooperation scheme to create a global trusted community which is more accountable and hence less vulnerable to attacks and abuse. Foresight utilizes this infrastructure to share a global threat view in order to detect unknown threats and isolate them. We describe a novel behavioral signature scheme to extract a generalized footprint for multi-modal threats. System performance analysis through trace-based simulations shows significant benefits for sharing forensics across cooperating domains.
