Establishing a Cross-Institutional Platform for Cooperative Security Monitoring and Forensics
Vern Paxson, Mark Allman, Robin Sommer and Christian Kreibich
National Science Foundation
Although there has been much research in developing systems for globally sharing security information, these approaches are often fundamentally limited because their broad scope limits the trust that participants can place in the system. This project instead seeks to reap significantly greater utility by considering a more restricted scope: a system for coordinated security analysis based on exchanging information between a set of sites that have explicitly decided to work with each other. This more limited scope optimizes for the common case that, in such an environment, the participating sites will usually (but not always) act in a responsible manner.
A key focus of the project concerns automating the steps commonly involved in security monitoring and forensic analysis while still keeping an analyst "in the loop" for significant decisions. As security problems arise, a site that detects an incident codifies a description of the attack in an "analysis script" and exports it to other sites. Analysts receiving such a script inspect it to determine whether it is of interest. If so, they can instruct the system both to conduct a retrospective search for the activity in the past and to refine the site's monitoring configuration to detect future instances.
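The workflow above, as an added example that is not the project's own code: an exported analysis script (an assumed dict-like schema with a regex and metadata) is gated on local analyst approval before the system runs a retrospective search over archived logs and derives a forward monitoring rule; the log format and field names are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class AnalysisScript:
    """Attack description exported by the detecting site (assumed schema)."""
    script_id: str
    origin_site: str
    description: str
    pattern: str             # regex matched against one archived log line
    approved: bool = False   # set only by the local analyst, never on import

def review(script: AnalysisScript, analyst_decision: bool) -> AnalysisScript:
    """Analyst-in-the-loop gate: the receiving site decides, not the sender."""
    script.approved = analyst_decision
    return script

def retrospective_search(script: AnalysisScript, archived_lines: list) -> list:
    """Look for past instances of the described activity; refuses unapproved scripts."""
    if not script.approved:
        raise PermissionError(f"{script.script_id} not approved by local analyst")
    rx = re.compile(script.pattern)
    return [line for line in archived_lines if rx.search(line)]

def monitoring_rule(script: AnalysisScript) -> dict:
    """Refine future monitoring: one rule entry derived from the approved script."""
    if not script.approved:
        raise PermissionError(f"{script.script_id} not approved by local analyst")
    return {"rule_id": f"shared-{script.origin_site}-{script.script_id}",
            "match": script.pattern, "note": script.description}

# Constructed sample of archived connection records: time src dst service status
ARCHIVED_LOG = [
    "2006-03-01T10:00:01 10.0.0.5 10.0.1.2 ssh failed",
    "2006-03-01T10:00:03 10.0.0.5 10.0.1.2 ssh failed",
    "2006-03-01T10:01:00 10.0.0.9 10.0.1.7 http ok",
    "2006-03-01T10:02:10 10.0.0.5 10.0.1.2 ssh ok",
]

# Constructed script as another site would export it (pattern is illustrative)
SHARED_SCRIPT = AnalysisScript("inc-0001", "site-a",
                               "repeated failed ssh logins from one source",
                               r"\bssh\b.*\bfailed\b")

if __name__ == "__main__":
    review(SHARED_SCRIPT, analyst_decision=True)
    print(retrospective_search(SHARED_SCRIPT, ARCHIVED_LOG))
    print(monitoring_rule(SHARED_SCRIPT))
```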