Cyber-Threat Analytics (Cyber-TA) published its Top 50 ISP sources of malware infections
October 2007 by Cyber-Threat Analytics (Cyber-TA)
Cyber-Threat Analytics (Cyber-TA) http://www.cyber-ta.org is a research initiative to accelerate the ability of organizations to defend against large-scale network threats by creating the underlying technologies to enable next-generation privacy-preserving digital threat analysis centers. We will conduct basic research, develop prototype implementations of our core concepts, and demonstrate practical schemes for Internet-scale collaborative digital attack reconnaissance and mitigation. Our envisioned next-generation threat analysis centers must support highly automated threat diagnosis and prioritization, scale to alert volumes and data sources that characterize attack phenomena across millions of IP addresses, and rapidly distribute actionable information back to the broader network community to help mitigate emerging attacks. However, such centers must also address fundamental information privacy concerns among the contributor pool. These privacy concerns may at best limit the participation of, or at worst expose to harm, those who choose to share highly sensitive security log content within current collaborative security analysis frameworks.
We will pursue this initiative with four primary project thrusts. First, we will explore practical schemes for Internet-scale collaborative sharing of sensitive information security log content, while providing extensive guarantees for contributor anonymity. Cyber-TA will enable much greater content sharing of even the most sensitive system and security log content, allowing contributors to release “rich-content” (anonymized) alert information that can enable new directions in ultra-large-scale repository correlation. Second, we will develop real-time malware-focused alert correlation analyses, and in particular will explore contributor-side correlation applications with repository-side reassembly. Third, we will develop new threat-warning dissemination schemes to rapidly inform large-scale multi-enterprise environments of new attack patterns, and will also explore malware mitigation strategies that take advantage of the collaborative data correlation performed by analysis centers. Finally, we will operationalize our research prototypes in open-source software releases, developing capability demonstrations within a Washington D.C.-based threat operations center, and perform integration studies with our commercial partners.
Cyber-TA will contribute to the mission of DoD information data protection in several ways. Our initiative seeks to overcome fundamental limitations observed in the current generation of large-scale DoD threat analysis systems. This includes solving the problems of passive vulnerability disclosure, component equity control, and legitimate site-local privacy concerns, which have hindered current and past Computer Network Defense Command and Control (CND C2) activities. We envision anonymity-enabled rich content alert collection that will drive several novel schemes for large-scale malware detection and mitigation. We further believe that this work is highly applicable to problems that today prohibit the rapid formation of digital threat analysis centers in a variety of multi-agency or multi-country coalition network operating scenarios, as well as supporting the future of national-scale protection services for the public Internet.
We have selected a consortium team that brings together outstanding researchers in all key areas of information security that Cyber-TA will encompass. Our consortium will be led by the Computer Science Laboratory of SRI, which has an established history of foundational research in system and network architecture, information privacy, protocol design, computer and network intrusion detection, and large-scale alert correlation. We also bring together well-established researchers from eight academic institutions that are actively engaged in the development of key innovations that will allow Cyber-TA to deliver new results in all of our research thrust areas. Finally, we will actively develop and demonstrate prototype instantiations of our concepts, and to this end we include four small business consortium partners with relevant security products and services, who will support commercial integration studies of our solutions into the enterprise security markets.
We published a list of the TOP 50 ISP SOURCES OF MALWARE INFECTIONS: