Next: Performance
Up: Supported Analyses
Previous: Historical trend analyses
Event-driven analyses
Real-time alert data published by alert repositories offers compelling
value as a source of early warning signs that a new outbreak of malicious
activity is emerging across the contributor pool. The focus of this
analysis is to identify significant changes or sudden inflections in
alert production that may be indicative of a currently occurring attack.
- Intensity analysis identifies extremely aggressive sources causing a
large number of alerts from multiple contributors. Although the sources
remain anonymous, hash values of their IP addresses can be published
and/or distributed to contributors to help them adjust their filtering
policies, as described above.
- Sudden and widespread inflections in the volume and ratios of event_IDs
and Dest_Ports in the incoming alert streams may indicate the emergence
of a new intrusion threat that is affecting a growing subset of the
contributor pool.
- Aggregation of the volume and severity of alerts observed in the incoming
alert streams may provide a basis from which to capture an overall
assessment or "Defcon level" of the threats that the contributor pool
is currently facing.
A more challenging task is to identify propagation patterns in the
occurrence of event_IDs and volumes, which is necessary to analyze
spreading behavior of Internet-scale intrusion activity. Both hashing
and keyed hashing destroy all topological information in IP addresses,
making it infeasible to determine whether two sanitized alerts belong to
the same region of address space. A possible solution may be offered
by prefix-preserving anonymization [36], but we leave these
techniques for future investigation.
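The following is an added worked example (not code from the paper) of the three event-driven analyses listed above, run over a constructed alert stream, together with a small check of the topology-loss point made in the last paragraph. The shared key, the contributor names, the time windows, the severity weights and all addresses (taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are assumptions; "aggressive" and "sudden inflection" are approximated here by simple count and ratio thresholds, which the paper does not specify.

```python
import hmac
import hashlib
import ipaddress
from collections import Counter, defaultdict

# Hypothetical key shared by the contributor pool for keyed hashing (constructed).
POOL_KEY = b"example-contributor-pool-key"

# Constructed sample alerts: (contributor, time window, source IP, event_ID, Dest_Port).
RAW_ALERTS = [
    ("A", 0, "198.51.100.7", 1001, 22), ("B", 0, "198.51.100.7", 1001, 22),
    ("C", 0, "198.51.100.7", 1001, 22), ("A", 0, "203.0.113.9", 2001, 445),
    ("A", 1, "198.51.100.7", 1001, 22), ("B", 1, "198.51.100.7", 1001, 22),
    ("C", 1, "203.0.113.10", 2001, 445), ("D", 1, "203.0.113.11", 3003, 80),
    ("A", 2, "198.51.100.7", 1001, 22), ("A", 2, "203.0.113.12", 2001, 445),
    ("B", 2, "203.0.113.13", 2001, 445), ("B", 2, "203.0.113.14", 2001, 445),
    ("C", 2, "203.0.113.15", 2001, 445), ("D", 2, "203.0.113.16", 2001, 445),
    ("D", 2, "203.0.113.17", 2001, 445),
]

# Constructed severity weight per event_ID, used for the aggregate threat level.
SEVERITY = {1001: 2, 2001: 5, 3003: 1}


def sanitize_ip(ip, key=POOL_KEY):
    """Keyed hash of a source address. The same key across the pool makes the
    token consistent between contributors without revealing the address."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def sanitize(alerts, key=POOL_KEY):
    """Replace raw source IPs by their keyed hashes before they leave a contributor."""
    return [(c, w, sanitize_ip(src, key), eid, port) for c, w, src, eid, port in alerts]


def intensity_analysis(alerts, min_alerts=5, min_contributors=3):
    """Hashed sources that trigger many alerts at several contributors.
    Returns {hashed_src: (alert_count, contributor_count)}; the hashes can be
    handed back to contributors for their filtering policies."""
    counts, reporters = Counter(), defaultdict(set)
    for c, _w, h, _eid, _port in alerts:
        counts[h] += 1
        reporters[h].add(c)
    return {h: (n, len(reporters[h])) for h, n in counts.items()
            if n >= min_alerts and len(reporters[h]) >= min_contributors}


def inflection_analysis(alerts, ratio=3.0, min_contributors=2):
    """Flag (event_ID, Dest_Port) pairs whose volume grows by `ratio` between
    consecutive windows while being seen by several contributors.
    Returns [(window, (event_ID, Dest_Port), previous_count, count, contributors)]."""
    volume = defaultdict(Counter)
    reporters = defaultdict(lambda: defaultdict(set))
    for c, w, _h, eid, port in alerts:
        volume[w][(eid, port)] += 1
        reporters[w][(eid, port)].add(c)
    flagged, windows = [], sorted(volume)
    for prev, cur in zip(windows, windows[1:]):
        for key, n in volume[cur].items():
            before = volume[prev].get(key, 0)
            if n >= ratio * max(before, 1) and len(reporters[cur][key]) >= min_contributors:
                flagged.append((cur, key, before, n, len(reporters[cur][key])))
    return flagged


def threat_level(alerts, window, severity=SEVERITY):
    """Severity-weighted alert volume of one window mapped to a coarse level
    (the thresholds are constructed)."""
    score = sum(severity.get(eid, 1) for _c, w, _h, eid, _p in alerts if w == window)
    level = "low" if score < 15 else "elevated" if score < 30 else "high"
    return score, level


def common_prefix_bits(a, b):
    """Number of leading bits shared by two 32-bit integers."""
    return 32 - (a ^ b).bit_length()


def topology_loss(ip_a, ip_b, key=POOL_KEY):
    """Common prefix length of two raw addresses versus that of the first 32 bits
    of their keyed hashes: hashing keeps no usable address-space structure."""
    raw = common_prefix_bits(int(ipaddress.IPv4Address(ip_a)), int(ipaddress.IPv4Address(ip_b)))
    ha, hb = (int(sanitize_ip(ip, key)[:8], 16) for ip in (ip_a, ip_b))
    return raw, common_prefix_bits(ha, hb)


if __name__ == "__main__":
    stream = sanitize(RAW_ALERTS)
    print("aggressive sources:", intensity_analysis(stream))
    print("inflections:", inflection_analysis(stream))
    print("window 2 level:", threat_level(stream, 2))
    print("prefix bits raw vs hashed:", topology_loss("203.0.113.9", "203.0.113.10"))
```

On the constructed stream the intensity analysis isolates the one source seen at three contributors, the inflection analysis flags the jump of (event_ID 2001, port 445) from one alert to six across four contributors in the last window, and the two neighbouring raw addresses share 30 prefix bits while their hashes share only what chance gives them, which is why the propagation analysis in the paragraph above cannot be done on plain or keyed hashes.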
Vitaly Shmatikov
2004-05-18