Established Internet analysis centers, such as DShield [34] and Symantec's DeepSight [32], gather alerts from a diverse population of sensors. For example, in April 2003, DShield reported a contributor pool of around 41,000 registered participants and around 2000 regular submitters, who submit a total of 5 to 10 million alerts daily [7]. These centers have proved effective in recognizing short-term inflections in alert content and volume that may indicate wide-scale malicious phenomena [39], as well as in tracking important security trends that may allow sites to better tune their security postures [31]. Other research has shown how to use distributed security information to infer Internet DoS activity [22], and how to improve the speed and accuracy of large-scale multi-enterprise alert analysis centers [38].
Alert sharing communities have not yet enjoyed wide-scale adoption, in part because of the privacy concerns of potential alert contributors and of the managers of community alert repositories. Raw alerts may expose site-private topological information, proprietary content, client relationships, and the site's defensive capabilities and vulnerabilities. With this in mind, established systems suppress sensitive alert content before it is distributed to analysis centers (e.g., field suppression is a configurable option in DShield's alert extraction software). Even with these measures, organizations such as DeepSight and DShield must be granted a substantial degree of trust by the alert producers, since suppression and anonymization must be balanced against the need to maintain the utility of the alert.