Next: Bibliography Up: Privacy-Preserving Sharing and Correlation Previous: Performance

Conclusions

We have described a broad set of privacy concerns that limit the ability of sites to share security alert information, and enumerated a number of data sanitization techniques that strike a balance between the privacy of alert producers and the functional needs of multi-site correlation services, without imposing heavy performance costs. Our techniques are practical even for large alert loads and, most importantly, do not require that alert contributors trust alert repositories to protect their sensitive data. This enables the creation of open community-access repositories that will offer a better perspective on Internet-wide trends, real-time detection of emerging threats, and a source of data for malicious code research.

As a first prototype to demonstrate basic alert sanitization with live sensors, we are developing a Snort alert delivery plugin that implements the SHA/HMAC and field sanitization techniques discussed in Section 6.2. We also plan to analyze defenses against probe-response attacks, in which the attacker artificially stimulates an alert with a rare Event_Id and then uses this Event_Id as a marker to recognize the response in the general alert traffic.
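As an added illustration of the keyed-hash field sanitization mentioned above (example code written for this page, not the authors' Snort plugin): it replaces the source and destination address fields of constructed alert records with HMAC-SHA256 tokens under a key shared by the contributing sites, so a correlation service can still match alerts on equal addresses without learning them. The field names, the choice of SHA-256, and the key handling are assumptions.

```python
import hmac
import hashlib

# Fields a contributing site does not want the repository to see in the clear
# (assumed names; a real alert format would have its own).
SENSITIVE_FIELDS = ("src_ip", "dst_ip")


def sanitize_field(value: str, key: bytes) -> str:
    """Keyed hash of one field value. Equal inputs under the same key give
    equal tokens, which is what cross-site correlation needs; without the
    key, a repository cannot simply enumerate the IPv4 space to invert it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def sanitize_alert(alert: dict, key: bytes) -> dict:
    """Return a copy of the alert with sensitive fields replaced by tokens."""
    out = dict(alert)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = sanitize_field(out[field], key)
    return out


def correlate_sources(alerts: list) -> dict:
    """Repository-side view: count, per sanitized source token, how many
    distinct reporting sites saw that source. The repository never sees IPs."""
    sites_per_source = {}
    for a in alerts:
        sites_per_source.setdefault(a["src_ip"], set()).add(a["site"])
    return {tok: len(sites) for tok, sites in sites_per_source.items()}


# Constructed sample alerts from two sites sharing one sanitization key.
SHARED_KEY = b"example-key-shared-by-contributors"
RAW_ALERTS = [
    {"site": "A", "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "sig": 1000},
    {"site": "B", "src_ip": "198.51.100.7", "dst_ip": "192.0.2.20", "sig": 1000},
    {"site": "B", "src_ip": "203.0.113.9", "dst_ip": "192.0.2.20", "sig": 2000},
]


def demo() -> dict:
    sanitized = [sanitize_alert(a, SHARED_KEY) for a in RAW_ALERTS]
    return correlate_sources(sanitized)


if __name__ == "__main__":
    print(demo())
```

The source 198.51.100.7 is reported by both sites and shows up as one token seen by 2 sites, while a different key would yield unrelated tokens, so sites that do not share a key cannot be correlated against each other.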

Acknowledgements. We thank Keith Skinner for his support in the initial performance analysis, and Johannes Ullrich from the SANS Internet Storm Center for providing access to data set samples from DShield.org. We are grateful to the anonymous reviewers for useful comments.


Vitaly Shmatikov 2004-05-18