Fighting Coordinated Attackers with Cross-Organizational Information Sharing.
Article 2006 en
Authors
Mark Allman
Ethan Blanton
Vern Paxson
Abstract
In this paper we propose an architecture for using cross-organization information sharing to identify members of a group of hosts enslaved for malicious purposes on the Internet. We root our system in so-called “detectives”—savvy network monitors like sophisticated intrusion detection systems or honeyfarms that have a deep understanding of malicious behavior. We augment information from these detectives with observations from a large array of “witnesses” that are already in-place at many locations in the network. These witnesses are not savvy enough to understand that a particular behavior is malicious, but their simple factual observations can be shared with a detective in order to form a broad picture of a group of bad actors. A key aspect of the system is the design of a lightweight mechanism to reliably share enough information between detectives and witnesses to form an understanding of a group of bad actors without sharing more information than necessary, in order to address privacy and competitive concerns.