Scalable detection of community cyber incidents utilizing distributed and anonymous security information sharing
Communities are experiencing cyber attacks from a multitude of threat agents. These cyber attacks have had severe consequences in the past, and the potential for even more devastating effects will grow as communities become more reliant upon cyberspace. Communities must adopt a defense-in-depth strategy that includes preventing, detecting, responding to, and recovering from cyber attacks. Previously, our research efforts focused on preventative measures. This dissertation focuses on the detection of a wide variety of community cyber incidents. The detection framework is designed to provide the means to enable a fast and effective response and recovery.
A distributed and descriptive information sharing framework is presented, designed around the needs of community cyber incident detection. Although this dissertation focuses on the sharing of Intrusion Detection System (IDS) alerts, the information sharing framework is generic. A fully working implementation was created and used to conduct simulations. From the analysis of results, new algorithms and techniques are devised to greatly improve the scalability of the information sharing. The simulation results are further verified using relevant real-world data.
A community cyber incident detection framework is introduced, which is the only known detection framework tailored to the needs of a community. Spatiotemporal differentiation, a new community cyber incident detection technique, is introduced. Detection capabilities are improved over the related works known as Collaborative Intrusion Detection Systems (CIDSs). Again, overall scalability is improved by analyzing previous results and introducing new, specialized techniques to remove unnecessary reports on potential community cyber incidents. Scalability simulations are performed, producing the only known quantifiable data. Furthermore, the usefulness and usability of the community cyber incident detection system are demonstrated through a real-time case study.