This proposal investigates the feasibility of, and if feasible the requirements for, deploying distributed intrusion and bot detection services as a bundle inside multiple networks while sharing the resulting threat information in an anonymized way. It will involve implementing combined defense and sensor nodes as gateways; local correlation, log processing and reporting engines; and transmission of detected threat sources back to a central correlation authority, which then disseminates the information to all participating entities. Key items to be examined are the scalability of distributing existing databases while maintaining consistency; the anonymization of detected threat information while maintaining relevancy; and the scalability of processing data from the local detector enforcers into the private threat correlation system, sending the detected threats upstream to the global system, and disseminating the correlated data to all nodes. The results will provide the requirements for scaling the current ThreatSTOP system so that it can be fully commercialized to protect national security assets, large enterprises, and large numbers of individual users. The benefit will be dynamic detection and blocking of network-level attacks and the dynamic disabling of botnets through the interruption of their command and control channels.