V-COPS: A Distributed Vulnerability-based Cooperative Alert System

Shiping Chen
George Mason University

Dongyu Liu
George Mason University

Songqing Chen
George Mason University

Sushil Jajodia
George Mason University

Established analysis centers have found it increasingly hard to release security alerts promptly in the face of continually emerging large scale network attacks, such as fast worms. With only a limited number of sensors deployed over the Internet and a long attack verification period, by the time an analysis center releases an alert the best moment to stop the attack may already have passed. On the other hand, (1) most past large scale attacks targeted known vulnerabilities, and (2) many Internet systems today already integrate detection tools, such as virus detection software and intrusion detection systems (IDS), whose power could be harnessed to defend against large scale attacks.

In this paper, we propose V-COPS, a distributed, vulnerability-based cooperative alert system that leverages existing independent local attack detection systems. V-COPS can promptly propagate genuine alerts carrying critical vulnerability information, on the basis of which the relevant stakeholders can take preventive action in time. The effectiveness of V-COPS comes from four design elements: 1) V-COPS actively distributes alerts together with vulnerability information, which enables alert receivers to respond promptly with patches or with network filters generated by tools such as Shield; 2) V-COPS applies hierarchical alert aggregation during alert distribution to efficiently filter out false positives from local detection systems; 3) V-COPS relies on a hybrid alert propagation mechanism to propagate alerts to participants quickly and scalably; 4) V-COPS uses a probability-based verification scheme to defend against attacks on the alert system itself. Extensive analysis and experiments have been performed to study the performance of V-COPS; the preliminary results show that V-COPS is effective.
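The following sketch, added here as an illustration and not taken from the V-COPS paper, shows the idea behind design element 2: alerts are keyed by the vulnerability they concern, and an aggregator only forwards a vulnerability upward once enough distinct local sensors have reported it, so a single misfiring sensor cannot push a false positive through the hierarchy. The abstract does not state the threshold, message fields or topology; the two-level tree, the "distinct sensors" rule, the `min_sensors` value and the `VULN-*` placeholder identifiers are all assumptions made for this example, and the alerts are constructed sample data.

```python
"""Illustrative vulnerability-keyed, hierarchical alert aggregation.

Added example, not V-COPS's own code. The paper's abstract only says that
alerts carry vulnerability information and are aggregated hierarchically
to filter local false positives; everything concrete below is assumed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set


class Alert:
    """One alert from a local detection system (assumed fields)."""

    def __init__(self, vuln_id: str, sensor_id: str, description: str):
        self.vuln_id = vuln_id        # identifier of the targeted vulnerability
        self.sensor_id = sensor_id    # which local IDS / AV engine raised it
        self.description = description


class Aggregator:
    """A node in the aggregation tree.

    It forwards a vulnerability id to its parent exactly once, the first
    time `min_sensors` distinct senders have reported it (assumed policy).
    Towards its parent the aggregator itself counts as a single sender, so
    a region that has reached consensus looks like one sensor one level up.
    """

    def __init__(self, name: str, min_sensors: int,
                 parent: Optional["Aggregator"] = None):
        self.name = name
        self.min_sensors = min_sensors
        self.parent = parent
        self._reporters: Dict[str, Set[str]] = defaultdict(set)
        self.forwarded: List[str] = []   # vuln ids this node has forwarded

    def receive(self, alert: Alert) -> bool:
        """Record the alert; return True if it crossed the forwarding threshold."""
        reporters = self._reporters[alert.vuln_id]
        before = len(reporters)
        reporters.add(alert.sensor_id)   # duplicates from one sensor do not count
        crossed = before < self.min_sensors <= len(reporters)
        if crossed:
            self.forwarded.append(alert.vuln_id)
            if self.parent is not None:
                self.parent.receive(Alert(alert.vuln_id, self.name, alert.description))
        return crossed


def run_simulation() -> Dict[str, List[str]]:
    """Feed constructed alerts through a two-level tree and report what was forwarded."""
    root = Aggregator("root", min_sensors=2)
    region_a = Aggregator("region-A", min_sensors=2, parent=root)
    region_b = Aggregator("region-B", min_sensors=2, parent=root)

    # Constructed sample alerts (placeholder vulnerability ids, not real CVEs):
    #   VULN-WORM  : seen by two sensors in each region  -> should reach root
    #   VULN-FP    : seen by one sensor only, twice      -> a local false positive
    #   VULN-LOCAL : seen by two sensors in region A only -> stops at region A
    stream = [
        (region_a, Alert("VULN-WORM", "A1", "scan burst on service port")),
        (region_a, Alert("VULN-FP", "A3", "signature match, single host")),
        (region_a, Alert("VULN-WORM", "A2", "scan burst on service port")),
        (region_b, Alert("VULN-WORM", "B1", "scan burst on service port")),
        (region_a, Alert("VULN-FP", "A3", "signature match, single host")),
        (region_a, Alert("VULN-LOCAL", "A1", "exploit attempt, internal app")),
        (region_a, Alert("VULN-LOCAL", "A2", "exploit attempt, internal app")),
        (region_b, Alert("VULN-WORM", "B2", "scan burst on service port")),
    ]
    for node, alert in stream:
        node.receive(alert)

    return {n.name: list(n.forwarded) for n in (region_a, region_b, root)}


if __name__ == "__main__":
    for name, ids in run_simulation().items():
        print(f"{name:9s} forwarded: {ids}")
```

Running it shows both regions and the root forwarding `VULN-WORM`, region A alone forwarding `VULN-LOCAL`, and `VULN-FP` never leaving region A because repeated reports from the same sensor still count as one reporter. A real deployment would also have to authenticate the sensors, since the distinct-sender count is only meaningful if an attacker cannot forge many sender identities, which is the concern design element 4 addresses.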

Keywords: vulnerability, attack alert and prevention, peer-to-peer
