Communizer: A collaborative cloud-based self-protecting software communities framework - Focus on the alert coordination system

Abstract

Popular software has always been appealing to adversaries, as related vulnerabilities are synonymous with millions of exposed businesses. Collaborative intrusion detection, as well as software self-protection, try to alleviate this situation. However, they lack either autonomy and adaptation, or Internet-scale oversight and mitigation. In this work, we present Communizer: a collaborative cloud-based framework that creates communities of self-protecting software across organizations. It allows community members to turn their common weaknesses into collaborative and proactive self-protection, empowering them to detect intrusions, exchange alerts, and anticipate attacks. We start by integrating multiple autonomic MAPE-K loops through cloud-based coordination, and a novel hierarchical, regional coordination pattern (HRCP), optimizing scalability, resiliency, accuracy and privacy. Then, we design a trust-based multi-level alert coordination system (TMACS), as well as a lightweight alert coordination message exchange format (ACMEF). At its core, TMACS aggregates, validates, and shares security alerts among community members while fostering agreement and managing trust. It also addresses insider attacks by detecting and blacklisting rogue members. Moreover, TMACS identifies and neutralizes selfish members through a specifically designed probabilistic model. The analysis, optimization, and evaluation of TMACS show a good trade-off between the precision and recall of untrustworthy and selfish members detection. More importantly, we demonstrate a drastic reduction of monitoring loads on community members while ensuring a high collaborative attack detection and anticipation rate, even for small-scope attacks.