The Doodlebug approach will build a robust, redundant, decentralized network for event correlation, producing rich results by incorporating very large amounts of information.
SIFT's Doodlebug approach provides a revolutionary approach to intrusion event correlation and fusion. Existing correlation systems are brittle, mostly rule-based systems that provide centralized correlation of intrusion events from very restricted areas. They require access to confidential information of the systems whose events they correlate, share those systems' false positive problems, and are difficult to configure and operate. By contrast, Doodlebug provides a lightweight event correlation solution that will operate over extremely large areas (e.g., continent-wide). The Doodlebug approach will build a robust, redundant, decentralized network for event correlation, producing rich results by incorporating very large amounts of information. Using large amounts of information, and combining it with relatively simple, and computationally inexpensive operations, Doodlebug will enable detection and identification of both known and novel attacks. In order to incorporate these large numbers of nodes, Doodlebug must stretch across not just administrative domains, but enterprises as well. To make this possible, Doodlebug will incorporate techniques for robust computation even in the face of malicious network members, and will provide strong assurances of the privacy of network nodes. Doodlebug will do this by combining a novel re-framing of the correlation problem with existing techniques for robust distributed computation and privacy protection.