Haakon Ringberg will present his preFPO on Friday December 12 at 10AM in Room 302. The members of his committee are: Jennifer Rexford, advisor; Nicholas Duffield (AT&T), Mike Freedman, Vivek Pai, and Rob Calderbank. Everyone is invited to attend his talk. His abstract follows below. ---------------------------------------------- Unwanted traffic is a major concern in the Internet today. The algorithms that attempt to identify this unwanted traffic are called network anomaly detectors, and their task is challenging in part because many network attacks mimic the behavior of normal traffic. The victims of these attacks should therefore collaborate by correlating their attack data, under the assumption that a given malicious host is likely to affect more than one victim. The major obstacle to such collaboration is that the corporations who manage these networks are hesitant to openly share information about the hosts (customers) that use their services. In this thesis, we propose and evaluate the feasibility of an architecture for privacy-preserving collaborative anomaly detection. First, we study the potential gain from collaboration on traces from operational networks. We do this by calculating the fraction of detected network anomalies (viz., IP scans, port scans, and DoS attacks) that could have been mitigated in these traces if some subset of the victim hosts collaborated to block attackers. Second, we propose and evaluate the efficiency of a novel cryptographic protocol that allows victims to collaborate to identify the hosts sending unwanted traffic. The protocol allows each participant to submit a set of IP addresses that they suspect might be engaging in said activity. The protocol preserves privacy because it never reveals who suspected whom, and a submitted IP address is only revealed when more than n participating networks suspect it. Finally, we close the loop by evaluating the feasibility of making a commonly-used single vantage-point anomaly detector faster and more scalable. Specifically, we propose and evaluate a system that leverages machine learning to bring the classification intelligence of the signature- and packet-based intrusion detection system (IDS) Snort to the IP flow realm. We demonstrate that our system can effectively learn to classify many Snort alarms on IP flows. In sum, the thesis presents a complete collaborative anomaly detection architecture, from the high-confidence detection of unwanted traffic at single networks to a privacy-preserving protocol that allows these networks to collectively increase their confidence in their detections.