Large-scale network attacks have been a serious threat to the Internet since many years. Owing to the immense importance of the Internet, this threat has been growing steadily, with no end in sight. Ever more sophisticated attacks try to outdo the efforts of security experts, to detect, mitigate or eliminate these attacks, in a game of cat-and-mouse. Software has been deployed in large-scale networks like those of Internet Service Providers, to counteract attacks. However, success depends on the capabilities of the software to detect not just one, but different types of attacks. Because networks are self-contained and because of the financial aspect, such software, also known as Intrusion Detection System or Anomaly Detection System, only protects the network it is deployed in, but ignores all other networks around it. It is quite common that Internet Service Providers unknowingly forward attacks aiming at other networks, and let the target network handle the attack. That is why attack traffic, originating in a network, can freely travel through multiple other networks around the globe, to reach the target network.
This thesis addresses the need of cooperation between large-scale network operators, such as Internet Service Providers, to address attacks at the source and to improve detection rates. A concept for a cooperative approach is presented in this thesis, which allows a cooperation between different network operators running different anomaly detection systems in their networks, by exchanging information about detected hosts that participate in an attack. Using probabilities and traffic flows containing outgoing traffic only, it is shown that the false positive rate can efficiently be reduced, by maintaining or increasing the true positive rate. In addition, a prototypical anomaly detection system, based on entropy scores, is developed, to demonstrate the effectiveness of such cooperative approach.