Outsourcing Security Analysis with Anonymized Logs. Jianqing Zhang, Nikita Borisov, William Yurcik. 2nd International Workshop on the Value of Security through Collaboration, September 1, 2006.
Slide 1: Outsourcing Security Analysis with Anonymized Logs
Jianqing Zhang, Nikita Borisov, William Yurcik
2nd International Workshop on the Value of Security through Collaboration
Friday, September 1, 2006

Slide 2: Motivation
 Managed Security Service Providers (MSSPs)
   Security outsourcing is a trend
   Security monitoring is getting more complicated and sophisticated
   Economical: assemble skilled security professionals
   Effective: shared security infrastructure across organizational boundaries
 Challenges: sensitive data is shared
   Data protected by privacy laws
   Valuable information to competitors
   Useful information to adversaries

Slide 3: Managed Security Service Provider

Slide 4: Problem Statement
 What are the criteria for log anonymization that sufficiently protect privacy and guarantee the MSSP's efficiency?

Slide 5: Contributions
 Case studies of common attack types based on classic logs
 Derive a common set of anonymization criteria
   Retain time interval dependence between records
   Pseudonymize the external IP addresses re-identifiably
   Pseudonymize the internal IP addresses re-identifiably and preserve some network topology information
 First step for privacy-preserving MSSPs

Slide 6: NetFlows and Syslogs
 NetFlows: network-based log
   Timestamps
   IP address pairs (source/destination)
   Port pairs (source/destination)
   …
 Syslog: host-based log
   Application-level critical events

Slide 7: Which Data is Sensitive?
 Identity information
   External (source) IP: partner, common guest and adversary
   Internal (destination) IP: internal user
 System privacy and security
   Timestamp: when the transactions happen
   Destination port number: services and applications hosted on the system
   Subnet number: internal network structure
   Number of records: overall resource usage

Slide 8: Log Anonymization Mechanisms
 Timestamp anonymization
   Time unit annihilation
   Random time shifts
   Enumeration
 IP address anonymization
   Truncation
   Random permutation
   Prefix-preserving pseudonymization
 Port number anonymization
   Bilateral classification
   Black marker anonymization
   Random permutation
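The mechanisms on this slide, implemented over a small constructed NetFlow-like record set, as an added example (not the authors' code or tool). Random time shift and time unit annihilation cover the timestamp column; truncation, a keyed prefix-preserving pseudonym and a random permutation table cover IP addresses; bilateral classification, a black marker and a keyed permutation cover ports. The prefix-preserving function follows the general Crypto-PAn idea of one keyed bit per input prefix, but the HMAC construction, the record layout and `anonymize_flows` are this example's own assumptions, and the example goes beyond the slide by also showing which property each mechanism keeps (intervals, shared prefixes, consistent pseudonyms).

```python
# Added example, not the authors' code: slide 8 mechanisms on constructed flows.
import functools
import hashlib
import hmac
import ipaddress
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    start: float      # seconds since epoch
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    pkts: int


# Constructed sample: two external hosts talking to two internal hosts.
SAMPLE_FLOWS = [
    Flow(1157136960.0, "203.0.113.7", 40001, "10.1.2.3", 22, 6, 12),
    Flow(1157136960.4, "203.0.113.7", 40002, "10.1.2.4", 80, 6, 30),
    Flow(1157136963.0, "198.51.100.9", 51234, "10.1.2.3", 443, 6, 8),
]


# Timestamps: a random shift applies one delta to every record, so all
# intervals survive; unit annihilation drops precision below `unit` and
# loses sub-unit ordering instead.
def random_time_shift(flows, rng=None):
    if rng is None:
        rng = random.Random()
    delta = rng.uniform(-7 * 86400, 7 * 86400)
    return [replace(f, start=f.start + delta) for f in flows]


def annihilate_time_unit(flows, unit=1.0):
    return [replace(f, start=(f.start // unit) * unit) for f in flows]


# IP truncation: keep the leading keep_bits of the address and zero the rest.
def truncate_ip(ip, keep_bits=24):
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)


# Prefix-preserving pseudonym: output bit i = input bit i XOR a keyed bit
# derived from the i-bit input prefix, so two addresses sharing a k-bit
# prefix get pseudonyms sharing exactly a k-bit prefix (subnets survive).
def prefix_preserving(ip, key):
    addr = int(ipaddress.IPv4Address(ip))
    out, prefix = 0, 0
    for i in range(32):
        bit = (addr >> (31 - i)) & 1
        mac = hmac.new(key, f"{i}:{prefix}".encode(), hashlib.sha256).digest()
        out = (out << 1) | (bit ^ (mac[0] & 1))
        prefix = (prefix << 1) | bit
    return str(ipaddress.IPv4Address(out))


def common_prefix_len(ip_a, ip_b):
    diff = int(ipaddress.IPv4Address(ip_a)) ^ int(ipaddress.IPv4Address(ip_b))
    return 32 if diff == 0 else 32 - diff.bit_length()


# Random permutation: a per-address pseudonym table. Consistent within one
# dataset (the same source always maps to the same pseudonym) but every
# topology hint is gone: neighbouring addresses land anywhere.
class RandomPermutation:
    def __init__(self, rng):
        self.rng, self.table, self.used = rng, {}, set()

    def __call__(self, ip):
        if ip not in self.table:
            cand = str(ipaddress.IPv4Address(self.rng.getrandbits(32)))
            while cand in self.used:
                cand = str(ipaddress.IPv4Address(self.rng.getrandbits(32)))
            self.used.add(cand)
            self.table[ip] = cand
        return self.table[ip]


# Ports: bilateral classification keeps well-known ports (they name the
# service) and black-markers the rest; a keyed permutation instead gives
# every port a consistent pseudonym port.
BLACK_MARKER = 0


def bilateral_port(port, threshold=1024):
    return port if port < threshold else BLACK_MARKER


@functools.lru_cache(maxsize=None)
def _port_table(key):
    perm = list(range(65536))
    random.Random(key).shuffle(perm)
    return tuple(perm)


def permute_port(port, key):
    return _port_table(key)[port]


def anonymize_flows(flows, key, rng=None):
    """Combination the constraint slides recommend: shifted times, permutation
    pseudonyms for external (source) IPs, prefix-preserving pseudonyms for
    internal (destination) IPs, pseudonym ports. Assumed layout for this example."""
    if rng is None:
        rng = random.Random(key)
    perm = RandomPermutation(rng)
    return [replace(f, src_ip=perm(f.src_ip),
                    dst_ip=prefix_preserving(f.dst_ip, key),
                    src_port=permute_port(f.src_port, key),
                    dst_port=permute_port(f.dst_port, key))
            for f in random_time_shift(flows, rng)]


if __name__ == "__main__":
    for f in anonymize_flows(SAMPLE_FLOWS, b"example-key"):
        print(f)
```

Note that the two internal hosts 10.1.2.3 and 10.1.2.4 keep a shared 29-bit prefix under `prefix_preserving`, which is what lets an analyst still see "same subnet"; `RandomPermutation` would hide that, which is why the slides reserve it for external addresses.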

Slide 9: Traffic Traces Logs: Port Scan
Start time | SrcIPaddr | SrcPort | DstIPaddr | DstPort | P | Pkts
18:56:… (four records starting 18:56, then …)
 Scan all ports of a single host:
   Source: same address, different port numbers
   Destination:
     Same address
     Different ports (sequentially)
   In a short time

Slide 10: Traffic Traces Logs: DoS/DDoS
 SYN Flood
   Source: same address, same (or different) port numbers
   Destination:
     Same address
     Same port (aimed at a particular protocol or application)
   Protocol / Packets / Packet size
   In a short time
Start time | SrcIPaddr | SrcPort | DstIPaddr | DstPort | P | Pkts | B/Pk
21:47:… (four records starting 21:47, then …)

Slide 11: Anonymization Constraints on Traffic Traces Logs
 Timestamp (Start Time)
   Event intervals and time dependence should be retained
 Anonymization
   Time unit annihilation
   Random time shifts
   Enumeration

Slide 12: Anonymization Constraints on Traffic Traces Logs (cont.)
 Source/Destination IP address
   Anonymized and re-identifiable
   Retain virtual network topology (dest.)
 Anonymization
   Truncation
   Random permutation (pseudonyms): source (external) IP address
   Prefix-preserving pseudonymization: destination (internal) IP address

Slide 13: Anonymization Constraints on Traffic Traces Logs (cont.)
 Source/Destination port number
   Contain sensitive information
   More efficient if retained
 Anonymization
   Bilateral classification
   Black marker anonymization
   Random permutation

Slide 14: Active Operating System Fingerprinting
 Syslog
 Syslog + Tcplog
Time Stamp | Host Name (IP) | Message | Source Port | Dest. Port

Slide 15: Anonymization Constraints on Syslog
Attribute | Anonymization constraints | Recommended anonymization
Start Time | Retain event intervals and time dependence | Random time shifts
Source IP Address | Anonymized and re-identifiable | Pseudonyms
Source Port | More efficient if retained | Pseudonyms
Dest. IP Address | Retain virtual network topology; re-identifiable if anonymized | Pseudonyms + prefix-preserving
Dest. Port | More efficient if retained; re-identifiable if anonymized | Pseudonyms
Msg. | Retained | --

Slide 16: Sensitive Data After Anonymization
 Traffic volumes
   Batched upload: aggregate volumes
   Dummy log records
     Sacrifice efficiency at the MSSP
     False positives and false negatives
 Size of customer base; customer retention
   Change the pseudonym mappings periodically
 Structure of the internal network
   Simple pseudonyms
   Periodic rotation of pseudonyms
 Policy dependent
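The two countermeasures on this slide, periodic rotation of simple pseudonyms and dummy records inside fixed-size batched uploads, as an added example (not the authors' code). The epoch length, batch size, the "decoy" name pool, the opaque record id and the alert format are policy values and assumptions chosen for this example; the point shown is that a pseudonym stays stable inside one epoch (so the MSSP can still correlate records) but is unlinkable across epochs, and that the customer, not the MSSP, keeps the list of dummy ids so it can drop the false positives the slide mentions.

```python
# Added example, not the authors' code: pseudonym rotation and batch padding.
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    rid: int         # opaque sequence number; the customer keeps the dummy rids
    start: float
    src: str
    dst: str
    dport: int


EPOCH_SECONDS = 86400   # rotate pseudonyms once a day (example policy)
BATCH_SIZE = 8          # every upload carries exactly this many records


def epoch_key(master, epoch):
    """Per-epoch key derived from the customer's master key, so a pseudonym
    is stable inside an epoch and unlinkable across epochs."""
    return hmac.new(master, f"epoch:{epoch}".encode(), hashlib.sha256).digest()


def pseudonym(name, key):
    """Simple (non-prefix-preserving) pseudonym: keyed hash, truncated."""
    return "h" + hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:12]


def anonymize(records, master):
    out = []
    for r in records:
        k = epoch_key(master, int(r.start // EPOCH_SECONDS))
        out.append(Record(r.rid, r.start, pseudonym(r.src, k), pseudonym(r.dst, k), r.dport))
    return out


def pad_batch(batch, master, next_rid, rng=None, batch_size=BATCH_SIZE):
    """Pad an anonymized batch to a constant size with dummy records that look
    like real ones (pseudonyms of non-existent 'decoy' hosts, destinations and
    ports drawn from the batch). Returns (padded, dummy_rids); the customer
    stores dummy_rids locally so alerts that cite them can be discarded."""
    if rng is None:
        rng = random.Random()
    if len(batch) > batch_size:
        raise ValueError("batch exceeds the padding size; split the upload")
    padded, dummy_rids = list(batch), set()
    dsts = [r.dst for r in batch] or ["h000000000000"]
    ports = [r.dport for r in batch] or [0]
    t_lo = min((r.start for r in batch), default=0.0)
    t_hi = max((r.start for r in batch), default=0.0)
    while len(padded) < batch_size:
        t = rng.uniform(t_lo, t_hi)
        k = epoch_key(master, int(t // EPOCH_SECONDS))
        decoy = pseudonym(f"decoy-{rng.getrandbits(32)}", k)
        padded.append(Record(next_rid, t, decoy, rng.choice(dsts), rng.choice(ports)))
        dummy_rids.add(next_rid)
        next_rid += 1
    rng.shuffle(padded)   # dummies are not clustered at the end of the upload
    return padded, dummy_rids


def filter_alerts(alerts, dummy_rids):
    """Drop MSSP alerts that reference a dummy record: the false positives
    the slide says padding costs. An alert is {"rids": [...]} (assumed format)."""
    return [a for a in alerts if not set(a["rids"]) & dummy_rids]


# Constructed customer log: the same two hosts talk on two consecutive days.
SAMPLE = [
    Record(1, 10.0, "10.0.0.5", "10.0.1.9", 22),
    Record(2, 20.0, "10.0.0.5", "10.0.1.9", 443),
    Record(3, 86400.0 + 5.0, "10.0.0.5", "10.0.1.9", 22),
]


if __name__ == "__main__":
    anon = anonymize(SAMPLE, b"master-key")
    padded, dummies = pad_batch(anon, b"master-key", next_rid=100)
    for r in padded:
        print(r, "(dummy)" if r.rid in dummies else "")
```

Rotation trades correlation for unlinkability exactly as the slide's "policy dependent" line suggests: an attack that spans an epoch boundary shows up as two unrelated sources to the MSSP, so the epoch length is a tuning knob, not a constant.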

Slide 17: Conclusion
 Sensitive data should be anonymized for security monitoring
 Constraints on log anonymization
 Sensitive data leakage after anonymization, and countermeasures
 Privacy and efficiency are a trade-off

Slide 18: Future Work
 Analyze other attacks
   Anonymization strategies for a wide range of attacks
   Patterns of attack detection and general principles
 Study other log formats and types
 Analyze correlation of different logs across different organizations

Slide 19: Q & A
 Jianqing Zhang
 Nikita Borisov
 William Yurcik

Slide 20: Anonymization Constraints on Traffic Traces Logs
Attribute | Anonymization constraints | Recommended anonymization
Start Time | Retain event intervals and time dependence | Random time shifts
Source IP Address | Anonymized and re-identifiable | Pseudonyms
Source Port | More efficient if retained | Pseudonyms
Dest. IP Address | Retain virtual network topology; anonymized and re-identifiable | Pseudonyms + prefix-preserving
Dest. Port | More efficient if retained | --

Slide 21: Port Scan (cont.)
 Portmap scan:
   Source: same address, different port numbers
   Destination: various addresses, same port (portmap daemon)
   In a short time
Start time | SrcIPaddr | SrcPort | DstIPaddr | DstPort | P | Pkts
10:53:… (four records starting 10:53, then …)

Slide 22: DoS/DDoS (cont.)
 Distributed SYN Flood
   Source: different addresses, different port numbers
   Destination:
     Same address
     Same port (aimed at a particular protocol)
   Protocol / Packets / Packet size
   In a short time
Start time | SrcIPaddr | SrcPort | DstIPaddr | DstPort | P | Pkts | B/Pk
19:08:… (four records starting 19:08, then …)
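The four signatures described on the Port Scan, DoS/DDoS, Port Scan (cont.) and DoS/DDoS (cont.) slides, run over a constructed log that is already anonymized the way the constraint slides recommend (pseudonymous source and destination addresses, time-shifted start times, ports retained), as an added example that is not the authors' code or detector. Record layout, thresholds and the tiny-flow heuristic for SYN floods (TCP, at most two packets, SYN-sized) are this example's assumptions. The last function goes a step beyond the slides by showing the cost of the stronger port treatment: after black-marking destination ports the vertical port scan disappears, while the SYN floods are still found (only the targeted service is no longer known).

```python
# Added example, not the authors' code: slide signatures over anonymized records.
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    start: float   # anonymized (shifted) start time; only intervals matter
    src_ip: str    # pseudonym
    src_port: int
    dst_ip: str    # pseudonym (prefix-preserving)
    dst_port: int
    proto: int
    pkts: int
    bytes: int


def build_sample():
    """Constructed anonymized log with four attack patterns plus benign flows."""
    base, flows = 1000.0, []
    # Vertical port scan: one source walks 20 ports on one host within a second
    for i in range(20):
        flows.append(Flow(base + 0.05 * i, "10.200.0.5", 40000 + i, "172.31.8.1", 1 + i, 6, 1, 60))
    # Portmap scan: one source, port 111 on 15 hosts of one internal subnet
    for i in range(15):
        flows.append(Flow(base + 10 + 0.1 * i, "10.200.0.9", 41000 + i, f"172.31.8.{20 + i}", 111, 6, 1, 60))
    # SYN flood: one source, 60 tiny flows at one service in 0.6 s
    for i in range(60):
        flows.append(Flow(base + 20 + 0.01 * i, "10.200.0.7", 50000 + i, "172.31.8.2", 80, 6, 1, 44))
    # Distributed SYN flood: 60 sources against one service
    for i in range(60):
        flows.append(Flow(base + 30 + 0.01 * i, f"10.201.0.{i + 1}", 50000, "172.31.8.3", 443, 6, 1, 44))
    # Benign flows (complete sessions: many packets)
    flows.append(Flow(base + 40, "10.200.0.5", 43210, "172.31.8.1", 443, 6, 120, 9000))
    flows.append(Flow(base + 41, "10.200.0.8", 43211, "172.31.8.2", 80, 6, 35, 7000))
    return flows


def windowed_max_distinct(flows, key, distinct, window):
    """Per key, the largest number of distinct distinct(f) values that fall
    inside any window-second span. Needs only consistent pseudonyms and
    preserved intervals, which is what the constraint slides ask to retain."""
    groups = defaultdict(list)
    for f in flows:
        groups[key(f)].append(f)
    result = {}
    for k, recs in groups.items():
        recs.sort(key=lambda f: f.start)
        best, lo = 0, 0
        for hi in range(len(recs)):
            while recs[hi].start - recs[lo].start > window:
                lo += 1
            best = max(best, len({distinct(r) for r in recs[lo:hi + 1]}))
        result[k] = best
    return result


def detect_vertical_scans(flows, window=2.0, min_ports=10):
    """Same source, same destination, many distinct destination ports."""
    counts = windowed_max_distinct(flows, lambda f: (f.src_ip, f.dst_ip), lambda f: f.dst_port, window)
    return {k: n for k, n in counts.items() if n >= min_ports}


def detect_horizontal_scans(flows, window=2.0, min_hosts=10):
    """Same source, same destination port (e.g. portmap), many destination hosts."""
    counts = windowed_max_distinct(flows, lambda f: (f.src_ip, f.dst_port), lambda f: f.dst_ip, window)
    return {k: n for k, n in counts.items() if n >= min_hosts}


def detect_syn_floods(flows, window=1.0, min_flows=50):
    """{(dst_ip, dst_port): (flows_in_window, distinct_sources)} for services
    hit by a burst of tiny TCP flows; distinct_sources > 1 marks it distributed."""
    tiny = [f for f in flows if f.proto == 6 and f.pkts <= 2 and f.bytes <= 80]
    counts = windowed_max_distinct(tiny, lambda f: (f.dst_ip, f.dst_port),
                                   lambda f: (f.src_ip, f.src_port, f.start), window)
    alerts = {}
    for k, n in counts.items():
        if n >= min_flows:
            alerts[k] = (n, len({f.src_ip for f in tiny if (f.dst_ip, f.dst_port) == k}))
    return alerts


def black_mark_dst_ports(flows, marker=0):
    """The stronger port treatment: every destination port becomes one marker."""
    return [replace(f, dst_port=marker) for f in flows]


if __name__ == "__main__":
    log = build_sample()
    print("vertical scans:", detect_vertical_scans(log))
    print("horizontal scans:", detect_horizontal_scans(log))
    print("SYN floods:", detect_syn_floods(log))
    print("vertical scans, ports black-marked:", detect_vertical_scans(black_mark_dst_ports(log)))
    print("SYN floods, ports black-marked:", detect_syn_floods(black_mark_dst_ports(log)))
```

Because each detector keys on pseudonyms rather than real addresses, the MSSP's alert names only the pseudonyms; the customer re-identifies them with its own mapping, which is the "anonymized and re-identifiable" requirement from the constraint tables.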