A Privacy-Preserving Interdomain Audit Framework Adam J. Lee Parisa Tabriz Nikita Borisov University of Illinois, Urbana-Champaign WPES 2006.

Security Auditing
Necessary for the maintenance of secure and robust systems
Logs contain sensitive information
Often performed centrally within one organization

Motivation for Distributed Audit
Coordinated attacks are a growing threat [1]
–Correlated network reconnaissance
–Application-level abuses
But there is still that whole privacy thing…
Privacy-Preserving: Now we can…
Detect coordinated attacks
Avoid single point of failure
Analyze data otherwise protected under privacy legislation
[1] S. Katti, B. Krishnamurthy, and D. Katabi. Collaborating Against Common Enemies. Internet Measurement Conference.

Practical Scenarios
Virtual Organizations
Grid Computing Research Labs
Organizations with multiple sites
Figure: Privacy Policy Spectrum, from Raw Logs to Anonymized Logs, with the position of this work marked

Plan of Action…
1. System Architecture
2. Threat Model
3. Log Obfuscation Techniques
4. Implementation and Evaluation
5. Discussion and Future Work

System Architecture
Figure: Audit Group, Auditor, Organization, Alert!

Threat Model
The Organizations…
–Keep secrets secret
–May try to probe other organizations
The Auditor…
–An “honest, but curious” adversary
–Probabilistic guarantees against a Byzantine adversary

Data Formats
Identifiers (e.g. DEBUG, WARN)
Numbers (e.g. 80, 3.14)
Trees (e.g. )
Partially Ordered Sets (e.g. RBAC systems)
Lists (e.g. packet header fields)

Obfuscation Levels
Full Disclosure
Local Exact Match
Portion Dropping
Local Prefix Match
Local Greater-Than
Basic Numeric Transformations
Local Blinded Arithmetic
Complete Obfuscation

Local Exact Match
Suppose we want an auditor to verify if some message value of a log matches, but not leak any information about the value of that field…
Use a keyed-hash MAC to obfuscate value
–Can only recover original data by brute force search in space of possible values
Figure: log levels Warn, Error, Debug and their obfuscated forms

Local Prefix Match
Suppose we are only interested in certain IP address subnets matching in a log field…
Use the keyed-hash MAC construction on each “portion” of a hierarchical log field.
–Compared to other prefix-preserving schemes, can be done in one pass
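An added Python example (not the paper's GLO code) of the two keyed-MAC constructions from the Local Exact Match and Local Prefix Match slides, auditor-side checks included. The shared key, HMAC-SHA256, the token truncation and the chaining of preceding octets into each portion's MAC are assumptions about details the slides leave open.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared key; in the framework it would come from the audit
# group's key management protocol, which the slides list as future work.
AUDIT_KEY = b"constructed-audit-group-key"

def exact_match_token(value, key=AUDIT_KEY):
    """Local Exact Match: replace a field by its keyed-hash MAC. Equal values
    from organizations sharing the key yield equal tokens, so the auditor can
    test equality without learning the value itself."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def prefix_match_tokens(ip, key=AUDIT_KEY):
    """Local Prefix Match: one pass over the octets, MACing each portion
    together with the portions before it (the chaining is an assumption), so
    two addresses agree on exactly the tokens of their common prefix."""
    tokens, prefix = [], b""
    for octet in ipaddress.IPv4Address(ip).packed:
        prefix += bytes([octet])
        tokens.append(hmac.new(key, prefix, hashlib.sha256).hexdigest()[:8])
    return tokens

def common_prefix_len(tokens_a, tokens_b):
    """Auditor side: number of leading octets two obfuscated addresses share
    (3 means the same /24), computed on the tokens alone."""
    n = 0
    for a, b in zip(tokens_a, tokens_b):
        if a != b:
            break
        n += 1
    return n

def brute_force_recover(token, candidates, key=AUDIT_KEY):
    """The caveat on the slide: for a small value space such as log levels,
    anyone holding the key can invert a token by enumerating candidates."""
    for candidate in candidates:
        if exact_match_token(candidate, key) == token:
            return candidate
    return None
```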

Local Greater-Than
Suppose we want to know if some user belongs to a group role in a system…
Represent a transformed poset as a bloom filter to test set membership
Figure: role poset (User, Student, Staff, Graduate, Undergrad) before and after transformation
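An added Python example (not from the paper) of the Local Greater-Than idea: a logged role is transformed into the set of roles it dominates in the RBAC poset, and that set is stored in a keyed Bloom filter the auditor can query. The hierarchy edges and the use of HMAC-SHA256 as the filter's hash functions are assumptions.

```python
import hashlib
import hmac

# Constructed role hierarchy (child -> parents) using the slide's labels;
# the exact edges of the slide's figure are an assumption.
ROLE_PARENTS = {
    "Graduate": ["Student"], "Undergrad": ["Student"],
    "Student": ["User"], "Staff": ["User"], "User": [],
}

def upset(role, parents=ROLE_PARENTS):
    """Every role that `role` inherits from (dominates), itself included."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, []))
    return seen

class KeyedBloomFilter:
    """Bloom filter whose hash functions are keyed MACs, so only holders of
    the audit-group key can form queries or enumerate the members."""
    def __init__(self, key, m=1024, k=3):
        self.key, self.m, self.k, self.bits = key, m, k, 0

    def _positions(self, item):
        for i in range(self.k):
            d = hmac.new(self.key, f"{i}:{item}".encode(), hashlib.sha256).digest()
            yield int.from_bytes(d[:4], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits |= 1 << pos

    def __contains__(self, item):
        return all(self.bits >> pos & 1 for pos in self._positions(item))

def obfuscate_role(role, key):
    """Organization side: publish the obfuscated up-set of `role`, not the name."""
    bf = KeyedBloomFilter(key)
    for r in upset(role):
        bf.add(r)
    return bf

def dominates(bf, role_to_test):
    """Auditor side: 'logged role >= role_to_test'; false positives possible, false negatives not."""
    return role_to_test in bf
```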

Local Blinded Summation
Suppose we want to provide daily summary reports on intrusions and alerts to all audit members without leaking information about actual statistics.
Use homomorphic encryption
–Given the complexity of homomorphic computation, appropriate for batched processing
Figure: blinded per-organization values summed under encryption
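An added Python example (not the paper's code) of Local Blinded Summation: each organization encrypts its daily alert count, the auditor adds the counts under encryption, and only the key holder decrypts the total. Paillier is assumed as the additively homomorphic scheme, since the slide names none, and the key sizes are demo-sized.

```python
import math
import secrets

def _probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for demo-sized keys."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def paillier_keygen(bits=256):
    """Returns (n, (lambda, mu)) using g = n + 1 and equal-length p, q."""
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c) and c not in primes:
            primes.append(c)
    p, q = primes
    n, lam = p * q, (p - 1) * (q - 1)
    return n, (lam, pow(lam, -1, n))

def encrypt(n, m):
    """Organization side: blind its count m with a fresh random r."""
    n2, r = n * n, secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2

def add_blinded(n, ciphertexts):
    """Auditor side: multiplying ciphertexts adds plaintexts; no count is seen."""
    return math.prod(ciphertexts) % (n * n)

def decrypt(n, priv, c):
    """Key holder (the audit group, not the auditor) recovers the aggregate."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def daily_total(n, priv, counts):
    """Round trip: orgs encrypt, auditor aggregates, key holder decrypts."""
    return decrypt(n, priv, add_blinded(n, [encrypt(n, c) for c in counts]))
```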

A Basic Implementation
Figure: Organization side: IDS Logs, Application Logs, Traffic Logs, GLO; Auditor side: Analysis Engine, Alert Manager, Alert!

Evaluation
On a standard computer…
–P4 2.5GHz Processor, 512M RAM, Linux, blah, blah
The processing rates are reasonable…
–NCSA IDS rates: ~30 records/second
–GLO Fastest: Complete obfuscation on a number, poset, identifier is ~20,000 records/second. Slowest: Prefix-preserving match on a tree is ~7,000 records/second
A typical network log is processed fast enough…
–A log similar to tcpdump processes at ~3,500 records/second

Catching Liars and Cheaters
How do we assure the auditor is running the correct software?
–Trusted computing platforms
How can we detect false or incomplete alarms?
–Sign logs to verify alerts
–Plant fake log sequences
How do we detect probing organizations?
–Define rules to detect gaming

Information Disclosure
Fields in logs are often related
Common knowledge can circumvent obfuscation (the crowd boos)
Choose data fields to be reported carefully
Consider functional dependencies

Future Work
Combating information leakage
Standard log conversion and optimized obfuscation
Investigation into distributed attack detection
Key management protocol for audit group

Cliff’s Notes
Architecture and obfuscation methods for privacy-preserving distributed audit
An encouraging evaluation of obfuscation techniques
Some challenges and incentive for further research
Questions?