Transcript slides - Parisa Tabriz

A Privacy-Preserving
Interdomain Audit Framework
Adam J. Lee Parisa Tabriz
Nikita Borisov
University of Illinois, Urbana-Champaign
Security Auditing
• Necessary for the maintenance of secure
and robust systems
• Logs contain sensitive information
• Often performed centrally within one
organization
Motivation for Distributed Audit
• Coordinated attacks are a growing threat [1]
– Correlated network reconnaissance
– Application-level abuses
• But there is still that whole privacy thing…
Now we can…
Detect coordinated attacks
Avoid single point of failure
Analyze data otherwise protected under privacy
legislation
[1] S. Katti, B. Krishnamurthy, and D. Katabi. Collaborating Against Common
Enemies. Internet Measurement Conference, 2005.
Practical Scenarios
Raw Logs
Privacy Policy
Spectrum
Anonymized Logs
• Virtual Organizations
• Grid Computing
• Research Labs
• Organizations with multiple sites
Plan of Action…
1.
2.
3.
4.
5.
System Architecture
Threat Model
Log Obfuscation Techniques
Implementation and Evaluation
Discussion and Future Work
System Architecture
Alert!
Alert!
Auditor
Organization
Organization
Organization
Audit Group
Threat Model
• The Organizations…
– Keep secrets secret
– May try to probe other organizations
• The Auditor…
– An “honest, but curious” adversary
– Probabilistic guarantees against a Byzantine
adversary
Data Formats
• Identifiers (ie. DEBUG, WARN)
• Numbers (ie. 80, 3.14)
• Trees (ie. 192.168.0.1)
• Partially Ordered Sets (ie. RBAC systems)
• Lists (ie. Packet header fields)
Obfuscation Levels
• Full Disclosure
• Local Exact Match
• Portion Dropping
• Local Prefix Match
• Local Greater-Than
• Basic Numeric Transformations
• Local Blinded Arithmetic
• Complete Obfuscation
Local Exact Match
Suppose we want an auditor to verify if some message
value of a log matches, but not leak any information
about the value of that field…
• Use a keyed-hash MAC to obfuscate value
– Can only recover original data by brute force search
in space of possible values
Warn
Debug
Warn
Warn
Error
Warn
Warn
Error
Debug
Warn
Local Prefix Match
Suppose we are only interested in certain IP address
subnets matching in a log field…
• Use the keyed-hash MAC construction on each
“portion” of a hierarchical log field.
– Compared to other prefix-preserving schemes, can be
done in one pass
192
168
0
1
192
168
0
2
192
168
10
31
Local Greater-Than
Suppose we want to know if some user belongs to a
group role in a system…
• Represent a transformed poset as a bloom filter
to test set membership
User
Staff
Student
Graduate
Undergrad
Local Blinded Summation
Suppose we want to provide daily summary reports on
intrusions and alerts to all audit members without
leaking information about actual statistics.
• Use homomorphic encryption
– Given the complexity of homomorphic computation,
appropriate for batched processing
505
+
134
=
639
A Basic Implementation
IDS Logs
GLO
Application Logs
Traffic Logs
Alert!
Analysis
Engine
Alert
Manager
Organization
Auditor
Evaluation
• On a standard computer…
– P4 2.5GHz Processor, 512M RAM, Linux, blah, blah
• The processing rates are reasonable…
– NCSA IDS rates: ~30 records/second
– GLO
• Fastest: Complete obfuscation on a number, poset, identifier
is ~20,000 records/second.
• Slowest: Prefix-preserving match on a tree is ~7,000
records/second
• A typical network log is processed fast
enough…
– A log similar to tcpdump processes at ~3,500
records/second
Catching Liars and Cheaters
• How do we assure the auditor is running the
correct software?
Trusted computing platforms
• How can we detect false or incomplete alarms?
Sign logs to verify alerts
Plant fake log sequences
• How do we detect probing organizations?
Define rules to detect gaming
Information Disclosure
• Fields in logs are often related
• Common knowledge can circumvent
obfuscation
(the crowd boos)
Choose data fields to be reported carefully
Consider functional dependencies
Future Work
• Combating information leakage
• Standard log conversion and optimized
obfuscation
• Investigation into distributed attack
detection
• Key management protocol for audit group
Cliff’s Notes
• Architecture and obfuscation methods for
privacy-preserving distributed audit
• An encouraging evaluation of obfuscation
techniques
• Some challenges and incentive for further
research