Upload
dorothy-barber
View
219
Download
3
Tags:
Embed Size (px)
Citation preview
A Privacy-Preserving Interdomain Audit
FrameworkAdam J. Lee Parisa Tabriz
Nikita Borisov
University of Illinois, Urbana-Champaign
WPES 2006
Security Auditing
• Necessary for the maintenance of secure and robust systems
• Logs contain sensitive information• Often performed centrally within one
organization
Motivation for Distributed Audit
• Coordinated attacks are a growing threat [1]
– Correlated network reconnaissance– Application-level abuses
• But there is still that whole privacy thing…
[1] S. Katti, B. Krishnamurthy, and D. Katabi. Collaborating Against Common Enemies. Internet Measurement Conference, 2005.
Privacy-Preserving
Now we can…Detect coordinated attacksAvoid single point of failureAnalyze data otherwise
protected under privacy legislation
Practical Scenarios
• Virtual Organizations• Grid Computing• Research Labs• Organizations with multiple sites
Raw Logs Anonymized LogsPrivacy Policy
Spectrum
This
work
Plan of Action…
1. System Architecture2. Threat Model3. Log Obfuscation Techniques4. Implementation and Evaluation5. Discussion and Future Work
System Architecture
Audit Group
Auditor
Organization
Organization
Organization
Alert!Alert!
Threat Model
• The Organizations…– Keep secrets secret– May try to probe other organizations
• The Auditor…– An “honest, but curious” adversary– Probabilistic guarantees against a
Byzantine adversary
Data Formats
• Identifiers (ie. DEBUG, WARN)• Numbers (ie. 80, 3.14)• Trees (ie. 192.168.0.1)• Partially Ordered Sets (ie. RBAC
systems)• Lists (ie. Packet header fields)
Obfuscation Levels
• Full Disclosure• Local Exact Match• Portion Dropping• Local Prefix Match• Local Greater-Than• Basic Numeric Transformations• Local Blinded Arithmetic• Complete Obfuscation
Local Exact Match
Suppose we want an auditor to verify if some message value of a log matches, but not leak any information about the value of that field…
• Use a keyed-hash MAC to obfuscate value– Can only recover original data by brute force
search in space of possible valuesWarn
Warn
Warn
WarnError
Debug
Debug
ErrorWarn
Warn
Local Prefix Match
Suppose we are only interested in certain IP address subnets matching in a log field…
• Use the keyed-hash MAC construction on each “portion” of a hierarchical log field.– Compared to other prefix-preserving schemes,
can be done in one pass
192 168 0 1
192
192
168
168
0
10
2
31
Local Greater-Than
Suppose we want to know if some user belongs to a group role in a system…
• Represent a transformed poset as a bloom filter to test set membership
Student
User
Staff
Graduate Undergrad
Student
User
Staff
Graduate Undergrad
Local Blinded Summation
Suppose we want to provide daily summary reports on intrusions and alerts to all audit members without leaking information about actual statistics.
• Use homomorphic encryption– Given the complexity of homomorphic
computation, appropriate for batched processing
505 134 639+ =
AnalysisEngine
A Basic Implementation
IDS Logs
Application Logs
Traffic Logs
GLO
AlertManager
Organization Auditor
Alert!
Evaluation
• On a standard computer…– P4 2.5GHz Processor, 512M RAM, Linux, blah,
blah• The processing rates are reasonable…
– NCSA IDS rates: ~30 records/second– GLO
• Fastest: Complete obfuscation on a number, poset, identifier is ~20,000 records/second.
• Slowest: Prefix-preserving match on a tree is ~7,000 records/second
• A typical network log is processed fast enough…– A log similar to tcpdump processes at ~3,500
records/second
Catching Liars and Cheaters
• How do we assure the auditor is running the correct software?
Trusted computing platforms• How can we detect false or incomplete
alarms?
Sign logs to verify alertsPlant fake log sequences
• How do we detect probing organizations?
Define rules to detect gaming
Information Disclosure
• Fields in logs are often related• Common knowledge can circumvent
obfuscation
(the crowd boos)
Choose data fields to be reported carefully
Consider functional dependencies
Future Work
• Combating information leakage• Standard log conversion and
optimized obfuscation• Investigation into distributed attack
detection• Key management protocol for audit
group
Cliff’s Notes
• Architecture and obfuscation methods for privacy-preserving distributed audit
• An encouraging evaluation of obfuscation techniques
• Some challenges and incentive for further research
Questio
ns?