A Privacy-Preserving Interdomain Audit Framework
Adam J. Lee, Parisa Tabriz, Nikita Borisov
University of Illinois, Urbana-Champaign
WPES 2006
Security Auditing
• Necessary for the maintenance of secure and robust systems
• Logs contain sensitive information
• Often performed centrally within one organization
Motivation for Distributed Audit
• Coordinated attacks are a growing threat [1]
– Correlated network reconnaissance
– Application-level abuses
• But there is still that whole privacy thing…
[1] S. Katti, B. Krishnamurthy, and D. Katabi. Collaborating Against Common Enemies. Internet Measurement Conference, 2005.
Privacy-Preserving
Now we can…
• Detect coordinated attacks
• Avoid single point of failure
• Analyze data otherwise protected under privacy legislation
Practical Scenarios
• Virtual Organizations
• Grid Computing
• Research Labs
• Organizations with multiple sites
[Figure: privacy policy spectrum running from raw logs to anonymized logs, with "This work" marked on it]
Plan of Action…
1. System Architecture
2. Threat Model
3. Log Obfuscation Techniques
4. Implementation and Evaluation
5. Discussion and Future Work
System Architecture
[Figure: system architecture diagram; labels: Audit Group, Auditor, Organization (three), Alert!]
Threat Model
• The Organizations…
– Keep secrets secret
– May try to probe other organizations
• The Auditor…
– An “honest, but curious” adversary
– Probabilistic guarantees against a Byzantine adversary
Data Formats
• Identifiers (e.g. DEBUG, WARN)
• Numbers (e.g. 80, 3.14)
• Trees (e.g. 192.168.0.1)
• Partially Ordered Sets (e.g. RBAC systems)
• Lists (e.g. packet header fields)
Obfuscation Levels
• Full Disclosure
• Local Exact Match
• Portion Dropping
• Local Prefix Match
• Local Greater-Than
• Basic Numeric Transformations
• Local Blinded Arithmetic
• Complete Obfuscation
Local Exact Match
Suppose we want an auditor to verify if some message value of a log matches, but not leak any information about the value of that field…
• Use a keyed-hash MAC to obfuscate value
– Can only recover original data by brute force search in space of possible values
[Figure: example log entries with the identifier values Warn, Error and Debug]
Local Prefix Match
Suppose we are only interested in certain IP address subnets matching in a log field…
• Use the keyed-hash MAC construction on each “portion” of a hierarchical log field.
– Compared to other prefix-preserving schemes, can be done in one pass
[Figure: the address 192.168.0.1 split into its portions 192, 168, 0 and 1]
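An added example (not code from the talk or the GLO implementation) covering both Local Exact Match and Local Prefix Match with HMAC-SHA256. Assumptions of this example: the key is shared by the organizations and withheld from the auditor, each portion's tag covers the path from the root to that portion, and all function names and sample values are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-audit-group-key"  # constructed sample key

def obfuscate(key, value):
    """Local exact match: deterministic keyed tag for one field value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def obfuscate_tree(key, value, sep="."):
    """Local prefix match: one tag per portion, computed in a single pass.

    Assumption of this example: each tag is taken over the path from the
    root to that portion, so equal octets under different parents differ.
    """
    tags, path = [], []
    for portion in value.split(sep):
        path.append(portion)
        tags.append(obfuscate(key, sep.join(path)))
    return tags

def shared_prefix_len(a, b):
    """Auditor side: count leading portions that match; no key needed."""
    n = 0
    for x, y in zip(a, b):
        if not hmac.compare_digest(x, y):
            break
        n += 1
    return n

def dictionary_recover(key, tag, candidates):
    """The slide's caveat: whoever holds the key can search a small value space."""
    for c in candidates:
        if hmac.compare_digest(obfuscate(key, c), tag):
            return c
    return None

if __name__ == "__main__":
    a = obfuscate_tree(KEY, "192.168.0.1")
    b = obfuscate_tree(KEY, "192.168.10.2")
    print("matching leading portions:", shared_prefix_len(a, b))
    print(dictionary_recover(KEY, obfuscate(KEY, "Warn"), ["Debug", "Warn", "Error"]))
```

Low-cardinality fields such as log levels are therefore hidden from the auditor but not from any party that holds the key.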
Local Greater-Than
Suppose we want to know if some user belongs to a group role in a system…
• Represent a transformed poset as a bloom filter to test set membership
[Figure: role hierarchy with the nodes User, Staff, Student, Graduate and Undergrad]
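An added example (not code from the talk) of one way to realize Local Greater-Than. Assumptions of this example: the "transformed poset" maps each role to the set of roles it implies, the hierarchy edges below are constructed from the slide's role names, and the organizations hand the auditor a keyed probe mask for the role being tested.

```python
import hashlib
import hmac

KEY = b"constructed-audit-group-key"   # constructed sample key
M_BITS, K_HASHES = 1024, 4             # constructed Bloom filter parameters

# Constructed hierarchy (role -> direct parents), using the slide's role names.
PARENTS = {"User": [], "Staff": ["User"], "Student": ["User"],
           "Graduate": ["Student"], "Undergrad": ["Student"]}

def up_set(role):
    """Every role implied by `role`, including itself."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(PARENTS[r])
    return seen

def probe_for(key, role):
    """Organization side: bitmask of the K keyed positions for one role name."""
    mask = 0
    for i in range(K_HASHES):
        d = hmac.new(key, f"{i}:{role}".encode(), hashlib.sha256).digest()
        mask |= 1 << (int.from_bytes(d[:4], "big") % M_BITS)
    return mask

def obfuscate_role(key, role):
    """Organization side: Bloom filter (an int bitmask) holding the role's up-set."""
    bits = 0
    for r in up_set(role):
        bits |= probe_for(key, r)
    return bits

def implies(record_bits, probe_mask):
    """Auditor side: set-membership test. Bloom filters can give false
    positives but never false negatives."""
    return (record_bits & probe_mask) == probe_mask

if __name__ == "__main__":
    student = probe_for(KEY, "Student")
    for role in PARENTS:
        print(role, implies(obfuscate_role(KEY, role), student))
```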
Local Blinded Summation
Suppose we want to provide daily summary reports on intrusions and alerts to all audit members without leaking information about actual statistics.
• Use homomorphic encryption
– Given the complexity of homomorphic computation, appropriate for batched processing
[Figure: 505 + 134 = 639]
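An added example (not code from the talk) of blinded summation over the slide's figures 505 and 134. The slide does not name a scheme; this example assumes Paillier, an additively homomorphic cryptosystem, with a constructed toy key and hypothetical function names.

```python
import math
import secrets

# Constructed toy key built from two known Mersenne primes; real deployments
# need primes of 1024 bits or more.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q                      # public key
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key
MU = pow(LAMBDA, -1, N)        # valid because the generator is g = N + 1

def encrypt(m):
    """Organization side: encrypt one daily count under the public key."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    # g^m * r^N mod N^2, using (N + 1)^m = 1 + m*N (mod N^2)
    return ((1 + m * N) % N2) * pow(r, N, N2) % N2

def add_encrypted(ciphertexts):
    """Auditor side: multiplying ciphertexts adds the hidden plaintexts."""
    total = 1
    for c in ciphertexts:
        total = total * c % N2
    return total

def decrypt(c):
    """Key holder side: recover the plaintext (here, the sum)."""
    return ((pow(c, LAMBDA, N2) - 1) // N) * MU % N

if __name__ == "__main__":
    blinded = [encrypt(505), encrypt(134)]   # counts from the slide's figure
    print(decrypt(add_encrypted(blinded)))
```

The auditor in this sketch never sees 505 or 134, only ciphertexts, and encryption is randomized so equal counts do not produce equal ciphertexts.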
A Basic Implementation
[Figure: implementation diagram; labels: Organization, IDS Logs, Application Logs, Traffic Logs, GLO, Auditor, Analysis Engine, Alert Manager, Alert!]
Evaluation
• On a standard computer…
– P4 2.5GHz Processor, 512M RAM, Linux, blah, blah
• The processing rates are reasonable…
– NCSA IDS rates: ~30 records/second
– GLO
  • Fastest: Complete obfuscation on a number, poset, identifier is ~20,000 records/second
  • Slowest: Prefix-preserving match on a tree is ~7,000 records/second
• A typical network log is processed fast enough…
– A log similar to tcpdump processes at ~3,500 records/second
Catching Liars and Cheaters
• How do we assure the auditor is running the correct software?
– Trusted computing platforms
• How can we detect false or incomplete alarms?
– Sign logs to verify alerts
– Plant fake log sequences
• How do we detect probing organizations?
– Define rules to detect gaming
Information Disclosure
• Fields in logs are often related
• Common knowledge can circumvent obfuscation
(the crowd boos)
Choose data fields to be reported carefully
Consider functional dependencies
Future Work
• Combating information leakage
• Standard log conversion and optimized obfuscation
• Investigation into distributed attack detection
• Key management protocol for audit group
Cliff’s Notes
• Architecture and obfuscation methods for privacy-preserving distributed audit
• An encouraging evaluation of obfuscation techniques
• Some challenges and incentive for further research
Questions?