aligning the conflicting needs of privacy, malware detection and nework protection

1 © Nokia Solutions and Networks 2014

Aligning the Conflicting Needs of Privacy, Malware

Detection and Network Protection

Ian Oliver, Silke Holtmanns

Security Research

Nokia Networks

TrustCom 2015, Helsinki, Finland

21 Aug 2015


Unjustified data collection is a major privacy problem

Public


Except that we have some good reasons….if not good justifications

Public

Criminals, Terrorists

Malware

Theft

Today’s latest, moral and

safety panic…

Porn, Illicit content etc..

Monitoring for malware, network anomalies etc

But reduce the degree of surveillance


Public

Minimise this set as much as possible

Minimise (optimise) the required data

for analysis

All available data

Data collected

Required data

Minimise this set of data

Data collected has a habit of increasing to

all data… …just in case


Public

Problems (for a network infrastructure provider) •How to minimise data •Without compomising necessary analytics

•Malware detection •DDOS detection •LI •…

•How to justifiably increase data collection


Public

•Calculate the privacy risk of a given data set •Map this to a mode of system operation •Operate at the lowest possible mode (implying lowest risk) based upon the current perceived level of danger •Justified and targetted collection and analysis of data

Data

Risk

Mode


Simple Example

Public

Filter Analysis

LOW

Timestamp, IPsrc, IPdest, Protocol, Content, Length

etc…

Diff(Timestamp) K-Anon(IPsrc), K-Anon(Ipdest)

Current mode of operation


Simple Example

Public

Filter Analysis

LOW


etc…

Diff(Timestamp) K-Anon(IPsrc), K-Anon(Ipdest)

Some anomaly is detected

Request to change system mode


Simple Example

Public

Filter Analysis

MED


etc…

Timestamp IPsrc

IPdest [190-210.*.*.*] Protocol = HTTP

Domain(Content_URL)


Simple Example

Public

Filter Analysis


etc…

Timestamp IPsrc

IPdest [190-210.*.*.*] Protocol = HTTP

Domain(Content_URL)

Anomaly is not detected ,

False positive?


LOW


Simple Example

Public

Filter Analysis


etc…

Everything!

Anomaly is detected


HIGH


Public

Hypothesis: If we can calculate the risk from a number of parameters, eg: sensitivity, identifiability etc then we can [partially-]order datasets based on their content


Public

Metricisation of privacy


Public



Public

timestamp IPsrc IPtarg protocol length [port, verb, URL, etc..]

timestamp IPsrc IPtarg timestamp f(IPsrc) f(IPtarg) protocol

timestamp f(IPsrc) f(IPtarg) l-diverse(protocol)

DP(timestamp,e=0.01) f(IPsrc) f(IPtarg) l-diverse(protocol)

DP(timestamp,e=0.001)


Public

Risk and Justification •Prior justification actually lowers risk

•from a legal point of view •The set of criteria for a mode change can be better reasoned about

•the choice of filtering or anonymisation technology can be better made •the degree of anonymisation can be rationalised

Data

Risk

Mode


Public

•Metricisation •Proper ontological support

•aspects of information, eg: type, provenance, purpose, usage, risk, requirements •compositional problems

•Library of techniques •differential privacy (and its suitable parameters) •k-anon,l-div,t-closeness •dynamic data pipeine construction and ordering •quasi-identifiers

Data

Risk

Mode


Summary

Public

•A metrics based framework for justified data collection can be constructed •Requires

•processing methods (and infrastructure) •a metric of risk •ontological support

•Analysis and Mode change

•suitable analysis techniques (ML) that can operate over ’noisy’ or ’low semantic content’ data

•Implementation •NFV, 5G

Data

Risk

Mode


Public

Everything that flows over the

network, IP addresses etc

A select sub-set of that information

according to a given signature

A description of what is required for a given use-case, eg: malware

signatures


Public

Risk that we miss the malware, terrorist etc

increases

This is the process of data

minmisation

Privacy risk decreases as we employ data

minimisation (diff. K-anon etc)


Public

Risk that we miss the malware, terrorist etc

increases

This is the process of data

minmisation

Privacy risk decreases as we employ data

minimisation (diff. K-anon etc)

Increase in happiness of privacy lawyers

Increase in difficulty of monitoring


Public


Public

Privacy Metric (one of potentially many)


Public

Other metrics can be constructed too


Public

Combined Privacy Metric


Public

Hypothesis: If we can calculate the risk from a number of parameters, eg: sensitivity, identifiability etc then we can [partially-]order datasets based on their content

aligning the conflicting needs of privacy, malware detection and nework protection

Technology