Pracis: privacy-preserving and aggregatable cybersecurity information sharing Essay

PRACIS: Privacy-preserving and aggregatable cybersecurity information sharing Adam Kalu Liberty University Technical Communications, ENGR 270 25 February 2019 Background Within the last few years, the number of cybersecurity incidents has significantly increased. A 2016 report by PricewaterhouseCoopers indicates a 38% increase in the number of incidents that have occurred in the year 2015 in terms of the previous year. Those numbers showed approximately 59 million security incidents. What is also noticeable is the growing number in complexity of these incidents. As a means to combat against these emerging threats, several detection and protection mechanisms are being developed. One of them, called Intrusion Detection Systems (IDSs), has received much research attention. However, one major issue with IDSs is that they are not always successful against organized attacks. Because of this a so-called cooperative cyberdefense is fundamental for properly detecting these attacks. In order for this to happen, mechanisms for sharing up-to-date cybersecurity information such as vulnerabilities, or indicators of compromise are preeminent. Cybersecurity Information Sharing (CIS) in particular, has been fostered and encouraged by governments across the globe by means of a number of recent legal initiatives. Despite its benefits, organizations are not willing to share cybersecurity intelligence such as ongoing or past cyber incidents. (This is due to lack of trust in the sharing infrastructure, especially if it is handled by a possible competitor. When it comes to government involvement, companies are inclined to stay anonymous in case of an incident that shows something like personal data being leaked). A serious drawback for the current mechanisms used is that they are not compatible with the CIS infrastructures already used. Therefore, PRACIS (Privacy preserving and Aggregatable Cybersecurity Information Sharing) is introduced as a means to solve this issue. PRACIS: privacy-preserving and aggregatable sharing Phases Setup During the setup phase, all entities are given the appropriate cryptographic material to partake in the information sharing network. Each publisher Di shares two keys with all incident subscribers ISi that are authorized to receive its incidents. The Statistics Subscriber StS also creates a random number per Di, referred to as rDi which enables verifying the incident aggregation. All Di, AF and ISi share a HMAC key (KHMAC) to perform incident integrity checking. The last step of the setup phase is incident subscription. During incident subscription, every ISi subscribe to incidents of its interest. Thanks to encryption, the Message broker AF is oblivious to the exact incident that ISi is subscribing to. Preparation and delivery of security incidents Once an incident takes place in a given Publisher i (Di), it is shared with interested Incident of type ti (Iti). A Structured Threat Information Expression (STIX) incident structure is used to transmit all fields of an incident. The actual values are not stored in each field but only the authorized Incident Subscriber i (Isi) can access the content and enable incident aggregation so that the Statistics Subscriber (StS) can receive incident statistics. The three sensitive attributes: Affected_Asset:Type, Effect and Confidence:Value fields are encrypted applying Format-preserving Encryption (FPE). Forwarding and aggregation of incidents AF processes each message once incidents are sent by Di. To check the integrity of the message, it compares the HMAC of all fields against the value stored in the Victim:id field. If the integrity remains, AF finds ISs subscribed to this type of event. Otherwise, after a maximum of Imax authentic security incidents have been received by AF, it is then aggregated. Decrypting security incidents When an incident forward by AF is received, each ISi needs to decrypt the actual content contained. During verification of the message integrity, its HMAC is computed using KHMAC. If the result is equal to “Victim:id”, the encrypted fields are decrypted by means of format-preserving decryption with KFPE (Di) being Di identified in “Victim:Name”. Aggregation verification Once StS received the the aggregated incident types, it decodes the message contents and verifies that everything is correct. StS simply needs to identify how many bits are commited to each incident type and it proceeds appropriately. It also verifies that aggregated data is clean. If the result matches rsum, the claimed number of incidents received per entity is correct. StS will then accept the data and update Di counters accordingly; On the other hand, if number of incidents is incorrect, data is thrown out. Conclusion Sharing cybersecurity information has been acknowledged to be a key factor in developing cooperative cyberdefense strategies and preparing against cyberthreats. Privacy is vital to encourage cooperation, especially when insecure infrastructures are used to support sharing. This issue is addressed by proposing PRACIS, a protocol that provides privacy-preserving and aggregatable cybersecurity information sharing. PRACIS capitalizes on existing format-preserving and homomorphic encryption techniques and acclimates them to the elements of standard message formats such as STIX. Its usefulness has been evaluated in a real-world setting using a proof-of concept implementation of PRACIS. These results suggest that the costs obtained by PRACIS are easily affordable in real-world scenarios. References de Fuentes, J. M., González-Manzano, L., Tapiador, J., & Peris-Lopez, P. (2017). PRACIS: Privacy-preserving and aggregatable cybersecurity information sharing. Computers & Security, 69, 127-141. doi:10.1016/j.cose.2016.12.011

How to cite this essay: