private sharing of iocs and sightings
play

Private Sharing of IOCs and Sightings (short paper) Tim van de Kamp - PowerPoint PPT Presentation

Oct 03, 2023 •20 likes •410 views

Private Sharing of IOCs and Sightings (short paper) Tim van de Kamp Andreas Peter Maarten Everts Willem Jonker Workshop on Information Sharing and Collaborative Security, 2016 What This Talk Is About: Private Information Sharing

  1. Private Sharing of IOCs and Sightings (short paper) Tim van de Kamp Andreas Peter Maarten Everts Willem Jonker Workshop on Information Sharing and Collaborative Security, 2016

  2. What This Talk Is About: Private Information Sharing Privacy-enhanced information sharing Simple & existing cryptographic techniques Proof-of-concept implementations 2 / 17

  3. Information Sharing in Practice Clear benefits Quicker detection Better protection Improved situational awareness Challenge: Sensitive Data Information leakage due to information shared with a compromised party freedom of information laws Leads to reputation damage notifying and informing attackers 3 / 17

  4. Information Sharing via the Source–Subscriber Model Source intelligence CERT or anti-virus company Subscriber critical infrastructure or other company 4 / 17

  5. Type of Security Information Shared by a Source Source (e.g., CERT or anti-virus company) Indicators of Compromise (IOCs) Description of potentially malicious observables using features (IP address, hash of a malicious file, . . . ). Examples (Indicator of Compromise) fileHash = bbd758d9b26404d9b28957af865d1234 (destIP = 198.51.100.43) ∧ (destPort = 80 ∨ destPort = 443) Course of Action (COA) Measures to be taken to address a specific threat. Example (Course of Action) If IOC #2043 is matched, kill process x and remove files y and z . 5 / 17

  6. Type of Security Information Shared by a Subscriber Subscribers (e.g., critical infrastructures or other companies) Sightings Report of a matched IOC: The observables match the pattern described in the IOC. Example (Sighting) In the previous hour, IOC #175 matched 2 times against our network traffic. 6 / 17

  7. Information Sharing via the Source–Subscriber Model Source CERT or anti-virus company Subscriber critical infrastructure IOCs or other company sightings Indicator of Compromise IP address malicious software hash . . . Sighting Report of a matched IOC 7 / 17

  8. Why Do We Need Private Information Sharing? Source (e.g., CERT or anti-virus company) shares IOCs and COAs Prevent attackers from learning the detection technique Protect the intellectual property of an anti-virus company Subscribers (e.g., critical infrastructures or other companies) share sightings Prevent attackers from learning they are detected Avoid reputation damage 8 / 17

  9. Private Information Sharing through Cryptography PKC symmetric ciphers i O FHE hash functions FE MPC SWHE powerful functionality simple functionality inefficient/slow efficient/fast 9 / 17

  10. Private Information Sharing through Cryptography PKC symmetric ciphers related work i O FHE hash functions FE MPC SWHE powerful functionality simple functionality inefficient/slow efficient/fast 9 / 17

  11. Private Information Sharing through Cryptography PKC this research symmetric ciphers i O FHE hash functions FE MPC SWHE powerful functionality simple functionality inefficient/slow efficient/fast 9 / 17

  12. Scenario for Private IOC Sharing IOC evaluates IOCs on its observables 10 / 17

  13. Scenario for Private IOC Sharing IOC evaluates IOCs on false data Inherent to the Scenario Subscriber can evaluate an IOC with false data. 10 / 17

  14. Our Approach to Private IOC Sharing 1 Write the IOC in disjunctive normal form. (destIP = 198.51.100.43 ∧ destPort = 80) ∨ (destIP = 198.51.100.43 ∧ destPort = 443) 2 Split the IOC rule into subrules at every OR gate. IOC 1 : destIP = 198.51.100.43 ∧ destPort = 80 IOC 2 : destIP = 198.51.100.43 ∧ destPort = 443 3 Concatenate the feature values, choose a salt and the number of iterations, and derive a symmetric encryption key k = KDF ( 198.51.100.43 � 80 , salt , iterations ) Example (Cryptographic IOC) ( AES k ( COA ) , “ destIP , destPort ” , salt , iterations ) 11 / 17

  15. Our Approach to Private IOC Sharing 1 Write the IOC in disjunctive normal form. (destIP = 198.51.100.43 ∧ destPort = 80) ∨ (destIP = 198.51.100.43 ∧ destPort = 443) 2 Split the IOC rule into subrules at every OR gate. IOC 1 : destIP = 198.51.100.43 ∧ destPort = 80 prevents precomputation attacks IOC 2 : destIP = 198.51.100.43 ∧ destPort = 443 3 Concatenate the feature values, choose a salt and the number of iterations, and derive a symmetric encryption key k = KDF ( 198.51.100.43 � 80 , salt , iterations ) Example (Cryptographic IOC) ( AES k ( COA ) , “ destIP , destPort ” , salt , iterations ) 11 / 17

  16. Our Approach to Private IOC Sharing 1 Write the IOC in disjunctive normal form. (destIP = 198.51.100.43 ∧ destPort = 80) ∨ (destIP = 198.51.100.43 ∧ destPort = 443) 2 Split the IOC rule into subrules at every OR gate. IOC 1 : destIP = 198.51.100.43 ∧ destPort = 80 IOC 2 : destIP = 198.51.100.43 ∧ destPort = 443 influences evaluation time 3 Concatenate the feature values, choose a salt and the number of iterations, and derive a symmetric encryption key k = KDF ( 198.51.100.43 � 80 , salt , iterations ) Example (Cryptographic IOC) ( AES k ( COA ) , “ destIP , destPort ” , salt , iterations ) 11 / 17

  17. Private IOC Sharing: Proof-of-Concept Implementation Python wrapper for Bro [CRIPTIM] Key derivation functions: HKDF and PBKDF2 using SHA-256 Encryption using AES Cryptographic overhead: depends on number of iterations Minimal overhead per evaluation (e.g., per network flow): ± 40 µ s per IOC 12 / 17

  18. Scenario for Private Reporting of Sightings x 1 = 4 ( x 1 ) x 2 = 1 7 sightings ( x 2 ) ( x 3 ) ? � i x i x 3 = 0 ( x 4 ) ( x 5 ) x 4 = 2 x 5 = 0 13 / 17

  19. Scenario for Private Reporting of Sightings x 1 = 4 ( x 1 ) x 2 = 1 ( x 2 ) x 1 = ? x 2 = ? ( x 3 ) ? x 3 = ? x 4 = ? x 5 = ? x 3 = 0 ( x 4 ) ( x 5 ) � = 7 x 4 = 2 x 5 = 0 13 / 17

  20. Scenario for Private Reporting of Sightings x 1 = 4 x 2 = 1 x 1 = 4 x 2 = 1 ( x 3 ) ? x 3 = ? x 4 = ? x 5 = ? x 3 = 0 ( x 4 ) ( x 5 ) � = 7 x 4 = 2 x 5 = 0 13 / 17

  21. Properties of Our Approach Source only learns the sum, not the individual values of the subscribers. All subscribers need to contribute to the computation, otherwise the source can learn the individual values � � x j = x i − x i i i ∈ [ n ] \ j Can be used for more specific counts e.g., number of matches being false positive 14 / 17

  22. Proof-of-Concept Implementation of Private Reporting of Sightings Privacy-preserving aggregation scheme [Shi et al. 2011] Python implementation [CRIPTIM] P-256 elliptic curve ( ≈ 128 bit security) Results Encryption time (for a single subscriber): 0 . 58 ms Aggregate ciphertexts and decrypt 0 . 8 Time (ms) 0 . 6 0 . 4 0 . 2 0 20 40 60 80 100 Number of subscribers 15 / 17

  23. Summary Efficient, existing cryptography for private information sharing Cryptographic constructions for practical use IOCs: speed–privacy trade-off (minimal overhead: < 0 . 05 ms) Sightings: encryption and decryption in < 1 ms Outlook Evaluation using real sensitive data, in real systems Other types of information sharing using cryptographic techniques 16 / 17

  24. Questions? Contact: t.r.vandekamp@utwente.nl References [CRIPTIM] Implementations of Private Information Sharing Schemes . CRIPTIM consortium. URL : https://github.com/CRIPTIM/ . [Shi et al. 2011] E. Shi, T. H. Chan, E. G. Rieffel, R. Chow, and D. Song. “Privacy-Preserving Aggregation of Time-Series Data.” In: Proceedings of the Network and Distributed System Security Symposium (NDSS) . 2011. 17 / 17

  25. Appendix Questions 1 Details about Using a Salt Details about Substring Matching Details about Traitor Tracing Privacy-Preserving Aggregation [Shi et al. 2011] A.1

  26. Details about Using a Salt Definition (Salt) A salt is a large, public, random number. Due to the randomness, it is unpredictable. IOCs 1 precomputes many potential IOCs A.2

  27. Details about Using a Salt Definition (Salt) A salt is a large, public, random number. Due to the randomness, it is unpredictable. IOC ( COA ) 2 IOCs A.2

  28. Details about Using a Salt Definition (Salt) A salt is a large, public, random number. Due to the randomness, it is unpredictable. IOC ( COA ) 2 IOCs 3 lookup in precom- puted values A.2

  29. Details about Using a Salt Definition (Salt) A salt is a large, public, random number. Due to the randomness, it is unpredictable. IOC , salt ( COA ) 2’ IOCs A.2

  30. Details about Using a Salt Definition (Salt) A salt is a large, public, random number. Due to the randomness, it is unpredictable. IOC , salt ( COA ) 2’ IOCs 3’ has to recompute for specific salt A.2

  31. Details about Using a Salt Definition (Salt) A salt is a large, public, random number. Due to the randomness, it is unpredictable. IOCs If using a randomized block cipher modes of operation, no salt is needed. question overview A.2

  32. Details about Substring Matching Example (Substring matching) IOC: content=abc ∧ offset=4 ∧ depth=6 ≤ 3 4 5 6 7 8 9 ≥ 10 match? IOC 1 . . . a b c . . . ✗ IOC 2 . . . a b c . . . ✗ IOC 3 . . . a b c . . . ✓ IOC 4 . . . a b c . . . ✗ Observable . . . a b c . . . question overview A.3

  33. Details about Traitor Tracing Example (Traitor Tracing) Include an identifier of the subscriber in the cryptographic IOCs: ( AES k ID ( COA ) , “ ID , destIP , destPort ” , salt , iterations ) question overview A.4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Build an Alien Sightings Dashboard BUILDIN G W EB AP P LICATION S W ITH S H IN Y IN R Kaelen

Build an Alien Sightings Dashboard BUILDIN G W EB AP P LICATION S W ITH S H IN Y IN R Kaelen

Build an Alien Sightings Dashboard BUILDIN G W EB AP P LICATION S W ITH S H IN Y IN R Kaelen Medeiros Data Scientist Alien Sightings Dashboard BUILDING WEB APPLICATIONS WITH SHINY IN R Choices, choices... ui &lt;- fluidPage(

554 views • 41 slides
Scoring model for IoCs by combining open intelligence feeds to reduce false positives Authors:

Scoring model for IoCs by combining open intelligence feeds to reduce false positives Authors:

Scoring model for IoCs by combining open intelligence feeds to reduce false positives Authors: Supervisors: Joao de Novais Marques Jelle Ermerins Leandro Velasco Niek van Noort 1 Introduction Indicators of Compromise (IoCs) identify

349 views • 30 slides
SEEING STARS Using technology to deliver an engaging app to capture meteorite sightings, on

SEEING STARS Using technology to deliver an engaging app to capture meteorite sightings, on

b e s p o k e A R f o r m o b i l e s SEEING STARS Using technology to deliver an engaging app to capture meteorite sightings, on Android and iOS DESERT FIREBALL NETWORK Image credit: DFN 2 HTTP:// BIT.LY/FIREBALLSDL Or search App Store

760 views • 40 slides
TUVALU Map of Tuvalu Source: Te Kakeega, Government of Tuvalu HISTORY in brief First sightings -

TUVALU Map of Tuvalu Source: Te Kakeega, Government of Tuvalu HISTORY in brief First sightings -

TUVALU Map of Tuvalu Source: Te Kakeega, Government of Tuvalu HISTORY in brief First sightings - 1568 (Spaniard Explorer) Traders 1860s Missionaries 1861 (Elekana) Colonisation 1892 (by the British, became Gilbert and Ellice

622 views • 23 slides
Seabird sightings data preparation 200708 to 201819 Yvan Richard Edward Abraham 6 August

Seabird sightings data preparation 200708 to 201819 Yvan Richard Edward Abraham 6 August

Seabird sightings data preparation 200708 to 201819 Yvan Richard Edward Abraham 6 August 2020 Department of Conservation Project CSP12302-1 This presentation is of provisional work, final results may differ. Introduction 2 / 35

601 views • 35 slides
Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy:

Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy:

Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy: use an IDS/IPS snort, suricata, commercial appliances Perform live traffic analysis, or from PCAPs @packetjay IDS scan can easily result

380 views • 7 slides
Turtle: Safe and Private Data Sharing Bogdan C. Popescu Petr Matejka Bruno Crispo Andrew S.

Turtle: Safe and Private Data Sharing Bogdan C. Popescu Petr Matejka Bruno Crispo Andrew S.

Turtle: Safe and Private Data Sharing Bogdan C. Popescu Petr Matejka Bruno Crispo Andrew S. Tanenbaum Vrije Universiteit, Amsterdam Motivation Use p2p for safe sharing of sensitive data an adversary (censor) attempts to prevent this

208 views • 6 slides
International developments in public/private financial information- sharing partnerships

International developments in public/private financial information- sharing partnerships

KEYNOTE ADDRESS: International developments in public/private financial information- sharing partnerships Southern Africa Anti-Money Laundering &amp; Financial Crime Conference 23 &amp; 24 October 2019 at the Indaba Hotel, Johannesburg Nick

453 views • 23 slides
Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson How do we know with whom we are communicating? How do we know

1.21k views • 119 slides
Human Rights and the Olympic Games Ryan Gauthier Assistant Professor, Thompson Rivers University

Human Rights and the Olympic Games Ryan Gauthier Assistant Professor, Thompson Rivers University

Human Rights and the Olympic Games Ryan Gauthier Assistant Professor, Thompson Rivers University October 15, 2019 Today IOCs legitimacy crisis IOCs response Agenda 2020 (2014) Accountability Has the IOC made meaningful

559 views • 19 slides
P i Paired Redundant IOCs Paired Redundant IOCs d R d d t IOC with Redundant Hardware with

P i Paired Redundant IOCs Paired Redundant IOCs d R d d t IOC with Redundant Hardware with

Slide 1 Slide 1 P i Paired Redundant IOCs Paired Redundant IOCs d R d d t IOC with Redundant Hardware with Redundant Hardware ith R d d t H d S A Baily and Eric Bjorklund S. A. Baily and Eric Bjorklund S. A. Baily and Eric Bjorklund

536 views • 15 slides
Summary of Sample analysed Species Number Number Proportion Number Mean tagged of birds of

Summary of Sample analysed Species Number Number Proportion Number Mean tagged of birds of

Summary of Sample analysed Species Number Number Proportion Number Mean tagged of birds of birds re- of re- number of re-sighted sighted (%) sightings re-sightings per bird Cape Vulture 8 6 75 27 3.4 African White-backed 93

290 views • 7 slides
The EPICS IOC Builder Python scripts for generating IOCs. Michael Abbott, Diamond Light Source

The EPICS IOC Builder Python scripts for generating IOCs. Michael Abbott, Diamond Light Source

The EPICS IOC Builder Python scripts for generating IOCs. Michael Abbott, Diamond Light Source Original motivation: a set of classes for generating .db files from Python .db file IOC builder Python Script For example (part of Libera build)

549 views • 21 slides
Risk Sharing Models for Private Healthcare Insurance George Orros CEO, Universal Health

Risk Sharing Models for Private Healthcare Insurance George Orros CEO, Universal Health

IAAHS 2007 IAA Health Section Colloquium 13 th 16 th May 2007 CTICC www.iaahs2007.com Risk Sharing Models for Private Healthcare Insurance George Orros CEO, Universal Health Consultants Key Messages from Paper 1.

471 views • 33 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
ESCRI-SA Knowledge Sharing Sharing Objectives and Components A presentation for the ESCRI-SA

ESCRI-SA Knowledge Sharing Sharing Objectives and Components A presentation for the ESCRI-SA

ESCRI-SA Knowledge Sharing Sharing Objectives and Components A presentation for the ESCRI-SA Knowledge Sharing Reference Group, Meeting 1 February 6, 2018 Knowledge Sharing Plan (KSP) The sharing of knowledge from ARENA funded projects

197 views • 6 slides
Windows Azure Storage A Highly Available Cloud Storage Service with Strong Consistency Brad

Windows Azure Storage A Highly Available Cloud Storage Service with Strong Consistency Brad

Windows Azure Storage A Highly Available Cloud Storage Service with Strong Consistency Brad Calder, Ju Wang, Aaron Ogus, Niranjan Nilakantan, Arild Skjolsvold, Sam McKelvie, Yikang Xu, Shashwat Srivastav, Jiesheng Wu, Huseyin Simitci, Jaidev

530 views • 40 slides
t s

t s

t s q Prss Pr

666 views • 24 slides
SPECIAL THANKS TO: The followi wing individuals, f for sharing g thei eir c consider erable

SPECIAL THANKS TO: The followi wing individuals, f for sharing g thei eir c consider erable

SPECIAL THANKS TO: The followi wing individuals, f for sharing g thei eir c consider erable knowled edge, , time and resources f for this pr presentation. Jim Ra Rankin Reporter/Photographer, The Toronto Star Fr Fred Val allan

768 views • 44 slides
Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org

Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org

Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org May 15, 2013 Luis Pedro Coelho (luis@luispedro.org) Jug Tutorial 0 May 15, 2013 (1 / 24) Problem Brute force a password. Luis Pedro

741 views • 24 slides
Models and Analyses for Image Synthesis Cyril Soler INRIA, LJK, Grenoble University C.Soler

Models and Analyses for Image Synthesis Cyril Soler INRIA, LJK, Grenoble University C.Soler

Introduction Automatic instancing (2006) Fourier Analysis of Light Transport (2005-2014) Conclusion Models and Analyses for Image Synthesis Cyril Soler INRIA, LJK, Grenoble University C.Soler (INRIA) Models and Analyses for Image Synthesis

1.3k views • 103 slides
Solving LPN Using Large Covering Codes Thom Wiggers Radboud University, Nijmegen, The Netherlands

Solving LPN Using Large Covering Codes Thom Wiggers Radboud University, Nijmegen, The Netherlands

Solving LPN Using Large Covering Codes Thom Wiggers Radboud University, Nijmegen, The Netherlands 8th August 2019 Outline Intro Learning Parity with Noise Breaking LPN The covering-codes reduction Covering Codes Combinations of reductions

1.64k views • 146 slides
Simulation of complex geometry in FDS ed tape such as the CityCent Marcos Vanella a,b ,

Simulation of complex geometry in FDS ed tape such as the CityCent Marcos Vanella a,b ,

Simulation of complex geometry in FDS ed tape such as the CityCent Marcos Vanella a,b , Randall McDermott b , Glenn Forney b , Emanuele Gissi C , Kevin McGrattan b a University of Maryland, College Park, MD b National Institute of Standards and

473 views • 19 slides
Revisiting the USPTO Concordance Between the U.S. Patent Classification and the Standard

Revisiting the USPTO Concordance Between the U.S. Patent Classification and the Standard

Revisiting the USPTO Concordance Between the U.S. Patent Classification and the Standard Industrial Classification Systems Jim Hirabayashi, U.S. Patent and Trademark Office The United States Patent and Trademark Office (USPTO), with support from

327 views • 16 slides

More recommend