Privacy-safe network trace sharing via secure queries
Privacy concerns relating to sharing network traces have traditionally been handled via sanitization, which includes removal of sensitive data and IP address anonymization. We argue that sanitization is a poor solution for data sharing that offers insufficient research utility to users and poor privacy guarantees to data providers. We claim that a better balance in the utility/privacy tradeoff, inherent to network data sharing, can be achieved via a new paradigm we propose: secure queries. In this paradigm, a data owner publishes a query language and an online portal, allowing researchers to submit sets of queries to be run on data. Only certain operations are allowed on certain data fields, and in specific contexts. Query restriction is achieved via the provider’s privacy policy, and enforced by the language’s interpreter. Query results, returned to researchers, consist of aggregate information such as counts, histograms, distributions, etc. and not of individual packets. We discuss why secure queries provide higher privacy guarantees and higher research utility than sanitization, and present a design of the secure query language and a privacy policy
Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization
Logs are one of the most fundamental resources to any security professional.
It is widely recognized by the government and industry that it is both
beneficial and desirable to share logs for the purpose of security research.
However, the sharing is not happening or not to the degree or magnitude that is
desired. Organizations are reluctant to share logs because of the risk of
exposing sensitive information to potential attackers. We believe this
reluctance remains high because current anonymization techniques are weak and
one-size-fits-all, or better put, one size tries to fit all. We must develop
standards and make anonymization available at varying levels, striking a
balance between privacy and utility. Organizations have different needs and
trust other organizations to different degrees. They must be able to map
multiple anonymization levels with defined risks to the trust levels they share
with (would-be) receivers. It is not until there are industry standards for
multiple levels of anonymization that we will be able to move forward and
achieve the goal of widespread sharing of logs for security researchers.
Comment: 17 pages, 1 figur
Reduce to the Max: A Simple Approach for Massive-Scale Privacy-Preserving Collaborative Network Measurements (Extended Version)
Privacy-preserving techniques for distributed computation have been proposed
recently as a promising framework in collaborative inter-domain network
monitoring. Several different approaches exist to solve such a class of problems,
e.g., Homomorphic Encryption (HE) and Secure Multiparty Computation (SMC) based
on Shamir's Secret Sharing algorithm (SSS). Such techniques are complete from a
computation-theoretic perspective: given a set of private inputs, it is
possible to perform arbitrary computation tasks without revealing any of the
intermediate results. In fact, HE and SSS can operate also on secret inputs
and/or provide secret outputs. However, they are computationally expensive and
do not scale well in the number of players and/or in the rate of computation
tasks. In this paper we advocate the use of "elementary" (as opposed to
"complete") Secure Multiparty Computation (E-SMC) procedures for traffic
monitoring. E-SMC supports only simple computations with private input and
public output, i.e., it cannot handle secret input nor secret (intermediate)
output. Such a simplification brings a dramatic reduction in complexity and
enables massive-scale implementation with acceptable delay and overhead.
Notwithstanding its simplicity, we claim that an E-SMC scheme is sufficient to
perform a great variety of computation tasks of practical relevance to
collaborative network monitoring, including, e.g., anonymous publishing and set
operations. This is achieved by combining an E-SMC scheme with data structures
like Bloom Filters and bitmap strings.
Comment: This is an extended version of the paper presented at the Third
International Workshop on Traffic Monitoring and Analysis (TMA'11), Vienna,
27 April 201