A roadmap towards improving managed security services from a privacy perspective
This paper proposes a roadmap for how privacy leakages from outsourced managed security services using intrusion detection systems can be controlled. The paper first analyses the risk of leaking private or confidential information from signature-based intrusion detection systems. It then discusses how the situation can be improved by developing adequate privacy enforcement methods and privacy leakage metrics in order to control and reduce the leakage of private and confidential information over time. Such metrics should allow for quantifying how much information is leaking and where these leakages occur, as well as showing what these leakages mean. This includes adding enforcement mechanisms ensuring that operations on sensitive information are transparent and auditable. The data controller or external quality assurance organisations can then verify or certify that the security operation operates in a privacy-friendly manner. The roadmap furthermore outlines how privacy-enhanced intrusion detection systems should be implemented by initially providing privacy-enhanced alarm handling and then gradually extending support for privacy-enhancing operation to other areas such as digital forensics, exchange of threat information and attack detection based on big data analytics.
Keywords: Security; Privacy; Outsourcing; Intrusion detection and prevention systems; Managed security services; Ethical awareness
Thanks to all anonymous reviewers, for challenging questions and good ideas on how to improve the quality of the paper. This work has been partially supported by the project “PRECYSE - Protection, prevention and reaction to cyber-attacks to critical infrastructures”, funded by the European Commission under the FP7 frame programme with contract number FP7-SEC-2012-1-285181 (www.precyse.eu), and partially by Telenor Research and Innovation under the contract DR-2009-1.