
Ethics and Information Technology, Volume 16, Issue 3, pp 227–240

A roadmap towards improving managed security services from a privacy perspective

  • Nils Ulltveit-Moe
Original Paper

Abstract

This paper proposes a roadmap for how privacy leakages from outsourced managed security services using intrusion detection systems can be controlled. The paper first analyses the risk of leaking private or confidential information from signature-based intrusion detection systems. It then discusses how the situation can be improved by developing adequate privacy enforcement methods and privacy leakage metrics in order to control and reduce the leakage of private and confidential information over time. Such metrics should allow for quantifying how much information is leaking and where these information leakages are, as well as showing what these leakages mean. This includes adding enforcement mechanisms ensuring that operation on sensitive information is transparent and auditable. The data controller or external quality assurance organisations can then verify or certify that the security operation operates in a privacy-friendly manner. The roadmap furthermore outlines how privacy-enhanced intrusion detection systems should be implemented by initially providing privacy-enhanced alarm handling and then gradually extending support for privacy-enhancing operation to other areas like digital forensics, exchange of threat information and big data analytics based attack detection.

Keywords

Security; Privacy; Outsourcing; Intrusion detection and prevention systems; Managed security services; Ethical awareness

Notes

Acknowledgments

Thanks to all anonymous reviewers, for challenging questions and good ideas on how to improve the quality of the paper. This work has been partially supported by the project “PRECYSE - Protection, prevention and reaction to cyber-attacks to critical infrastructures”, funded by the European Commission under the FP7 frame programme with contract number FP7-SEC-2012-1-285181 (www.precyse.eu), and partially by Telenor Research and Innovation under the contract DR-2009-1.

Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  1. University of Agder, Grimstad, Norway
