Abstract
Security analytics is a catchall term for vulnerability assessment and intrusion detection leveraging security logs from a wide array of Security Analytics Sources (SASs), which include firewalls, VPNs, and endpoint instrumentation. Today, nearly all security analytics systems suffer from a lack of even basic data protections. An adversary can eavesdrop on SAS outputs and advanced malware can undetectably suppress or tamper with SAS messages to conceal attacks.
We introduce PillarBox, a tool that enforces integrity for SAS data even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth, concealing SAS data and potentially even alerting rules on a compromised host. Using data from a large enterprise and on-host performance measurements, we show experimentally that PillarBox has minimal overhead and is practical for real-world systems.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Ettercap, http://ettercap.sourceforge.net/
Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21, 469–491 (2008)
Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003)
Bowers, K.D., Hart, C., Juels, A., Triandopoulos, N.: PillarBox: Combating next-generation malware with fast forward-secure logging. Cryptology ePrint Archive, Report 2013/625 (2013)
Crosby, S.A., Wallach, D.S.: Efficient data structures for tamper-evident logging. In: USENIX Sec., pp. 317–334 (2009)
Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. on Inf. Theory 29(2), 198–207 (1983)
Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A virtual machine-based platform for trusted computing. In: SOSP, pp. 193–206 (2003)
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
Håstad, J., Jonsson, J., Juels, A., Yung, M.: Funkspiel schemes: An alternative to conventional tamper resistance. In: CCS, pp. 125–133 (2000)
Itkis, G.: Handbook of Inf. Security, Forward Security: Adaptive Cryptography—Time Evolution. John Wiley & Sons (2006)
Karger, P.A.: Securing virtual machine monitors: what is needed? In: ASIACCS, pp. 1–2 (2009)
Kelsey, J., Callas, J., Clemm, A.: RFC 5848: Signed syslog messages (2010)
Kelsey, J., Schneier, B.: Minimizing bandwidth for remote access to cryptographically protected audit logs. In: RAID, p. 9 (1999)
Ma, D., Tsudik, G.: A new approach to secure logging. Trans. Storage 5(1), 2:1–2:21 (2009)
Mandiant. M-trends: The advanced persistent threat (2010), http://www.mandiant.com
Marson, G.A., Poettering, B.: Practical secure logging: Seekable sequential key generators. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 111–128. Springer, Heidelberg (2013)
Oltsik, J.: Defining big data security analytics. Networkworld, 1 (April 2013)
Ristenpart, T., Maganis, G., Krishnamurthy, A., Kohno, T.: Privacy-preserving location tracking of lost or stolen devices: Cryptographic techniques and replacing trusted third parties with DHTs. In: USENIX Sec., pp. 275–290 (2008)
Schneier, B., Kelsey, J.: Cryptographic support for secure logs on untrusted machines. In: USENIX Sec., p. 4 (1998)
Schneier, B., Kelsey, J.: Tamperproof audit logs as a forensics tool for intrusion detection systems. Comp. Networks and ISDN Systems (1999)
Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the Effectiveness of Address-Space Randomization. In: CCS, pp. 298–307 (2004)
Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: CCS, pp. 477–487 (2009)
Waters, B.R., Balfanz, D., Durfee, G., Smetters, D.K.: Building an encrypted and searchable audit log. In: NDSS (2004)
Chen, Y., Chen, Y., Paxson, V., Katz, R.: What’s new about cloud computing security? Technical Report UCB/EECS-2010-5, UC Berkeley (2010)
Yavuz, A.A., Ning, P.: BAF: An efficient publicly verifiable secure audit logging scheme for distributed systems. In: ACSAC, pp. 219–228 (2009)
Yavuz, A.A., Ning, P., Reiter, M.K.: Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 148–163. Springer, Heidelberg (2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Bowers, K.D., Hart, C., Juels, A., Triandopoulos, N. (2014). PillarBox: Combating Next-Generation Malware with Fast Forward-Secure Logging. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-11379-1_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11378-4
Online ISBN: 978-3-319-11379-1
eBook Packages: Computer ScienceComputer Science (R0)