Controlled Data Sharing for Collaborative Predictive Blacklisting

Freudiger, Julien; Cristofaro, Emiliano De; Brito, Alejandro E.

doi:10.1007/978-3-319-20550-2_17

Cited by 22 publications

(42 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Only a few works were found to approach the problem, although with rather simple approaches. For example, collaborative predictive blacklisting has been a subject of research [21,22] with promising results against specific attacks. However, a generic approach similar to early attempts to attack prediction is still an open research problem [3].…”

Section: Related Workmentioning

confidence: 99%

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

Abstract-In this paper, we present an empirical evaluation of an approach to predict attacker's activities based on information exchange and data mining. We gathered the cyber security alerts shared within the SABU platform, in which around 220,000 alerts from heterogeneous geographically distributed sensors (intrusion detection systems and honeypots) are shared every day. Subsequently, we used the methods of sequential rule mining to identify common attack patterns and to derive rules for predicting attacks. As we illustrate in this paper, a collaborative environment allows attack prediction in multiple dimensions. First, we can predict what will the attacker do next and when. Second, we can predict where will the attack hit, e.g., when an attacker is targeting several networks at once. In a weeklong experiment, we processed in total over 1 million alerts, from which we mined predictive rules every day. Our findings show that most of the rules display stable values of support and confidence and, thus, can be used to predict cyber attacks in consecutive days after mining without a need to actualize the rules every day.

show abstract

Section: Related Workmentioning

confidence: 99%

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Husák

Kašpar

2018

2018 14th International Wireless Communications &Amp; Mobile Computing Conference (IWCMC)

View full text Add to dashboard Cite

show abstract

“…Toward this goal, we perform a set of measurements to shed light on (i) how to cluster We experiment with a few clustering algorithms using the number of common attacks as a measure of similarity, which can be computed in a privacy-preserving way, and experiment with privacy-friendly within-clusters sharing strategies, namely, only disclosing the details of common/correlated attacks. Overall, we show that our new hybrid model outperforms [9] in terms of hit counts (4x), while achieving better accuracy than [14] (2x).…”

Section: Introductionmentioning

confidence: 78%

“…We use this dataset both as training and testing sets -more precisely, we consider a sliding window of 5 days for training and 1 day for testing, as done in previous work [9,14].…”

Section: Datasetsmentioning

confidence: 99%

“…First, we reproduce, measure, and compare the centralized (non-private) system by Soldo et al [14] vs the peer-to-peer privacy-friendly one by Freudiger et al [9], using alerts obtained from DShield.org, involving 70 organizations which report an average of 4,000 daily events over a 15-day time window. We finding that the former [14] achieves high hit counts (almost doubling correct predictions compared to no collaboration), but its F1 accuracy is ultimately poor (14%) due to high false positives.…”

Section: Introductionmentioning

confidence: 99%

“…In this paper, we present a measurement study of state-of-the-art CPB techniques, aiming to shed light on the actual impact of collaboration. To this end, we reproduce and measure two systems: a non privacy-friendly one that uses a trusted coordinating party with access to all alerts [14] and a peer-to-peer one using privacy-preserving data sharing [9]. We show that, while collaboration boosts the number of predicted attacks, it also yields high false positives, ultimately leading to poor accuracy.…”

mentioning

confidence: 99%

See 2 more Smart Citations

On collaborative predictive blacklisting

Melis

Pyrgelis

Cristofaro

2019

SIGCOMM Comput. Commun. Rev.

Self Cite

View full text Add to dashboard Cite

Collaborative predictive blacklisting (CPB) allows to forecast future attack sources based on logs and alerts contributed by multiple organizations. Unfortunately, however, research on CPB has only focused on increasing the number of predicted attacks but has not considered the impact on false positives and false negatives. Moreover, sharing alerts is often hindered by confidentiality, trust, and liability issues, which motivates the need for privacy-preserving approaches to the problem. In this paper, we present a measurement study of state-of-the-art CPB techniques, aiming to shed light on the actual impact of collaboration. To this end, we reproduce and measure two systems: a non privacy-friendly one that uses a trusted coordinating party with access to all alerts [14] and a peer-to-peer one using privacy-preserving data sharing [9]. We show that, while collaboration boosts the number of predicted attacks, it also yields high false positives, ultimately leading to poor accuracy. This motivates us to present a hybrid approach, using a semitrusted central entity, aiming to increase utility from collaboration while, at the same time, limiting information disclosure and false positives. This leads to a better trade-off of true and false positive rates, while at the same time addressing privacy concerns. * A preliminary version of this paper appears in ACM SIGCOMM's Computer Communication Review. This is the full version.

show abstract

Nothing Refreshes Like a RePSI: Reactive Private Set Intersection

Cerulli

Cristofaro

Soriente³

2018

Applied Cryptography and Network Security

Self Cite

View full text Add to dashboard Cite

Private Set Intersection (PSI) is a popular cryptographic primitive that allows two parties, a client and a server, to compute the intersection of their private sets, so that the client only receives the output of the computation, while the server learns nothing besides the size of the client's set. A common limitation of PSI is that a dishonest client can progressively learn the server's set by enumerating it over different executions. Although these "oracle attacks" do not formally violate security according to traditional secure computation definitions, in practice, they often hamper real-life deployment of PSI instantiations, especially if the server's set does not change much over multiple interactions. In a first step to address this problem, this paper presents and studies the concept of Reactive PSI (RePSI). We model PSI as a reactive functionality, whereby the output depends on previous instances, and use it to limit the effectiveness of oracle attacks. We introduce a general security model for RePSI in the (augmented) semi-honest model and a construction which enables the server to control how many inputs have been used by the client across several executions. In the process, we also present the first construction of a Size-Hiding PSI (SHI-PSI) protocol in the standard model, which may be of independent interest.

show abstract

Controlled Data Sharing for Collaborative Predictive Blacklisting

Cited by 22 publications

References 21 publications

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

Towards Predicting Cyber Attacks Using Information Exchange and Data Mining

On collaborative predictive blacklisting

Nothing Refreshes Like a RePSI: Reactive Private Set Intersection

Contact Info

Product

Resources

About