(2013). Secure conditional cross-domain data sharing.
Secure conditional cross-domain data sharing
RAJABI, HANIEH
2013-01-01
Abstract
Defensive techniques against Internet-scale attacks can significantly benefit from sharing network security data among different domains. However, cross-domain collaborative security is affected by a native dichotomy. On one side, sharing of monitoring data across domains may significantly help in detecting large-scale threats and attacks; on the other side, data sharing conflicts with the need to protect network customers' privacy and the confidentiality of business and operational information. In this thesis, we address the challenges of sharing network security data and propose two distinct approaches that enable what we call conditional data sharing, i.e., cross-domain sharing of fine-grained, organized subsets of network security data only when a global attack is ongoing in the network and multiple domain contributors are ready to reveal their data for the same incident. In the first, so-called threshold-based approach, we propose a cryptographic construction devised to permit disclosure of cross-domain shared fine-grained subsets of network monitoring data only when a threshold number of domains agree to the disclosure. The proposed approach revolves around a careful combination of distributed threshold cryptography with identity-based encryption. Protection is accomplished by "simply" using different cryptographic keys per monitoring feed, and automatically permitting per-feed key reconstruction upon the occurrence of independent and asynchronous per-domain/per-feed alerts. Because of the rigidity of the threshold-based approach to data disclosure, we significantly extend the underlying cryptographic approach so as to support disclosure not only for threshold-based policies, but for more general (monotone) access structures. We further show that both solutions appear scalable and easy to deploy, requiring neither a-priori identification of the monitoring data feeds nor explicit coordination among domains.
We cast this technique into a realistic scenario: whitelist sharing for DDoS mitigation. Here, domains broadcast, for each possible DDoS target, the set of legitimate customers (client IP addresses) whose traffic should not be blocked while a DDoS attack is in progress. Such a fine-grained whitelist sharing approach, however, appears hardly appealing (to say the least) to operators: not only does the indiscriminate sharing of customers' addresses raise privacy concerns, it also discloses to competitor domains business-critical information on the identity and activity of customers. Appendix A lists my publications related to the three contributions of this PhD thesis.

File | Size | Format | Access
---|---|---|---
HaniehRajabi.pdf | 4.19 MB | Adobe PDF | Authorized users only (license not specified)
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.