Paper 2013/625

PillarBox: Combating next-generation malware with fast forward-secure logging

Kevin D. Bowers, Catherine Hart, Ari Juels, and Nikos Triandopoulos

Abstract

Security analytics is a catchall term for vulnerability assessment in large organizations that captures a new, emerging approach to intrusion detection. It leverages a combination of automated and manual analysis of security logs and alerts that originate from a wide and varying array of sources and are often aggregated into a massive data repository. Such log and alert sources include firewalls, VPNs, and endpoint instrumentation such as intrusion-detection systems, syslog, or other alerting host facilities, which we generically call Security Analytics Sources (SASs). Security analytics are only as good as the data being analyzed. Yet nearly all security analytics systems today lack even basic protections on data collection. By merely monitoring network traffic, an adversary can eavesdrop on SAS outputs to discover sensitive SAS instrumentation and security-alerting behaviors. Moreover, by using advanced malware, an adversary can undetectably suppress or tamper with SAS messages to conceal attack evidence and disrupt intrusion detection. We introduce PillarBox, a tool for securely relaying SAS data in a security analytics system. PillarBox enforces integrity: it secures SAS data against tampering, even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth: it can conceal SAS data, alert-generation activity, and potentially even alerting rules on a compromised host, thus hiding select SAS alerting actions from an adversary. We present an implementation of PillarBox and show experimentally that it can secure messages against attacker suppression, tampering, or discovery even in the most challenging environments, where SASs generate real-time security alerts about a host compromise that directly aims to diminish their alerting power. We also show, based on data from a large enterprise and on-host performance measurements, that PillarBox has minimal overhead and is practical for real-world security analytics systems.
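The integrity property described above rests on forward-secure logging: each buffered entry is authenticated under a per-entry key that is then irreversibly evolved and deleted, so a host compromised afterwards cannot silently rewrite or truncate what was logged before. The following is an added illustration of that primitive (not PillarBox's own code, and it omits the optional stealth/encryption layer): the key schedule, entry format, sample log lines and class names are all constructed for this example.

```python
import hashlib
import hmac
import os


def evolve(key: bytes) -> bytes:
    """One-way key update K_{i+1} = SHA-256("evolve" || K_i); K_i is not recoverable from K_{i+1}."""
    return hashlib.sha256(b"evolve" + key).digest()


class ForwardSecureLog:
    """Host-side buffer: MAC each entry under the current epoch key, then ratchet the key forward.
    After appending entry i the host holds only K_{i+1}, so malware that later takes over
    the host cannot forge a valid tag for entries 0..i (constructed illustration)."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self.entries = []  # list of (index, message, tag)

    def append(self, message: bytes) -> None:
        idx = len(self.entries)
        tag = hmac.new(self._key, idx.to_bytes(4, "big") + message, hashlib.sha256).digest()
        self.entries.append((idx, message, tag))
        self._key = evolve(self._key)  # discard the key that authenticated this entry


def verify(initial_key: bytes, entries, expected_count=None):
    """Collector side: holds K_0, replays the key schedule and checks every tag.
    Returns (ok, first_bad_index); with expected_count it also flags truncation."""
    key = initial_key
    for i, (idx, message, tag) in enumerate(entries):
        expect = hmac.new(key, i.to_bytes(4, "big") + message, hashlib.sha256).digest()
        if idx != i or not hmac.compare_digest(tag, expect):
            return False, i
        key = evolve(key)
    if expected_count is not None and len(entries) != expected_count:
        return False, len(entries)
    return True, None


def demo():
    """Clean log verifies; an alert rewritten by a compromised host and a truncated buffer do not."""
    k0 = os.urandom(32)  # K_0 shared once between host and collector (constructed)
    log = ForwardSecureLog(k0)
    for line in [b"sshd: accepted publickey for ops", b"ids: suspicious outbound beacon (constructed)"]:
        log.append(line)
    ok_clean, _ = verify(k0, log.entries)
    tampered = list(log.entries)
    idx, _, tag = tampered[1]
    tampered[1] = (idx, b"ids: all quiet", tag)  # message changed, but K_1 is already gone
    ok_tampered, bad = verify(k0, tampered)
    ok_truncated, _ = verify(k0, log.entries[:1], expected_count=2)
    return ok_clean, ok_tampered, bad, ok_truncated
```

Running `demo()` returns `(True, False, 1, False)`: the untouched buffer verifies, the rewritten alert is caught at index 1, and dropping the last entry is detected once the collector knows how many entries to expect.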

Note: This is an updated full version which contains new ideas and concepts that have been developed and tested.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. RAID 2014
Keywords
application
implementation
forward-security
logging
data security
Contact author(s)
kevin bowers @ rsa com
History
2014-10-23: last of 2 revisions
2013-09-29: received
Short URL
https://ia.cr/2013/625
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/625,
      author = {Kevin D. Bowers and Catherine Hart and Ari Juels and Nikos Triandopoulos},
      title = {PillarBox: Combating next-generation malware with fast forward-secure logging},
      howpublished = {Cryptology ePrint Archive, Paper 2013/625},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/625}},
      url = {https://eprint.iacr.org/2013/625}
}