Towards privacy-preserving security analytics
Author: Devharsh Trivedi
It has been three decades since
I and the first website arrived on this beautiful blue planet. With a rose
comes thorns; with free streaming comes ads! While the Internet allowed you to
enjoy cat videos, it opened new avenues for crime. The ransomware payment rose
71% from last year, approaching the unprecedented $1 million mark during the first five
months of 2022.
Log anomaly detection with the contemporary encryption schemes
The credit probably goes to your
Security Information and Event Management (SIEM) or Extended Detection and
Response (XDR) provider if you have yet to pay any ransom. Most organizations
outsource their Information Security Operations Center (ISOC) to a cloud
vendor. System and audit logs are collected from all types of stationary or
mobile, thick or thin clients, and fed to these ISOCs to generate alerts for a possible
Incident of Compromise (IoC). These logs are in textual form, and unencrypted
(plaintext) access is required to process them. Not all are created equal; some
vendors are like Amazon and some Apple. The logs may contain sensitive
information about the organization or the customers of the organization, and a
vendor may have enough incentives to monetize this data. Thus, it becomes a
challenge to preserve privacy while outsourcing.
You should consider the following before deployment:
How to preserve the security and privacy of data at rest?
How to safeguard the security and privacy of data in transit?
How to maintain the security and privacy of data during use?
As always, there are two ways to
solve this problem -- by Silicon or Software. While a Trusted Execution
Environment (TEE) achieves the hardware approach for privacy-preserving
operations, the software-based solution is realized by deploying Fully
Homomorphic Encryption (FHE). A TEE is an isolated private enclave inside the
memory, providing integrity and confidentiality for both data and code. In
addition, TEE prevents unauthorized access from other applications, admins,
operating systems, and hypervisors. However, while the TEE looks like the
Kryptonian who will save our world, it has a few Kryptonites. For instance,
TEEs are not supported on older machines, which require hardware upgrades.
Furthermore, it has limitations on the amount of data that can be secured,
e.g., Intel SGX has limited protected memory of 128 MB. Besides, they are
vulnerable to side-channel attacks.
Platform Security Processor
Secure Enclave Processor (SEP)
MultiZone Security for RISC-V
Secure Service Container
Software Guard Extensions
Qualcomm Secure Execution Environment
Hence, I bet my money on team
FHE. Popular FHE schemes are FV/BFV, BGV, CKKS, and TFHE. These schemes have
roots in the mathematical concepts of the hardness of the Ring Learning With
Errors (RLWE) problem, where noise is added during encryption and key generation
to achieve hardness (i.e., security) properties. FV/BFV and BGV schemes are
similar, and the computations are performed on integers; however, CKKS allows
calculations on complex numbers with limited precision. FHE enables you to
perform and preserve computations on encrypted data as if they were done on
Figure 2. Log anomaly detection with Fully Homomorphic Encryption
FHE can be applied to log
anomaly detection problems: organizations can parse and encrypt their
logs before sending them to the ISOC for processing and get an encrypted result
back. Decrypting that result reveals an IoC or alert to the
security admins. Unfortunately, FHE is still at an early stage and suffers from high
computation and communication costs. Also, it only supports limited operations
like addition, subtraction, and multiplication. For further insights on this
topic, read my recent article, "The Future of Cryptography: Performing
Computations on Encrypted Data," ISACA Journal, volume 1, 2023.
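The encrypt, score, decrypt round trip described above, as an added example that is not the author's code. It swaps in a toy symmetric somewhat-homomorphic scheme over the integers (in the style of van Dijk et al.) for the RLWE schemes named in the article, with parameter sizes that are not secure. The feature names, weights, threshold and log lines are constructed assumptions.

```python
import secrets

T = 1 << 32  # plaintext modulus; scores must stay inside (-T/2, T/2]
FEATURES = ["failed_login", "sudo", "new_device"]  # hypothetical parsed event types
WEIGHTS, THRESHOLD = [5, 3, 8], 20                 # hypothetical linear model

SAMPLE_LOGS = [  # constructed log lines
    "02:11:07 host1 sshd failed_login user=alice",
    "02:11:09 host1 sshd failed_login user=alice",
    "02:11:12 host1 sshd failed_login user=alice",
    "02:11:15 host1 sshd failed_login user=alice",
    "02:12:01 host1 sshd new_device user=alice",
    "02:12:30 host1 sudo user=alice cmd=/bin/cat",
]

def keygen(bits=512):
    # Secret key: a large odd integer p (toy size, not a secure parameter)
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def encrypt(p, m, noise_bits=16, mask_bits=256):
    # c = m + T*r + p*q: r is fresh noise, p*q masks the value modulo p
    r = secrets.randbits(noise_bits)
    q = secrets.randbits(mask_bits) + 1
    return m + T * r + p * q

def centered(x, n):
    # Representative of x mod n in (-n/2, n/2]
    x %= n
    return x - n if x > n // 2 else x

def decrypt(p, c):
    # Correct only while the accumulated noise stays below p/2
    return centered(centered(c, p), T)

def featurize(lines):
    # Client side: parse plaintext logs into per-feature counts
    return [sum(f in line for line in lines) for f in FEATURES]

def isoc_score(enc):
    # ISOC side: sees ciphertexts only; uses just add, subtract, multiply
    linear = sum(w * c for w, c in zip(WEIGHTS, enc))
    interaction = enc[0] * enc[2]  # ciphertext x ciphertext multiply
    return linear + interaction - THRESHOLD

def client_round_trip(lines):
    p = keygen()
    enc = [encrypt(p, x) for x in featurize(lines)]
    score = decrypt(p, isoc_score(enc))
    return score, score > 0  # threshold comparison happens after decryption
```

The comparison against zero is done by the client after decryption because the server-side arithmetic is restricted to the three operations the article lists.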
About the author: Devharsh Trivedi is a
Ph.D. candidate at Stevens Institute of Technology, NJ. His research areas of interest are
Cybersecurity and Machine learning. He worked as a senior software engineer at
Oracle and Philips and enjoys volunteering at the ISACA NYM chapter and Positive
Please feel free to connect with him on LinkedIn and ResearchGate.
Author's note: The opinions
expressed are the author's views and do not represent those of the organization
or any of the certification bodies he is affiliated with.