Towards privacy-preserving security analytics

Title: Towards privacy-preserving security analytics

Author: Devharsh Trivedi

 

 

It has been three decades since I and the first website arrived on this beautiful blue planet. With a rose comes thorns; with free streaming comes ads! While the Internet allowed you to enjoy Cat videos, it opened new avenues for crimes. The ransomware payment rose 71% from last year, approaching the unprecedented $1 million mark during the first five months of 2022.

 

Figure 1. Log anomaly detection with the contemporary encryption schemes

The credit probably goes to your Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) provider if you have yet to pay any ransom. Most organizations outsource their Information Security Operations Center (ISOC) to a cloud vendor. System and audit logs are collected from all types of stationary or mobile, thick or thin clients, and fed to these ISOCs to generate alerts for a possible Incident of Compromise (IoC). These logs are in textual form, and unencrypted (plaintext) access is required to process them. Not all are created equal; some vendors are like Amazon and some Apple. The logs may contain sensitive information about the organization or the customers of the organization, and a vendor may have enough incentives to monetize this data. Thus, it becomes a challenge to preserve privacy while outsourcing.

 

It would help if you contemplated the following before deployment:

• How to preserve the security and privacy of data at rest?
• How to safeguard the security and privacy of data in transit?
• How to maintain the security and privacy of data during use?

 

As always, there are two ways to solve this problem -- by Silicon or Software. While a Trusted Execution Environment (TEE) achieves the hardware approach for privacy-preserving operations, the software-based solution is realized by deploying Fully Homomorphic Encryption (FHE). A TEE is an isolated private enclave inside the memory, providing integrity and confidentiality for both data and code. In addition, TEE prevents unauthorized access from other applications, admins, operating systems, and hypervisors. However, while the TEE looks like the Kryptonian who will save our world, it has a few Kryptonites. For instance, TEEs are not supported for older machines requiring hardware upgrades. Furthermore, it has limitations on the amount of data that can be secured, e.g., Intel SGX has limited protected memory of 128 MB. Besides, they are vulnerable to side-channel attacks.

 

Vendor	TEE Technology
AMD	Platform Security Processor (PSP)
Apple	Secure Enclave Processor (SEP)
ARM	Trustzone
Google	Titan M
Hex Five	MultiZone Security for RISC-V
Huawei	iTrustee
IBM	Secure Service Container
Intel	Software Guard Extensions (SGX)
Qualcomm	Qualcomm Secure Execution Environment (QSEE)
Samsung	TEEGRIS
Trustonic	Kinibi

 

Hence, I bet my money on team FHE. Popular FHE schemes are FV/BFV, BGV, CKKS, and TFHE. These schemes have roots in the mathematical concepts of the hardness of the Ring Learning With Errors (RLWE) problem, where noise is added during encryption and key generation to achieve hardness (i.e., security) properties. FV/BFV and BGV schemes are similar, and the computations are performed on integers; however, CKKS allows calculations on complex numbers with limited precision. FHE enable you to perform and preserve computations on encrypted data as if they were done on unencrypted data.

 

Figure 2. Log anomaly detection with Fully Homomorphic Encryption

FHE can be applied to log anomaly detection problems as the organizations can parse and encrypt their logs before sending them to ISOC for processing and get an encrypted result back, decrypting which results in the knowledge of an IoC or alert to the security admins. But, unfortunately, FHE, at an early stage, suffers from high computation and communication costs. Also, it only supports limited operations like Addition, Subtraction, and Multiplication. For further insights on this topic, read my recent article, "The Future of Cryptography: Performing Computations on Encrypted Data," ISACA Journal, volume 1, 2023.

 

About the author: Devharsh Trivedi is a Ph.D. candidate at Stevens Institute of Technology, NJ. His research areas of interest are Cybersecurity and Machine learning. He worked as a senior software engineer at Oracle and Philips and enjoys volunteering at the ISACA NYM chapter and Positive Planet US. Please feel free to connect with him on LinkedIn and ResearchGate.

 

Author's note: The opinions expressed are the author's views and do not represent those of the organization or any of the certification bodies he is affiliated with.