Cryptology ePrint Archive: Report 2013/625

PillarBox: Combating next-generation malware with fast forward-secure logging

Kevin D. Bowers and Catherine Hart and Ari Juels and Nikos Triandopoulos

Abstract: Security analytics is a catchall term for vulnerability assessment in large organizations capturing a new emerging approach to intrusion detection. It leverages a combination of automated and manual analysis of security logs and alerts which originate from a wide and varying array of sources and are often aggregated into a massive data repository. Such log and alert sources include firewalls, VPNs, and endpoint instrumentation, such as intrusion-detection systems, syslog or other alerting host facilities, that we generically call Security Analytics Sources (SASs).

Security analytics are only as good as the data being analyzed. Yet nearly all security analytics systems today suffer from a lack of even basic protections on data collection. By merely monitoring network traffic, an adversary can eavesdrop on SAS outputs to discover sensitive SAS instrumentation and security-alerting behaviors. Moreover, by using advance malware, an adversary can undetectably suppress or tamper with SAS messages to conceal attack evidence and disrupt intrusion detection.

We introduce PillarBox, a tool for securely relaying SAS data in a security analytics system. PillarBox enforces integrity: It secures SAS data against tampering, even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth: It can conceal SAS data, alert-generation activity, and potentially even alerting rules on a compromised host, thus hiding select SAS alerting actions from an adversary.

We present an implementation of PillarBox and show experimentally that it can secure messages against attacker suppression, tampering or discovery even in the most challenging environments where SASs generate real-time security alerts related to a host compromise directly targeting to diminish their alerting power. We also show, based on data from a large enterprise and on-host performance measurements, that PillarBox has minimal overhead and is practical for real-world security analytics systems.

Category / Keywords: cryptographic protocols / application, implementation, forward-security, logging, data security

Original Publication (with major differences): RAID 2014

Date: received 27 Sep 2013, last revised 18 Sep 2014

Contact author: kevin bowers at rsa com

Available format(s): PDF | BibTeX Citation

Note: This is an updated full version which contains new ideas and concepts that have been developed and tested.

Version: 20140918:205853 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]