Private Packet Filtering Searching for Sensitive Indicators without Revealing the Indicators in Collaborative Environments

<p> Private Packet Filtering (PPF) is a new capability that preserves the confidentiality of sensitive attack indicators, and retrieves network packets that match those indicators without revealing specific indicators or the matching packets. The capability is achieved through the introduction...

Full description

Bibliographic Details
Main Author: Oehler, Michael John
Language:EN
Published: University of Maryland, Baltimore County 2014
Subjects:
Online Access:http://pqdtopen.proquest.com/#viewpdf?dispub=3609975
Description
Summary:<p> Private Packet Filtering (PPF) is a new capability that preserves the confidentiality of sensitive attack indicators, and retrieves network packets that match those indicators without revealing specific indicators or the matching packets. The capability is achieved through the introduction of a high-level language, a conjunction operator that expands the breadth of the language, a simulation of the document detection and recovery rates of the output buffer, and through a description of applicable system facets. Fundamentally, PPF adapts the private stream search system defined by Ostrovsky and Skeith which uses the (partial) homomorphic property of the Paillier cryptosystem. </p><p> PPF is intended for use in a collaborative environment involving a cyber defender and a partner: The defender has access to a set of sensitive indicators, and is willing to share some of those indicators with the partner. The partner has access to network data, and is willing to share that data. Neither is willing to provide full access. Using the language, the defender creates an encrypted form of the sensitive indicators, and passes the encrypted indicators to the partner. The partner then uses the encrypted indicators to filter packets, and returns an encrypted packet capture file. The partner does not decrypt the indicators and cannot identify which packets matched. The defender decrypts, reassembles the matching packets, gains situational awareness, and notifies the partner of any packets that matched an attack indicator. In this sense, the defender reveals only the matched indicator and retains control of all other indicators. PPF allows both parties to gain situational awareness of malicious activity, and to retain control without exposing every indicator or all network data. </p><p> Ostrovsky and Skeith introduced the notion of private stream searching in 2005. Their private search system is clever, uses a list of encrypted ones and zeroes to select matching documents, and an output buffer to accumulate non-matching documents as a summation of plaintext zeroes. This buffer optimizes the communication cost of the search and assures that non-matching documents are not transmitted back to client performing the performing search. </p><p> Using our PPF language, a cyber defender gains access to the underlying private stream search system without significant knowledge of the system or the complexity of its cryptographic methods. The language thus provides a standard representation of a private query for packet filtering that resolves data organization issues and encourages the development of inter-operable implementations. A high level language for private stream searching has not been previously presented.</p>