PillarBox: Combating next-generation malware with fast forward-secure logging

Kevin D. Bowers, Catherine Hart, Ari Juels, Nikos Triandopoulos

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

17 Scopus citations

Abstract

Security analytics is a catchall term for vulnerability assessment and intrusion detection leveraging security logs from a wide array of Security Analytics Sources (SASs), which include firewalls, VPNs, and endpoint instrumentation. Today, nearly all security analytics systems suffer from a lack of even basic data protections. An adversary can eavesdrop on SAS outputs and advanced malware can undetectably suppress or tamper with SAS messages to conceal attacks. We introduce PillarBox, a tool that enforces integrity for SAS data even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth, concealing SAS data and potentially even alerting rules on a compromised host. Using data from a large enterprise and on-host performance measurements, we show experimentally that PillarBox has minimal overhead and is practical for real-world systems.

Original language: English
Title of host publication: Research in Attacks, Intrusions, and Defenses - 17th International Symposium, RAID 2014, Proceedings
Pages: 46-67
Number of pages: 22
DOIs
State: Published - 2014
Event: 17th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2014 - Gothenburg, Sweden
Duration: 17 Sep 2014 to 19 Sep 2014

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 8688 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 17th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2014
Country/Territory: Sweden
City: Gothenburg
Period: 17/09/14 to 19/09/14

Keywords

  • Security analytics
  • forward-secure logging
  • log integrity and secrecy
  • secure chain of custody
  • self-protecting alerting
