TY - GEN
T1 - PillarBox
T2 - 17th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2014
AU - Bowers, Kevin D.
AU - Hart, Catherine
AU - Juels, Ari
AU - Triandopoulos, Nikos
PY - 2014
Y1 - 2014
N2 - Security analytics is a catchall term for vulnerability assessment and intrusion detection leveraging security logs from a wide array of Security Analytics Sources (SASs), which include firewalls, VPNs, and endpoint instrumentation. Today, nearly all security analytics systems suffer from a lack of even basic data protections. An adversary can eavesdrop on SAS outputs and advanced malware can undetectably suppress or tamper with SAS messages to conceal attacks. We introduce PillarBox, a tool that enforces integrity for SAS data even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth, concealing SAS data and potentially even alerting rules on a compromised host. Using data from a large enterprise and on-host performance measurements, we show experimentally that PillarBox has minimal overhead and is practical for real-world systems.
AB - Security analytics is a catchall term for vulnerability assessment and intrusion detection leveraging security logs from a wide array of Security Analytics Sources (SASs), which include firewalls, VPNs, and endpoint instrumentation. Today, nearly all security analytics systems suffer from a lack of even basic data protections. An adversary can eavesdrop on SAS outputs and advanced malware can undetectably suppress or tamper with SAS messages to conceal attacks. We introduce PillarBox, a tool that enforces integrity for SAS data even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth, concealing SAS data and potentially even alerting rules on a compromised host. Using data from a large enterprise and on-host performance measurements, we show experimentally that PillarBox has minimal overhead and is practical for real-world systems.
KW - Security analytics
KW - forward-secure logging
KW - log integrity and secrecy
KW - secure chain of custody
KW - self-protecting alerting
UR - http://www.scopus.com/inward/record.url?scp=84906777526&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84906777526&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-11379-1_3
DO - 10.1007/978-3-319-11379-1_3
M3 - Conference contribution
AN - SCOPUS:84906777526
SN - 9783319113784
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 46
EP - 67
BT - Research in Attacks, Intrusions, and Defenses - 17th International Symposium, RAID 2014, Proceedings
Y2 - 17 September 2014 through 19 September 2014
ER -