Privacy-Preserving Collaborative Anomaly Detection
Citations: | 6 - 0 self |
Citations
13211 | The Nature of Statistical Learning Theory
- Vapnik
- 1995
Citation Context ... $\mathrm{sign}\left(\sum_k w_k p_k(x) - \theta\right)$. However, deployment considerations will determine the best operating threshold for a given operating point. Supervised linear classifiers such as Support Vector Machines (SVMs) =-=[79]-=-, Adaboost [69] and Maximum Entropy [19] have been successfully applied to many such problems. There are two primary reasons for this. First, the convex optimization problem is guaranteed to converge ... |
1511 | The Sybil Attack
- Douceur
- 2002
Citation Context ...aspect, we insist on providing security against any coalition of an arbitrary number of participants together with the database. This is essential as otherwise the database can perform a Sybil attack =-=[18]-=-, i.e., create many dummy participants and use their views, together with his own view, to reveal sensitive information. Similarly, we require security against any coalition of the proxy and the parti... |
1229 | Tor: The second-generation onion router
- Dingledine, Mathewson, et al.
- 2004
Citation Context ...n-profit entities tasked with providing such functionality. For example, Google (which already plays a role in bot and malware detection [32]) or the EFF (which has funded anonymity tools such as Tor =-=[17]-=-), which themselves have no incentive to collude. It should be emphasized that the proxy and database are not treated as trusted parties: we only assume that they will not collude. Using a semi-centra... |
938 | Improved boosting algorithms using confidence-rated predictions
- Schapire, Singer
- 1999
Citation Context ...(x)−θ). However, deployment considerations will determine the best operating threshold for a given operating point. Supervised linear classifiers such as Support Vector Machines (SVMs) [79], Adaboost =-=[69]-=- and Maximum Entropy [19] have been successfully applied to many such problems. There are two primary reasons for this. First, the convex optimization problem is guaranteed to converge and optimizatio... |
815 | Protocols for secure computations
- Yao
- 1982
Citation Context ...techniques like hashing input keys [27, 4], while efficient, cannot ensure keyword and participant privacy. In contrast, the secure multi-party computation protocols from the cryptographic literature =-=[85, 23, 57, 47, 26, 25, 42, 50, 7]-=- would allow us to achieve our security goals, but are not practical at the scale we have in mind. [82] has a similar intent to our work, but provides much weaker privacy properties (e.g., keys are kn... |
735 | Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context ...ing the first entry (resp. second entry) by $g^{b'}$ (resp. $h^{b'}$) where $b'$ is chosen randomly from $\mathbb{Z}_p^*$. Finally, a zero-knowledge proof for knowing the decryption of a given ciphertext is described in =-=[71]-=-. The scheme adds only 3 exponentiations and does not increase the overall round complexity as it can be applied in parallel to the EOPRF protocol. Naor-Reingold PRF [59]. The key s of the function Fs... |
699 | Consistent hashing and random trees: Distributed caching protocols for relieving hot spots
- Karger, Lehman, et al.
- 1997
Citation Context ... privacy, while the database offers flexibility in any computation over a key’s values T[ki] and scalability through traditional replication and data-partitioning techniques (e.g., consistent hashing =-=[40]-=-). 4.2.3 Security Assumptions and Definitions We now motivate and clarify some design decisions related to our security assumptions and privacy definitions. Roughly speaking, our final protocol defend... |
555 | Private Information Retrieval
- Chor, Goldreich, et al.
- 1995
Citation Context ...bot and malware detection [32]) or the EFF (which has funded anonymity tools such as Tor [17]), who have no incentive to collude. Such a separation of trust appears in several cryptographic protocols =-=[12]-=-, and even in some natural real-world scenarios, such as Democrats and Republicans jointly comprising election boards in the U.S. political system. It should be emphasized that the proxy and database ... |
522 | Privacy preserving data mining
- Lindell, Pinkas
- 2002
Citation Context ...techniques like hashing input keys [27, 4], while efficient, cannot ensure keyword and participant privacy. In contrast, the secure multi-party computation protocols from the cryptographic literature =-=[85, 23, 57, 47, 26, 25, 42, 50, 7]-=- would allow us to achieve our security goals, but are not practical at the scale we have in mind. [82] has a similar intent to our work, but provides much weaker privacy properties (e.g., keys are kn... |
379 | How to exchange secrets by oblivious transfer
- Rabin
- 1981
Citation Context ...s m values $(s_1, \ldots, s_m)$ chosen randomly from $\mathbb{Z}_p^*$. Given m-bit string $k = x_1 \ldots x_m$, the value of $F_s(k)$ is $g^{\prod_{x_i = 1} s_i}$, where the exponentiation is computed in the group G. Oblivious-Transfer =-=[66, 58]-=-. To implement the sub protocol of Step 1, we will need an additional cryptographic tool called Oblivious Transfer (OT). In an OT protocol, we have two parties: sender and receiver. The sender holds t... |
362 | Diagnosing network-wide traffic anomalies
- Lakhina, Crovella, et al.
- 2004
Citation Context ... to correlate observations from various vantage points in order to improve anomaly detection. The majority of this work has analyzed traffic traces and leveraged general statistical techniques, e.g., =-=[45]-=-. While these techniques have shown promise for intra-network anomaly detection, they have not been extended to cross-organizational settings where there will be many more vantage points and thus the c... |
324 | Internet quarantine: Requirements for containing self-propagating code
- Moore, Shannon, et al.
- 2003
Citation Context ...rk to detect or filter malicious activity in isolation. In order to counter this emerging threat, previous work has proposed that victim sites collaborate to build a shared defense against attacks =-=[39, 56, 75, 4]-=-. While the notion of victim collaboration has been previously proposed in the literature, the extent to which it improves our ability to detect and isolate malicious traffic has not been rigorously e... |
320 | Mining anomalies using traffic feature distributions
- Lakhina, Crovella, et al.
- 2005
Citation Context ...ed to flag deviations from baseline behavior of network traffic learned through various unsupervised methods, including clustering, Bayesian networks, PCA analysis and spectral methods; see, e.g., =-=[46, 73, 2, 76, 86, 6]-=-. Our approach is different from these: rather than alarming unknown unusual events based on deviation from observed norms, we regard the set of events alerted by packet rules as representing the most... |
304 | A Signal Analysis of Network Traffic Anomalies - Barford, Kline, et al. - 2002 |
296 | Efficient private matching and set intersection - Freedman, Nissim, et al. - 2004 |
290 | Understanding the Network-level Behavior of Spammers
- Ramachandran, Feamster
- 2006
Citation Context ...via Internet worms. Such compromised hosts are called bots—because they are “robots” which can be controlled—and large collections of bots are referred to as botnets [16]. Bots can be used for spam =-=[31, 68]-=-, DoS attacks [72], pump-and-dump schemes [1], click fraud [60, 51, 53], identity theft [8, 13], and a slew of other illicit actions [24, 35, 5]. There is strong reason to believe that the status quo ... |
271 | Internet Traffic Classification Using Bayesian Analysis Techniques.
- Moore, Zuev
- 2005
Citation Context ...lasses via clustering of flow features and derivation of heuristics for packet-based identification [9]; semi-supervised learning from marked flow data [22] and supervised learning from flow features =-=[54, 37]-=-. 2.3 A Packet Signature Taxonomy We adopt the following model and classification for packet rules. A packet rule is specified by a set of predicates that are combined through logical AND and OR opera... |
270 | Inside the slammer worm
- Moore, Paxson, et al.
- 2003
Citation Context ... policy, are two key applications. Many types of unwanted traffic can be identified by rules that match known signatures. Rules may match on a packet’s header, payload, or both. The 2003 Slammer Worm =-=[55]-=-, which exploited a buffer overflow vulnerability in the Microsoft SQL server, was matchable to a signature comprising both packet header fields and payload patterns. Packet inspection can be carried ... |
269 | The chubby lock service for loosely-coupled distributed systems
- Burrows
- 2006
Citation Context ...domains. In our current implementation, all proxies register with a single group membership server, although a distributed group membership service could be implemented for additional fault tolerance =-=[11, 84]-=-. To discover a client-facing proxy, a client contacts this group membership service, which returns a proxy IP address in round-robin order (this could be replaced by any technique for server selectio... |
230 | Oblivious Transfer and Polynomial Evaluation
- Naor, Pinkas
- 1999
Citation Context ...techniques like hashing input keys [27, 4], while efficient, cannot ensure keyword and participant privacy. In contrast, the secure multi-party computation protocols from the cryptographic literature =-=[85, 23, 57, 47, 26, 25, 42, 50, 7]-=- would allow us to achieve our security goals, but are not practical at the scale we have in mind. [82] has a similar intent to our work, but provides much weaker privacy properties (e.g., keys are kn... |
193 | DNS performance and the effectiveness of caching.
- Jung, Sit, et al.
- 2002
Citation Context ...1]) in the presence of “man-in-the-middle” attacks. Such environments present potentially larger scaling challenges due to the potentially large number of keys that could be inserted. According to =-=[38]-=-, most hosts execute fewer than 15 DNS lookups per hour, and according to [70], ssh hosts rarely authenticate with more than 30 remote hosts over long periods of time. Here, we envision our system cou... |
169 | The Foundations of Cryptography, Basic Applications
- Goldreich
- 2004
Citation Context ...hat the protocol leaks no more information than an ideal implementation that uses a trusted third party. This convention is standard in secure multi-party computation; further details can be found in =-=[30]-=-. • Efficiency: The system should scale to large numbers of participants, each generating and inputting large numbers of observations (key-value tuples). The system should be scalable both in terms... |
164 | Client-side defense against web-based identity theft.
- Chou, Ledesma, et al.
- 2004
Citation Context ... be controlled—and large collections of bots are referred to as botnets [16]. Bots can be used for spam [31, 68], DoS attacks [72], pump-and-dump schemes [1], click fraud [60, 51, 53], identity theft =-=[8, 13]-=-, and a slew of other illicit actions [24, 35, 5]. There is strong reason to believe that the status quo provides the three necessary ingredients to ensure that the problem of unwanted traffic cannot ... |
152 | Bro: A System for Detecting Network
- Paxson
- 1999
Citation Context ...sed on single packet alarms produced by Snort, our approach could in principle be applied to learn from flow records alone, alarms generated by multipacket/flow events of the type monitored by Bro =-=[62]-=-. Alert message Number of flows Average Precision for wkA-B (week A=train, B=test) over weeks 1-2 Baseline Drift Sampling total unique wk1-2 wk2-3 wk1-3 wk1-4 wk1-2 wk2-3 Header ICMP Dest. Unrea... |
151 | Fairplaymp: a system for secure multi-party computation
- Ben-David, Nisan, et al.
- 2008
Citation Context ...techniques like hashing input keys [27, 4], while efficient, cannot ensure keyword and participant privacy. In contrast, the secure multi-party computation protocols from the cryptographic literature =-=[85, 23, 57, 47, 26, 25, 42, 50, 7]-=- would allow us to achieve our security goals, but are not practical at the scale we have in mind. [82] has a similar intent to our work, but provides much weaker privacy properties (e.g., keys are kn... |
139 | Analysis of a denial of service attack on TCP
- Schuba, Krsul
- 1997
Citation Context ...ch compromised hosts are called bots—because they are “robots” which can be controlled—and large collections of bots are referred to as botnets [16]. Bots can be used for spam [31, 68], DoS attacks =-=[72]-=-, pump-and-dump schemes [1], click fraud [60, 51, 53], identity theft [8, 13], and a slew of other illicit actions [24, 35, 5]. There is strong reason to believe that the status quo provides the three... |
113 | Charging from sampled network usage
- Duffield, Lund, et al.
- 2001
Citation Context ...common, or conversely, avoid the impact of noise from infrequently manifested features. For this reason we group the negative examples into sets with identical features, then apply Threshold Sampling =-=[21]-=- to each group as a whole. This involves selecting the group comprising c examples with probability min{1, c/z} where z is chosen so as to sample a target proportion of the examples. The results for a... |
110 | Early Application Identification.
- Bernaille, Teixeira, et al.
- 2006
Citation Context ...ed for traffic application classification. Approaches include unsupervised learning of application classes via clustering of flow features and derivation of heuristics for packet-based identification =-=[9]-=-; semi-supervised learning from marked flow data [22] and supervised learning from flow features [54, 37]. 2.3 A Packet Signature Taxonomy We adopt the following model and classification for packet ru... |
94 | Extending oblivious transfers efficiently
- Ishai, Nissim, et al.
- 2003
Citation Context ...ic protocols necessary to provide strong privacy guarantees are still non-trivial. Specifically, our solution makes use of oblivious pseudo-random functions [59, 25, 33], amortized oblivious transfer =-=[58, 36]-=-, and homomorphic encryption with re-randomization. Our experiments show that the performance of our system scales linearly with computing resources, making it easy to improve performance by adding mo... |
91 | Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing
- Wendlandt, Andersen, et al.
- 2008
Citation Context ...ecognize they have received a bogus DNS response or a forged self-signed certificate, by checking that the information they received agrees with that seen by other clients accessing the same Web site =-=[64, 81]-=-. Collaboration is also useful to identify popular Web content by having Web users—or proxies monitoring traffic for an entire organization—combine their access logs to determine the most frequent... |
84 | RE: Reliable Email.
- Garriss, Kaminsky, et al.
- 2006
Citation Context ... to our work, but provides much weaker privacy properties (e.g., keys are known by the system) and was not evaluated in a distributed setting. Finally, few of these systems have ever been implemented =-=[50, 28, 7]-=-, let alone operate in the real world [10] and at scale. So, a meta-goal of our work is to help bring multi-party computation to life. In this chapter, we design, implement, and evaluate a viable alte... |
81 | A taxonomy of botnet structures.
- Dagon, Gu, et al.
- 2007
Citation Context ...n of attacks that could have been mitigated by a set of collaborating victim end-hosts. To mitigate the possibility of false positives, we correlate our detected anomalous events with a DNS blacklist =-=[15]-=-. That is, only anomalies that originated from source IP addresses listed in the DNS blacklist were considered. We refreshed our local copy of the DNS blacklist every 12 hours throughout our one-mo... |
81 | Performance guarantees for regularized maximum entropy density estimation.
- Dudik, Phillips, et al.
- 2004
Citation Context ...nt considerations will determine the best operating threshold for a given operating point. Supervised linear classifiers such as Support Vector Machines (SVMs) [79], Adaboost [69] and Maximum Entropy =-=[19]-=- have been successfully applied to many such problems. There are two primary reasons for this. First, the convex optimization problem is guaranteed to converge and optimization algorithms based either... |
79 | How dynamic are ip addresses?
- Xie, Yu, et al.
- 2007
Citation Context ...h other DNSBLs [77] and the associated analysis will allow us to (1) understand how rapidly malicious hosts attack victims, and (2) set ∆ to a value smaller than the vast majority of DHCP lease times =-=[83]-=- while still providing most of the benefits of victim collaboration. 3.2.2 Anomaly Detectors We wish to evaluate the effectiveness of collaborative anomaly detection across a range of specific type... |
78 | Comparing Information Without Leaking It
- Fagin, Naor, et al.
- 1996
Citation Context ...techniques like hashing input keys [27, 4], while efficient, cannot ensure keyword and participant privacy. In contrast, the secure multi-party computation protocols from the cryptographic literature =-=[85, 23, 57, 47, 26, 25, 42, 50, 7]-=- would allow us to achieve our security goals, but are not practical at the scale we have in mind. [82] has a similar intent to our work, but provides much weaker privacy properties (e.g., keys are kn... |
71 | My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging, in First Workshop on Hot Topics in Understanding Botnets
- Rajab, Zarfoss, et al.
- 2007
Citation Context ...aly detection: specifically, networks collaborating to identify attacking IP addresses—e.g., belonging to a botnet—with greater confidence. Modern botnets can range up to roughly 100,000 unique hosts =-=[67]-=-, and we would like our system to be able to correlate suspicions of hundreds of participating networks within some numbers of hours. In order to support such a usage scenario, our implementation will... |
64 | Keyword Search and Oblivious Pseudorandom Functions
- Freedman, Ishai, et al.
- 2005
Citation Context ...pite these simplifications, the cryptographic protocols necessary to provide strong privacy guarantees are still non-trivial. Specifically, our solution makes use of oblivious pseudo-random functions =-=[59, 25, 33]-=-, amortized oblivious transfer [58, 36], and homomorphic encryption with re-randomization. Our experiments show that the performance of our system scales linearly with computing resources, making it e... |
62 | Oblivious transfer with adaptive queries
- Naor, Pinkas
- 1999
Citation Context ...ic protocols necessary to provide strong privacy guarantees are still non-trivial. Specifically, our solution makes use of oblivious pseudo-random functions [59, 25, 33], amortized oblivious transfer =-=[58, 36]-=-, and homomorphic encryption with re-randomization. Our experiments show that the performance of our system scales linearly with computing resources, making it easy to improve performance by adding mo... |
56 | Botnets as a Vehicle for Online Crime
- Ianelli, Hackworth
- 2005
Citation Context ...are referred to as botnets [16]. Bots can be used for spam [31, 68], DoS attacks [72], pump-and-dump schemes [1], click fraud [60, 51, 53], identity theft [8, 13], and a slew of other illicit actions =-=[24, 35, 5]-=-. There is strong reason to believe that the status quo provides the three necessary ingredients to ensure that the problem of unwanted traffic cannot be fully eradicated: means, motive, and opportuni... |
52 | On scalable attack detection in the network
- Kompella, Singh, et al.
- 2007
Citation Context ...f research and educational institutions. We studied all traffic traversing the twenty routers that make up GEANT’s European backbone network, during August 2008. We applied standard anomaly detectors =-=[5, 43]-=- to these traces in order to identify unwanted traffic that collaborating hosts and networks may wish to remove, including DoS, port scanning, and IP scanning events. Our final results calculate the f... |
48 | A brief history of scanning.
- Allman, Paxson, et al.
- 2007
Citation Context ...are referred to as botnets [16]. Bots can be used for spam [31, 68], DoS attacks [72], pump-and-dump schemes [1], click fraud [60, 51, 53], identity theft [8, 13], and a slew of other illicit actions =-=[24, 35, 5]-=-. There is strong reason to believe that the status quo provides the three necessary ingredients to ensure that the problem of unwanted traffic cannot be fully eradicated: means, motive, and opportuni... |
48 | Offline/realtime traffic classification using semi-supervised learning. Performance Evaluation 64(9-12)
- Erman, Mahanti, et al.
- 1194
Citation Context ...s include unsupervised learning of application classes via clustering of flow features and derivation of heuristics for packet-based identification [9]; semi-supervised learning from marked flow data =-=[22]-=- and supervised learning from flow features [54, 37]. 2.3 A Packet Signature Taxonomy We adopt the following model and classification for packet rules. A packet rule is specified by a set of predicate... |
38 | Characterizing a Spam Traffic
- Gomes, Cazita, et al.
- 2004
Citation Context ...via Internet worms. Such compromised hosts are called bots—because they are “robots” which can be controlled—and large collections of bots are referred to as botnets [16]. Bots can be used for spam =-=[31, 68]-=-, DoS attacks [72], pump-and-dump schemes [1], click fraud [60, 51, 53], identity theft [8, 13], and a slew of other illicit actions [24, 35, 5]. There is strong reason to believe that the status quo ... |
38 | Payment Processor Breach May Be Largest
- Krebs
- 2009
Citation Context ...data stored about users’ online behavior explodes. Such privacy is important to end-users to protect against identity theft, and it is important to corporations that wish to protect their reputations =-=[44]-=-. The companies’ desire for privacy is at odds with their desire to monetize the data they keep on their customers, however, and therein lies the challenge. Consider the YouTube-Viacom suit [34], for ... |
29 | A hybrid machine learning approach to network anomaly detection, Information Sciences
- Shon, Moon
- 2007
Citation Context ...ed to flag deviations from baseline behavior of network traffic learned through various unsupervised methods, including clustering, Bayesian networks, PCA analysis and spectral methods; see, e.g., =-=[46, 73, 2, 76, 86, 6]-=-. Our approach is different from these: rather than alarming unknown unusual events based on deviation from observed norms, we regard the set of events alerted by packet rules as representing the most... |
23 | Analyzing large DDoS attacks using multiple data sources.
- Mao, Sekar, et al.
- 2006
Citation Context ...fic mix—e.g., the volume of traffic over various links or the degree of fanout from a particular host—and detect behavior that differs substantially from the statistical norm. For example, Mao et al. =-=[52]-=- found that most DDoS attacks observed within a large ISP were sourced by fewer than 10,000 source IPs, and generated 31,612 alarms over a four-week period (0.8 events per hour). In addition, Soule et... |
20 | Lightweight Application Classification for Network Management
- Jiang, Moore, et al.
- 2007
Citation Context ...lasses via clustering of flow features and derivation of heuristics for packet-based identification [9]; semi-supervised learning from marked flow data [22] and supervised learning from flow features =-=[54, 37]-=-. 2.3 A Packet Signature Taxonomy We adopt the following model and classification for packet rules. A packet rule is specified by a set of predicates that are combined through logical AND and OR opera... |
19 | Duplicate detection in click streams
- Metwally, Agrawal, et al.
- 2005
Citation Context ...e they are “robots” which can be controlled—and large collections of bots are referred to as botnets [16]. Bots can be used for spam [31, 68], DoS attacks [72], pump-and-dump schemes [1], click fraud =-=[60, 51, 53]-=-, identity theft [8, 13], and a slew of other illicit actions [24, 35, 5]. There is strong reason to believe that the status quo provides the three necessary ingredients to ensure that the problem of ... |
19 | ConfiDNS: Leveraging scale and history to improve DNS security.
- Poole, Pai
- 2006
Citation Context ...ecognize they have received a bogus DNS response or a forged self-signed certificate, by checking that the information they received agrees with that seen by other clients accessing the same Web site =-=[64, 81]-=-. Collaboration is also useful to identify popular Web content by having Web users—or proxies monitoring traffic for an entire organization—combine their access logs to determine the most frequent... |
17 | Machine learning approaches to network anomaly detection
- Ahmed, Oreshkin, et al.
- 2007
Citation Context ...ed to flag deviations from baseline behavior of network traffic learned through various unsupervised methods, including clustering, Bayesian networks, PCA analysis and spectral methods; see, e.g., =-=[46, 73, 2, 76, 86, 6]-=-. Our approach is different from these: rather than alarming unknown unusual events based on deviation from observed norms, we regard the set of events alerted by packet rules as representing the most... |
17 | Multiparty computation goes live. Cryptology ePrint Archive, Report 2008/068
- Bogetoft, Christensen, et al.
- 2008
Citation Context ...operties (e.g., keys are known by the system) and was not evaluated in a distributed setting. Finally, few of these systems have ever been implemented [50, 28, 7], let alone operate in the real world =-=[10]-=- and at scale. So, a meta-goal of our work is to help bring multi-party computation to life. In this chapter, we design, implement, and evaluate a viable alternative: a “semi-centralized” system archit... |
16 | Privacy preserving set operations
- Kissner, Song
- 2005
Citation Context ...techniques like hashing input keys [27, 4], while efficient, cannot ensure keyword and participant privacy. In contrast, the secure multi-party computation protocols from the cryptographic literature =-=[85, 23, 57, 47, 26, 25, 42, 50, 7]-=- would allow us to achieve our security goals, but are not practical at the scale we have in mind. [82] has a similar intent to our work, but provides much weaker privacy properties (e.g., keys are kn... |
15 | Fighting Coordinated Attackers with Cross-Organizational Information Sharing
- Allman, Blanton, et al.
- 2006
Citation Context ...rk to detect or filter malicious activity in isolation. In order to counter this emerging threat, previous work has proposed that victim sites collaborate to build a shared defense against attacks =-=[39, 56, 75, 4]-=-. While the notion of victim collaboration has been previously proposed in the literature, the extent to which it improves our ability to detect and isolate malicious traffic has not been rigorously e... |
13 | Analyzing Cooperative Containment of Fast Scanning Worms
- Kannan, Subramanian, et al.
- 2005
Citation Context ...rk to detect or filter malicious activity in isolation. In order to counter this emerging threat, previous work has proposed that victim sites collaborate to build a shared defense against attacks =-=[39, 56, 75, 4]-=-. While the notion of victim collaboration has been previously proposed in the literature, the extent to which it improves our ability to detect and isolate malicious traffic has not been rigorously e... |
12 | http://www.cisco.com/en/US/products/ps6601/product ios protocol group home.html
- Netflow
- 2007
Citation Context ...n translate many existing packet signatures to instead operate effectively on IP flows. Flow statistics are compact and collected ubiquitously within most ISPs’ networks, often in the form of NetFlow =-=[14]-=-. Our work does not supplant signature-based detection systems, but rather extends their usefulness into new environments where packet inspection is either infeasible or undesirable. We wish to con... |
12 | Inoculating SSH against address harvesting
- Schechter, Jung, et al.
- 2006
Citation Context ...nt potentially larger scaling challenges due to the potentially large number of keys that could be inserted. According to [38], most hosts execute fewer than 15 DNS lookups per hour, and according to =-=[70]-=-, ssh hosts rarely authenticate with more than 30 remote hosts over long periods of time. Here, we envision our system could simplify the deployment of such schemes, by reducing the amount of informat... |
10 | A Generic Language for Application-Specific Flow Sampling
- Madhyastha, Krishnamurthy
- 2008
Citation Context ...reproduce packet level rules with complete accuracy; this is the price we pay to be scalable. The idea of deriving flow-level rules from the header portion of a packet-level rule has been proposed in =-=[49]-=-, but this technique only applies to rules that exclusively inspect a packet’s header. What can be done for rules that contain predicates that match on a packet’s payload? Ignoring the rule or removin... |
10 | Detectability of traffic anomalies in two adjacent networks, Passive And Active Measurement Conference
- Soule, Ringberg, et al.
Citation Context ...rk to detect or filter malicious activity in isolation. In order to counter this emerging threat, previous work has proposed that victim sites collaborate to build a shared defense against attacks =-=[39, 56, 75, 4]-=-. While the notion of victim collaboration has been previously proposed in the literature, the extent to which it improves our ability to detect and isolate malicious traffic has not been rigorously e... |
10 | Criminals 'may overwhelm the web'
- Weber
- 2007
Citation Context ...rabilities in network software have led to the rapid proliferation of automated attack methods (worms, botnets, viruses). It is estimated that 25% of all personal computers may be infected by malware =-=[80]-=-, and organizations are estimated to lose billions of dollars per year as a result [63]. Defending against attack traffic can be extremely challenging. The stealthy nature of many attacks, where malic... |
9 | How click fraud could swallow the internet
- Mann
- 2006
Citation Context ...e they are “robots” which can be controlled—and large collections of bots are referred to as botnets [16]. Bots can be used for spam [31, 68], DoS attacks [72], pump-and-dump schemes [1], click fraud =-=[60, 51, 53]-=-, identity theft [8, 13], and a slew of other illicit actions [24, 35, 5]. There is strong reason to believe that the status quo provides the three necessary ingredients to ensure that the problem of ... |
7 | A chronology of data breaches
- Clearinghouse
Citation Context ...nfortunately, even good intentions do not necessarily translate to good security and privacy protections, only too-well demonstrated by the fact that large-scale data breaches have become commonplace =-=[65]-=-. As such, we believe that many useful distributed data-analysis applications will not gain serious traction unless privacy can be ensured. Fortunately, many of these collaborative data-analysis appli... |
5 | Rule-based anomaly detection on IP flows
- Duffield, Haffner, et al.
- 2009
Citation Context ...system that can translate many packet-level Snort rules into flow-level rules with a high degree of accuracy. The flow-level rules lead to more computationally efficient detection of unwanted traffic =-=[20]-=-. 2. A measurement study that demonstrates that collaboration between victims of unwanted traffic can help improve detection accuracy because many attackers have a high degree of fan-out. 3. A novel c... |
3 | Protecting Privacy in Key-Value Search Systems
- Xie, Reiter, et al.
- 2006
Citation Context ...lti-party computation protocols from the cryptographic literature [85, 23, 57, 47, 26, 25, 42, 50, 7] would allow us to achieve our security goals, but are not practical at the scale we have in mind. =-=[82]-=- has a similar intent to our work, but provides much weaker privacy properties (e.g., keys are known by the system) and was not evaluated in a distributed setting. Finally, few of these systems have e... |
2 | The billion dollar problem (interview
- Peterson
Citation Context ...methods (worms, botnets, viruses). It is estimated that 25% of all personal computers may be infected by malware [80], and organizations are estimated to lose billions of dollars per year as a result =-=[63]-=-. Defending against attack traffic can be extremely challenging. The stealthy nature of many attacks, where malicious hosts emulate the characteristics of well-behaved traffic, limits the ability of an... |
1 | Pump and Dump Schemes. http://www.sec.gov/answers/pumpdump.htm
- Securities and Exchange Commission
Citation Context ...led bots—because they are “robots” which can be controlled—and large collections of bots are referred to as botnets [16]. Bots can be used for spam [31, 68], DoS attacks [72], pump-and-dump schemes =-=[1]-=-, click fraud [60, 51, 53], identity theft [8, 13], and a slew of other illicit actions [24, 35, 5]. There is strong reason to believe that the status quo provides the three necessary ingredients to e... |
1 | Efficient protocols for set intersection and pattern matching with security against malicious and covert adversaries
- toolsfirefoxsafebrowsing
- 2008
Citation Context ...rhaps even on a rotating basis, or third-party commercial or non-profit entities tasked with providing such functionality. For example, Google (which already plays a role in bot and malware detection =-=[32]-=-) or the EFF (which has funded anonymity tools such as Tor [17]), which themselves have no incentive to collude. It should be emphasized that the proxy and database are not treated as trusted parties:... |
1 | Viacom suit against google raises privacy concerns
- HELFT
- 2008
Citation Context ...tions [44]. The companies’ desire for privacy is at odds with their desire to monetize the data they keep on their customers, however, and therein lies the challenge. Consider the YouTube-Viacom suit =-=[34]-=-, for example. Google—as the owner of YouTube—wishes to keep some amount of data on users’ behavior, but does not wish to reveal this information to third parties such as Viacom. We believe there are ... |
1 | fraud roils search advertisers. CNet - OLSEN - 2005 |