TY - GEN
T1 - A Privacy-Preserving Infrastructure to Monitor Encrypted DNS Logs
AU - Abdel-Rahman, Adam Oumar
AU - Levillain, Olivier
AU - Totel, Eric
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.
PY - 2024/1/1
Y1 - 2024/1/1
N2 - In the realm of cybersecurity, logging system and application activity is a crucial technique to detect and understand cyberattacks by identifying Indicators of Compromise (IoCs). Since these logs can take vast amounts of disk space, it can be tempting to delegate their storage to an external service provider. This requires encrypting the data, so that the service provider does not have access to possibly sensitive information. However, this usually makes it impossible to search for relevant information in the encrypted log. To address this predicament, this paper delves into the realm of modern cryptographic tools to reconcile the dual objectives of protecting log data from prying eyes while enabling controlled processing. We propose a comprehensive framework that contextualizes log data and presents several mechanisms to solve the outsourcing problem, allowing searchable encryption, and we apply our approach to DNS logs. Our contributions include the introduction of two novel schemes, namely symmetric and asymmetric, which facilitate efficient and secure retrieval of intrusion detection-related information from encrypted outsourced storage. Furthermore, we conduct extensive experiments on a test bed to evaluate and compare the effectiveness of the different solutions, providing valuable insights into the practical implementation of our proposed infrastructure for monitoring encrypted logs.
AB - In the realm of cybersecurity, logging system and application activity is a crucial technique to detect and understand cyberattacks by identifying Indicators of Compromise (IoCs). Since these logs can take vast amounts of disk space, it can be tempting to delegate their storage to an external service provider. This requires encrypting the data, so that the service provider does not have access to possibly sensitive information. However, this usually makes it impossible to search for relevant information in the encrypted log. To address this predicament, this paper delves into the realm of modern cryptographic tools to reconcile the dual objectives of protecting log data from prying eyes while enabling controlled processing. We propose a comprehensive framework that contextualizes log data and presents several mechanisms to solve the outsourcing problem, allowing searchable encryption, and we apply our approach to DNS logs. Our contributions include the introduction of two novel schemes, namely symmetric and asymmetric, which facilitate efficient and secure retrieval of intrusion detection-related information from encrypted outsourced storage. Furthermore, we conduct extensive experiments on a test bed to evaluate and compare the effectiveness of the different solutions, providing valuable insights into the practical implementation of our proposed infrastructure for monitoring encrypted logs.
KW - Forensics
KW - Indicators of Compromise
KW - Searchable Encryption
UR - https://www.scopus.com/pages/publications/85197354807
U2 - 10.1007/978-3-031-61231-2_12
DO - 10.1007/978-3-031-61231-2_12
M3 - Conference contribution
AN - SCOPUS:85197354807
SN - 9783031612305
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 185
EP - 199
BT - Risks and Security of Internet and Systems - 18th International Conference, CRiSIS 2023, Revised Selected Papers
A2 - Ait Wakrime, Abderrahim
A2 - Navarro-Arribas, Guillermo
A2 - Cuppens, Frédéric
A2 - Cuppens, Nora
A2 - Benaini, Redouane
PB - Springer Science and Business Media Deutschland GmbH
T2 - 18th International Conference on Risks and Security of Internet and Systems, CRiSIS 2023
Y2 - 6 December 2023 through 8 December 2023
ER -
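The abstract describes the core problem of the paper: DNS logs are encrypted before being handed to an untrusted storage provider, yet an analyst must still be able to pull back every record mentioning an IoC (a domain name or a client address) without giving the provider the key. The block below is an added illustration of the symmetric flavour of that idea and is not the authors' scheme or code from the paper: it builds a PRF-labelled inverted index in the style of the classic symmetric searchable encryption constructions (a per-keyword key, labels derived from a counter, record ids masked under the same key), so the provider stores only pseudorandom labels and sealed blobs and can answer a query only once it receives the keyword token. To stay standard-library-only, records are sealed with an HMAC-SHA256 keystream plus an encrypt-then-MAC tag in place of AES-GCM; the `StorageProvider`/`LogOwner` split, the sample log lines and the `*.example` domains are all constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (a, b) and (ab, "") never collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (prf(key, b"enc", nonce, i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD standing in for AES-GCM: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + ct + prf(key, b"mac", nonce, ct)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"mac", nonce, ct)):
        raise ValueError("record tampered with or wrong key")
    return xor(ct, _keystream(key, nonce, len(ct)))


def norm(keyword: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot of FQDN form too."""
    return keyword.lower().rstrip(".")


class StorageProvider:
    """Untrusted side: holds pseudorandom labels, masked ids and sealed blobs, no key."""

    def __init__(self):
        self.index = {}    # label -> record id XOR mask
        self.records = {}  # record id -> sealed blob

    def store(self, rid: bytes, blob: bytes, entries):
        self.records[rid] = blob
        for label, masked_rid in entries:
            self.index[label] = masked_rid

    def search(self, k_w: bytes):
        """Given only the keyword token, walk counter-derived labels until the first miss."""
        hits, c = [], 0
        while True:
            cb = c.to_bytes(4, "big")
            label = prf(k_w, b"label", cb)
            if label not in self.index:
                return hits
            hits.append(self.records[xor(self.index[label], prf(k_w, b"mask", cb))])
            c += 1


class LogOwner:
    """Trusted side: master key plus a per-keyword counter (the only client state)."""

    def __init__(self, provider: StorageProvider, master_key: bytes):
        self.provider = provider
        self.k_idx = prf(master_key, b"index")
        self.k_rec = prf(master_key, b"records")
        self.counts = {}

    def _token(self, keyword: str) -> bytes:
        return prf(self.k_idx, norm(keyword).encode())

    def add(self, record: dict):
        rid = secrets.token_bytes(16)
        blob = seal(self.k_rec, json.dumps(record, sort_keys=True).encode())
        entries = []
        for w in (norm(record["qname"]), record["client"]):  # the searchable fields
            k_w, c = self._token(w), self.counts.get(w, 0)
            self.counts[w] = c + 1
            cb = c.to_bytes(4, "big")
            entries.append((prf(k_w, b"label", cb), xor(rid, prf(k_w, b"mask", cb))))
        self.provider.store(rid, blob, entries)

    def search(self, keyword: str):
        blobs = self.provider.search(self._token(keyword))  # token is all the provider learns
        return [json.loads(unseal(self.k_rec, b)) for b in blobs]


SAMPLE_LOG = [  # constructed resolver log lines; *.example is a reserved TLD
    {"ts": "2024-01-01T10:00:01Z", "client": "10.0.0.7", "qname": "www.example.com", "rcode": "NOERROR"},
    {"ts": "2024-01-01T10:00:05Z", "client": "10.0.0.7", "qname": "c2.malware.example", "rcode": "NOERROR"},
    {"ts": "2024-01-01T10:00:09Z", "client": "10.0.0.12", "qname": "C2.MALWARE.EXAMPLE.", "rcode": "NXDOMAIN"},
    {"ts": "2024-01-01T10:00:12Z", "client": "10.0.0.12", "qname": "mail.example.org", "rcode": "NOERROR"},
]


def demo() -> dict:
    provider = StorageProvider()
    owner = LogOwner(provider, secrets.token_bytes(32))
    for rec in SAMPLE_LOG:
        owner.add(rec)
    blob = next(iter(provider.records.values()))
    try:
        unseal(owner.k_rec, blob[:-1] + bytes([blob[-1] ^ 1]))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "ioc_hits": sorted(r["client"] for r in owner.search("c2.malware.example")),
        "hits_per_client": len(owner.search("10.0.0.12")),
        "unknown": owner.search("not-in-logs.example"),
        "plaintext_in_index": any(b"example" in k or b"10.0.0" in k for k in provider.index),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind with any scheme of this shape. First, the provider learns the access pattern: once a token for a keyword is issued it sees which blobs match and how many, and a repeated search for the same IoC is linkable because the token is deterministic; the masking of record ids only hides which records share a keyword until that keyword is queried. Second, the index is built from a fixed set of fields (here the query name and the client address), so wildcard or substring IoC matching is not available without extending the indexing step, which is exactly the kind of design trade-off the paper's test bed is meant to measure.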