    Please use this permanent URL to cite or link to this document: http://ir.lib.ncu.edu.tw/handle/987654321/13475


    Title: On Privacy-Preserving and Correlatable Security Alert Translation (original title: 具隱私防護與關聯能力之資安警訊轉換機制研究)
    Author: Chang-Zhi Lin (林昶志)
    Contributor: Graduate Institute of Information Management
    Keywords: privacy preserving; security operations center (SOC); alert correlation; intrusion detection
    Date: 2008-07-08
    Upload time: 2009-09-22 15:32:53 (UTC+8)
    Publisher: National Central University Library
    Abstract: Both the earlier Distributed Intrusion Detection Systems (DIDS) and the more recent Security Operation Centers (SOC) still face two important problems when they aggregate security alerts. 1. DIDS and SOC designs mostly assume that complete intrusion alerts can be obtained unconditionally. In practice this holds only when the SOC operates inside a single company or is run by a trusted third party; otherwise most companies are unwilling to share the alerts collected by their own security equipment with outsiders, for fear of inadvertently disclosing confidential information about their internal networks. 2. The volume of alerts is too large and contains many false positives, which leaves administrators struggling to keep up; moreover, alerts are typically low-level information that does not let administrators quickly grasp the attacker's intent or the full picture of an intrusion. We therefore propose a privacy-preserving and correlatable method for translating intrusion detection alerts. First, a method adapted from K-anonymity is used to achieve privacy protection; then several correlation techniques are applied to verify that, after privacy protection, the alerts can still be correlated and analyzed. The research builds on a widely used intrusion detection system to broaden the practicality of the method. In our workflow, each local intrusion detection system anonymizes its alerts before sending them out for sharing, so an attacker who intercepts the alerts in transit to the SOC cannot obtain their un-anonymized content; the remote SOC then aggregates, analyzes and correlates the shared alerts. Our ultimate goal is to enable information sharing while keeping the alerts correlatable, thereby extending the scope of protection, without leaking the sharing parties' confidential data and without letting malicious users abuse the circulated alert data, so that users become more willing to share security alerts.
    Appears in Collections: [Graduate Institute of Information Management] Theses and Dissertations
