Collabora've, Privacy‐Preserving Data Aggrega'on at Scale Michael J. Freedman Princeton University Joint work with: Benny Applebaum, Haakon Ringberg, MaHhew Caesar, and Jennifer Rexford
Problem: Network Anomaly Detec'on
Collabora've anomaly detec'on • Some aHacks look like normal traffic – e.g. , SQL‐injec'on, applica'on‐level DoS [Srivatsa TWEB ‘08] • Is it a DDoS aHack or a flash crowd? [Jung WWW ‘02] I’m not sure I’m not sure about Beasty! about Beasty! I’m not sure Google about Beasty! Yahoo! Bing
Collabora've anomaly detec'on • Targets (vic'ms) could correlate aHacks/aHackers [Kad IMC ’05], [Allman Hotnets ‘06], [Kannan SRUTI ‘06], [Moore INFOC ‘03] “ Fool us once, shame on you. Fool us N 2mes, shame on us. ” Google Yahoo! Bing
Problem: Network Anomaly Detec'on Solu'on: • Aggregate suspect IPs from many ISPs • Flag those IPs that appear > threshold τ
Problem: Distributed Ranking Solu'on: • Collect domain sta's'cs from many users • Aggregate data by domain
Problem: … Solu'on: • Aggregate (id, data) from many sources • Analyze data grouped by id
But what about privacy? What inputs are submiHed? Who submiHed what?
Data Aggrega'on Problem • Many par'cipants, each with (key, value) observa'on • Goal: Aggregate observa'ons by key Key Values k 1 ( v a , v b ) A k 2 ( v i , v j , v k ) A … k n ( v x ) A
Data Aggrega'on Problem • Many par'cipants, each with (key, value) observa'on • Goal: Aggregate observa'ons by key Key Values ) k 1 ( v a , v b ) F ( A ) k 2 ( v i , v j , v k ) A F ( … ) k n ( v x ) F ( A PDA: Only release the value column CR‐PDA: Plus keys whose values sa'sfy some func
Data Aggrega'on Problem • Many par'cipants, each with (key, value) observa'on • Goal: Aggregate observa'ons by key Key Values ? k 1 ( 1, 1 ) Σ ≥ τ ? k 2 ( 1, 1, 1 ) Σ ≥ τ … ? k n ( 1 ) Σ ≥ τ PDA: Only release the value column CR‐PDA: Plus keys whose values sa'sfy some func
Goals • Keyword privacy: No party learns anything about keys • Par'cipant privacy: No party learns who submiHed what • Efficiency: Scale to many par'cipants, each with many inputs • Flexibility: Support variety of computa'ons over values • Lack of coordina'on: – No synchrony required, individuals cannot prevent progress – All par'cipants need not be online at same 'me
Poten'al solu'ons Keyword Par5cipant Lack of Approach Privacy Privacy Efficiency Flexibility Coord Decentralized Garbled Circuit Yes Yes Very Poor Yes No Evalua'on Mul'party Yes Yes Poor No No Set Intersec'on
Security Efficiency • Weaken security assump'ons? – Assume honest but curious par'cipants? – Assume no collusion among malicious par'cipants? • In large/open sedng, easy to operate mul'ple nodes (so‐called “Sybil aHack”)
Towards Centraliza'on? DB Par5cipants
Poten'al solu'ons Keyword Par5cipant Lack of Approach Privacy Privacy Efficiency Flexibility Coord Decentralized Garbled Circuit Yes Yes Very Poor Yes No Evalua'on Mul'party Yes Yes Poor No No Set Intersec'on Centralized Hashing No No Very Good Yes Yes Inputs Network No Yes Very Good Yes Yes Anonymiza'on
Towards semi‐centraliza'on Proxy DB Assump5on: Proxy and DB do Par5cipants not collude
Poten'al solu'ons Keyword Par5cipant Lack of Approach Privacy Privacy Efficiency Flexibility Coord Decentralized Garbled Circuit Yes Yes Very Poor Yes No Evalua'on Mul'party Yes Yes Poor No No Set Intersec'on Centralized Hashing No No Very Good Yes Yes Inputs Network No Yes Very Good Yes Yes Anonymiza'on This Yes Yes Good Yes Yes Work
Privacy Guarantees • Privacy of PDA against malicious en''es and par'cipants – Malicious par'cipant may collude with either malicious proxy or DB, but not both – May violate correctness in almost arbitrary ways • Privacy of CR‐PDA against honest‐but‐curious en''es and malicious par'cipants
PDA Strawman #0 k Par5cipant Proxy DB 1. Client sends input k
PDA Strawman #1 E DB (k) E DB (k) Par5cipant Proxy DB k # 1. Client sends encrypted input k ds 1.1.1.1 1 2. Proxy batches and retransmits 2.2.2.2 9 3. DB decrypts input Violates keyword privacy
PDA Strawman #2 E DB ( H (k) ) E DB ( H (k) ) Par5cipant Proxy DB H (k) # 1. Client sends hashes of k H(1.1.1.1) 1 ds 2. Proxy batches and retransmits H(2.2.2.2) 9 3. DB decrypts input S5ll violates keyword privacy: IPs drawn from small domains
PDA Strawman #3 E DB ( F s (k) ) E DB ( F s (k) ) Secret s Par5cipant Proxy DB F s (k) # 1. Client sends keyed hashes of k F s (1.1.1.1) 1 – Keyed hash func'on (PRF) F s (2.2.2.2) 9 – Key s known only by proxy But how do clients learn F s (IP)) ?
Our Basic PDA Protocol F s (k) E DB ( F s (k) ) E DB ( F s (k) ) OPRF Secret s Par5cipant Proxy DB F s (k) # 1. Client sends keyed hashes of k F s (1.1.1.1) 1 – F s (x) learned by client through F s (2.2.2.2) 9 Oblivious PRF protocol 2. Proxy batches and retransmits keyed hash 3. DB decrypts input
Basic CR‐PDA Protocol F s (k) E DB ( F s (k) ) retransmits E DB (E PRX (k)) Secret s E PRX (k) Par5cipant Proxy DB F s (k) F s (k) # Enc’d k # 1. Client sends keyed hashes of k, F s (1.1.1.1) F s (1.1.1.1) 1 E PRX ( 1.1.1.1 ) 1 and encrypted k for recovery F s (2.2.2.2) F s (2.2.2.2) 9 E PRX ( 2.2.2.2 ) 9 2. Proxy retransmits keyed hash 3. DB decrypts input 4. Iden'fy rows to release and transmit E PRX (k) to proxy 5. Proxy decrypts k and releases
Privacy Proper'es F s (k) E DB ( F s (k) ) retransmits E DB (E PRX (k)) Secret s E PRX (k) Par5cipant Proxy DB • Keyword privacy: Nothing learned about unreleased keys • Par'cipant privacy: Key Par'cipant not learned • Any coali'on of HBC par'cipants • HBC coali'on of proxy and par'cipants • HBC database
Privacy Proper'es F s (k) E DB ( F s (k) ) retransmits E DB (E PRX (k)) Secret s E PRX (k) Par5cipant Proxy DB • Keyword privacy: Nothing learned about unreleased keys • Par'cipant privacy: Key Par'cipant not learned • Any coali'on of HBC par'cipants malicious par'cipants • HBC coali'on of proxy and par'cipants • HBC database HBC coali'on of DB and par'cipants
More Robust PDA Protocol F s (k) E DB ( F s (k) ) retransmits E DB (E PRX (k)) Secret s E PRX (k) Par5cipant Proxy DB • ORPF Encrypted OPRF Protocol • Ciphertext re‐randomiza'on by proxy • Proof by par'cipant that submiHed k’s match • Any coali'on of HBC par'cipants malicious par'cipants • HBC coali'on of proxy and par'cipants • HBC database HBC coali'on of DB and par'cipants
Recommend
More recommend