Intrusion detection over encrypted network data (2020)
A protocol for privately evaluating detection models on system data using lattice-based cryptography to protect both data and model privacy.
Published: The Computer Journal
In the current cybersecurity landscape we face a critical deadlock. To detect attacks effectively, a Security Operations Center (SOC) needs access to system data (such as log files and network packets), but this data often contains sensitive personal information (PII). At the same time, we (the SOC) invest heavily in proprietary detection models and are reluctant to share them with clients (Data Owners) for fear of intellectual property theft or adversarial manipulation.
In this paper, we propose a solution leveraging lattice-based cryptography and Fully Homomorphic Encryption (FHE). Our protocol evaluates detection models privately by reversing the usual flow: instead of asking the client to send their sensitive data to the cloud, we send the encrypted detection model directly to the data owner, who evaluates it locally. The result is a zero-trust arrangement: we never see their raw data, and they never see our proprietary rules.
The Protocol
Our protocol fundamentally changes the interaction flow between the SOC and the Data Owner (DO). Instead of the DO sending data to us, we send our encrypted threat intelligence to them.
- Setup: We (the SOC) generate homomorphic encryption keys.
- Model Encryption: We convert our detection rules (e.g., Snort rules converted to a decision-tree format) into polynomials and encrypt them with the public key.
- Transmission: We send the encrypted model and the public key to the DO.
- Local Evaluation: The DO captures network packets, processes them into feature vectors, and performs homomorphic operations against our encrypted model.
- Result: The output is an encrypted result vector, which the DO sends back to us. Only we hold the secret key, so only we can decrypt it to see whether an intrusion occurred.
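The reversed flow of these steps, as an added example that is not code from the paper or its SEAL implementation: a toy Paillier scheme (additively homomorphic, with constructed keys) stands in for the lattice scheme, and a rule is encoded as encrypted 0/1 weights over a public one-hot feature schema, so the DO evaluates it on plaintext packets and returns only an encrypted match count. The schema, the rule and the three packets are assumptions constructed for the demo.

```python
import secrets
# Toy Paillier (additively homomorphic) standing in for SEAL's lattice scheme:
# it gives the two operations the DO needs, Enc(a)+Enc(b) and Enc(a)*plaintext.
P, Q = 2**31 - 1, 2**61 - 1  # fixed Mersenne primes, constructed for the demo

def keygen(p=P, q=Q):
    n, phi = p * q, (p - 1) * (q - 1)
    mu = pow((pow(n + 1, phi, n * n) - 1) // n, -1, n)
    return n, (phi, mu)  # public key n (g = n + 1), secret key (phi, mu)

def encrypt(n, m):
    r = secrets.randbelow(n - 1) + 1  # fresh blinding factor, 1 <= r < n
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, sk, c):
    return (pow(c, sk[0], n * n) - 1) // n * sk[1] % n

def add(n, c1, c2):  # Enc(a) * Enc(b) = Enc(a + b)
    return c1 * c2 % (n * n)
def mul_plain(n, c, k):  # Enc(a) ** k = Enc(a * k), k is a plaintext scalar
    return pow(c, k, n * n)

# Public feature schema shared by SOC and DO (fields and one-hot values).
# Which slots a rule actually tests is what stays secret.
SCHEMA = [("proto", "tcp"), ("proto", "udp"), ("dst_port", 23),
          ("dst_port", 80), ("flag", "syn"), ("flag", "ack")]

def soc_encrypt_rule(n, rule):
    """SOC: a conjunction rule becomes one encrypted 0/1 weight per slot."""
    return [encrypt(n, 1 if rule.get(f) == v else 0) for f, v in SCHEMA]

def do_evaluate(n, enc_model, packet):
    """DO: one-hot the plaintext packet and compute Enc(sum_j w_j * x_j), the
    number of rule conditions it satisfies, without ever learning w."""
    acc = encrypt(n, 0)
    for c_w, (f, v) in zip(enc_model, SCHEMA):
        acc = add(n, acc, mul_plain(n, c_w, 1 if packet.get(f) == v else 0))
    return acc

def soc_check(n, sk, rule, enc_results):
    """SOC: decrypt each match count; alert only when every condition held."""
    return [decrypt(n, sk, c) == len(rule) for c in enc_results]

def run_demo():
    n, sk = keygen()
    rule = {"proto": "tcp", "dst_port": 23}  # secret SOC rule: telnet over TCP
    enc_model = soc_encrypt_rule(n, rule)  # shipped to the DO together with n
    packets = [{"proto": "tcp", "dst_port": 23, "flag": "syn"},  # constructed
               {"proto": "tcp", "dst_port": 80, "flag": "ack"},
               {"proto": "udp", "dst_port": 23, "flag": "syn"}]
    return soc_check(n, sk, rule, [do_evaluate(n, enc_model, p) for p in packets])
```

What the SOC learns per record is a match count, not the features, and what the DO holds is a list of indistinguishable ciphertexts, not the rule. SEAL's scheme additionally offers ciphertext-by-ciphertext multiplication and batching, which this toy omits.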
Sequence diagram of the protocol (not reproduced here).
Feasibility and Performance
We implemented this protocol using the Microsoft SEAL library (version 2.1) and tested it against the ISCX 2012 and CIC-IDS 2016 datasets.
- Accuracy: Our encrypted model achieved detection accuracy (99.8%) comparable to plaintext tools such as WEKA.
- Speed: By using the batching technique (SIMD-style operations) available in lattice-based cryptography, we can pack multiple data slots into a single ciphertext. This let us evaluate approximately 4,000 records against our rules in roughly 27 seconds on standard hardware.
This shows that privacy-preserving intrusion detection is practical, not just theoretical: you can secure a sensitive network without giving up the privacy of the data on it.