Privacy Preservation Techniques to establish Trustworthiness for Distributed, Inter-Provider Monitoring

J. Seedorf, S. Niccolini, A. Sarma (NEC Laboratories Europe, Heidelberg, Germany; seedorf/niccolini/sarma@neclab.eu)
B. Trammell (ETH Zurich, Zurich, Switzerland; trammell@tik.ee.ethz.ch)
G. Bianchi (University of Rome, Rome, Italy; giuseppe.bianchi@uniroma2.it)

November 29, 2010

1 Introduction and Background

The increasing scale of the Internet and the growing heterogeneity of applications and devices attached to it, combined with the distributed impact and cascading nature of operational failures and the widespread diffusion of large-scale, inter-domain, coordinated attack infrastructures such as botnets, call for a novel approach to the design, deployment, and operation of threat monitoring and mitigation infrastructure. The EU research project DEMONS¹ fosters a new, resilient, scalable, and privacy-preserving approach to network monitoring and security management through the design of a trustworthy, coordinated monitoring network, composed of flexible and programmable nodes capable of supporting in-network traffic processing and analysis tasks. As its main goal, the DEMONS project is building the infrastructure of a novel cooperative network monitoring and mitigation system which is completely decentralized, application-aware, and privacy-preserving.

In this paper, we highlight the privacy considerations for decentralized, inter-domain network monitoring. We then present the DEMONS vision and approach for an architecture which enables large-scale, distributed network monitoring in a privacy-preserving way. Our view is that the use of adequate privacy-preservation techniques is necessary to a) ensure trustworthiness in such a system for its users as well as to b) enable legal compliance in a multi-jurisdictional scenario.
2 Privacy Considerations for Network Monitoring

The process of monitoring networks raises serious concerns about the protection of network customers' privacy, acknowledged by European legislation as a fundamental right of the individual [1] [2] [3]. Even in the single-organization case, network traffic monitoring activities, especially at higher layers of the network stack, pose a serious risk to individual privacy, since they may result in tracking the personal online activities of end users without their knowledge. Monitoring activities undertaken without transparency or accountability with respect to data processing (i.e., without privacy-awareness) lead to a loss of trust in the network as a whole. As a result, care must be taken that privacy concerns are addressed, and that privacy rights and data protection laws are not violated.

Network monitoring is necessarily concerned with traffic data, which from the privacy perspective of individuals poses a serious risk. An individual's network traffic may be combined and analyzed in any number of ways, and these activities may encroach severely on the individual's private sphere. These concerns are only amplified when information is shared in order to carry out cooperative network defense activities. Information sharing is further complicated by the fact that such cooperative defense activities will often cross jurisdictional boundaries, requiring the collection, storage and processing of network traffic data to comply with the data protection laws of several different jurisdictions.

Trust among operators is also an important consideration. Operators are generally loath to share information with outside parties.
Despite this, many incidents are cross-domain, so operators are forced to rely on a cooperative defense process which is both informal, based on links of trust between individuals at network operations centers (NOCs) and computer security incident response teams (CSIRTs), and manual, without any specific technological support beyond electronic mail and the public telephone network.

3 The DEMONS Vision and Approach: Privacy-Preservation Techniques to enable Trustworthy Network Monitoring

The privacy issues detailed in section 2 have previously prevented large-scale monitoring solutions from being widely deployed and have therefore rendered them ineffective. It is therefore absolutely necessary to take such privacy consider-

¹ This work was partially supported by DEMONS, a research project supported by the European Commission under its 7th Framework Program (contract no. 257315). The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the DEMONS project or the European Commission.