1. Field
The present disclosure relates to private collaborative analytics. More specifically, this disclosure relates to a method and system that facilitates privacy-preserving centralized computation of similarity values for collaborative threat mitigation.
2. Related Art
Organizations today are exposed to an increasingly large number of cyber threats, including malware and software vulnerabilities as well as botnet, zeroday, and denial of service attacks. In compliance with risk management frameworks, industry practices usually recommend implementation of standard security countermeasures, such as firewalls, antivirus software, patch management, and security/log audits.
Some security solutions go beyond passive defense mechanisms and offer proactive measures to predict attackers' next move. Prediction techniques rely on attack information—so-called “security data” —that companies retain: Internet Protocol (IP) addresses, domains, Uniform Resource Locators (URLs), hostnames, vulnerabilities, phishing emails, metadata (e.g., attack technique, malware, activity description), incident parameters, Threats Techniques and Procedures (TTPs), etc. The more security data a company has, the better the understanding of adversarial strategies and thus the success of its prediction techniques.
Threat modeling requires as much information as possible about threats but information is usually scarce. In practice, companies have a limited view of malicious cyber activities and can only achieve limited prediction performance. Previous work showed that collaboration would curb this challenge as companies are often hit by the same attacks (see, e.g., Zhang, J. and Porras, P. and Ulrich, J. Highly Predictive Blacklisting. Proceedings of Usenix Security, 2008). Therefore, companies can enhance the accuracy of security intelligence and analytics mitigation techniques if companies share security data with each other, thereby increasing the availability of information about attacks.
Unfortunately, a number of problems often prevent companies from sharing security data. Companies may need to determine which other companies they should partner with. To do so, they compare the expected benefits of collaborating with different companies. However, it may be inefficient for each company to separately determine the expected benefits because of the computations required. Without an effective process for determining the expected benefits from collaborating, the companies might not be able to benefit from collaborating and sharing security data.