Privacy-Preserving Distributed Event Correlation

Janak J. Parekh, Columbia University. Computer Science
Event correlation is a widely-used data processing methodology for a broad variety of applications, and is especially useful in the context of distributed monitoring for software faults and vulnerabilities. However, most existing solutions have typically been focused on 'intra-organizational' correlation; organizations typically employ privacy policies that prohibit the exchange of information outside of the organization. At the same time, the promise of 'inter-organizational' correlation is
more » ... nificant given the broad availability of Internet-scale communications, and its potential role in both software maintenance and software vulnerability exploits. In this proposal, I present a framework for reconciling these opposing forces in event correlation via the use of privacy preservation integrated into the event processing framework. By integrating flexible privacy policies, we enable the correlation of organizations' data without actually releasing sensitive information. The framework supports both source anonymity and data privacy, yet allows for the time-based correlation of a broad variety of data. The framework is designed as a lightweight collection of components to enable integration with existing COTS platforms and distributed systems. I also present two different implementations of this framework: XUES (XML Universal Event Service), an event processor used as part of a software monitoring platform called KX (Kinesthetics eXtreme), and Worminator, a collaborative Intrusion Detection System. KX comprised a series of components, connected together with a publish-subscribe content-based routing event subsystem, for the autonomic software monitoring of complex distributed systems. Sensors were installed in legacy systems. XUES' two modules then performed event processing on sensor data: information was collected and processed by the Event Packager, and correlated using the Event Distiller. While XUES itself was not privacy-preserving, it laid the groundwork for this thesis by supporting event typing, the use of [...]
doi:10.7916/d8sb4hxf fatcat:lbdng3xksvgrxlzimwisi2g7nm