Anonymising security event logs to protect against privacy identification attacks while maintaining utility
Abstract
Many small to medium organisations outsource security services such as monitoring and incident
response. Their managed security service providers (MSSPs) therefore handle very sensitive or private
data about the organisation's employees and clients. Moreover, security monitoring systems such as
Intrusion Detection Systems (IDS) log some personally identifiable information that could have privacy
consequences if not handled properly. This research provides an approach to protect against the privacy
identification attacks that may result from using these systems and outsourcing security services. It
studies how to apply robust anonymisation techniques while maintaining the ability to analyse malicious
behaviour and attacks, and therefore addresses the utility/analysis trade-off. The dissertation focuses on
analysing spear phishing attacks by collecting end-point logs such as Sysmon event logs. The study uses
Elasticsearch, Logstash, and Kibana both for anonymising the logs and as a Security Information and Event
Management (SIEM) solution. The analysis shows how the proposed technique succeeds in answering the
questions of the analysis phase and maintains the utility of the data while protecting privacy through the
use of keyed-hash functions.
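The keyed-hash pseudonymisation the abstract describes can be illustrated on Sysmon-style events. The following is an added example written for this page, not code from the dissertation or from the Elasticsearch/Logstash/Kibana stack it uses; the set of fields treated as PII, the sample events, the hostnames, usernames and addresses are all constructed assumptions. It replaces identifying fields with HMAC-SHA256 tokens so that an analyst can still correlate the Outlook-to-Word-to-PowerShell chain per user and host (the utility side), and contrasts a keyed token with a plain unkeyed hash, which can be recovered by hashing guessable usernames (the privacy side).

```python
import copy
import hashlib
import hmac
import secrets
from collections import Counter

# Fields of a Sysmon-style event treated as personally identifiable.
# Which fields count as PII is a policy choice; this list is an assumption.
PII_FIELDS = ("User", "Computer", "SourceIp", "DestinationIp")
TOKEN_LEN = 16  # hex characters kept from the digest (64 bits), an assumption

def pseudonymise(value, key, length=TOKEN_LEN):
    """Keyed hash (HMAC-SHA256) of one field value, truncated to a hex token.

    The same (key, value) pair always yields the same token, so events can
    still be grouped per user or host. Without the key the token cannot be
    recomputed from a guessed value."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]

def plain_hash_token(value, length=TOKEN_LEN):
    """Unkeyed SHA-256 token, included only to show why a key is needed."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:length]

def anonymise_event(event, key, fields=PII_FIELDS):
    """Return a copy of the event with every PII field replaced by its pseudonym;
    all other fields (Image, ParentImage, ports, EventID) are kept for analysis."""
    out = copy.deepcopy(event)
    for field in fields:
        if out.get(field):
            out[field] = pseudonymise(out[field], key)
    return out

def anonymise_batch(events, key):
    return [anonymise_event(e, key) for e in events]

def events_per_actor(events, field="User"):
    """Utility check: events can still be counted per (pseudonymous) actor."""
    return Counter(e[field] for e in events if field in e)

def guess_from_unkeyed_hash(token, candidates):
    """A plain hash of a value from a small, guessable space (usernames follow a
    naming scheme) is recovered by hashing each candidate and comparing."""
    for c in candidates:
        if plain_hash_token(c) == token:
            return c
    return None

def guess_from_keyed_hash(token, candidates, wrong_key):
    """The same guessing procedure against a keyed token, without the real key."""
    for c in candidates:
        if pseudonymise(c, wrong_key) == token:
            return c
    return None

# Constructed sample events resembling Sysmon Event ID 1 (process creation)
# and Event ID 3 (network connection). Names, hosts and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WKS-042.corp.example", "User": "CORP\\alice",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE",
     "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"EventID": 1, "Computer": "WKS-042.corp.example", "User": "CORP\\alice",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 3, "Computer": "WKS-042.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "SourceIp": "10.0.5.42", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WKS-017.corp.example", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
]

if __name__ == "__main__":
    # The key stays with the data owner; the MSSP receives only the tokens.
    key = secrets.token_bytes(32)
    anon = anonymise_batch(SAMPLE_EVENTS, key)
    for e in anon:
        print(e)
    # Three events from one pseudonymous user on one pseudonymous host, with the
    # Outlook -> Word -> PowerShell -> outbound 443 chain intact, no names shown.
    print(events_per_actor(anon))
```

In a Logstash pipeline the equivalent step would be a filter applied before events are shipped to the MSSP's Elasticsearch, with the key held outside the pipeline configuration; the re-identification table (token to real identity) exists only on the data owner's side for incident follow-up.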