4.5 Article

Towards privacy preserving threat intelligence

Journal

Publisher

ELSEVIER SCIENCE BV
DOI: 10.1016/j.jisa.2017.11.006

Keywords

Threat intelligence; Privacy preserving; Private information retrieval; Intrusion detection

Funding

  1. Cisco Systems


As modern threats become more sophisticated, it is imperative for organizations to defend themselves with global context. Many cloud-based services provide threat intelligence pertaining to modern advanced persistent threats (APTs). Cloud services such as Google Safe Browsing, PhishTank, and Malwr offer blacklists of known malicious URLs, domains, emails, etc. Querying such services requires users to share their browsing history and files in order to learn whether their machines have been infected. One of the major concerns that remains to be addressed before users can benefit from such services is the users' privacy. In this paper, we concretely identify various privacy concerns in different threat intelligence services. We introduce the general notion of Privacy Preserving Threat Intelligence (PPTI) to address such concerns. As one of the major efforts towards addressing users' privacy concerns while querying public databases, Private Information Retrieval (PIR) techniques have been proposed. They enable a User to retrieve an element from a public database privately. Many of the traditional PIR techniques assume that the User is aware of the address of the element to be retrieved. In this paper, we identify two major advancements that are needed for PIR in designing privacy preserving threat intelligence services: (i) private retrieval of elements using keyword(s), and (ii) private retrieval of matching documents. In doing so, we introduce the relevant schemes needed and propose a generic architecture. We also identify a specific use case for privacy preserving spam intelligence and present our experimental results. Although our experimental evidence shows some limitations, we believe our work aids in formulating and advancing the technology, and we present our future direction towards addressing the limitations presented. All our source code is open sourced and publicly available. (C) 2017 Elsevier Ltd. All rights reserved.

