A Model for Secure and Mutually Beneficial Software Vulnerability Sharing

In this work we propose a model for conducting efficient and mutually beneficial information sharing between two competing entities, focusing specifically on software vulnerability sharing. We extend the two-stage game-theoretic model proposed by Khouzani et al. [18] for bug sharing, addressing two key features: we allow security information to be associated with different categories and severities, but also remove a large proportion of player homogeneity assumptions the previous work makes. We then analyse how these added degrees of realism affect the trading dynamics of the game. Secondly, we develop a new private set operation (PSO) protocol that enables the removal of the trusted mediation requirement. The PSO functionality allows for bilateral trading between the two entities up to a mutually agreed threshold on the value of information shared, keeping all other input information secret. The protocol scales linearly with set sizes and we give an implementation that establishes the practicality of the design for varying input parameters. The resulting model and protocol provide a framework for practical and secure information sharing between competing entities.

[1]  Vijay S. Mookerjee,et al.  Knowledge sharing and investment decisions in information security , 2011, Decis. Support Syst..

[2]  Katherine Lai The Knapsack Problem and Fully Polynomial Time Approximation Schemes (FPTAS) , 2006 .

[3]  Huseyin Cavusoglu,et al.  The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers , 2004, Int. J. Electron. Commer..

[4]  Levente Buttyán,et al.  A Survey of Interdependent Information Security Games , 2014, ACM Comput. Surv..

[5]  Hal R. Varian,et al.  Information rules - a strategic guide to the network economy , 1999 .

[6]  Dan Boneh,et al.  Location Privacy via Private Proximity Testing , 2011, NDSS.

[7]  Nicolas Christin,et al.  Uncertainty in Interdependent Security Games , 2010, GameSec.

[8]  Henk Norde,et al.  Information Sharing Games , 2000 .

[9]  Nicolas Christin,et al.  Secure or insure?: a game-theoretic analysis of information security games , 2008, WWW.

[10]  Vitaly Shmatikov,et al.  Privacy-Preserving Graph Algorithms in the Semi-honest Model , 2005, ASIACRYPT.

[11]  Rolf Egert,et al.  Privately Computing Set-Union and Set-Intersection Cardinality via Bloom Filters , 2015, ACISP.

[13]  Ratna Dutta,et al.  Secure and Efficient Private Set Intersection Cardinality Using Bloom Filter , 2015, ISC.

[14]  T. C. Ting,et al.  Information sharing and security in dynamic coalitions , 2002, SACMAT '02.

[15]  Sanjay Goel,et al.  Estimating the market impact of security breach announcements on firm values , 2009, Inf. Manag..

[16]  Carlos Cid,et al.  Computing Private Set Operations with Linear Complexities , 2016, IACR Cryptol. ePrint Arch..

[17]  H. Kunreuther,et al.  Interdependent Security , 2003 .

[18]  Changyu Dong,et al.  When private set intersection meets big data: an efficient and scalable protocol , 2013, CCS.

[19]  M. Jackson,et al.  Games on Networks , 2014 .

[20]  Lawrence A. Gordon,et al.  Sharing Information on Computer Systems Security: An Economic Analysis , 2003 .

[21]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[22]  Keith B. Frikken Privacy-Preserving Set Union , 2007, ACNS.

[23]  Carlos Cid,et al.  Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments , 2014, GameSec.

[24]  Florian Kerschbaum,et al.  Outsourced private set intersection using homomorphic encryption , 2012, ASIACCS '12.

[25]  Rainer Böhme,et al.  Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls , 2015, WISCS@CCS.

[26]  Claudio Orlandi,et al.  The Simplest Protocol for Oblivious Transfer , 2015, IACR Cryptol. ePrint Arch..

[27]  Benny Pinkas,et al.  Faster Private Set Intersection Based on OT Extension , 2014, USENIX Security Symposium.

[28]  Rafail Ostrovsky,et al.  Privacy preserving protocol for detecting genetic relatives using rare variants , 2014, Bioinform..

[29]  Emiliano De Cristofaro,et al.  Practical Private Set Intersection Protocols with Linear Complexity , 2010, Financial Cryptography.

[30]  Dawn Xiaodong Song,et al.  Privacy-Preserving Set Operations , 2005, CRYPTO.

[31]  K. Hausken Information sharing among firms and cyber attacks , 2007 .