SigML: Supervised Log Anomaly with Fully Homomorphic Encryption

Abstract

Security (and Audit) log collection and storage is a crucial process for enterprises around the globe. Log analysis helps identify potential security breaches and, in some cases, is required by law for compliance. However, enterprises often delegate these responsibilities to a third-party cloud service provider, where the logs are collected and processed for anomaly detection and stored in a cold data warehouse for archiving. Prevalent schemes rely on plain (unencrypted) data for log anomaly detection. More often, these logs can reveal much sensitive information about an organization or the customers of that organization. Hence it is in the best interest of everyone to keep it encrypted at all times. This paper proposes “SigML” utilizing Fully Homomorphic Encryption (FHE) with the Cheon-Kim-Kim-Song (CKKS) scheme for supervised log anomaly detection on encrypted data. We formulate a binary classification problem and propose a novel “Aggregate” configuration using the Sigmoid function for resource-strained (wireless sensors or IoT) devices to reduce communication and computation requirements by a factor of n, where n is the number of ciphertexts received by the clients. We further approximate the Sigmoid activation function ( $$\sigma (x)$$ ) with first, third, and fifth-order polynomials in the encrypted domain and evaluate the supervised models with NSL-KDD and HDFS datasets in terms of performance metrics and computation time.