
Proteus: A Practical Framework for Privacy-Preserving Device Logs

Sanket Goutam, Hunter Kippen, Mike Grace, Amir Rahmati

TL;DR

The paper presents Proteus, a privacy-preserving device logging framework that enables forensic analysis without disclosing plaintext PII or compromising fidelity, even when facing adversaries with access to multiple snapshots of the log files.

Abstract

Device logs are essential for forensic investigations, enterprise monitoring, and fraud detection; however, they often leak personally identifiable information (PII) when exported for third-party analysis. Existing approaches either fail to minimize PII exposure across all stages of log collection and analysis or sacrifice data fidelity, resulting in less effective analysis. We present Proteus, a privacy-preserving device logging framework that enables forensic analysis without disclosing plaintext PII or compromising fidelity, even when facing adversaries with access to multiple snapshots of the log files. To achieve this, Proteus proposes a two-layer scheme that employs keyed-hash pseudonymization of PII fields and time-rotating encryption with ratcheted ephemeral keys to prevent multi-snapshot correlation. For controlled sharing, clients export ratchet states that grant time-bounded access, permitting decryption of pseudonymized tokens that enable linkage and timeline reconstruction without exposing the underlying PII. Subsequent ratchet rotations ensure forward secrecy, while DICE-based attestation authenticates device provenance. We implement Proteus as a transparent extension to Android's logcat and evaluate it across three generations of hardware. Our results demonstrate a median latency of 0.2 ms per message and an average per-PII-field size overhead of only 97.1 bytes.
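As an added illustration of the two-layer scheme the abstract describes (this is example code, not the Proteus implementation), the following Python models keyed-hash pseudonymization of a PII field, a one-way epoch ratchet with per-epoch keys, and encryption of the pseudonym token under the current epoch key. The choice of HMAC-SHA256 for the hash and ratchet, the toy HMAC-based cipher, and sharing per-epoch keys rather than the ratchet state itself are assumptions of this example.

```python
import hmac
import hashlib
import secrets
def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# Layer 1: keyed-hash pseudonymization. Equal field+value pairs give equal tokens,
# so records stay linkable without revealing the plaintext PII.
def pseudonymize(pii_key: bytes, field: str, value: str) -> bytes:
    return _prf(pii_key, f"{field}:{value}".encode())[:16]

# Layer 2: one-way ratchet. Later states cannot be walked back to earlier ones,
# so a leaked current state does not unlock records from earlier epochs.
def ratchet(state: bytes) -> bytes:
    return _prf(state, b"proteus-demo/ratchet")

# The per-epoch encryption key is derived from the state, so sharing a key for one
# epoch does not hand over the ratchet state itself (this example's assumption).
def epoch_key(state: bytes) -> bytes:
    return _prf(state, b"proteus-demo/key")

# Toy encrypt-then-MAC (HMAC keystream, HMAC tag) so this runs with the standard
# library only; a deployment would use a real AEAD such as AES-GCM.
def encrypt_token(key: bytes, token: bytes) -> bytes:
    assert len(token) <= 32  # keystream is a single HMAC output in this toy
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(token, _prf(key, nonce)))
    return nonce + ct + _prf(key, nonce + ct)[:16]

def decrypt_token(key: bytes, blob: bytes):
    """Returns the pseudonym token, or None if the key is wrong or the record was altered."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, _prf(key, nonce + ct)[:16]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _prf(key, nonce)))

def demo() -> dict:
    """Constructed scenario: one e-mail logged in three epochs; only epochs 1-2 are shared."""
    pii_key, s0 = secrets.token_bytes(32), secrets.token_bytes(32)
    states = [s0, ratchet(s0), ratchet(ratchet(s0))]
    token = pseudonymize(pii_key, "email", "alice@example.com")
    log = [encrypt_token(epoch_key(s), token) for s in states]
    shared = {i: epoch_key(states[i]) for i in (1, 2)}  # time-bounded access for the analyst
    seen = [decrypt_token(shared[i], log[i]) for i in (1, 2)]
    return {
        "ciphertexts_distinct": len(set(log)) == 3,          # no cross-snapshot correlation
        "linked_after_share": seen[0] == seen[1] == token,   # linkage restored for the analyst
        "epoch0_blocked": decrypt_token(shared[1], log[0]) is None,  # outside the shared window
    }
```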

Paper Structure

This paper contains 20 sections, 5 figures, 2 tables, 5 algorithms.

Figures (5)

  • Figure 1: Simple pseudonymization preserves linkage but exposes correlation patterns to multi-snapshot adversaries. Proteus's two-layer protection scheme protects against unauthorized correlation while enabling controlled, user-authorized decryption for forensic analysis.
  • Figure 2: Proteus is designed as a client-server system geared towards forensic data logging and collection, introducing an in-situ framework for sensitive data protection.
  • Figure 3: PII analysis and storage overhead measurements using the end-to-end Proteus prototype.
  • Figure 4: Latency budget observed by Proteus client and server for each component during bulk processing of logs.
  • Figure 5: Comprehensive on-device performance evaluation of Proteus client.