C-SOC developed a set of privacy-preserving tools to enable the secure sharing and analysis of cybersecurity intelligence without exposing sensitive operational data. These tools allow organizations to collaborate on threat detection and research while protecting internal telemetry, infrastructure details, and potentially sensitive identifiers. By applying techniques such as private set intersection, secret sharing, k-anonymity, and differential privacy, the platform ensures that only the necessary insights are revealed while the underlying data remains protected. This approach strengthens collaboration between security teams and supports the responsible use of cybersecurity data for analysis, reporting, and defense improvement.

K-Anonymous Threat Intelligence Sharing

Security researchers hesitate to share honeypot attack data because raw IP addresses raise privacy concerns, regulatory compliance issues, and potential ethical questions about exposing attacker identities. Our k-anonymity solution addresses this by transforming individual attacker IPs into privacy-preserving subnet aggregates. By grouping IP addresses into the smallest subnets that contain at least k distinct attackers, organizations can share meaningful attack intelligence — revealing geographic and network-level threat patterns — while mathematically guaranteeing that no individual attacker can be singled out. Lightweight, auditable, and requiring no external libraries, it turns sensitive honeypot logs into shareable, privacy-compliant threat intelligence.

Differential Privacy Attack Query System

Honeypot operators face a critical dilemma: analyzing attack patterns requires querying daily statistics, but returning exact counts exposes individual attacker behavior. An adversary who knows they launched 500 attacks on a specific date can use precise totals to confirm their presence in the dataset, creating both privacy and legal concerns. This differential privacy implementation solves the problem through mathematical noise injection. The system automatically calculates how much any single IP address could influence the daily count, then adds proportional random noise drawn from a Laplace distribution. The result: security teams get actionable intelligence about attack volumes and temporal trends, while the mathematics guarantees that individual attackers remain hidden in the statistical uncertainty. With adjustable privacy budgets and a real-time web interface, the tool demonstrates how modern privacy techniques can make honeypot data queryable without compromising anonymity — no complex infrastructure required, just provable privacy guarantees backed by rigorous theory.

PSI

Organizations often hesitate to share raw threat data because doing so exposes sensitive telemetry, customer information, and internal detection signals. Our PSI-based solution solves this problem by enabling two parties to securely compute the intersection of their attacker IP lists — revealing only the IPs they both observed — while keeping the rest of each organization’s data confidential. Fast, auditable, and deployable on-premise or in the cloud, it turns guarded intelligence into actionable collaboration.

Shamir Secret Sharing (SSS)

Sensitive cyber threat data is often too valuable and too risky to store in a single location. Our software addresses this by applying Shamir’s Secret Sharing, a proven cryptographic technique, to the storage of attacker IP addresses. Instead of keeping the entire dataset on one server, the IP information is split into multiple cryptographic “shares” distributed across at least two servers. No single server contains usable data; only when the threshold of shares is brought together can the original IP set be reconstructed.

This architecture provides:

• Privacy by design: IP data cannot be exposed by breaching a single system.
• Resilience: Protects against tampering, or insider misuse.
• Compliance support: Aligns with strict data governance, GDPR, and auditability needs.
• Flexible deployment: Works in on-premise, hybrid, or cloud environments.
• Integration-ready: Easily combined with PSI or other threat intelligence sharing tools.

By using our system, organizations can confidently store and protect attacker IP intelligence while maintaining operational security and compliance.