Analyzing Privacy in Enterprise Packet Trace Anonymization

Accurate network measurement through trace collection is critical for advancing network design and for maintaining secure, reliable networks. Unfortunately, the release of network traces to analysts is highly constrained by privacy concerns. Several host anonymization schemes have been proposed to address this issue. Preservation of prefix relationships among anonymized addresses is an important aspect of trace utility, but also causes a number of vulnerabilities in trace anonymization. In this work we present an efficient host fingerprint attack targeting prefix-preserving anonymized traces. The attack is general (encompassing a range of fingerprinting host de-anonymization attacks proposed by others) and flexible (it can be adapted to emerging variants of prefix-preserving anonymization). Perhaps most importantly, we develop analysis tools that allow data publishers to quantify the worst-case vulnerability of their traces given assumptions about the kind of external information that is available to the adversary. Using this analysis we quantify the trade-off between privacy and utility of alternatives to full prefix-preserving anonymization.
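To make the prefix-preserving property and its privacy cost concrete, here is an added Python example (not code from the paper): a bit-by-bit anonymizer in the style of the Crypto-PAn construction, with HMAC-SHA256 standing in for the per-prefix PRF (an assumed instantiation), and a check that the subnet structure of a constructed host sample survives anonymization. The `depth` parameter is this example's own illustration of an alternative to full prefix preservation: only the first `depth` bits keep their prefix relationships, which is the kind of privacy/utility trade-off the abstract refers to.

```python
import hashlib
import hmac
import ipaddress

# Constructed key for this example only; a real anonymizer keeps its key secret.
KEY = b"example-key-not-secret"


def _prf_bit(key: bytes, data: str) -> int:
    """One pseudo-random bit derived from `data` (HMAC-SHA256 stands in for
    the AES-based PRF of Crypto-PAn; an illustrative choice, not the paper's)."""
    return hmac.new(key, data.encode(), hashlib.sha256).digest()[0] & 1


def anonymize(addr: str, depth: int = 32, key: bytes = KEY) -> str:
    """Anonymize an IPv4 address bit by bit.
    For bit i < depth the flip bit depends only on original bits a_1..a_{i-1},
    so inputs sharing their first k < depth bits yield outputs sharing exactly
    those k bits (the prefix-preserving property).  For i >= depth the flip
    bit is derived from the whole address, destroying deeper prefix relations;
    depth=32 is full prefix preservation, smaller depth trades utility for privacy."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = []
    for i, bit in enumerate(bits):
        context = bits[:i] if i < depth else "full:" + bits
        out.append(str(int(bit) ^ _prf_bit(key, context)))
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def prefix_structure_preserved(addrs, depth: int = 32, key: bytes = KEY) -> bool:
    """True if every pairwise shared-prefix length below `depth` is unchanged by
    anonymization (and at least `depth` bits stay shared for deeper pairs).
    With depth=32 this is exactly the subnet tree that survives in a published
    trace and that a fingerprinting adversary can match against external
    knowledge of the enterprise's address layout."""
    anon = [anonymize(a, depth, key) for a in addrs]
    for i in range(len(addrs)):
        for j in range(i + 1, len(addrs)):
            k = shared_prefix_len(addrs[i], addrs[j])
            ka = shared_prefix_len(anon[i], anon[j])
            if (k < depth and ka != k) or (k >= depth and ka < depth):
                return False
    return True


# Constructed sample of enterprise hosts: two /24 subnets inside one /16, plus an outlier.
SAMPLE_HOSTS = ["10.1.1.10", "10.1.1.20", "10.1.2.10", "10.1.2.30", "10.9.0.5"]
```

Running `prefix_structure_preserved(SAMPLE_HOSTS)` shows that full prefix preservation leaks the complete subnet tree, while `depth=16` keeps only the /16 relationships and hides which hosts share a /24.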
