Making Quantitative Measurements of Privacy/Analysis Tradeoffs Inherent to Packet Trace Anonymization

Anonymization provides a mechanism for sharing data while obscuring private or sensitive values within the shared data. However, anonymization for sharing also sets up a fundamental tradeoff: the stronger the anonymization protection, the less information remains for analysis. This privacy/analysis tradeoff has been descriptively acknowledged by many researchers, but no one has yet attempted to quantify it. We apply anonymization options to network packet traces and make empirical measurements, using IDS alarms as an indicator of security analysis capability. Preliminary results show that most packet fields have unexpected, complex tradeoffs, while only two fields exhibit the classic zero-sum tradeoff.
