Toward Trusted Sharing of Network Packet Traces Using Anonymization: Single-Field Privacy/Analysis Tradeoffs

Network data needs to be shared for distributed security analysis. Anonymizing network data for sharing sets up a fundamental tradeoff between privacy protection and security analysis capability. This privacy/analysis tradeoff has been acknowledged by many researchers, but this is the first paper to provide empirical measurements that characterize it for an enterprise dataset. Specifically, we apply anonymization options to single fields within network packet traces and then take measurements using intrusion detection system alarms as a proxy for security analysis capability. Our results show: (1) two fields have a zero-sum tradeoff (more privacy lessens security analysis and vice versa) and (2) eight fields have a more complex tradeoff (that is not zero-sum) in which privacy and analysis can be accomplished simultaneously.
