Results 1 - 10 of 13
The Role of Network Trace Anonymization under Attack
- COMPUTER COMMUNICATION REVIEW (CCR), 2010
Cited by 5 (1 self)
In recent years, academic literature has analyzed many attacks on
network trace anonymization techniques. These attacks usually
correlate external information with anonymized data and successfully
de-anonymize objects with distinctive signatures. However,
analyses of these attacks still underestimate the real risk of publishing
anonymized data, as the most powerful attack against anonymization
is traffic injection. We demonstrate that performing
live traffic injection attacks against anonymization on a backbone
network is not difficult, and that potential countermeasures against
these attacks, such as traffic aggregation, randomization or field
generalization, are not particularly effective. We then discuss tradeoffs
of the attacker and defender in the so-called injection attack
space. An asymmetry in the attack space significantly increases
the chance of a successful de-anonymization through lengthening
the injected traffic pattern. This leads us to re-examine the role of
network data anonymization. We recommend a unified approach
to data sharing, which uses anonymization as a part of a technical,
legal, and social approach to data protection in the research and
operations communities.
The Challenges of Effectively Anonymizing Network Data
Cited by 4 (1 self)
The availability of realistic network data plays a significant role in fostering collaboration and ensuring U.S. technical leadership in network security research. Unfortunately, a host of technical, legal, policy, and privacy issues
Forensic Corpora: A Challenge for Forensic Research
2007
Cited by 4 (0 self)
Research in the field of computer forensics is hobbled by the lack of realistic data. Academics are not developing automated techniques and tools because they lack the raw data necessary to develop and validate algorithms. Investigators that have access to real data operate under legal and practical restraints that prevent the data from being used in research. To make progress, we must “prime the pump” by collecting or creating forensic corpora that can be used by researchers. We must also pursue targeted technical developments in forensic file formats, knowledge representation, inference techniques, and the presentation of forensic results.
1 Computer Forensics and Today’s Forensic Tools
Today’s computer forensic research is largely divided according to the kind of data being analyzed, rather than the kind of analysis being performed. There is disk forensics, network forensics, RAM forensics, cell phone and small device forensics, document forensics and software forensics. Research in all of these areas is limited by the inability of experimenters to obtain large datasets that are realistic, varied, and representative of the data from the field. Because they lack data, researchers can’t pursue many of the problems faced by today’s forensic practitioners.
Today much of the work in the field of computer forensics is focused on visualizing tools, data extraction techniques, and algorithm development. But this work is generally performed on small data sets provided by the experiment. Few algorithms are validated on a wide range of data, and few tools developed by researchers work reliably in the field when they are exposed to data that is not conformant with the test sets. Even more troubling, researchers are missing algorithms and techniques that require massive amounts of information for proper operation.
This paper proposes the creation of large-scale forensic corpora that meet these requirements:
1. Representative of data encountered during the course of criminal investigations, civil litigation, and intelligence operations.
The Risk-Utility Tradeoff for IP Address Truncation
Cited by 3 (1 self)
Network operators are reluctant to share traffic data due to security and privacy concerns. Consequently, there is a lack of publicly available traces for validating and generalizing the latest results in network and security research. Anonymization is a possible solution in this context; however, it is unclear how the sanitization of data preserves characteristics important for traffic analysis. In addition, the privacy-preserving property of state-of-the-art IP address anonymization techniques has come into question by recent attacks that successfully identified a large number of hosts in anonymized traces. In this paper, we examine the tradeoff between data utility for anomaly detection and the risk of host identification for IP address truncation. Specifically, we analyze three weeks of unsampled and non-anonymized network traces from a medium-sized backbone network to assess data utility. The risk of de-anonymizing individual IP addresses is formally evaluated, using a metric based on conditional entropy. Our results indicate that truncation effectively prevents host identification but degrades the utility of data for anomaly detection. However, the degree of degradation depends on the metric used and whether network-internal or external addresses are considered. Entropy metrics are more resistant to truncation than unique counts and the detection quality of anomalies degrades much faster in internal addresses than in external addresses. In particular, the usefulness of internal address counts is lost even for truncation of only 4 bits whereas utility of external address entropy is virtually unchanged even for truncation of 20 bits.
A Privacy-Preserving Interdomain Audit Framework
- Proceedings of the Workshop On Privacy In The Electronic Society, 2006
Cited by 3 (0 self)
Recent trends in Internet computing have led to the popularization of many forms of virtual organizations. Examples include supply chain management, grid computing, and collaborative research environments like PlanetLab. Unfortunately, when it comes to the security analysis of these systems, the whole is certainly greater than the sum of its parts. That is, local intrusion detection and audit practices are insufficient for detecting distributed attacks such as coordinated network reconnaissance, stepping-stone attacks, and violations of application-level trust constraints between security domains. A distributed process that coordinates information from each member could detect these types of violations, but privacy concerns between member organizations or safety concerns about centralizing sensitive information often restrict this level of information flow. In this paper, we propose a privacy-preserving framework for distributed audit that allows member organizations to detect distributed attacks without requiring the release of excessive private information. We discuss both the architecture and mechanisms used in our approach and comment on the performance of a prototype implementation.
Flexible and High-Performance Anonymization of NetFlow Records using Anontool
Cited by 3 (1 self)
Netflow is a protocol widely adopted by the security and performance measurements community. Nowadays, many distributed applications and architectures base their functionality on Netflow data collected at diverse environments. However, communities and administrators are reluctant to share exported Netflow data for privacy reasons. As a consequence, the effectiveness of distributed approaches is limited due to lack of input data. To overcome this limitation, anonymization on Netflow data is proposed for sharing. However, the available tools are either proprietary or of very limited functionality. Towards this direction, we propose and implement anontool, which allows administrators to anonymize Netflow data in a highly customizable way. A comparison of anontool with existing solutions is provided along two dimensions: functionality and performance. Anontool can anonymize traffic even at high bandwidth rates, outperforming most of the tools and having the same performance as specialized – but very limited in functionality – approaches.
On the Utility of Anonymized Flow Traces for Anomaly Detection
- 19TH ITC SPECIALIST SEMINAR ON NETWORK USAGE AND TRAFFIC (ITC SS), 2008
Cited by 2 (0 self)
The sharing of network traces is an important prerequisite for the development and evaluation of efficient anomaly detection mechanisms. Unfortunately, privacy concerns and data protection laws prevent network operators from sharing these data. Anonymization is a promising solution in this context; however, it is unclear if the sanitization of data preserves the traffic characteristics or introduces artifacts that may falsify traffic analysis results. In this paper, we examine the utility of anonymized flow traces for anomaly detection. We quantitatively evaluate the impact of IP address anonymization, namely variations of permutation and truncation, on the detectability of large-scale anomalies. Specifically, we analyze three weeks of un-sampled and non-anonymized network traces from a medium-sized backbone network. We find that all anonymization techniques, except prefix-preserving permutation, degrade the utility of data for anomaly detection. We show that the degree of degradation depends to a large extent on the nature and mix of anomalies present in a trace. Moreover, we present a case study that illustrates how traffic characteristics of individual hosts are distorted by anonymization.
Privacy Analysis of User Association Logs in a Large-scale Wireless LAN
Cited by 1 (1 self)
User association logs play an important role in wireless network research. One concern of sharing such logs with other researchers, however, is that they pose potential privacy risks for the network users. Today, the common practice in sanitizing these logs before releasing them to the public is to anonymize users’ sensitive information, such as their devices’ MAC addresses and their exact association locations. In this work, we aim to study whether such sanitization measures are sufficient to protect user privacy. By simulating an adversary’s role, we propose a novel type of correlation attack in which the adversary uses the anonymized association log to build signatures against each user, and when combined with auxiliary information, such signatures can help to identify users within the anonymized log. Using a user association log that contains more than four thousand users and millions of association records, we demonstrate that this attack technique, under certain circumstances, is able to pinpoint the victim’s identity exactly with a probability as high as 70%, or narrow it down to a set of 20 candidates with a probability close to 100%. We further evaluate the effectiveness of standard anonymization techniques, including generalization and perturbation, in mitigating correlation attacks; our experimental results reveal only limited success of these methods, suggesting that more thorough treatment is needed when anonymizing wireless user association logs before public release.
Palantir: A Framework for Collaborative Incident Response and Investigation
Cited by 1 (0 self)
Organizations owning cyber-infrastructure assets face large scale distributed attacks on a regular basis. In the face of increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is need to develop a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities to track the adversary, eliminate the threat and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experiences in dealing with a large-scale distributed attack that took place in 2004 known as Incident 216. Based on our approach we present the Palantir system that comprises conceptual and technological capabilities to adequately respond to such attacks. To the best of our knowledge this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.
PktAnon – A Generic Framework for Profile-based Traffic Anonymization
"... Since then, he has been working as scientific ..."

