the devil and packet trace anonymization

The Devil and Packet Trace Anonymization. Authors: Ruoming Pang, Mark Allman, Vern Paxson, Jason Lee. Princeton University, International Computer Science Institute, Lawrence Berkeley National Laboratory (LBNL). Publication: Computer Communication Review, January 2006. Presenter: Radha V. Maldhure

Page 1: The Devil and Packet Trace Anonymization

The Devil and Packet Trace Anonymization

Authors: Ruoming Pang, Mark Allman, Vern Paxson, Jason Lee

Princeton University, International Computer Science Institute, Lawrence Berkeley National Laboratory (LBNL)

Publication: Computer Communication Review, January 2006.

Presenter: Radha V. Maldhure

Page 2: The Devil and Packet Trace Anonymization

AGENDA

• ANONYMIZATION

• PROBLEM WITH CURRENT TECHNIQUES

• USE OF ANONYMIZATION

• PAPER’S CONTENTS

• METHODOLOGY

• ANONYMIZATION POLICY

• INFORMATION LOSS

• VALIDATION

• CONCLUSION

• CONTRIBUTIONS

• WEAKNESSES

• SUGGESTIONS

Page 3: The Devil and Packet Trace Anonymization

INTRODUCTION

[Diagram: DATA (e.g. packet traces) passes through anonymization to become released data. The RESEARCHER uses released data TO IMPROVE / TO DEVELOP; the ATTACKER uses released data TO ATTACK.]

Page 4: The Devil and Packet Trace Anonymization

ANONYMIZATION

o Releasing network measurement data to the research community

o Publishing traces requires a balance between the security needs of the organization and research usefulness

o Example: “tcpdpriv” removes TCP options from traces: no physical fingerprinting, but no research value either

[Diagram: balance between Research Usefulness and Security Needs]

Page 6: The Devil and Packet Trace Anonymization

PROBLEM WITH CURRENT TECHNIQUES

Existing publicly released traces have problems such as:

• No careful guidance on anonymization policy for public release

• No tool that adapts to a particular policy

• Example: NLANR’s PMA packet traces

Page 8: The Devil and Packet Trace Anonymization

USE OF ANONYMIZATION

Some uses of anonymization:

• Your web site's performance and availability

• Understanding of the Internet’s structure and behavior

Page 10: The Devil and Packet Trace Anonymization

PAPER’S CONTENTS

o Arrives at acceptable anonymization policy

o Presents a tool “tcpmkpub” that implements the suggested transformations

o Provides meta-data about each trace for analysis

Page 12: The Devil and Packet Trace Anonymization

METHODOLOGY

• Precise method for anonymization

• Purpose of transform

• Concerns for appearing traffic

• Policy decisions

• Anonymization tool

Page 13: The Devil and Packet Trace Anonymization

Example Specification

Specification of IP Header anonymization:

Page 15: The Devil and Packet Trace Anonymization

ANONYMIZATION POLICY

• Focuses on traces that include only packet headers

• Presents a possible policy, but not a completely correct policy

• It is crucial to prevent users of the trace files from determining:

  o identities of specific hosts

  o identities of internal hosts such that a map could be constructed of which hosts support which services

  o security practices of the organization

Page 16: The Devil and Packet Trace Anonymization

Protocol Stack

• Application Layer: FTP / Telnet / SNMP / DNS

• Transport Layer: TCP / UDP

• Internet Layer: IP / ARP / ICMP / IGMP

• Network Interface Layer: Ethernet / ATM / FR

Page 17: The Devil and Packet Trace Anonymization

CHECKSUMS

Reason to anonymize:

Checksums in traces are re-calculated for two reasons:

• The original checksum gives away information about the data content even when application data is removed

• To determine whether the original checksum was valid

Way to anonymize:

• Original checksum Co, calculated checksum Cc

• Replace Co by Cc

• Insert “1” into the appropriate checksum field to mark the packet as having failed its checksum
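An added example, not taken from the slides or from tcpmkpub, of the checksum handling described above for a 20-byte IPv4 header. It assumes the slide means: if Co verified, write the checksum recalculated over the anonymized header, otherwise write 1. The function names, the sample header and the fallback to 2 when 1 would itself be the correct value are choices of this example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: folded one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_checksum(hdr: bytes) -> int:
    """Checksum of a 20-byte IPv4 header with its checksum field zeroed."""
    return inet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])

def checksum_verifies(hdr: bytes) -> bool:
    """True when the stored checksum equals the calculated one."""
    return int.from_bytes(hdr[10:12], "big") == header_checksum(hdr)

def anonymize_header(hdr: bytes, new_src: bytes, new_dst: bytes) -> bytes:
    """Rewrite the addresses and set the checksum field as the slide describes."""
    was_valid = checksum_verifies(hdr)          # Co compared with the calculated value
    out = bytearray(hdr)
    out[12:16], out[16:20] = new_src, new_dst   # remapped addresses chosen by the caller
    correct = header_checksum(bytes(out))       # checksum of the anonymized header
    if was_valid:
        field = correct                         # a valid packet stays valid
    else:
        # Slide: insert "1" to mark a failed checksum. Assumption of this example:
        # if 1 happens to be the correct value, write 2 so the field still fails.
        field = 1 if correct != 1 else 2
    out[10:12] = field.to_bytes(2, "big")
    return bytes(out)

def sample_header() -> bytes:
    """Constructed IPv4 header (documentation addresses) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return hdr[:10] + header_checksum(hdr).to_bytes(2, "big") + hdr[12:]
```

A user of the released trace can call `checksum_verifies` on each header to learn whether the original packet passed its checksum, without ever seeing the original checksum value.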

Page 18: The Devil and Packet Trace Anonymization

NETWORK INTERFACE LAYER: Ethernet Address

Reason to anonymize:

• Ethernet addresses are distinct to individual NICs

• Can be used by an attacker to uncover the actions of a given user

Way to anonymize:

Three different methods of randomizing Ethernet addresses:

• Scrambling the entire 6-byte address

• Scrambling only the lower 3 bytes of the address

• Scrambling the lower 3 and upper 3 bytes independently
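An added example, not from the slides or from tcpmkpub, that puts the three scrambling methods side by side so the difference in what each preserves is visible. The keyed Feistel permutation built on HMAC-SHA256 is this example's assumption for "scrambling" (the slide does not say how it is done), and the key and addresses are constructed.

```python
import hashlib
import hmac

def feistel(value: int, bits: int, key: bytes, rounds: int = 4) -> int:
    """Keyed permutation over `bits`-bit integers (balanced Feistel network)."""
    half = bits // 2
    mask = (1 << half) - 1
    left, right = value >> half, value & mask
    for r in range(rounds):
        msg = bytes([r]) + right.to_bytes(3, "big")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        left, right = right, left ^ (int.from_bytes(digest[:3], "big") & mask)
    return (left << half) | right

def permute(chunk: bytes, key: bytes) -> bytes:
    """Apply the keyed permutation to a byte string of even bit length."""
    n = len(chunk)
    return feistel(int.from_bytes(chunk, "big"), n * 8, key).to_bytes(n, "big")

def scramble_entire(mac: bytes, key: bytes) -> bytes:
    """Method 1: scramble all 6 bytes; vendor grouping is lost."""
    return permute(mac, key)

def scramble_lower(mac: bytes, key: bytes) -> bytes:
    """Method 2: keep the upper 3 bytes (vendor prefix), scramble the lower 3."""
    return mac[:3] + permute(mac[3:], key)

def scramble_halves(mac: bytes, key: bytes) -> bytes:
    """Method 3: scramble upper and lower 3 bytes independently (separate subkeys)."""
    return permute(mac[:3], key + b"|upper") + permute(mac[3:], key + b"|lower")

def parse(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

KEY = b"constructed-demo-key"          # constructed; a real key stays secret
NIC_A = parse("00:1b:21:aa:bb:01")     # constructed addresses
NIC_B = parse("00:1b:21:aa:bb:02")     # same upper 3 bytes as NIC_A
NIC_C = parse("3c:22:fb:10:20:30")     # different upper 3 bytes
```

Because each mapping is a permutation, two distinct NICs never collide in the anonymized trace. Method 2 leaves the real vendor prefix readable, while method 3 only reveals that two NICs share a prefix.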

Page 19: The Devil and Packet Trace Anonymization

INTERNET LAYER: IP Address

Reason to anonymize:

• An attacker who knows the IP address can obtain an accounting of the user’s activities

• An attacker can plan an attack using information about services running on the host

Way to anonymize:

• Remap addresses differently based on the type of address

• Multicast addresses are preserved in the anonymized trace

Page 20: The Devil and Packet Trace Anonymization

TRANSPORT LAYER: TCP/UDP

Reason to anonymize: Not given

Way to anonymize:

Preserves port number and sequence number but not the timestamp

They transform timestamps into separate monotonically increasing counters

Research use: uniqueness and transmission order of segments

Page 22: The Devil and Packet Trace Anonymization

INFORMATION LOSS

The effectiveness in preserving information is checked by analyzing the original and anonymized traces

Two tools for analysis: “tcpsum” and “p0f”

tcpsum:

• Used to find the number of packets and bytes sent in each direction

• Crunches each TCP connection in the trace

• Except for IP addresses, the results of crunching the original and transformed traces matched

• No value lost in transformation

p0f: Did not get what they tried to explain!

Page 24: The Devil and Packet Trace Anonymization

VALIDATION

Need to validate that the information intended to be masked was indeed transformed or left out of the anonymized trace

Two ad hoc validations:

• Inspected the log created by “tcpmkpub”

  o Flags all unexpected aspects of a packet trace

• Used “ipsumdump” to dump TCP options

  o Picked timestamps, sorted and verified

  o Timestamp re-numbering appears accurate
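An added example, not from the slides or from tcpmkpub, covering both the TRANSPORT LAYER slide (timestamps become monotonically increasing counters) and the sort-and-verify check above. It assumes one counter per sending host, ignores 32-bit timestamp wraparound, and uses constructed segments in the form (src, dst, TSval, TSecr).

```python
from collections import defaultdict

def renumber_timestamps(segments):
    """Replace TCP timestamp values with per-host counters that keep their order."""
    seen = defaultdict(set)
    for src, dst, tsval, tsecr in segments:
        seen[src].add(tsval)
        if tsecr:                       # TSecr echoes a TSval sent by the peer
            seen[dst].add(tsecr)
    rank = {host: {v: i + 1 for i, v in enumerate(sorted(vals))}
            for host, vals in seen.items()}
    return [(s, d, rank[s][v], rank[d][e] if e else 0) for s, d, v, e in segments]

def order_preserved(original, anonymized):
    """Sort each host's timestamps and check that order and equality survived."""
    per_host = defaultdict(list)
    for (src, _, v, _), (_, _, a, _) in zip(original, anonymized):
        per_host[src].append((v, a))
    for pairs in per_host.values():
        pairs.sort()
        for (v1, a1), (v2, a2) in zip(pairs, pairs[1:]):
            if (v1 == v2) != (a1 == a2) or a1 > a2:
                return False
    return True

A, B = "10.0.0.1", "10.0.0.2"           # constructed, already-anonymized addresses
SAMPLE = [                               # constructed segments
    (A, B, 884213100, 0),                # SYN: nothing to echo yet
    (B, A, 51200400, 884213100),
    (A, B, 884213102, 51200400),
    (A, B, 884213102, 51200400),         # same clock tick as the previous segment
    (B, A, 51200425, 884213102),
    (A, B, 884213150, 51200425),
]
```

The counters keep what the slide lists as the research use (uniqueness and transmission order of segments) while dropping the absolute values and tick spacing of each host's clock.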

Page 26: The Devil and Packet Trace Anonymization

CONTRIBUTIONS

Enumerated and explored devil-ish details in preparing packet traces

Provided a framework for implementing an anonymization policy and developed “tcpmkpub”

Sets framework for future work of packet trace anonymization

Page 28: The Devil and Packet Trace Anonymization

WEAKNESSES

No timing information for analyzing TCP dynamics

Preserving port number may lead to identification of a particular machine

No performance analysis

Page 30: The Devil and Packet Trace Anonymization

SUGGESTIONS

Needs to deal with different protocols at each layer of protocol stack

Should present a performance analysis that indicates the tool’s efficiency in terms of:

• maintaining security needs

• preserving research values

Page 31: The Devil and Packet Trace Anonymization

QUESTIONS?