Abstract
In recent years, academic literature has analyzed many attacks on network trace anonymization techniques. These attacks usually correlate external information with anonymized data and successfully de-anonymize objects with distinctive signatures. However, analyses of these attacks still underestimate the real risk of publishing anonymized data, as the most powerful attack against anonymization is traffic injection. We demonstrate that performing live traffic injection attacks against anonymization on a backbone network is not difficult, and that potential countermeasures against these attacks, such as traffic aggregation, randomization or field generalization, are not particularly effective. We then discuss tradeoffs of the attacker and defender in the so-called injection attack space. An asymmetry in the attack space significantly increases the chance of a successful de-anonymization through lengthening the injected traffic pattern. This leads us to re-examine the role of network data anonymization. We recommend a unified approach to data sharing, which uses anonymization as a part of a technical, legal, and social approach to data protection in the research and operations communities.
Index Terms
- The role of network trace anonymization under attack