Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Devil and Packet Trace Anonymization

Published byAlyson Janice Holmes Modified over 6 years ago

Similar presentations

Presentation on theme: "The Devil and Packet Trace Anonymization"— Presentation transcript:

1 The Devil and Packet Trace Anonymization
Authors: Ruoming Pangy, Mark Allmanz, Vern Paxsonz, Jason Lee Princeton University, International Computer Science Institute, Lawrence Berkeley National Laboratory (LBNL) Publication: Computer Communication Review, January 2006. Presenter: Radha V. Maldhure

2 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

3 INTRODUCTION Released data Released data anonymization DATA
TO IMPROVE / TO DEVELOP RESEARCHER Released data ATTACKER TO ATTACK DATA e.g. packet traces RESEARCHER Released data anonymization ATTACKER

4 ANONYMIZATION Releasing network measurement data to research community
Publishing traces require balance between security needs of organization and research usefulness Example: “tcpdpriv” removes TCP options from traces, no physical fingerprinting, no research value Research Usefulness Research Usefulness Security Needs Security Needs

5 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

6 PROBLEM WITH CURRENT TECHNIQUES
Existing publicly released traces have problems as: No careful guidance on anonymization policy for public release No tool that adapts to particular policy Example : NLANR’s PMA packet traces

7 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

8 USE OF ANONYMIZATION Some uses of anonymization:
Your web site's performance and availability Understanding of the Internet’s structure and behavior

9 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

10 PAPER’S CONTENTS Arrives at acceptable anonymization policy
Presents a tool “tcpmkpub” that implements the suggested transformations Provides meta-data about each trace for analysis

11 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

12 METHODOLOGY Precise method for anonymization Concerns for Purpose of
transform Concerns for appearing traffic Policy decisions Anonymization tool

13 Example Specification
Specification of IP Header anonymization:

14 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

15 ANONYMIZATION POLICY Focuses on traces that include only packet headers A possible policy but not completely a correct policy It is crucial to prevent users of the trace files from determining: identities of specific hosts identities of internal hosts such that a map could be constructed of which hosts support which services security practices of the organization

16 Protocol Stack Application FTP/ Telnet/ SNMP/ DNS Layer Transport
TCP/ UDP Internet Layer IP/ ARP/ ICMP/ IGMP Network Interface Layer Ethernet/ ATM/ FR

17 CHECKSUMS Re-calculate checksums in traces for two reasons:
Reason to anonymize: Re-calculate checksums in traces for two reasons: Gives content of data even when application data removed To determine if original checksum were valid Way to anonymize: Original checksum Co, Calculated checksum Cc Replace Co by Cc Insert “1” into appropriate checksum field to mark packet as failed checksum

18 NETWORK INTERFACE LAYER: Ethernet Address
Reason to anonymize: Ethernet Addresses are distinct to individual NICs Can be used by an attacker to uncover actions of given user Way to anonymize: Three Different methods of randomizing Ethernet addresses Scrambling the entire 6 byte address Scrambling only the lower 3 bytes of address Scrambling lower 3 and upper 3 bytes independently

19 INTERNET LAYER: IP Address
Reason to anonymize: Attacker can attain accounting of user’s activities if he knows IP Address Can plan an attack using information about services running on the host Way to anonymize: Remap addresses differently based on type of addresses Multicast addresses preserved in anonymized trace

20 TRANSPORT LAYER: TCP/UDP
Reason to anonymize: Not given Way to anonymize: Preserves port number and sequence number but not the timestamp They transform timestamps into separate monotonically increasing counters Research use: uniqueness and transmission order of segments

21 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

22 INFORMATION LOSS The effectiveness in preserving information is checked by analyzing original and anonymized traces Two tools for analysis: “tcpsum” and “pOF” tcpsum : Used to find number of packets and bytes sent in each direction Crunches each Tcp connection in trace Except for IP addresses, crunching original and transformed traces matched No value lost in transformation pOF : Did not get what they tried to explain!

23 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

24 VALIDATION Need to validate information intended to mask was indeed transformed or left out of anonymized trace Two ad hoc validations: Inspected the log created by “tcpmkpub” Flags all unexpected aspects of a packet trace Used “ipsumdump” to dump Tcp options Picked timestamps, sorted and verified Timestamp re-numbering appears accurate

25 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

26 CONTRIBUTIONS Enumerated and explored devil-ish details in preparing packet traces A framework for implementing anonymization policy and developed “tcpmkpub” Sets framework for future work of packet trace anonymization

27 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

28 WEAKNESSES No timing information for analyzing TCP dynamics
Preserving port number may lead to identification of a particular machine No performance analysis

29 AGENDA ANONYMIZATION PROBLEM WITH CURRENT TECHNIQUES
USE OF ANONYMIZATION PAPER’S CONTENTS METHODOLOGY ANONYMIZATION POLICY INFORMATION LOSS VALIDATION CONCLUSION CONTRIBUTIONS WEAKNESSES SUGGESTIONS

30 SUGGESTIONS Needs to deal with different protocols at each layer of protocol stack Should present performance analysis that indicates tool’s efficiency in terms of maintaining security needs preserving research values

31 QUESTIONS?????????????????

Download ppt "The Devil and Packet Trace Anonymization"

Similar presentations

Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Lecture 7 Transport Layer

Lecture 7 Transport Layer
BZUPAGES.COM 1 User Datagram Protocol - UDP RFC 768, Protocol 17 Provides unreliable, connectionless on top of IP Minimal overhead, high performance –No.

BZUPAGES.COM 1 User Datagram Protocol - UDP RFC 768, Protocol 17 Provides unreliable, connectionless on top of IP Minimal overhead, high performance –No.
CCNA 1 v3.1 Module 11 Review.

CCNA 1 v3.1 Module 11 Review.
CSCI 4550/8556 Computer Networks Comer, Chapter 21: IP Encapsulation, Fragmentation, and Reassembly.

CSCI 4550/8556 Computer Networks Comer, Chapter 21: IP Encapsulation, Fragmentation, and Reassembly.
Internet Networking Spring 2003

Internet Networking Spring 2003
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
Chapter Overview TCP/IP Protocols IP Addressing.

Chapter Overview TCP/IP Protocols IP Addressing.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Module 10. Internet Protocol (IP) is the routed protocol of the Internet. IP addressing enables packets to be routed from source to destination using.

Module 10. Internet Protocol (IP) is the routed protocol of the Internet. IP addressing enables packets to be routed from source to destination using.
Lecture 2 TCP/IP Protocol Suite Reference: TCP/IP Protocol Suite, 4 th Edition (chapter 2) 1.

Lecture 2 TCP/IP Protocol Suite Reference: TCP/IP Protocol Suite, 4 th Edition (chapter 2) 1.
What is a Protocol A set of definitions and rules defining the method by which data is transferred between two or more entities or systems. The key elements.

What is a Protocol A set of definitions and rules defining the method by which data is transferred between two or more entities or systems. The key elements.
What is FORENSICS? Why do we need Network Forensics?

What is FORENSICS? Why do we need Network Forensics?
TCP/IP Yang Wang 103301 Professor: M.ANVARI.

TCP/IP Yang Wang Professor: M.ANVARI.
1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.

1 7-Oct-15 OSI transport layer CCNA Exploration Semester 1 Chapter 4.
10/8/2015CST 415 - Computer Networks1 IP Routing CST 415.

10/8/2015CST Computer Networks1 IP Routing CST 415.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

Similar presentations

Ads by Google