Presentation is loading. Please wait.

Presentation is loading. Please wait.

Balancing Risk and Utility in Flow Trace Anonymization

Published byRenate Lange Modified over 5 years ago

Similar presentations

Presentation on theme: "Balancing Risk and Utility in Flow Trace Anonymization"— Presentation transcript:

1 Balancing Risk and Utility in Flow Trace Anonymization
Martin Burkhart, ETH Zurich Joint work with Daniela Brauckhoff, Elisa Boschi, Martin May

2 Motivation Sharing of traffic measurements is crucial
Only a limited set of sources available Reproducibility of results Dynamics / variability of traffic Get the big picture (e.g. Internet Storm Center) Keep up with globalized attacks (e.g. botnets) More and more traces are collected but not shared Data protection legislation Security concerns Competitive advantage

3 State-Of-The-Art: Anonymization
Black Marking Truncation E.g. last bits of IP addresses Permutation Random (Partial) Prefix-preserving IP address permutation Enumeration E.g. Timestamps: keep the logical order of events Categorization Randomization (data mining community) K-Anonymity (data mining community)

4 The Tradeoff in Anonymization
It‘s a trade-off RU-Maps t: Anony. Strength X-Axis: Utility(t) Y-Axis: Risk(t) Not quantitatively studied, lack of metrics Strongly dependent on the application / attacker model Risk(t) Algorithm X X t=0.1 X t=0.2 X t=0.4 X Prefix Pres. X Random Perm. X t=0.7 Sweet Spot Utility(t)

5 A Case Study: IP Address Truncation
Techniques that permute IP addresses 1:1 are reversible Characteristic object sizes/frequencies, behavioral profiling, fingerprint active ports, exploit prefix structure Apply IP address truncation and evaluate the risk and utility dimensions Lower risk: Hosts are aggregated to subnets Lower utility: Resolution of entities is reduced Quantifying the tradeoff: How bad is it in numbers? IP address 8 bits trunc. 16 bits trunc.

6 Internal vs. External Prefixes
Factor 3 Factor 53 x = 8 Asymmetry in prefixes external Internal (AS 559) Is this reflected in Risk reduction? Utility reduction? Unique Count (log) Prefix length (32-x)

7 Measuring Utility of Truncated Data
Specific application: anomaly detection Compare detection quality of scans and (D)DoS attacks in original and truncated data Two IP-based metrics Unique address count Address entropy 3 weeks of NetFlow data ~ 43 billion flows SWITCH network

8 Measuring Detection Quality
Ground truth: Manual identification of scans/(D)DoS attacks Run a Kalman filter on metric timeseries Utility measured by AUC (area under the ROC curve) Vary threshold

9 Utility of Truncated Data
Internal metrics degrade faster than external metrics Counts degrade faster than Entropy

10 Approximating Risk of Host Identification
In general: Truncation of x bits leads to 2^(32-x) prefixes with 2^x addresses per prefix But: only a fraction (A) of potential addresses is usually active Hence, On average A*2^x addresses per prefix 1, 2, 3, , 11, 12, ... 240, 241, , 255 e.g. A = 10%

11 Risk of Truncated Data (total: 2.2 million) (total: 4.3 billion) Risk for external addresses is higher due to sparcity! Constant offset:

12 The Risk-Utility Tradeoff
No truncation 4 bits 8 bits 12 bits 16 bits best tradeoff Metric x Utility Risk internal entropy 8 0.94 0.035 12 0.87 0.002 external entropy 16 0.97 0.02

13 Conclusion We made a quantitative evaluation of the risk-utility tradeoff in anonymization Entropy is much more resistant to truncation than unique counts Risk and utility degrade faster for internal addresses For detection of scans and (D)DoS attacks, it is possible to get a good tradeoff with high utility and low risk

14 Thank You for the Attention

Download ppt "Balancing Risk and Utility in Flow Trace Anonymization"

Similar presentations

Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.

Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
FLAME: A Flow-level Anomaly Modeling Engine

FLAME: A Flow-level Anomaly Modeling Engine
MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA
Robust Network Compressive Sensing Lili Qiu UT Austin NSF Workshop Nov. 12, 2014.

Robust Network Compressive Sensing Lili Qiu UT Austin NSF Workshop Nov. 12, 2014.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
1 Internet Networking Spring 2004 Tutorial 1 Subnetting and CIDR Proxy ARP.

1 Internet Networking Spring 2004 Tutorial 1 Subnetting and CIDR Proxy ARP.
Outsourcing Security Analysis with Anonymized Logs Jianqing Zhang, Nikita Borisov, William Yurcik 2 nd International Workshop on the Value of Security.

Outsourcing Security Analysis with Anonymized Logs Jianqing Zhang, Nikita Borisov, William Yurcik 2 nd International Workshop on the Value of Security.
Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.

Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.
National Center for Supercomputing Applications Adam Slagell, Jun Wang and William Yurcik, National Center for Supercomputing Applications (NCSA) University.

National Center for Supercomputing Applications Adam Slagell, Jun Wang and William Yurcik, National Center for Supercomputing Applications (NCSA) University.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.

A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.
0 Mining call data to increase the robustness of cellular networks to DoS attacks Hui Zang and Jean Bolot Sprint

0 Mining call data to increase the robustness of cellular networks to DoS attacks Hui Zang and Jean Bolot Sprint
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.
Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.

Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.
Connect communicate collaborate Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina.

Connect communicate collaborate Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina.
Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.

Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.
APPLYING EPSILON-DIFFERENTIAL PRIVATE QUERY LOG RELEASING SCHEME TO DOCUMENT RETRIEVAL Sicong Zhang, Hui Yang, Lisa Singh Georgetown University August.

APPLYING EPSILON-DIFFERENTIAL PRIVATE QUERY LOG RELEASING SCHEME TO DOCUMENT RETRIEVAL Sicong Zhang, Hui Yang, Lisa Singh Georgetown University August.

Similar presentations

Ads by Google