Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Devil and Packet Trace Anonymization Authors: Ruoming Pang, Mark Allman, Vern Paxson and Jason Lee Published: ACM SIGCOMM Computer Communication Review,

Published byChester Stephens Modified over 9 years ago

Similar presentations

Presentation on theme: "The Devil and Packet Trace Anonymization Authors: Ruoming Pang, Mark Allman, Vern Paxson and Jason Lee Published: ACM SIGCOMM Computer Communication Review,"— Presentation transcript:

1 The Devil and Packet Trace Anonymization Authors: Ruoming Pang, Mark Allman, Vern Paxson and Jason Lee Published: ACM SIGCOMM Computer Communication Review, Volume 36, Issue 1,January 2006 Presenter: Ping Wang

2 Overview Problem  How to anonymize the packet traces before released Goal  Try to preserve as much as possible information

3 Background Why share?  Verify the previous results  Compare to the competing ideas on the same data  Provide a broader view Who share?  NLANR’s PMA packet traces  CAIDA’s skitter measurement  LBNL’s internal traffic

4 Background cont. Available anonymization tools  tcpdpriv  Ipsumdump  tcpurify Not general enough, and most of them focus on only the header field, primarily IP addresses

5 A New tool - tcpmkpub Provides a general framework for anonymizing traces It is based on explicit rules for each header field

6 An example specification All fileds must be specified with a name, length, action(“KEEP”, “ZERO”, function)

7 An example specification cont. Supports case statement for the header fields which can vary

8 Anonymization Policy Checksums Link layer Network layer Transport layer

9 Checksums Replace the original checksum C 0 with C c For those cannot be verified checksum  The packet has been corrupted Insert “1”  The original packet is truncated Use C c (note in meta-data) For those checksum is optional, like UCP, use zero as the checksum

10 Link layer Ethernet address is 6 bytes  High 3 bytes represent the NIC vendor Scrambling the entire 6 byte address is not good for research Scrambling only the lower 3 bytes is not good for the vendor Remapping these two parts seperately

11 Network layer (1) – focus on IP address External addresses  Use the prefix-preserving address anonymization scheme proposed in other paper Internal addresses  not use prefix-preserving address anonymization scheme  Use a prefix which is not used by external addresses within anonymous packet  subnet and host portions are mapped seperately.

12 Network layer (1) Scanners  Many organizations run a scanner as part of security operation  Trend to hit addresses in some order, like a.b.c.1, a.b.c.2, a.b.c.3, etc.  Keep the scanner’s IP address uniform across the trace, and flag it in the meta-data. And for the destinations of the sans, use different mapping. For exmaple: X1, X2 belongs to one subnet Y Not involve scanner, map to X’1, X’2 in subnet Y’ Involve scanner, map to X’’1, X’’2 in subnet Z1 and Z2

13 Network layer (3) Multicast addresses  preserved Private addresses  preserved Invalid addresses  Remap it as the subnet existed, but note this information in the meta-data.

14 Transport layer Preserve both port numbers and sequence numbers Rewrite timestamp options  Transform the timestamp into separate increasing counters  Reason: Clock drift manifest in timestamp options can be leveraged to fingerprint a physical machine

15 Testing Can the transformed traces really be used?  Use p0f to do OS fingerprinting  Use tcpsum to find the number of packets and bytes in both the original and transformed traces

16 Test cont. Are the transformed traces really anonymous?  Check tcpmkpub’s own log file  Look for some string in the anonymized traces e.g. “Document”, “Setting”, “ConfirmFIleOp”  Look for like IP addresses  Look for string versions of IP addresses  MAC addresses  Check timestamps

17 Paper contributions Develop a tool, tcpmkpub, for implementing arbitrary anonymization policy; Use meta-data to help researchers to deal with lost information  Invalid checksum, scanner IP Beyond IP address obfuscation, explore many other dangerous details  timestamp, Ethernet addresses, etc.

18 Paper weaknesses Only give two experiments to show the anonymized traces are useful Could have given some anonymization results to make the policy more clear.  For example, in the scanner case, addresses a.b.c.1, a.b.c.2, a.b.c.3, what they would look like if they are involved in scaning traffic, and what if not

19 Future work Keep more consistency between the original and anonymized traces Study online anonymization Provide a tool which can be easily used for validation the anonymized traces Provide a tool for creating an anonymization policy for tcpmkpub

20 Questions?

Download ppt "The Devil and Packet Trace Anonymization Authors: Ruoming Pang, Mark Allman, Vern Paxson and Jason Lee Published: ACM SIGCOMM Computer Communication Review,"

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
CS 453 Computer Networks Lecture 20 Layer 3Network Layer Network Layer of the Internet.

CS 453 Computer Networks Lecture 20 Layer 3Network Layer Network Layer of the Internet.
IPv4 - The Internet Protocol Version 4

IPv4 - The Internet Protocol Version 4
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Jaringan Komputer Dasar Network Layer dan IP (1) Aurelio Rahmadian.

Jaringan Komputer Dasar Network Layer dan IP (1) Aurelio Rahmadian.
ECE Department: University of Massachusetts, Amherst ECE 354 Lab 3: Transmitting and Receiving Ethernet Packets.

ECE Department: University of Massachusetts, Amherst ECE 354 Lab 3: Transmitting and Receiving Ethernet Packets.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Network Layer Packet Forwarding IS250 Spring 2010

Network Layer Packet Forwarding IS250 Spring 2010
1 Internet Networking Spring 2005 Tutorial 2 IP Checksum, Fragmentation.

1 Internet Networking Spring 2005 Tutorial 2 IP Checksum, Fragmentation.
ECE Department: University of Massachusetts, Amherst ECE 354 Spring 2009 Lab 3: Transmitting and Receiving Ethernet Packets.

ECE Department: University of Massachusetts, Amherst ECE 354 Spring 2009 Lab 3: Transmitting and Receiving Ethernet Packets.
Internet Networking Spring 2003

Internet Networking Spring 2003
Report by: Loizos Konomou EL933 Fall 2005 Prof: Yong Liu Ruoming Pang, Mark Allman, Mike Bennett, Jason Lee, Vern Paxson, Brian Tierney Princeton University,

Report by: Loizos Konomou EL933 Fall 2005 Prof: Yong Liu Ruoming Pang, Mark Allman, Mike Bennett, Jason Lee, Vern Paxson, Brian Tierney Princeton University,
National Center for Supercomputing Applications Adam Slagell, Jun Wang and William Yurcik, National Center for Supercomputing Applications (NCSA) University.

National Center for Supercomputing Applications Adam Slagell, Jun Wang and William Yurcik, National Center for Supercomputing Applications (NCSA) University.
1 Internet Networking Spring 2002 Tutorial 2 IP Checksum, Fragmentation.

1 Internet Networking Spring 2002 Tutorial 2 IP Checksum, Fragmentation.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Constructing a Network Addressing Scheme.

© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Constructing a Network Addressing Scheme.
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
CS 6401 IPv6 Outline Background Structure Deployment.

CS 6401 IPv6 Outline Background Structure Deployment.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
IP Addressing INTW 1325. 2 What is an IP address? An unique identifier for a computer or device (host) on a TCP/IP network A 32-bit binary number usually.

IP Addressing INTW What is an IP address? An unique identifier for a computer or device (host) on a TCP/IP network A 32-bit binary number usually.

Similar presentations

Ads by Google