Preserving Both Privacy and Utility in Network Trace Anonymization
As network security monitoring grows more sophisticated, there is an
increasing need for outsourcing such tasks to third-party analysts. However,
organizations are usually reluctant to share their network traces due to
privacy concerns over sensitive information, e.g., network and system
configuration, which may potentially be exploited for attacks. In cases where
data owners are convinced to share their network traces, the data are typically
subjected to certain anonymization techniques, e.g., CryptoPAn, which replaces
real IP addresses with prefix-preserving pseudonyms. However, most such
techniques either are vulnerable to adversaries with prior knowledge about some
network flows in the traces, or require heavy data sanitization or
perturbation, both of which may result in a significant loss of data utility.
In this paper, we aim to preserve both privacy and utility through shifting the
trade-off from between privacy and utility to between privacy and computational
cost. The key idea is for the analysts to generate and analyze multiple
anonymized views of the original network traces; those views are designed to be
sufficiently indistinguishable even to adversaries armed with prior knowledge,
which preserves the privacy, whereas one of the views will yield true analysis
results privately retrieved by the data owner, which preserves the utility. We
present the general approach and instantiate it based on CryptoPAn. We formally
analyze the privacy of our solution and experimentally evaluate it using real
network traces provided by a major ISP. The results show that our approach can
significantly reduce the level of information leakage (e.g., less than 1% of
the information leaked by CryptoPAn) with comparable utility.
FLAIM: A Multi-level Anonymization Framework for Computer and Network Logs
FLAIM (Framework for Log Anonymization and Information Management) addresses
two important needs not well addressed by current log anonymizers. First, it is
extremely modular and not tied to the specific log being anonymized. Second, it
supports multi-level anonymization, allowing system administrators to make
fine-grained trade-offs between information loss and privacy/security concerns.
In this paper, we examine anonymization solutions to date and note the above
limitations in each. We further describe how FLAIM addresses these problems,
and we describe FLAIM's architecture and features in detail.
Comment: 16 pages, 4 figures, in submission to USENIX Lis
Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization
Logs are one of the most fundamental resources to any security professional.
It is widely recognized by the government and industry that it is both
beneficial and desirable to share logs for the purpose of security research.
However, the sharing is not happening or not to the degree or magnitude that is
desired. Organizations are reluctant to share logs because of the risk of
exposing sensitive information to potential attackers. We believe this
reluctance remains high because current anonymization techniques are weak and
one-size-fits-all--or better put, one size tries to fit all. We must develop
standards and make anonymization available at varying levels, striking a
balance between privacy and utility. Organizations have different needs and
trust other organizations to different degrees. They must be able to map
multiple anonymization levels with defined risks to the trust levels they share
with (would-be) receivers. It is not until there are industry standards for
multiple levels of anonymization that we will be able to move forward and
achieve the goal of widespread sharing of logs for security researchers.
Comment: 17 pages, 1 figur
Simpleweb/University of Twente Traffic Traces Data Repository
The computer networks research community lacks shared measurement information. As a consequence, most researchers need to expend a considerable part of their time planning and executing measurements before being able to perform their studies. The lack of shared data also makes it hard to compare and validate results. This report describes our efforts to distribute a portion of our network data through the Simpleweb/University of Twente Traffic Traces Data Repository.
Asymptotic Loss in Privacy due to Dependency in Gaussian Traces
The rapid growth of the Internet of Things (IoT) necessitates employing
privacy-preserving techniques to protect users' sensitive information. Even
when user traces are anonymized, statistical matching can be employed to infer
sensitive information. In our previous work, we have established the privacy
requirements for the case that the user traces are instantiations of discrete
random variables and the adversary knows only the structure of the dependency
graph, i.e., whether each pair of users is connected. In this paper, we
consider the case where data traces are instantiations of Gaussian random
variables and the adversary knows not only the structure of the graph but also
the pairwise correlation coefficients. We establish the requirements on
anonymization to thwart such statistical matching, which demonstrate the
significant degree to which knowledge of the pairwise correlation coefficients
further significantly aids the adversary in breaking user anonymity.
Comment: IEEE Wireless Communications and Networking Conferenc
Novel Approaches to Preserving Utility in Privacy Enhancing Technologies
A significant amount of individual information is being collected and analyzed
today through a wide variety of applications across different industries. While
pursuing better utility by discovering knowledge from the data, an individual's
privacy may be compromised during an analysis: corporate networks monitor their
online behavior, advertising companies collect and share their private
information, and cybercriminals cause financial damages through security
breaches. To this end, the data typically undergoes certain anonymization
techniques, e.g., CryptoPAn [Computer Networks'04], which replaces real IP
addresses with prefix-preserving pseudonyms, or Differentially Private (DP)
[ICALP'06] techniques, which modify the answer to a query by adding zero-mean
noise distributed according to, e.g., a Laplace distribution. Unfortunately,
most such techniques either are vulnerable to adversaries with prior knowledge,
e.g., some network flows in the data, or require heavy data sanitization or
perturbation, both of which may result in a significant loss of data utility.
Therefore, the fundamental trade-off between privacy and utility (i.e.,
analysis accuracy) has attracted significant attention in various settings
[ICALP'06, ACM CCS'14]. In line with this track of research, in this
dissertation we aim to build utility-maximized and privacy-preserving tools for
Internet communications. Such tools can be employed not only by dissidents and
whistleblowers, but also by ordinary Internet users on a daily basis. To this
end, we combine the development of practical systems with rigorous theoretical
analysis, and incorporate techniques from various disciplines such as computer
networking, cryptography, and statistical analysis. During the research, we
proposed three different frameworks in some well-known settings, outlined in
the following. First, we propose The Multi-view Approach to preserve both
privacy and utility in network trace anonymization; second, The R2DP Approach,
a novel technique for differentially private mechanism design with maximized
utility; and third, The DPOD Approach, a novel framework for privacy-preserving
anomaly detection in the outsourcing setting.