38 research outputs found

    Strengthening Privacy and Cybersecurity through Anonymization and Big Data

    The abstract is in the attachment.

    α-MON: Traffic Anonymizer for Passive Monitoring

    Packet measurements at scale are essential for several applications, such as cyber-security, accounting and troubleshooting. They, however, threaten users' privacy by exposing sensitive information. Anonymization has been the answer to this challenge, i.e., replacing sensitive information with obfuscated copies. Anonymization of packet traces, however, comes with some challenges and drawbacks. First, it reduces the value of data. Second, it requires considering diverse protocols because information may leak from many non-encrypted fields. Third, it must be performed at high speed directly at the monitor, to prevent private data from leaking, calling for real-time solutions. We present α-MON, a flexible tool for privacy-preserving packet monitoring. It replicates input packet streams to different consumers while anonymizing protocol fields according to flexible policies that cover all protocol layers. Besides classic anonymization mechanisms such as IP address obfuscation, α-MON supports z-anonymization, a novel solution to obfuscate rare values that can be uniquely traced back to limited sets of users. Differently from classic anonymization approaches, α-MON works in a streaming fashion, with zero delay, operating on high-speed links on a packet-by-packet basis. We quantify the impact of α-MON on traffic measurements, finding that it introduces minimal error when it comes to finding heavy-hitter services. We evaluate performance using packet traces collected from an ISP network and show that it achieves a sustainable rate of 40 Gbit/s on a Commercial Off-the-Shelf server. α-MON is available to the community as an open-source project.

    α-MON: Anonymized Passive Traffic Monitoring

    Packet measurements are essential for several applications, such as cyber-security, accounting and troubleshooting. They, however, threaten privacy by exposing sensitive information. Anonymization has been the answer to this challenge, i.e., replacing sensitive information with obfuscated copies. Anonymization of packet traces, however, comes with some drawbacks. First, it reduces the value of data. Second, it requires considering diverse protocols because information may leak from many non-encrypted fields. Third, it must be performed at high speed directly at the monitor, to prevent private data from leaking, calling for real-time solutions. We present α-MON, a flexible tool for privacy-preserving packet monitoring. It replicates input packet streams to different consumers while anonymizing values according to flexible policies that cover all protocol layers. Besides classic anonymization mechanisms such as IP address obfuscation, α-MON supports α-anonymization, a novel solution to obfuscate values that can be uniquely traced back to limited sets of users. Differently from classic anonymization approaches, α-anonymity works in a streaming fashion, with zero delay, operating on high-speed links on a packet-by-packet basis. We evaluate α-MON performance using packet traces collected from an ISP network. Results show that it enables α-anonymity in real time. α-MON is available to the community as an open-source project.

    Privacy-preserving network monitoring at high-speed

    Network monitoring is a key step for several applications, such as cyber-security and traffic engineering. Examples of the data include packet traces captured in the network and log files obtained from services like DNS and BGP. It is widely known that monitoring may expose privacy-sensitive information. Deep packet inspection, for example, exposes the destination servers contacted by users, and non-encrypted fields of certain protocols, such as the Server Name Indication (SNI) in TLS handshakes. New privacy regulations (e.g. GDPR) impose strict rules when handling data that carry privacy-sensitive information. They guarantee the protection of personal data, grant the interested parties certain rights, and assign powers to the regulators to enforce them. As network monitoring data carries information that reveals users' identity, it must be treated in the light of these regulations. Network monitoring infrastructure must guarantee that sensitive information is not leaked or, preferably, must not collect any unnecessary data that may threaten users' privacy. Historically, the solution to these problems has been anonymization, i.e., replacing sensitive fields with obfuscated copies. This approach however has two drawbacks. First, anonymization reduces the value of the collected information. For instance, while anonymizing client and server IP addresses in traffic logs helps to protect privacy, it makes it impossible to evaluate particular services that could be identified by their server IP addresses. Second, anonymization of protocol fields in isolation is not sufficient, as users' identity might be revealed by subtler techniques. For example, even if one obfuscates the client IP addresses in DNS traffic logs, the set of hostnames resolved by a client (if exposed in the logs) may still help to uncover identities.
    We are building a flexible tool that exposes to monitors only the information strictly required, thus reducing at the source the risks to people's privacy. Our solution satisfies three requirements: (i) it automatically searches for protocol fields that can be linked to particular users; (ii) it anonymizes information considering the whole protocol stack, and uses a stateful approach, employing k-anonymization algorithms; (iii) it is lightweight and scalable, thus deployable on high-speed links at multiple Gb/s. Our solution is based on the Intel Data Plane Development Kit, a set of libraries and drivers for fast packet processing. We have built a prototype that is deployed in a campus network. At present, the prototype is able to handle multiple 10 Gb/s links with zero packet losses, performing several anonymization steps on packets. Anonymized packets are forwarded to legacy monitoring systems that receive information already deprived of privacy-sensitive fields. We are testing k-anonymization approaches to perform selective anonymization of sensitive fields, such as TLS SNIs and server IP addresses, with the aim of obfuscating only the cases in which the information helps to uncover the users behind the traffic. In this poster we present our architecture and system design, and show preliminary results of the prototype deployment.

    What Scanners do at L7? Exploring Horizontal Honeypots for Security Monitoring

    Honeypots are a common means to collect data useful for threat intelligence. Most efforts in this area rely on vertical systems and target a specific scenario or service, analysing the data collected in that deployment. We here extend the analysis of the visibility of honeypots by revisiting the problem from a horizontal perspective. We deploy a flexible honeypot system hosting multiple services, relying on the T-Pot project. We collect data for 5 months, recording millions of application requests from tens of thousands of sources. We compare whether and how the attackers interact with multiple services. We observe attackers that always focus on one or a few services, and others that target tens of services simultaneously. We dig further into the dataset, providing an initial horizontal analysis of brute-force attacks against multiple services. We show, for example, clear groups of attackers that rely on different password lists on different services. All in all, this work is our initial effort to build a horizontal system that can provide insights on attacks.

    DPI Solutions in Practice: Benchmark and Comparison

    Having clear insight into the protocols carrying traffic is crucial for network applications. Deep Packet Inspection (DPI) has been a key technique to provide visibility into traffic. DPI has proven effective in various scenarios, and indeed several open source DPI solutions are maintained by the community. Yet, these solutions provide different classifications, and it is hard to establish a common ground truth. Independent works approaching the question of the quality of DPI are already aged and rely on limited datasets. Here, we test whether open source DPI solutions can provide useful information in practical scenarios, e.g., supporting security applications. We provide an evaluation of the performance of four open-source DPI solutions, namely nDPI, Libprotoident, Tstat and Zeek. We use datasets covering various traffic scenarios, including operational networks, IoT scenarios and malware. As no ground truth is available, we study the consistency of classification across the solutions, investigating the root causes of conflicts. Important for on-line security applications, we check whether DPI solutions provide reliable classification with a limited number of packets per flow. All in all, we confirm that DPI solutions still perform satisfactorily for well-known protocols. They however struggle with some P2P traffic and security scenarios (e.g., with malware traffic). All tested solutions reach a final classification after observing a few packets with payload, showing adequacy for on-line applications.

    z-anonymity: Zero-Delay Anonymization for Data Streams

    With the advent of big data and the birth of data markets that sell personal information, individuals' privacy is of utmost importance. The classical response is anonymization, i.e., sanitizing the information that can directly or indirectly allow users' re-identification. The most popular solution in the literature is k-anonymity. However, it is hard to achieve k-anonymity on a continuous stream of data, as well as when the number of dimensions becomes high. In this paper, we propose a novel anonymization property called z-anonymity. Differently from k-anonymity, it can be achieved with zero delay on data streams and it is well suited for high-dimensional data. The idea at the base of z-anonymity is to release an attribute (an atomic piece of information) about a user only if at least z - 1 other users have presented the same attribute in a past time window. z-anonymity is weaker than k-anonymity since it does not work on combinations of attributes, but treats them individually. In this paper, we present a probabilistic framework to map the z-anonymity property onto the k-anonymity property. Our results show that a proper choice of the z-anonymity parameters allows the data curator to obtain a k-anonymized dataset with a precisely measurable probability. We also evaluate a real use case, in which we consider the website visits of a population of users, and show that z-anonymity can work in practice for obtaining k-anonymity too.

    The New Abnormal: Network Anomalies in the AI Era

    Anomaly detection aims at finding unexpected patterns in data. It has been used in several problems in computer networks, from the detection of port scans and DDoS attacks to the monitoring of time series collected from Internet monitoring systems. Data-driven approaches and machine learning have seen widespread application to anomaly detection too, and this trend has been accelerated by the recent developments in Artificial Intelligence research. This chapter summarizes recent progress in anomaly detection research. In particular, we evaluate how developments in AI algorithms bring new possibilities for anomaly detection. We cover new representation learning techniques such as Generative Artificial Networks and Autoencoders, as well as techniques that can be used to improve models learned with machine learning algorithms, such as reinforcement learning. We survey both research works and tools implementing AI algorithms for anomaly detection. We find that the novel algorithms, while successful in other fields, have hardly been applied to networking problems. We conclude the chapter with a case study that illustrates a possible research direction.

    Enlightening the Darknets: Augmenting Darknet Visibility with Active Probes

    Darknets collect unsolicited traffic reaching unused address spaces. They provide insights into malicious activities, such as the rise of botnets and DDoS attacks. However, darknets provide a shallow view, as traffic is never responded to. Here we quantify how their visibility increases by responding to traffic with interactive responders with increasing levels of interaction. We consider four deployments: Darknets, simple, vertical bound to specific ports, and, a honeypot that responds to all protocols on any port. We contrast these alternatives by analyzing the traffic attracted by each deployment and characterizing how traffic changes throughout the responder lifecycle on the darknet. We show that the deployment of responders increases the value of darknet data by revealing patterns that would otherwise be unobservable. We measure Side-Scan phenomena where, once a host starts responding, it attracts traffic to other ports and neighboring addresses. uncovers attacks that darknets and would not observe, e.g. large-scale activity on non-standard ports. We also observe how quickly senders can identify and attack new responders. The "enlightened" part of a darknet brings several benefits and offers opportunities to increase the visibility of sender patterns. This information gain is worth taking advantage of, and we therefore recommend that organizations consider this option.

    Increased carotid IMT in overweight and obese women affected by Hashimoto's thyroiditis: an adiposity and autoimmune linkage?

    Abstract
    Background: Hashimoto's thyroiditis is the most important cause of hypothyroidism. It is a systemic disease that can even affect the cardiovascular system by accelerating the atherosclerotic process. The aim of this study was to examine whether autoimmune thyroiditis has an effect on the intima-media thickness of the common carotid artery (IMT-CCT), independently of thyroid function and well-known cardiovascular risk factors. Hashimoto's thyroiditis is a systemic disease. The aim is to examine whether autoimmune thyroiditis and adiposity can affect carotid IMT independently of thyroid hormones and cardiovascular risk factors.
    Methods: A total of 104 obese women (BMI ≥ 25.0 kg/m²), with FT3 and FT4 serum levels in the normal range and TSH levels < 4.5 μU/ml, were investigated. None of these patients was taking any kind of drug influencing thyroid function. Measurements were made of IMT-CCT, BMI, waist circumference, blood pressure levels, as well as fasting serum concentrations of TSH, FT3, FT4, anti-thyroid antibodies, insulin, glycemia, triglycerides, total and HDL-cholesterol.
    Results: Of the 104 women, 30 (28.8%) were affected by autoimmune thyroiditis. Significantly higher values of IMT-CCT (p < 0.05), TSH (p < 0.05) and triglycerides (p < 0.05), and significantly lower values of FT4 (p < 0.05), were obtained in patients with Hashimoto's thyroiditis compared to those with normal thyroid function. When examining the whole group together, in multiple regression analysis Hashimoto's thyroiditis maintained a positive association with IMT (p < 0.001), independently of age, hypertension, BMI, and the fasting serum levels of TSH, FT3, FT4, insulin, glycemia, triglycerides, total and HDL-cholesterol.
    Conclusions: The present study shows that Hashimoto's thyroiditis is associated with an increased IMT only in overweight and obese women, independently of thyroid function, BMI and cardiovascular risk factors. These results suggest that Hashimoto's thyroiditis is a marker of the evolution of atherosclerosis when combined with adiposity.