Evaluating the utility of anonymized network traces for intrusion detection

Authors:
Kiran Lakkaraju;Adam Slagell
Affiliations:
University of Illinois, Urbana, Illinois;University of Illinois, Urbana, Illinois
Venue:
Proceedings of the 4th international conference on Security and privacy in communication netowrks
Year:
2008

Citing 11
Cited 2

The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Prefix-Preserving IP Address Anonymization: Measurement-Based Security Evaluation and a New Cryptography-Based Scheme

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
A high-level programming environment for packet trace anonymization and transformation

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Remote Physical Device Fingerprinting

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Scalability, fidelity, and containment in the potemkin virtual honeyfarm

Proceedings of the twentieth ACM symposium on Operating systems principles
The devil and packet trace anonymization

ACM SIGCOMM Computer Communication Review
Privacy-preserving sharing and correction of security alerts

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Mapping internet sensors with probe response attacks

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
FLAIM: a multi-level anonymization framework for computer and network logs

LISA '06 Proceedings of the 20th conference on Large Installation System Administration
Legal issues surrounding monitoring during network research

Proceedings of the 7th ACM SIGCOMM conference on Internet measurement

A taxonomy and adversarial model for attacks against network log anonymization

Proceedings of the 2009 ACM symposium on Applied Computing
Short paper: the NetSANI framework for analysis and fine-tuning of network trace sanitization

Proceedings of the fourth ACM conference on Wireless network security

Quantified Score

Hi-index	0.00

Visualization

Abstract

To intelligently create policies governing the anonymization of network logs, one must analyze the effects of anonymization on both the security and utility of sanitized data. In this paper, we focus on analyzing the utility of network traces post-anonymization. Any measure of utility is subjective to the type of analysis being performed. This work focuses on utility for the task of attack detection since attack detection is an important part of an incident responders daily responsibilities. We employ a methodology we developed that analyzes the effect of anonymization on Intrusion Detection Systems (IDS), and we provide the first rigorous analysis of single field anonymization on IDS effectiveness. Through this work we can begin to answer the questions of whether the field affects anonymization more than the algorithm; which fields have a larger impact on utility; and which anonymization algorithms have a larger impact on utility.