Workshop Paper
Title: New directions in privacy-preserving anomaly detection for network traffic
Authors: G. Bianchi, S. Teofili, M. Pomposini
Conference: ACM SigSac NDA 2008, 31st October, Alexandria, USA
Abstract: The enormous amount of traffic data gathered by network monitoring systems poses a serious threat on the privacy of the network customers. To face this issue, this paper promotes a new approach to privacy-preserving network monitoring. With concrete reference to a simplified anomaly detection scenario, we show how a monitoring application can be decomposed in two parts running in different components. A front-end stage is devised to support a fast and stateless Counting Bloom filter. Captured packets are cryptographically protected and delivered to a back-end stage along with suitably designed cryptographic material determined by the output of the counting filter. The system is conceived to technically restrict decryption only to data packets which belong to a flow for which an anomalous behavior is suspected. Legitimate traffic is by construction guaranteed that no further data processing nor, to some extent, statistical analysis may occur in the system back-end. Although the anomaly detection application used as operative reference throughout this work is somewhat simplified with respect to real-world approaches, the resulting problem is significantly more complex than traditional pattern searching techniques over encrypted data. Hence, albeit preliminary and with room for improvements, we believe that our proposed approach suggests new promising research directions in privacy-preserving network monitoring.

Workshop Paper
Title: The Risk-Utility Tradeoff for IP Address Truncation
Authors: Martin Burkhart, Daniela Brauckhoff, Martin May, Elisa Boschi
Conference: ACM SigSac NDA 2008, 31st October, Alexandria, USA
Abstract: Network operators are reluctant to share traffic data due to security and privacy concerns. Consequently, there is a lack of publicly available traces for validating and generalizing latest results in network and security research. Anonymization is a promising solution in this context; however, it is unclear how sanitization of data preserves characteristics for traffic analysis. In addition, the privacy-preserving property of state-of-the-art IP address anonymization techniques has been questioned by recent attacks that successfully identify a large number of hosts in anonymized traces. In this paper, we examine the tradeoff between data utility for anomaly detection and the risk of host identification for IP address truncation. Specifically, we analyze three weeks of un-sampled and non-anonymized network traces from a medium-sized backbone network to assess data utility. The risk of deanonymizing individual IP addresses is formally evaluated, using a metric based on conditional entropy. Our results indicate that truncation effectively prevents host identification but degrades the utility of data for anomaly detection. However, the degree of degradation depends on the metric used and whether internal or external addresses are considered. Entropy metrics are more resistant to truncation than unique counts and the detectability of anomalies degrades much faster in internal addresses than in external addresses. In particular, the usefulness of internal address counts is lost even for truncation of only 4 bits whereas utility of external address entropy is virtually unchanged even for truncation of 20 bits.