Anonym: A Tool for Anonymization of the Internet ljilja/cnl/presentations/ljilja/cybconf2013/... Supports


  • Anonym: A Tool for Anonymization of the Internet Traffic

    Tanjila Farah and Ljiljana Trajkovic {tfarah, ljilja}@sfu.ca

    Communication Networks Laboratory, http://www.ensc.sfu.ca/cnl

    School of Engineering Science

    Simon Fraser University

  • Roadmap

    n  Introduction n  Collection of network traffic n  Anonymization fields, algorithms, and tools n  Anonym tool n  Conclusion

    CYBCONF 2013, Lausanne 2 June 14, 2013

  • Motivation

    n  Measurement, characterization, and classification of Internet traces help enhance network security

    n  Real-time network analysis relies on collection of trace logs

    n  Sharing traces may reveal the network architecture, user identity, and user information

    CYBCONF 2013, Lausanne 3 June 14, 2013

  • Anonymization

    n  Modifies network traces to protect user identity n  Removes the ability to identify the connection

    between two end-users n  Preserves the usefulness of the datasets n  Considers the type of analysis to be performed n  Considers the requirements of the company sharing

    the datasets

    June 14, 2013 CYBCONF 2013, Lausanne 4

  • Anonym tool

    n  Developed code in gawk is used to parse pcap and mrt input files

    n  Anonym tool: n  introduces the IPv6 address anonymization n  implements data analysis and visualization options n  validates the tool performance

    June 14, 2013 CYBCONF 2013, Lausanne 5

    gawk: GNU AWK MRT : Multi-Threaded Routing Toolkit PCAP: Packet Capture


  • Collection of network traffic

    n  Internet is a collection of ASes exchanging information and delivering data

    n  Process of delivering data creates network traffic n  Network performance and QoS rely on network traffic

    characteristics n  Analyzing and understanding the network traffic helps

    ensure network security and QoS n  Network traffic collection helps:

    n  traffic engineering n  discovering the Internet topology n  analyzing network security

    CYBCONF 2013, Lausanne 7 June 14, 2013

    AS : Autonomous System QoS: Quality of Service

  • Role of traffic engineering

    n  Network troubleshooting: n  deals with issues that disrupt or degrade the

    performance of a network: incorrect network address assignments and network anomalies

    n  Protocol debugging: n  analyzes the existing and new protocols and

    performance of applications to determine required improvements

    n  Workload characterization: n  examines the growth of network traffic volume due to

    new applications, protocols, and increasing number of users

    June 14, 2013 CYBCONF 2013, Lausanne 8

  • Role of traffic engineering (cont.)

    n  Network performance evaluation: n  estimates the network QoS by measuring traffic

    throughput and response time n  Capacity planning:

    n  deals with network planning and managing by measuring bandwidth usage and availability

    June 14, 2013 CYBCONF 2013, Lausanne 9

  • Discovering the Internet topology

    n  Discovering the Internet topology is important for: n  simulating deployed networks n  managing networks n  mapping a network to determine location of the

    nearest servers and ISPs n  designing and implementing new topology-aware

    protocols and algorithms

    June 14, 2013 CYBCONF 2013, Lausanne 10

    ISP: Internet Service Provider

  • Network security analysis

    n  Monitors policies adopted by network administrators to prevent the intruders from misusing the network

    n  It encompasses: n  determining abnormal events: anomalies, attacks,

    and viruses n  testing network firewalls

    n  controlling access and network usage

    June 14, 2013 CYBCONF 2013, Lausanne 11

  • Network trace collection

    n  BCNET: n  British Columbia's advance communication network n  collected data are private n  data are collected in the pcap format

    n  Cooperative Association for Internet Data Analysis (CAIDA): n  collects, monitors, and visualizes various Internet data n  collected data are public n  data are collected in pcap and text formats

    June 14, 2013 CYBCONF 2013, Lausanne 12

  • Network trace collection

    n  Route Views: n  project at the University of Oregon n  provides data and tools to the network administrators n  collected data are public n  data are collected in the mrt format

    n  Réseaux IP Européens (RIPE): n  supports network operators in Europe, Middle East,

    Asia, and Africa n  collected data are public n  data are collected in the mrt format

    June 14, 2013 CYBCONF 2013, Lausanne 13


  • Anonymization fields

    n  Network traffic logs include data packet headers with: n  time-stamp n  IP addresses n  MAC addresses n  packet length n  protocol

    June 14, 2013 CYBCONF 2013, Lausanne 15

    IP : Internet Protocol MAC: Media Access Control

    (2013) Summary of anonymization best practice techniques [Online]. Available: http://www.caida.org/projects/predict/anonymization/.

  • Anonymization algorithms

    n  Black marker: n  deletes all the information or replaces the information

    by a fixed value

    n  Enumeration: n  sorts the dataset, chooses a value higher then the first

    value, and adds the value to all data points

    June 14, 2013 CYBCONF 2013, Lausanne 16

    Time IP Length 0.0534 253.36.88.92 143

    Time IP Length 0.0000 1.1.1.1 0

    Length 143 60 1514

    Length 203 120 1574

  • Anonymization algorithms (cont.)

    n  Precision degradation: n  removes the most precise components of a data field

    n  Prefix-preserving: n  if two IP addresses share the first n bits, then their

    anonymized IP addresses will also share the first n bits

    June 14, 2013 CYBCONF 2013, Lausanne 17

    1.017851 1.017852 1.017915

    1.017000 1.017000 1.017000

    IP un-anonymized IP anonymized

    112.116.186.8 115.23.40.51 235.251.46.4 240.48.153.85

    112.116.186.8 115.23.40.51 235.251.46.4 240.48.153.85

  • Anonymization algorithms (cont.)

    n  Random shift: n  shifts each data point by adding a random number

    n  Truncation:

    n  deletes the n least significant bits from an IP or MAC address

    June 14, 2013 CYBCONF 2013, Lausanne 18

    Packet length un-anonymized 143 60 1514

    Packet length anonymized 150 230 1674

    MAC address Anonymized MAC address

    Cisco_e7:a1:c0 (00:1b:0d:e7:a1:c0) Cisco_0:0:0 (00:1b:0d:0:0:0)

    JuniperN_3e:ba:bd(78:19:f7:3e:ba:bd) JuniperN_0:0:0(78:19:f7:0:0:0)

  • Anonymization algorithms (cont.)

    n  Reverse truncation: n  deletes the n most significant bits from an IP or MAC

    address

    June 14, 2013 CYBCONF 2013, Lausanne 19

    MAC address Anonymized MAC address

    Cisco_e7:a1:c0 (00:1b:0d:e7:a1:c0) Cisco_e7:a1:c0 (0:0:0:e7:a1:c0)

    JuniperN_3e:ba:bd (78:19:f7:3e:ba:bd) JuniperN_3e:ba:bd (0:0:0:3e:ba:bd)
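The per-field algorithms from the slides above, as an added Python example that is not part of the presentation or of the Anonym tool (which is written in gawk). All function names are hypothetical; the sample values are the ones shown on the slides, and the enumeration offset of 60 is read off the slide's table.

```python
# Added illustration of the per-field algorithms; names are hypothetical,
# not taken from the Anonym tool. Sample values are the ones on the slides.
import secrets

def black_marker(record, fixed):
    """Overwrite the listed fields with fixed values."""
    return {**record, **fixed}

def enumeration(values, offset):
    """Add one constant to every data point; order and gaps are preserved."""
    return [v + offset for v in values]

def precision_degradation(timestamp, keep):
    """Zero all but the first `keep` fractional digits of a decimal string."""
    whole, frac = timestamp.split(".")
    return f"{whole}.{frac[:keep].ljust(len(frac), '0')}"

def random_shift(values, max_shift):
    """Add an independent random number in 1..max_shift to each data point."""
    return [v + 1 + secrets.randbelow(max_shift) for v in values]

def _mac_to_int(mac):
    # Accept octets written with one or two hex digits.
    return int("".join(f"{int(octet, 16):02x}" for octet in mac.split(":")), 16)

def _int_to_mac(value):
    return ":".join(f"{(value >> s) & 0xFF:02x}" for s in range(40, -8, -8))

def truncation(mac, n):
    """Zero the n least significant bits of a 48-bit MAC address."""
    return _int_to_mac(_mac_to_int(mac) >> n << n)

def reverse_truncation(mac, n):
    """Zero the n most significant bits of a 48-bit MAC address."""
    return _int_to_mac(_mac_to_int(mac) & ((1 << (48 - n)) - 1))

if __name__ == "__main__":
    print(black_marker({"time": "0.0534", "ip": "253.36.88.92", "length": 143},
                       {"time": "0.0000", "ip": "1.1.1.1", "length": 0}))
    print(enumeration([143, 60, 1514], 60))
    print(precision_degradation("1.017851", 3))
    print(random_shift([143, 60, 1514], 200))
    print(truncation("00:1b:0d:e7:a1:c0", 24))
    print(reverse_truncation("78:19:f7:3e:ba:bd", 24))
```

With n = 24, truncation keeps the vendor half of the MAC address and zeroes the device half, while reverse truncation does the opposite, which matches the Cisco and JuniperN rows in the tables.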

  • Anonymization tools

    n  Cryptography based Prefix-preserving Anonymization: Crypto-PAn

    n  Anontool n  Framework for Log Anonymization and Information

    Management: FLAIM

    June 14, 2013 CYBCONF 2013, Lausanne 20

  • Crypto-PAn

    n  Properties: n  one-to-one mapping n  prefix-preserving anonymization n  consistent across traces n  cryptography-based

    June 14, 2013 CYBCONF 2013, Lausanne 21

    Input Output

    Time IP address 0.000010 10.1.3.143 0.000015 10.1.3.156

    Time IP address 0.000010 117.14.240.136 0.000015 117.14.240.85
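The prefix-preserving property and the Crypto-PAn properties listed above, as an added Python example that is not part of the presentation and is not Crypto-PAn's own code. It uses HMAC-SHA256 as the keyed function in place of Crypto-PAn's cipher, so its output will not match Crypto-PAn's, and it goes beyond the slide's IPv4 case by also handling IPv6. The function names, the key, and the IPv6 pair are constructed for illustration.

```python
# Added illustration: a prefix-preserving mapping in the style of Crypto-PAn.
# HMAC-SHA256 stands in for the keyed function; this is not Crypto-PAn's own
# code. The key and the IPv6 addresses are constructed sample values.
import hashlib
import hmac
import ipaddress

def pp_anonymize(addr, key):
    """Flip bit i of the address using a keyed function of bits 0..i-1 only."""
    ip = ipaddress.ip_address(addr)
    width, value, out = ip.max_prefixlen, int(ip), 0
    for i in range(width):
        prefix = value >> (width - i)            # the i leading bits
        msg = bytes([ip.version, i]) + prefix.to_bytes(16, "big")
        flip = hmac.new(key, msg, hashlib.sha256).digest()[0] & 1
        bit = (value >> (width - 1 - i)) & 1
        out = (out << 1) | (bit ^ flip)
    return str(type(ip)(out))                    # same address family as input

def common_prefix_len(a, b):
    """Number of leading bits two addresses of the same family share."""
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return x.max_prefixlen - (int(x) ^ int(y)).bit_length()

SAMPLE_KEY = b"constructed-sample-key-not-for-production"

if __name__ == "__main__":
    pairs = [("10.1.3.143", "10.1.3.156"),        # inputs from the slide
             ("2001:db8::1", "2001:db8::ff00")]   # constructed IPv6 pair
    for a, b in pairs:
        ea, eb = pp_anonymize(a, SAMPLE_KEY), pp_anonymize(b, SAMPLE_KEY)
        print(a, b, common_prefix_len(a, b), "->",
              ea, eb, common_prefix_len(ea, eb))
```

Reusing one key across traces gives the consistent-across-traces property; anyone holding that key can recompute the mapping, so it has to be protected like the raw trace.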

  • Anontool

    n  Anontool supports per-field anonymization n  Supports log files: pcap, netflow v5, and netflow v9 n  Four-step anonymization process:

    n  cooking function n  assembles the flows according to protocols

    n  filtering function n  distinguishes the flows according to protocol and determine

    policy for anonymization

    n  anonymization function n  anonymizes the fields according to policy

    n  un-cooking function n  re-assembles the flows in the original format

    June 14, 2