Elisa Boschi

The role of network trace anonymization under attack

In recent years, academic literature has analyzed many attacks on network trace anonymization techniques. These attacks usually correlate external information with anonymized data and successfully de-anonymize objects with distinctive signatures. However, analyses of these attacks still underestimate the real risk of publishing anonymized data, as the most powerful attack against anonymization is traffic injection. We demonstrate that performing live traffic injection attacks against anonymization on a backbone network is not difficult, and that potential countermeasures against these attacks, such as traffic aggregation, randomization or field generalization, are not particularly effective. We then discuss tradeoffs of the attacker and defender in the so-called injection attack space. An asymmetry in the attack space significantly increases the chance of a successful de-anonymization through lengthening the injected traffic pattern. This leads us to re-examine the role of network data anonymization. We recommend a unified approach to data sharing, which uses anonymization as a part of a technical, legal, and social approach to data protection in the research and operations communities.

An introduction to IP flow information export (IPFIX)

The IP Flow Information Export protocol (IPFIX) is an IETF Proposed Standard for the export of information about network flows in IP networks. It is the logical successor to Cisco Net- Flow version 9, upon which it is based. The key innovations of IPFIX are the flexible definition of a network flow and the runtime description of record formats through templates based on a well defined, extensible information model. These allow IPFIX to export flow information from present as well as future networks, and make it applicable to network management beyond the network and transport layers. In this article, we describe the protocol, from its motivation and history through its design and implementation, and explore its deployment within a network monitoring research project.

The risk-utility tradeoff for IP address truncation

Network operators are reluctant to share traffic data due to security and privacy concerns. Consequently, there is a lack of publicly available traces for validating and generalizing the latest results in network and security research. Anonymization is a possible solution in this context; however, it is unclear how the sanitization of data preserves characteristics important for traffic analysis. In addition, the privacy-preserving property of state-of-the-art IP address anonymization techniques has come into question by recent attacks that successfully identified a large number of hosts in anonymized traces. In this paper, we examine the tradeoff between data utility for anomaly detection and the risk of host identification for IP address truncation. Specifically, we analyze three weeks of unsampled and non-anonymized network traces from a medium-sized backbone network to assess data utility. The risk of de-anonymizing individual IP addresses is formally evaluated, using a metric based on conditional entropy. Our results indicate that truncation effectively prevents host identification but degrades the utility of data for anomaly detection. However, the degree of degradation depends on the metric used and whether network-internal or external addresses are considered. Entropy metrics are more resistant to truncation than unique counts and the detection quality of anomalies degrades much faster in internal addresses than in external addresses. In particular, the usefulness of internal address counts is lost even for truncation of only 4 bits whereas utility of external address entropy is virtually unchanged even for truncation of 20 bits.

Measurement Data Reduction through Variation Rate Metering

We present an efficient network measurement primitive that measures the rate of variations, or unique values for a given characteristic of a traffic flow. The primitive is widely applicable to a variety of data reduction and pre-analysis tasks at the measurement interface, and we show it to be particularly useful for building data-reducing preanalysis stages for scan detection within a multistage network analysis architecture. The presented approach is based upon data structures derived from Bloom filters, and as such yields high performance with probabilistic accuracy and controllable worst-case time and memory complexity. This predictability makes it suitable for hardware implementation in dedicated network measurement devices. One key innovation of the present work is that it is self-tuning, adapting to the characteristics of the measured traffic.

Towards Privacy-Preserving Network Monitoring: Issues and Challenges

Passive network monitoring is required for the operation and maintenance of communication networks as well as to detect frauds and attacks. Typically, raw packet-level traffic traces are collected using suitable traffic probe devices and fed to monitoring applications (IDSs, antivirus, etc.) for analysis, with potential risks for the legitimate privacy rights of the customers. This paper aims to discuss the technical feasibility and the underlying research challenges of a two-tiered privacy-preserving network monitoring system, where carefully designed data protection mechanisms can coexist with suitably adapted monitoring applications.

Identifying skype traffic in a large-scale flow data repository

We present a novel method for identifying Skype clients and supernodes on a network using only flow data, based upon the detection of certain Skype control traffic. Flow-level identification allows long-term retrospective studies of Skype traffic as well as studies of Skype traffic on much larger scale networks than existing packet-based approaches. We use this method to identify Skype hosts and connection events to the network in a historical flow data set containing 182 full days of data over the six years from 2004 to 2009, in order to explore the evolution of the Skype network in general and a large observed portion thereof in particular. This represents, to the best of our knowledge, the first long-term retrospective analysis of the behavior of the Skype network based solely on flow data, and the first successful application of a Skype detection algorithm to flow data collected from a production network.

A measurement framework for inter-domain SLA validation

Validating network services conformance to the guarantees given in an SLA becomes particularly challenging in inter-domain environments. We propose a system that enables the remote configuration of measurement processes across domains, allowing providers to perform coordinated non-intrusive inter-domain measurements. The system incorporates AAA functions for authorization of neighbor providers. Since the amount of result data can grow immense for non-intrusive measurements, we propose the use of sampling techniques to reduce the exported traffic load. The efficiency of the system has been validated through measurements obtained during a distributed gaming session.

Requirements for a Standardized Flow Storage Solution

IP flow data provides input for accounting, traffic engineering and security applications. The storage of flow data is required to allow off-line processing, archiving, and sharing of traffic traces. Currently this is achieved with a variety of proprietary solutions, which results in a variety of formats as input for flow processing tools and hinders data sharing and tool reusability. In this paper we analyze the requirements for a standard file format for storing flow data, and propose using the upcoming standard IP flow information export protocol (IPFIX) as a basis for its design

Validating Inter-domain SLAs with a Programmable Traffic Control System

For network users and service providers it is important to validate the compliance of network services to the guarantees given in Service Level Agreements (SLAs). This is particularly challenging in inter-domain environments. In this paper, we propose a novel solution for inter-domain SLA validation, based on programmable traffic processing devices that are attached to routers and located in several autonomous systems. Using our service management infrastructure, the measurement logic is deployed on the traffic processing devices in a flexible and secure way. We safely delegate partial network management capability from network operators to network users, which are enabled to configure service logic on the traffic processing devices. At the same time, the management infrastructure guarantees against negative influence of the network users configuration on network stability or other users traffic. Via the flexible configuration of service logic, our system gives network users powerful means to observe quality of service parameters agreed upon in SLAs. We present a detailed scenario of the SLA validation service and its deployment across several administrative domains.