Evaluating the Utility of Anonymized Network Traces for Intrusion Detection
Kiran Lakkaraju, Adam Slagell

TL;DR
This paper empirically evaluates how different anonymization policies affect the utility of network logs for intrusion detection, focusing on alert generation and identifying key fields impacting utility.
Contribution
It provides the first thorough analysis of how single field anonymization policies influence log utility for intrusion detection.
Findings
Anonymizing certain fields significantly changes the number of alerts the IDS generates.
Anonymizing those fields reduces detection effectiveness.
The paper identifies the key fields whose anonymization affects log utility the most.
Abstract
Anonymization is the process of removing or hiding sensitive information in logs. Anonymization allows organizations to share network logs without exposing sensitive information. However, there is an inherent trade-off between the amount of information revealed in the log and the usefulness of the log to the client (the utility of the log). There are many anonymization techniques, and there are many ways to anonymize a particular log (that is, which fields to anonymize and how). Different anonymization policies will result in logs with varying levels of utility for analysis. In this paper we explore the effect of different anonymization policies on logs. We provide an empirical analysis of the effect of varying anonymization policies by looking at the number of alerts generated by an Intrusion Detection System. This is the first work to thoroughly evaluate the effect of single field…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Privacy-Preserving Technologies in Data
