The Utility vs. Strength Tradeoff: Anonymization for Log Sharing
Many organizations, and in particular the network security teams within those organizations, have come to the conclusion that sharing their network logs is essential in the detection and prevention of intrusions. Log sharing is also useful in network research and education. The main impediment to sharing network logs is the potential loss of sensitive information that can be used by malicious entities to break into the organization's systems. At NCSA we are developing a log sharing infrastructure that utilizes anonymization to remove sensitive information from logs. Anonymization is the process of modifying the data in the log so that sensitive information is not shared, but the log can still be useful to other users.
The main problem in applying anonymization to logs is deciding how much information to remove from the logs. This has a direct impact on the ability of an attacker to use the shared logs to attack the organization's system. We dub this the Utility vs. Strength tradeoff: Utility refers to the usefulness of the log, and Strength refers to the difficulty an attacker will have in "deanonymizing" the log. Under the auspices of an NSF Cybertrust grant we are studying this tradeoff for network security logs in order to create a log sharing system that will allow our security engineers to quickly share logs with a multitude of clients. In this talk I will speak on the utility vs. strength tradeoff. In addition, I will mention FLAIM, a tool developed at NCSA that allows multi-level anonymization and is easily extensible to many logs.
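The tradeoff can be made concrete with a small added example (not FLAIM's code and not from the talk): it anonymizes the source-address field of a constructed log at several levels by truncating the address, then reports how many sources an analyst can still tell apart (utility) against how many real addresses each anonymized value could stand for (a simplified strength measure that ignores any side information an attacker holds). The function names, the log format, and the choice of truncation as the technique are assumptions made for illustration.

```python
import ipaddress

# Constructed sample log (timestamp, source IP, destination port); not real data.
SAMPLE_LOG = """\
2006-07-31T10:00:01 192.0.2.10 22
2006-07-31T10:00:02 192.0.2.10 22
2006-07-31T10:00:03 192.0.2.77 80
2006-07-31T10:00:04 198.51.100.5 22
2006-07-31T10:00:05 198.51.100.9 443
2006-07-31T10:00:06 203.0.113.200 22
"""

def truncate_ip(ip: str, keep_bits: int) -> str:
    """Zero every bit after the first keep_bits of an IPv4 address."""
    if not 0 <= keep_bits <= 32:
        raise ValueError("keep_bits must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - keep_bits)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))

def anonymize(log: str, keep_bits: int) -> list:
    """Return the log lines with the source field truncated to keep_bits."""
    out = []
    for line in log.splitlines():
        ts, src, port = line.split()
        out.append(f"{ts} {truncate_ip(src, keep_bits)} {port}")
    return out

def tradeoff(log: str, keep_bits: int) -> dict:
    """Summarize utility and strength for one anonymization level."""
    sources = {line.split()[1] for line in anonymize(log, keep_bits)}
    return {
        "keep_bits": keep_bits,
        # Utility: sources that remain distinguishable in the shared log.
        "distinct_sources": len(sources),
        # Strength (simplified): real addresses consistent with one output value.
        "candidates_per_value": 2 ** (32 - keep_bits),
    }

if __name__ == "__main__":
    # 32 = no anonymization, 0 = field fully blanked.
    for bits in (32, 24, 16, 0):
        print(tradeoff(SAMPLE_LOG, bits))
```

Keeping fewer bits enlarges the set of addresses each value could represent while collapsing the sources an analyst can separate, which is the tension the talk describes.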
author = {Kiran Lakkaraju},
title = {The Utility vs. Strength Tradeoff: Anonymization for Log Sharing},
year = {2006},
address = {Vancouver, B.C. Canada},
publisher = {USENIX Association},
month = jul,
}