Analyzing Privacy in Enterprise Packet Trace Anonymization

Accurate network measurement through trace collection is critical for advancing network design and for maintain- ing secure, reliable networks. Unfortunately, the release of network traces to analysts is highly constrained by privacy concerns. Several host anonymization schemes have been proposed to address this issue. Preservation of prefix re- lationships among anonymized addresses is an important aspect of trace utility, but also causes a number of vulnera- bilities in trace anonymization. In this work we present an efficient host fingerprint attack targeting prefix-preserving anonymized traces. The attack is general (encompassing a range of fingerprinting host de-anonymization attacks pro- posed by others) and flexible (it can be adapted to emerg- ing variants of prefix-preserving anonymization). Perhaps most importantly, we develop analysis tools that allow data publishers to quantify the worst-case vulnerability of their traces given assumptions about the kind of external infor- mation that is available to the adversary. Using this analy- sis we quantify the trade-off between privacy and utility of alternatives to full prefix-preserving anonymization.