new ranonymize() tool
Carter Bullard <carter <at> qosient.com>
2002-10-10 12:35:02 GMT
Gentle people,
I'd like to get some conversation going on ranonymize(). It's
a very interesting tool for scrambling argus data so that the data
retains enough semantics so it can still be analyzed, but anonymized
enough so that the data can be shared as well.
I think the goal of anonymization is to minimize discovery and
traffic engineering capabilities from argus data when you share
it, or even store it for long periods of time. This means that
obvious identifiers, such as addresses and port numbers need to
be modified, but also non-obvious values like TCP base sequence
numbers, ESP spi values, and TTLs. Because the purpose of sharing
argus data is generally to convey some set of semantics, like the
relationship of addresses and ports that are of interest, or some
aspect of time, you need some flexibility in scrambling the data.
Maybe you want to demonstrate how two hosts are interacting among
other traffic, so you want to translate two addresses of interest
to known values and randomize the rest. Or maybe you want to preserve
the concept of local vs. remote hosts, so you need to retain some
aspect of the address hierarchy. Simply randomizing every 8-, 16-
and 32-bit object in an argus record isn't going to be the most
helpful.
Ranonymize has a rich set of configuration parameters to provide
anonymization with exceptions. You can tell ranonymize, "don't
translate these objects", "translate this value to this value",
and you tell it "use these techniques to translate these objects".
These options are primarily focused on MAC and IPv4 addresses, port
values, time, IP header fields, such as the ip_id, TOS and TTL,
and dealing with sequence numbers in the various supported protocols.
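The policy knobs the post describes (pin some addresses of interest to known values, keep the local/remote split, translate the rest consistently, leave well-known ports alone, shift rather than randomize sequence numbers) as an added toy example. This is illustrative code written for this discussion, not ranonymize's own implementation; the "local" prefix, the pinned translations and the record fields are assumptions, and the input records are constructed dicts rather than real argus records.

```python
import ipaddress
import random

LOCAL_NET = ipaddress.ip_network("10.1.2.0/24")   # assumed "local" prefix
PINNED = {"10.1.2.5": "10.1.2.1", "198.51.100.7": "203.0.113.1"}  # assumed exceptions


class Anonymizer:
    """Consistent (same input -> same output) scrambling with exceptions."""
    def __init__(self, seed=1234):
        self.rng = random.Random(seed)   # seeded so one data set maps consistently
        self.addr_map = dict(PINNED)     # "translate this value to this value"
        self.port_map = {}
        self.seq_offset = self.rng.randrange(1, 2**32)

    def addr(self, a):
        if a not in self.addr_map:
            if ipaddress.ip_address(a) in LOCAL_NET:
                # local host: keep the /24 so local vs. remote survives
                new = LOCAL_NET.network_address + self.rng.randrange(2, 254)
            else:
                # remote host: fully random, but never one that looks local
                new = ipaddress.ip_address(self.rng.randrange(2**32))
                while new in LOCAL_NET:
                    new = ipaddress.ip_address(self.rng.randrange(2**32))
            self.addr_map[a] = str(new)   # toy: output collisions are not checked
        return self.addr_map[a]

    def port(self, p):
        if p < 1024:            # "don't translate these objects": keep service ports
            return p
        if p not in self.port_map:
            self.port_map[p] = self.rng.randrange(1024, 65536)
        return self.port_map[p]

    def record(self, r):
        out = dict(r)
        out["src"], out["dst"] = self.addr(r["src"]), self.addr(r["dst"])
        out["sport"], out["dport"] = self.port(r["sport"]), self.port(r["dport"])
        # sequence numbers: one fixed offset, so deltas within a flow still analyze
        out["seq"] = (r["seq"] + self.seq_offset) % 2**32
        out["ttl"] = 64 if r["ttl"] > 32 else 32   # coarsen TTL: drops OS/hop-count hints
        return out


if __name__ == "__main__":
    # constructed sample flow, not real argus output
    a = Anonymizer()
    print(a.record({"src": "10.1.2.5", "dst": "198.51.100.7",
                    "sport": 40000, "dport": 80, "seq": 100, "ttl": 64}))
```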