ABSTRACT
Network operators are reluctant to share traffic data due to security and privacy concerns. Consequently, there is a lack of publicly available traces for validating and generalizing the latest results in network and security research. Anonymization is a possible solution in this context; however, it is unclear how the sanitization of data preserves characteristics important for traffic analysis. In addition, the privacy-preserving property of state-of-the-art IP address anonymization techniques has been called into question by recent attacks that successfully identified a large number of hosts in anonymized traces. In this paper, we examine the tradeoff between data utility for anomaly detection and the risk of host identification for IP address truncation. Specifically, we analyze three weeks of unsampled and non-anonymized network traces from a medium-sized backbone network to assess data utility. The risk of de-anonymizing individual IP addresses is formally evaluated, using a metric based on conditional entropy. Our results indicate that truncation effectively prevents host identification but degrades the utility of data for anomaly detection. However, the degree of degradation depends on the metric used and whether network-internal or external addresses are considered. Entropy metrics are more resistant to truncation than unique counts, and the detection quality of anomalies degrades much faster in internal addresses than in external addresses. In particular, the usefulness of internal address counts is lost even for truncation of only 4 bits, whereas the utility of external address entropy is virtually unchanged even for truncation of 20 bits.
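As an added illustration (not code from the paper), the following Python sketch applies IP address truncation and computes the two metric families the abstract compares, unique address counts and Shannon entropy, on a constructed baseline bin and a constructed anomalous bin. Truncation is modelled here as zeroing the n least-significant bits; that model, the sample addresses, the flow counts and all function names are assumptions, and the toy numbers do not reproduce the paper's measurements.

```python
import ipaddress
import math
from collections import Counter

def truncate(addr: str, bits: int) -> str:
    """Zero the `bits` least-significant bits of an IPv4 address
    (assumed model of truncation for this example)."""
    if not 0 <= bits <= 32:
        raise ValueError("bits must be in 0..32")
    mask = (0xFFFFFFFF << bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))

def unique_count(addrs) -> int:
    return len(set(addrs))

def entropy(addrs) -> float:
    """Shannon entropy in bits of the per-flow address distribution."""
    counts = Counter(addrs)
    total = sum(counts.values())
    return sum(c / total * math.log2(total / c) for c in counts.values())

def sample_bin(anomaly: bool) -> list:
    """Constructed data: one source address per flow in a time bin."""
    # Baseline: 8 hosts in distinct /24s, 8 flows each.
    flows = [f"10.0.{i}.5" for i in range(8) for _ in range(8)]
    if anomaly:
        # Constructed anomaly: 64 addresses from one /24, one flow each.
        flows += [f"10.1.1.{k}" for k in range(64)]
    return flows

def metrics(flows, bits: int):
    """(unique count, entropy) after truncating every address by `bits`."""
    t = [truncate(a, bits) for a in flows]
    return unique_count(t), entropy(t)

if __name__ == "__main__":
    for bits in (0, 4, 8, 16):
        base = metrics(sample_bin(False), bits)
        anom = metrics(sample_bin(True), bits)
        print(f"{bits:2d} bits  baseline count={base[0]:2d} H={base[1]:.2f}"
              f"  anomaly count={anom[0]:2d} H={anom[1]:.2f}")
```

Comparing the baseline and anomaly columns row by row shows how much of the difference between the two bins each metric retains as more bits are removed.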