
Markov Models for Network-Behavior Modeling and Anonymization

Yingbo Song (Intrusion Detection Systems Lab), Salvatore J. Stolfo (Intrusion Detection Systems Lab), Tony Jebara (Machine Learning Lab)
Dept. of Computer Science, Columbia University
[email protected], [email protected], [email protected]

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Copyright 2011 ACM X-XXXXX-XX-X/XX/XX ...$5.00.

ABSTRACT

Modern network security research has demonstrated a clear need for open sharing of traffic datasets between organizations, a need that has so far been held back by the challenge of removing sensitive content beforehand. Network Data Anonymization (NDA) is emerging as a field dedicated to this problem, with its main direction focusing on the removal of identifiable artifacts that might pierce privacy, such as usernames and IP addresses. However, recent research has demonstrated that more subtle statistical artifacts, also present, may yield fingerprints that are just as distinguishing as the former. This result highlights certain shortcomings in current anonymization frameworks, particularly their ignoring of the behavioral idiosyncrasies of network protocols, applications, and users.

Recent anonymization results have shown that the extent to which utility and privacy can be obtained is mainly a function of the information in the data that one is aware and not aware of. This paper leverages the predictability of network behavior in our favor to augment existing frameworks through a new machine-learning-driven anonymization technique. Our approach substitutes group identities for individual identities, where members are grouped based on behavioral similarities, essentially providing anonymity-by-crowds in a statistical mix-net. We derive time-series models for network traffic behavior which quantifiably model the discriminative features of network "behavior", and introduce a kernel-based framework for anonymity which fits together naturally with network-data modeling.

Keywords

Network behavior, Anonymity, Markov, Time-series, Kernel

1. INTRODUCTION

Modern network security research has demonstrated a clear necessity for the open sharing of large network traffic datasets between research organizations. Many security-related research fields, such as detecting exploits, DDoS attacks, or worm outbreaks, would benefit greatly if researchers had the ability to easily correlate information between several different resources, thus allowing them to extend their scope beyond their own organization's networks. This would encourage collaboration and facilitate confirmation of research results. To date, however, sharing of large-scale network traffic datasets, such as packet or Netflow captures, has been relatively limited in scale. This is due primarily to the fact that such datasets often contain sensitive content, including but not limited to personally identifiable information of third parties not directly involved in the research, where the inadvertent release of such information may cause damage to the releasing entity. As a result, researchers often evaluate their technologies solely on their own organization's traffic, making direct comparisons of related systems difficult to achieve.

Network Data Anonymization (NDA) is emerging as a field that is dedicated to solving this problem [1]. The predominant direction in NDA is content removal and masking, which includes deletion of packet payloads and masking of headers, such as the removal of flags and one-way transforms on IP addresses. The best known tool in this area, for example, is tcpmkpub [21], a policy-driven framework for applying a range of such transformations. Tools such as these facilitate the removal of human-identified signatures which might fingerprint users, hosts, or services that should otherwise remain anonymous.

However, recent research has demonstrated that beyond superficially observable data such as IP addresses, more subtle statistical artifacts are also present in these traces which may yield fingerprints that are just as distinguishing as the former. Further, statistical models trained on these artifacts may be used to breach confidentiality. For example, previous work with hidden Markov models (HMMs) trained on packet timings for network protocols demonstrated that, even if the traces are encrypted, HMMs were still able to reliably isolate these protocols from the encrypted dataset [29]. This example highlights certain shortcomings in current anonymization frameworks, particularly in ignoring the idiosyncrasies of network protocols, applications, and users. As the field of network traffic anonymization progresses, it is certain that behavioral fingerprints should be taken into account.

1.1 Motivation

This paper aims to demonstrate that in a state of uncertainty, it is possible to leverage behavioral idiosyncrasies in our favor, by using machine-learning-driven methods to conceal both the known and the unknown data. Through the substitution of individual identities with group identities, each host is assigned to a particular group based on the similarity of its own behavior to that of other group members. In addition, perturbation of user behavior is used, and synthetic data drawn from learned behavioral profiles are inserted into the dataset. We draw from the well-known principle of mix-nets to provide anonymity by crowds. The intermixing (or "clustering") of these identities effectively anonymizes each member of that cluster (providing k-anonymity) while simultaneously preserving, in the aggregate, the statistics that characterize the members of that group. "Mixing" data in a group identity takes the form of source aggregation; for example, assigning a single IP address to all members of a group. Normally, any aggregation of statistics naturally causes data loss, as this translates to capturing a coarser snapshot of the data. However, using statistical-modeling theory from machine learning allows us to drive these transformations in a way such that information dilution is minimized. As this process is independent of other anonymization transforms, it is compatible with existing frameworks [21, 12] and can be considered as another layer in existing anonymization chains.

efforts were hampered by the inability of the individual organizations to freely share data amongst themselves. This was due to the fact that, among the fingerprints and clues that forensic experts might want to extract from such network traffic, the data contained private sensitive information which could not be released, and which the owners of such data could not easily remove.

Beyond forensics, it is a common goal of all scientific communities to share data, for purposes of cross-environment testing of proposed algorithms, as well as results verification and reproduction. It is because of this need that organizations such as OpenPacket [4], and the more recent U.S. Department of Homeland Security-sponsored PREDICT [5], were recently created. However, unlike other disciplines, raw network traffic data often include sensitive information. A packet capture of all network traffic, for example, would include web traffic showing which websites users visited, where they transfer files to and from, the locations of their email, banking, and other private accounts, as well as any credentials not protected by encryption. In addition to personal information, the disclosure of network profiles such as vulnerability fingerprints of existing machines, firewall policies, details of existing security services, the location of database and other sensitive servers, and network infrastructure in general, can all lead to unintended negative consequences for the releasing party.

A 2008 survey by Mirkovic showed that out of a total of 144 papers published in the Special Interest Group on Data Communication (SIGCOMM) and Internet Measurement Conference (IMC) in 2006 and 2007, 49 had utilized network traces in their evaluations, but only 10 had used publicly available datasets [18]. This

Importantly, our research is founded on a kernel-based framework, using graph-cutting methods for clustering, and closely related low-dimensional embedding techniques for visualization which extend directly from this work. This approach, as we demonstrate, is a natural fit for the network-traffic domain. By jointly leveraging both Network Security and Machine Learning using this time-series kernel-based framework, we explore a new field of potential opportunities at the intersection of these domains.

1.2 Novel contributions

This paper presents the following novel contributions: 1) We present new feature extraction algorithms that effectively quantify host behavior based on network traffic. 2) We derive new time-series models for network behavior as well as kernel similarity functions for these models. 3) We present a clustering and visualization framework based on graph-cutting algorithms and time-series kernels, to identify groups of similarly behaving hosts. 4) We use these techniques to derive a new anonymization
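The group-identity substitution described in Section 1.1 (profile each host's behavior, cluster similarly behaving hosts, then rewrite every member's source address to one shared group address so that each group provides k-anonymity) can be walked through end to end on a handful of flow records. The Python example below is added here and is not the authors' code: it stands in a fixed per-host feature vector with Euclidean distance for the paper's time-series kernels, and greedy agglomerative merging for its graph-cut clustering, so that the mechanics of source aggregation and the k-anonymity check are visible. The flow records, the feature choice, and the 192.0.2.x group addresses are constructed for the example.

```python
"""
Added example (not the paper's code): anonymity-by-crowds via group identities.

Hosts are profiled from flow records, clustered by behavioral similarity, and
every host in a cluster is rewritten to one shared group address. Clusters
smaller than k are merged into their nearest neighbour so that each surviving
group address hides at least k real hosts (k-anonymity).

Assumptions standing in for the paper's method: Euclidean distance on a
hand-built feature vector replaces the time-series kernel, and greedy
agglomerative merging replaces graph-cut clustering.
"""
from collections import Counter, defaultdict
import math
import statistics

# Constructed sample flows: (src_ip, dst_port, bytes, start_time_seconds)
FLOWS = [
    ("10.0.0.1", 80, 1200, 0.0), ("10.0.0.1", 443, 3000, 1.1), ("10.0.0.1", 80, 900, 2.0),
    ("10.0.0.2", 80, 1100, 0.5), ("10.0.0.2", 443, 2800, 1.4), ("10.0.0.2", 80, 950, 2.6),
    ("10.0.0.3", 22, 40000, 0.0), ("10.0.0.3", 22, 38000, 30.0), ("10.0.0.3", 22, 41000, 60.0),
    ("10.0.0.4", 22, 39000, 2.0), ("10.0.0.4", 22, 42000, 31.0), ("10.0.0.4", 22, 37000, 61.0),
    ("10.0.0.5", 53, 120, 0.0), ("10.0.0.5", 53, 110, 0.2), ("10.0.0.5", 53, 130, 0.4),
]
PORTS = (22, 53, 80, 443)   # port vocabulary for the feature vector (assumed)


def host_features(flows):
    """Per-host vector: fraction of flows per port, scaled log mean bytes,
    log mean inter-arrival time. A crude behavioral profile, not the paper's."""
    by_host = defaultdict(list)
    for src, port, nbytes, ts in flows:
        by_host[src].append((port, nbytes, ts))
    feats = {}
    for host, recs in by_host.items():
        n = len(recs)
        ports = Counter(p for p, _, _ in recs)
        mean_bytes = statistics.mean(b for _, b, _ in recs)
        times = sorted(t for _, _, t in recs)
        gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
        feats[host] = ([ports[p] / n for p in PORTS]
                       + [math.log1p(mean_bytes) / 10.0,
                          math.log1p(statistics.mean(gaps))])
    return feats


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _centroid(feats, members):
    dim = len(next(iter(feats.values())))
    return [sum(feats[h][i] for h in members) / len(members) for i in range(dim)]


def cluster_hosts(feats, k):
    """Greedy agglomerative clustering: repeatedly merge the smallest cluster
    into its nearest neighbour until every cluster has at least k members."""
    clusters = [[h] for h in sorted(feats)]
    while True:
        small = [c for c in clusters if len(c) < k]
        if not small or len(clusters) == 1:
            break
        victim = min(small, key=len)
        others = [c for c in clusters if c is not victim]
        nearest = min(others, key=lambda c: _dist(_centroid(feats, victim),
                                                  _centroid(feats, c)))
        nearest.extend(victim)
        clusters.remove(victim)
    return clusters


def anonymize(flows, k):
    """Source aggregation: every host in a cluster gets the cluster's one
    group address. Returns the rewritten flows and the host -> group map."""
    feats = host_features(flows)
    clusters = cluster_hosts(feats, k)
    group_of = {}
    for idx, members in enumerate(clusters):
        for h in members:
            group_of[h] = f"192.0.2.{idx + 1}"   # assumed documentation-range group address
    anon = [(group_of[src], port, nbytes, ts) for src, port, nbytes, ts in flows]
    return anon, group_of


def min_group_size(group_of):
    """Smallest number of real hosts behind any group address: the k in k-anonymity."""
    return min(Counter(group_of.values()).values())


if __name__ == "__main__":
    anon_flows, mapping = anonymize(FLOWS, k=2)
    for host, group in sorted(mapping.items()):
        print(f"{host} -> {group}")
    print("min hosts per group:", min_group_size(mapping))
```

On the constructed flows the two web clients form one group and the two bulk-SSH hosts another; the lone DNS host, having no close peer, is forced into the nearest group to satisfy k=2. That forced merge is exactly the utility cost the paper is discussing: the DNS host is now hidden behind three identities, but the aggregate statistics of that group are diluted by an unlike member. A practitioner should report `min_group_size` alongside the anonymized trace, and should remember that port, size and timing columns are left untouched here, so the behavioral fingerprints the paper warns about survive unless the later layers (perturbation and synthetic insertion) are also applied.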