DocumentCode :
2404780
Title :
Netshuffle: Improving Traffic Trace Anonymization through Graph Distortion
Author :
Valgenti, Victor C. ; Paul, Ruma R. ; Kim, Min Sik
Author_Institution :
Sch. of Electr. Eng. & Comput. Sci., Washington State Univ., Pullman, WA, USA
fYear :
2011
fDate :
5-9 June 2011
Firstpage :
1
Lastpage :
6
Abstract :
Traffic traces provide valuable data to researchers and organizations alike. However, organizations that provide this information do not wish to expose the internal workings of their networks to potential attack. Traffic trace anonymization attempts to mitigate this concern by hiding sensitive information while preserving most of the empirical value of the trace. Unfortunately, many attacks such as statistical fingerprinting, known-plaintext, and port evaluation can serve to identify communications within a trace which can lead an attacker to the real-world identities of anonymized devices. The inherent graph structure embedded in network traffic stands as a primary lever in achieving such de-anonymization. We propose Netshuffle, a method that distorts the graph structure in the anonymized trace such that an attacker cannot rely on the edges (communications) to identify a particular end-node (device). In essence, we shuffle the edges of the graph like a deck of cards so that even if an attacker can identify an edge, that edge does not necessarily connect to the intended target. Thus, inferences based on features of communications will either lead an attacker astray, or force the attacker to guess as to the identity of the targeted node from several indistinguishable candidates. Netshuffle provides a complementary vector of protection to current anonymization techniques at limited cost in data utility.
Keywords :
IP networks; computer network security; Netshuffle; anonymized devices; deanonymization; graph distortion; inherent graph structure; known-plaintext; network traffic; port evaluation; statistical fingerprinting; traffic trace anonymization; Equations; IEEE Communications Society; IP networks; Image edge detection; Merging; Peer to peer computing; Topology;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications (ICC), 2011 IEEE International Conference on
Conference_Location :
Kyoto
ISSN :
1550-3607
Print_ISBN :
978-1-61284-232-5
Electronic_ISBN :
1550-3607
Type :
conf
DOI :
10.1109/icc.2011.5962451
Filename :
5962451