Anonymizing Network Traces with Temporal Pseudonym Consistency

The need for network traces has always been a critical element for the success of network, and network security, research. However, the plethora of privacy, legal and policy issues has often prevented access to collected traces. This has created the need for developing anonymization methods and tools to protect the privacy of the released traces while preserving utility in the data. A key dilemma in anonymizing network traces is whether to preserve IP pseudonym consistency, i.e., whether the same IP address is replaced by the same pseudo IP. On one hand, globally-consistent prefix-preserving IP address anonymization is subject to various privacy attacks. On the other hand, many usages of the trace data require some levels of consistency. We solve this dilemma by observing that a better privacy-utility tradeoff can be obtained by maintaining temporal pseudonym consistency. That is, we divide flows into buckets based on temporal closeness, and anonymize the flows within each bucket separately such that pseudonym consistency is maintained within each bucket, but broken across buckets. We present a new anonymization method based on these insights. Furthermore, our experimental results show that our method provides the needed privacy protections with little adverse effects on the utility of the trace.