A Graded Approach To Network Forensics With Privacy Concerns

2019 International Conference on Computing, Networking and Communications (ICNC) (2019)

Abstract
Anomaly detection in recent or historic traffic traces is a typical approach in applying network forensics to analyze previous security incidents in networks, as well as for real-time network monitoring for detecting intrusions or other security incidents without known signatures. However, even in the aftermath of a security incident, privacy expectations of legitimate users remain a primary concern. In this paper, we describe our findings regarding the preference of network administrators for releasing data. We then go on to describe a methodology that balances the motivations of preserving maximum privacy for legitimate users and obtaining maximum possible information regarding potentially anomalous behavior. Our methodology is based on a graded approach to progressing from highly anonymized data to further disclosure for targeted traffic streams. In particular, we show that it is possible to obtain significant progress from highly aggregated data that is typically considered essentially valueless for the purpose of anomaly detection. We present the result of these first steps as executed on a real enterprise network, showing how the graded approach can work in practice.
Keywords
network management, network monitoring, network forensics, anomaly detection