Internet Monitoring with PRivacy-PReserving Encoding and Selective Access

Scientific coordinators: L. Salgarelli & F. Gringoli, UniBS

IMPRESA is a 2-year research project sponsored in part by MIUR (Ministero dell'Università e della Ricerca Scientifica) under the PRIN research programs, 2010-2012. The total budget is 388,400 EUR.

Project abstract

The continuing evolution of modern networks into secure, reliable and ubiquitous infrastructures is increasingly dependent on advanced network monitoring and traffic analysis techniques. However, monitoring tools in use today, starting with the ones that collect network traces, present at least two fundamental flaws.

First, their effectiveness is achieved at the price of collecting, inspecting and processing data generated by, or related to, the network users, thus infringing their right to privacy. Although anonymization mechanisms can alleviate the issue, they cannot effectively support a usage model that balances privacy and utility: they can either offer very good privacy guarantees, producing in this case monitoring data that is practically useless, or they can provide good monitoring data, at the price of ephemeral privacy protection.

Second, network monitoring activities do not scale well: they must handle huge amounts of data that are costly to store, transmit and process. It is nowadays common for network monitoring activities to produce traces in the order of Terabytes, with an exponentially growing trend due to the unabated increase in link capacity. Once more, the data reduction mechanisms proposed to date face a dichotomy, this time expressed in terms of trace size versus utility: achieving good data reduction rates today means forfeiting most of the effectiveness of the monitoring activity.

We believe that these two flaws are intrinsic in the traditional "gather first, process later" network monitoring paradigm, which treats data protection and data reduction as static mechanisms applied in an on-off fashion regardless of the specific intent behind the monitoring process. IMPRESA aims at solving these issues by radically transforming traditional monolithic monitoring architectures into modular mechanisms, split into three main components. The core of the "front-end" revolves around the new concept of monitoring widgets, which are lightweight monitoring programs dynamically injected and run directly where data is captured in real time (a traffic probe) or stored offline (a trace repository). Each widget provides a controlled, minimized, and privacy-safe output specifically tailored to the needs of the "back-end" monitoring applications, which represent the second main component of the architecture. Finally, a new monitoring control interface will be designed, not only for managing the security aspects of each widget (e.g., by supporting widget code certification mechanisms), but also for enforcing a comprehensive authorization framework devised to control the widget's operation over the traffic data, so that the back-end monitoring application receives only the strictly necessary data, thus technically enforcing the proportionality principle behind privacy preservation.

By modularizing the monitoring architecture in these components, IMPRESA aims at achieving major research advances with respect to the two problems mentioned above. First, high-speed, scalable monitoring will be made possible by the design of a new generation of hardware-accelerated network monitoring probes, integrating a set of elementary, yet powerful traffic analysis and data protection functions, controlled and extended by a real-time software layer capable of executing dynamically loadable monitoring widgets. Second, tunable privacy protection will allow the balance between utility and privacy to be dynamically adjusted depending on the desired output and on the time-varying state of the monitoring process itself. The IMPRESA monitoring interface will support advanced data protection mechanisms and will apply a finely configurable set of authorization policies so that only specific traffic data from the probes will be accessible from the back-end, and only through specific operations. This is a major research advance with respect to ordinary access control mechanisms which typically provide static policies devised to restrict access to raw data only.
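To make the front-end / control-interface / back-end split concrete, here is a toy model in Python. It is an added example, not IMPRESA code: the widget function, the policy fields (allowed_ops, output_fields, prefix_bits, min_group), the keyed prefix-truncation pseudonymization scheme, the bytecode-hash "certification" check and the flow records are all assumptions made up for illustration. The widget runs over the probe-local records and only its policy-filtered aggregate leaves the probe; prefix_bits is the tunable privacy knob (a coarser prefix merges more sources under one pseudonym), and groups covering fewer than min_group flows are suppressed before release.

```python
"""Toy model of a widget-based monitoring front-end with policy enforcement.

Added example, not code from the IMPRESA project; every API and field
below is an assumption made for illustration.
"""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample flow records standing in for a probe's capture buffer.
FLOWS = [
    {"src": "192.168.10.5", "dst": "203.0.113.7", "dport": 443, "bytes": 5200},
    {"src": "192.168.10.6", "dst": "203.0.113.9", "dport": 443, "bytes": 1800},
    {"src": "192.168.11.8", "dst": "203.0.113.7", "dport": 443, "bytes": 700},
    {"src": "192.168.11.9", "dst": "198.51.100.2", "dport": 80, "bytes": 300},
    {"src": "192.168.12.1", "dst": "198.51.100.2", "dport": 22, "bytes": 90},
]

KEY = b"probe-local-secret"  # assumption: pseudonymization key never leaves the probe


def pseudonymize(ip, prefix_bits, key=KEY):
    """Truncate the address to prefix_bits, then replace it with a keyed pseudonym.

    prefix_bits is the utility/privacy knob: 32 keeps hosts distinct,
    24 merges a /24 into one pseudonym, 0 merges every source.
    """
    net = ipaddress.ip_network(f"{ip}/{prefix_bits}", strict=False)
    return hmac.new(key, str(net).encode(), hashlib.sha256).hexdigest()[:10]


def bytes_per_source(flows, prefix_bits):
    """Widget: flow count and byte total per (pseudonymized source, dport).

    Runs where the data sits; it never returns raw records.
    """
    acc = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        g = acc[(pseudonymize(f["src"], prefix_bits), f["dport"])]
        g["flows"] += 1
        g["bytes"] += f["bytes"]
    return [{"src": s, "dport": p, **v} for (s, p), v in acc.items()]


# ---- control interface side -------------------------------------------------

def widget_digest(fn):
    # Assumption: a real control interface would verify a signature over the
    # widget's code; hashing its bytecode stands in for certification here.
    return hashlib.sha256(fn.__code__.co_code).hexdigest()


CERTIFIED = {"bytes_per_source": widget_digest(bytes_per_source)}

POLICY = {
    "allowed_ops": {"bytes_per_source"},                 # operations this back-end may request
    "output_fields": {"src", "dport", "flows", "bytes"}, # e.g. destinations never leave the probe
    "prefix_bits": 24,                                   # tunable privacy level
    "min_group": 2,                                      # suppress aggregates over <2 flows
}


def run_widget(fn, flows, policy):
    """Authorize, certify, execute, then minimize the widget's output per policy."""
    name = fn.__name__
    if name not in policy["allowed_ops"]:
        raise PermissionError(f"operation {name!r} not authorized by policy")
    if CERTIFIED.get(name) != widget_digest(fn):
        raise PermissionError(f"widget {name!r} is not certified")
    out = []
    for row in fn(flows, policy["prefix_bits"]):
        if row["flows"] < policy["min_group"]:
            continue  # too few flows behind this aggregate: drop it
        out.append({k: v for k, v in row.items() if k in policy["output_fields"]})
    return sorted(out, key=lambda r: (-r.get("bytes", 0), r.get("dport", 0)))


if __name__ == "__main__":
    for r in run_widget(bytes_per_source, FLOWS, POLICY):
        print(r)
```

With prefix_bits=24 the two hosts in 192.168.10.0/24 collapse into one group (2 flows, 7000 bytes on port 443) and every other group is suppressed; lowering prefix_bits to 16 merges all five sources, so port 443 is reported with 3 flows and 7700 bytes. Both dials are set by the control interface, not by the back-end that consumes the result.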

The parallel development of novel techniques in these areas, and their integration into a usable prototype, is expected to open new paths for network monitoring. In particular, practical applications of network monitoring, such as traffic classification and anomaly detection, will be significantly transformed, by opening the door to monitoring tools that, either for efficiency reasons or for privacy ones, were up to now inadequate for the job. Furthermore, the new monitoring interface that enables fine-grained control of the information returned by capture devices may allow a widespread diffusion of monitoring probes, whose deployment will no longer be limited by privacy concerns and by the problem of getting access to sensitive data in the network provider domain, hence improving the capacity to analyze and understand network dynamics.