<?xml version="1.0" standalone="no"?>
                    <!DOCTYPE div SYSTEM "/www/backend/www-xml-443/dtd/caidaML.dtd">
                    <!-- do NOT ERASE the DOCTYPE declaration! --><div>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>URL:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<a href="http://discovery.csc.ncsu.edu/pubs/SecureComm06a.pdf">http://discovery.csc.ncsu.edu/pubs/SecureComm06a.pdf</a>
</font>
  </td>
</tr>


<tr bgcolor="#e9e9e9">
  <td>
<font face="helvetica,arial" size="2">
<b>ENTRY DATE:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
2008-06-16


</font>
  </td>
</tr>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>ABSTRACT:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
Intrusion alert data sets are critical for security research such as
alert correlation. However, privacy concerns about the data sets from
different data owners may prevent data sharing and investigation. It is
always desirable and sometimes mandatory to anonymize sensitive data in
alert sets before they are shared and analyzed. To address privacy
concerns, in this paper we propose three schemes to flexibly perform
alert anonymization. These schemes are closely related but can also be
applied independently. In Scheme I, we generate artificial alerts and
mix them with original alerts to help hide original attribute values. In
Scheme II, we further map sensitive attributes to random values based on
concept hierarchies. In Scheme III, we propose to partition an alert set
into multiple subsets and apply Scheme II in each subset
independently. To evaluate privacy protection and guide alert
anonymization, we define local privacy and global privacy, and use
entropy to compute their values. Though we emphasize alert anonymization
techniques in this paper, to examine data usability, we further perform
correlation analysis for anonymized data sets. We focus on estimating
similarity values between anonymized attributes and building attack
scenarios from anonymized data sets. Our experimental results
demonstrated the effectiveness of our techniques.





</font>
  </td>
</tr>
</div>

