new ranonymize() tool
Carter Bullard
carter at qosient.com
Mon Oct 14 15:15:10 EDT 2002
Hey Peter,
The new ranonymize() by default subtracts a separate
random constant from the seconds and uSecs in the flow timestamp
values, to anonymize time. The technique preserves the relative
timing of all the records in a flow file or stream, so transaction
duration, inter-flow gaps, etc, are all still there.
Would this have worked for your situation?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Peter Van Epp
Sent: Monday, October 14, 2002 3:04 PM
To: argus
Subject: Re: new ranonymize() tool
I expect this will be fine. The case I posted was us trying to
see if we could publish our traces from our network while preserving all
the timing issues to allow traffic research (much like the traces from
CAIDA).
Unfortunately in that case we don't want to change the timing
relationships in the traffic, but given the constraints I don't think
that is possible for the reasons I posted. For things that don't care so
much about the overall relationship of traffic (i.e. attack signatures
that aren't timing sensitive or more correctly timing change sensitive)
your anonymizer looks to do the job just fine and is a valuable addition.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
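
The time shift described in the message above, sketched as an added example: this is not ranonymize()'s source and not code from either poster. The record layout, function names and sample timestamps are assumptions constructed for illustration; the point shown is that one pair of constants per file or stream, with a borrow when microseconds underflow, leaves durations and inter-flow gaps unchanged.

```python
import secrets
from typing import NamedTuple

USEC = 1_000_000

class Flow(NamedTuple):          # hypothetical record layout, not Argus's own
    start: tuple                 # (seconds, microseconds)
    last: tuple                  # (seconds, microseconds)

def shift(ts, sec_off, usec_off):
    """Subtract the two constants, borrowing a second if microseconds underflow."""
    total = (ts[0] - sec_off) * USEC + (ts[1] - usec_off)
    return divmod(total, USEC)

def anonymize_times(flows, sec_off=None, usec_off=None):
    """Shift every timestamp in one file/stream by the same pair of constants."""
    if sec_off is None:
        # Stay below the earliest second so shifted times remain positive.
        sec_off = secrets.randbelow(min(f.start[0] for f in flows))
    if usec_off is None:
        usec_off = secrets.randbelow(USEC)
    return [Flow(shift(f.start, sec_off, usec_off),
                 shift(f.last, sec_off, usec_off)) for f in flows]

def to_usec(ts):
    return ts[0] * USEC + ts[1]

def durations(flows):
    return [to_usec(f.last) - to_usec(f.start) for f in flows]

def gaps(flows):
    return [to_usec(b.start) - to_usec(a.start) for a, b in zip(flows, flows[1:])]

# Constructed sample flows (October 2002 epoch seconds), not real traffic.
SAMPLE = [
    Flow((1034622910, 250000), (1034622912, 100000)),
    Flow((1034622911, 900000), (1034622911, 950000)),
    Flow((1034622915, 10), (1034622920, 5)),
]

if __name__ == "__main__":
    anon = anonymize_times(SAMPLE)
    for before, after in zip(SAMPLE, anon):
        print(before, "->", after)
    print("durations preserved:", durations(SAMPLE) == durations(anon))
    print("gaps preserved:", gaps(SAMPLE) == gaps(anon))
```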