new ranonymize() tool

[Carter Bullard]

Hey Peter,
   The new ranonymize() by default subtracts a separate
random constant from the seconds and uSecs in the flow timestamp
values, to anonymize time.  The technique preserves the relative
timing of all the records in a flow file or stream, so transaction
duration, inter-flow gaps, etc, are all still there.

Would this have worked for your situation?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com
 

-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Peter Van
Epp
Sent: Monday, October 14, 2002 3:04 PM
To: argus
Subject: Re: new ranonymize() tool


	I expect this will be fine. The case I posted was us trying to
see if we could publish our traces from our network while preserving all
the timing issues to allow traffic research (much like the traces from
CAIDA). 
Unfortunatly in that case we don't want to change the timing
relationships in 
the traffic, but given the constraints I don't think that is possible
for the 
reasons I posted. For things that don't care so much about the overall 
relationship of traffic (i.e. attack signatures that aren't timeing
sensitive or more correctly timing change sensitve) your anonymizer
looks to do the job just fine and is a valuable addition.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada