Deep packet anonymization

2009 
Network traces of Internet attacks are among the most valuable resources for network analysts and security researchers. However, organizations and researchers are usually reluctant to share their network data, as network packets may contain private or sensitive information. To alleviate the problem of information leakage, network traces are often anonymized before being shared. Typical anonymization approaches sanitize, or in some cases completely remove, certain packet header fields, higher-level protocol fields, or even payload information that could reveal the source and destination of an attack incident. Although a variety of network trace anonymization techniques exist, in this paper we show that in certain cases they prove inadequate, because attack traces may contain sensitive information not only in the packet headers and the packet payload, which are both exposed "on the wire," but also in the encrypted payload of the self-decrypting shellcode carried in the attack vector of code-injection attacks. To overcome this limitation, we extend an existing network trace anonymization framework to identify and anonymize sensitive information contained in the shellcode of code-injection attack packets. Our approach takes advantage of the regular structure of widely used shellcode decryption schemes to produce fully anonymized attack traces.