CRAWDAD tools/sanitize/generic/AnonTool

AnonTool - an open-source implementation of Anonymization API.

AnonTool, an open-source implementation of Anonymization API, provides an easy to use, flexible and efficient library of functions that can be used to anonymize live traffic, or packet traces in libpcap file format. Currently, IP, TCP/UDP, HTTP, FTP and Netflow v5 and v9 are supported. Three ready-to-use applications have been implemented on top of this library; one provides basic anonymization functionality for the IP/TCP/UDP protocols, and two more which can perform anonymization on every field of a Netflow datagram, one for v5 and one for v9 respectively.

Lastmodified :

2006-11-09

Dataname :

tools/sanitize/generic/AnonTool

File :

anontool-v0.8.tar.gz, API-v0.8.txt

Releasedate :

2006-09-26

Equiversion :

v0.8

References :

koukis-anonymization
 README

Website :

http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html

Keyword :

packet trace
tcpdump

License :

/*
* anontool Copyright Notice, License and Disclaimer
*
* Copyright 2006 by Antonatos Spiros, Koukis Demetres and Foukarakis Michael
*
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted, provided
* that the above copyright notice appear in all copies and that both the
* copyright notice and this permission notice and warranty disclaimer appear
* in supporting documentation, and that the names of the authors not be used
* in advertising or publicity pertaining to distribution of the software without
* specific, written prior permission.
*
* The authors disclaim all warranties with regard to this software, including all
* implied warranties of merchantability and fitness.  In no event shall we be liable
* for any special, indirect or consequential damages or any damages whatsoever
* resulting from loss of use, data or profits, whether in an action of contract,
* negligence or other tortious action, arising out of or in connection with the
* use or performance of this software.
*/

Support :

The tool is being maintained by mfukar@ics.forth.gr and antonat@ics.forth.gr.
Please report any bugs you come across.

Autoconf and automake support are currently on their way.

If you want anonymization for another protocol to be implemented, drop us a line,
we might even consider it. Be informed, however, that the tool was designed with
the thought of new protocols being added constantly in mind, so it follows a simple
modular architecture to allow this, without requiring extensive knowledge of the code.

Build :

Compilation:
-Just make :) (pcap, libnet, pcre libraries needed)

Debian users can do : apt-get install libnet1 libpcre3 libpcap0.8
to install dependencies

-anonlib.so is the shared library containing the anonymization framework.
-There are 3 anonymization applications provided, in the folder applications/
-Also in the applications/ folder, are included 2 small tcpdump traces for testing
(small_trace -> various TCP traffic, netflow_v9_small -> what it says)

Output :

anonymized network traces

Parameters :

see the usage for details

Usage :

The first of these, is a sample application that uses the framework in order to anonymize TCP and UDP packets.
The tool is able to anonymize IP addresses, tcp ports, TCP/UDP payload, checksums, IP options, as well as printing
the packets. The application reads packets from a pcap trace file or from an network interface and dumps the anonymized
packets to a pcap file. Note that -f or -i option must preceed all other options

./anon_packets [ -f input_file | -i interface ] [-a -t -d -c -z -p -h] output
-a ANONYMIZE IP addresses (PREFIX, MAP, ZERO)
-t ANONYMIZE TCP ports (MAP, ZERO)
-d ANONYMIZE TCP/UDP payload (STRIP, ZERO, HASH)
-c Fix checksums
-z Zero tcp and ip options
-p Print anonymized packets
-h Print this help message

Examples:

1) Prefix-preserving anonymization for IP addressses, mapping to intergers for TCP ports, zero TCP/IP options,
replace TCP/UDP payload with hash and fix checksums. Read packets from pcap file input_file and dump anonymized
packets to pcap file output_file

./anon_packets -f input_file -c -z -a PREFIX -t MAP -d HASH output_file

2) Map IP addressses to integers, zero TCP/IP options, remove TCP/UDP payload with hash, fix checksums and print
anonymized packets.Read packets from eth0 interface and dump anonymized packets to pcap file output_file

./anon_packets -i eth0 -p -c -z -a MAP -d STRIP output_file

Usage :

The second and third applications are able to perform anonymization of Netflow datagrams, as exported by a Cisco router. The Netflow
datagram export format is defined in excruciating detail here:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_white_paper09186a00800a3db9.shtml  (version 9)
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/nfcform.htm      (version 5, amongst others)
Every field that might be included in a Netflow datagram can be anonymized. The application, as probably expected, can read from a pcap
compatible trace file or a live NIC and dump the anonymized packets to a pcap compatible file.
One could as easily feed the file to another NIC through the use of UNIX pipes and tools such as tcpreplay.

Run ./anonymize_netflow_v9 or ./anonymize_netflow_v5 for a message explaining the usage of those 2 applications. Most options
are common with previous two applications

Algorithm :

The key point is configurability where the user can define
any anonymization policy as a series of functions that are
applied on packets.  Our main design goal is to facilitate
the development of custom anonymization tools, that are able
to implement both simple and complex policies, in only a few
lines of simple code. The usefulness of the output trace
depends solely on the decisions of the user and the anonymization
policy that is defined and is not addressed in this work.

The major advantage of our framework is that it works up
to application-level offering a large set of anonymization
primitives and in parallel trying to optimize the necessary
functions.  All in all this work constitutes currently the most
complete framework for anonymization of realtime traffic
and offline traces. Furthermore, the framework is implemented
in a modular way so it is fully extensible in terms
of functionality, protocols and new traffic sources. Finally,
we measured the performance of our anonymization primitives
and their combination. Our results have shown that in
most commonly used policies, AAPI outperforms existing
similar applications, which offer only a subset of the AAPI
functionality.

For detailed algorithm, please refer to [koukis-anonymization].
Also, please read the API.txt (linked below) for the API
documentation. It contains all needed fields and functions to develop
you own applications along with source code of a sample application.