University of Illinois
at Urbana-Champaign

Research is funded in part or whole by the National Science Foundation and the Office of Naval Research.


Log Anonymization and Information Management (LAIM) Working Group

The LAIM Working Group was started with funding from a three-year NSF Cyber Trust project, 0524643, in September of 2005, and LAIM continues with additional funding from the Office of Naval Research through the National Center for Advanced Secure Systems Research (NCASSR). This project, led by PI Adam Slagell, seeks to (1) investigate the trade-offs between information loss and privacy inherent in the anonymization process, and (2) develop a flexible framework and prototype tool to anonymize multiple log types to varying levels. This framework is called FLAIM (Framework for Log Anonymization and Information Management).

FLAIM is modular in design to support the needs of three parties: the users, the module developers and the FLAIM developers. We, the LAIM working group, are the FLAIM developers. We provide a policy engine driven by XML schemas and XML policies, as well as a suite of anonymization algorithms, which form the core of the anonymization engine. The module developer creates a dynamically loadable library, written to our API specifications, that parses the logs and performs all file and/or network I/O. This makes it easier for a third party to add support for a new type of log, and module developers are not restricted in how they do I/O. Data can come from a file; it can be streamed; it can even come from an open network socket. This is all independent of the rest of FLAIM. Upgrades to FLAIM on our part will mostly consist of new anonymization algorithms, while the API will remain static. The acceptable anonymization algorithms and options are specified in the FLAIM schema, and all policies are validated against this schema before any processing of the logs. A user wishing to use FLAIM needs only to download FLAIM and the modules of interest. By looking at the documentation or an example policy, the user can see what options are valid in a policy for a particular module (a subset of what is acceptable XML for FLAIM itself).
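The validate-then-process split described above can be sketched as follows. This is an added example, not FLAIM code: the XML layout, the field names, the algorithm names and the two tables standing in for the core schema and a module's declared subset are all hypothetical.

```python
import hashlib, hmac, ipaddress
import xml.etree.ElementTree as ET

# Hypothetical core schema: algorithm name -> option names it accepts.
CORE_ALGORITHMS = {"passthrough": set(), "suppress": set(),
                   "truncate": {"keepBits"}, "keyed_hash": {"key"}}
# Hypothetical parser-module declaration: field -> subset of core algorithms valid for it.
MODULE_FIELDS = {"src_ip": {"passthrough", "suppress", "truncate"},
                 "user": {"passthrough", "suppress", "keyed_hash"}}

# Constructed sample policy and record (not FLAIM's real policy format).
SAMPLE_POLICY = """<policy>
  <field name="src_ip" algorithm="truncate"><option name="keepBits">16</option></field>
  <field name="user" algorithm="keyed_hash"><option name="key">constructed-demo-key</option></field>
</policy>"""
SAMPLE_RECORD = {"src_ip": "192.168.10.77", "user": "alice"}

def load_policy(xml_text):
    """Validate the whole policy up front; raise ValueError before any log is read."""
    policy = {}
    for rule in ET.fromstring(xml_text).findall("field"):
        name, algo = rule.get("name"), rule.get("algorithm")
        opts = {o.get("name"): o.text for o in rule.findall("option")}
        if name not in MODULE_FIELDS:
            raise ValueError(f"module has no field {name!r}")
        if algo not in CORE_ALGORITHMS or algo not in MODULE_FIELDS[name]:
            raise ValueError(f"{algo!r} is not valid for field {name!r}")
        if set(opts) != CORE_ALGORITHMS[algo]:
            raise ValueError(f"{algo!r} needs exactly options {sorted(CORE_ALGORITHMS[algo])}")
        policy[name] = (algo, opts)
    missing = set(MODULE_FIELDS) - set(policy)
    if missing:  # fail closed: an unlisted field must not leak through unchanged
        raise ValueError(f"no rule for fields {sorted(missing)}")
    return policy

def anonymize(record, policy):
    """Apply the validated policy to one parsed record (a dict produced by the module)."""
    out = {}
    for name, value in record.items():
        algo, opts = policy[name]
        if algo == "passthrough":
            out[name] = value
        elif algo == "suppress":
            out[name] = ""
        elif algo == "truncate":  # keep the top keepBits bits of an IPv4 address
            net = ipaddress.ip_network(f"{value}/{int(opts['keepBits'])}", strict=False)
            out[name] = str(net.network_address)
        else:  # keyed_hash: consistent pseudonym, not reversible without the key
            mac = hmac.new(opts["key"].encode(), value.encode(), hashlib.sha256)
            out[name] = mac.hexdigest()[:16]
    return out
```

Rejecting a policy that omits a field, rather than passing that field through, is a design choice of this sketch; the page does not say how FLAIM treats unlisted fields.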

With FLAIM's first release, we supplied modules for netfilter/iptables and pcap logs. In fact, this support was first implemented in a less flexible and robust incarnation of FLAIM that we created in the fall of 2005 as our first prototype. FLAIM's second release, version 0.5, introduced a module for nfdump format NetFlows. We previously created a converter and anonymizer for NetFlows called CANINE. CANINE is a Java, GUI-based tool that works only on NetFlows. This means it is not scriptable, and it is not as fast as FLAIM, which is written in C++ and C. However, CANINE remains a useful utility due to its ability to handle multiple formats of NetFlows and its portability. The main reason for creating a FLAIM module for NetFlows was to improve performance, which increases by up to an order of magnitude under FLAIM. We have also created a Linux process accounting module for FLAIM (July 2007).